rules for rm, ln, and touch despite learning inheritance?

Postby countermode » Tue Mar 25, 2014 5:46 pm

Hi,

I've just collected a huge learning log with
inherit-learn /etc/cron.d
inherit-learn /etc/cron.hourly
inherit-learn /etc/cron.daily

etc. in learn_config.

Nonetheless, I got the following policy entries
# Role: root
subject /bin/rm o {
        /                               h
        /bin                            h
        /bin/rm                         x
        /etc                            h
        /etc/ld.so.cache                r
        /lib                            h
        /lib/ld-2.17.so                 x
        /lib/libc-2.17.so               rx
        /var                            h
        /var/spool/cron/lastrun/cron.daily      wd
        /var/spool/cron/lastrun/cron.hourly     wd
        /var/spool/cron/lastrun/cron.weekly     wd
        /var/spool/cron/lastrun/lock    wd
        -CAP_ALL
        bind    disabled
        connect disabled
}

Is that supposed to be like that?

Re: rules for rm, ln, and touch despite learning inheritance

Postby spender » Thu Mar 27, 2014 8:23 am

That rm must have been executed from somewhere else. You'll have to find out where from (a start would be iteratively looking for executions going back from /bin/rm in the learning log). It might be something specific to your distro that I can just include in an update to the learn_config.

-Brad

Re: rules for rm, ln, and touch despite learning inheritance

Postby countermode » Thu Mar 27, 2014 7:14 pm

spender wrote: That rm must have been executed from somewhere else

Well no, nothing I can think of. That must have been something from the cron corner. I let the system (a web server) run for a while and logged on and off a couple of times without doing much. (And certainly I did not issue a rm command.) If you could just give me the meaning of the eleven fields in the learning log I could inspect the relevant entries.


Regards
countermode

Re: rules for rm, ln, and touch despite learning inheritance

Postby spender » Thu Mar 27, 2014 7:23 pm

It was probably from crond itself, as it's likely you have a line like:
rm -f /var/spool/cron/lastrun/cron.daily

etc
in your /etc/crontab, which seems specific to some distros. Instead of adding an "inherit-learn /usr/sbin/cron" line to learn_config, though, I'd recommend that you instead split out those commands into separate shell scripts in protected directories and then have crond execute those shell scripts instead. Then add inherit-learn lines for those shell scripts (or put them all in a single directory and add a single inherit-learn line) and it should resolve the problem.

-Brad

Re: rules for rm, ln, and touch despite learning inheritance

Postby countermode » Thu Mar 27, 2014 8:00 pm

spender wrote: It was probably from crond itself, as it's likely you have a line like:
rm -f /var/spool/cron/lastrun/cron.daily

etc
in your /etc/crontab, which seems specific to some distros.

-Brad

Well, this is a Gentoo distro. The culprit seems to be indeed /etc/crontab, which says:
# check scripts in cron.hourly, cron.daily, cron.weekly and cron.monthly
59  *  * * *    root    rm -f /var/spool/cron/lastrun/cron.hourly
9  3  * * *     root    rm -f /var/spool/cron/lastrun/cron.daily
19 4  * * 6     root    rm -f /var/spool/cron/lastrun/cron.weekly
29 5  1 * *     root    rm -f /var/spool/cron/lastrun/cron.monthly
*/10  *  * * *  root    test -x /usr/sbin/run-crons && /usr/sbin/run-crons

where run-crons is a shell script that calls ln, touch and rm. So that's where the policy entries come from. However, run-crons also calls find but there's no policy entry for find. Very odd...

Anyway, is there a description of the learning log format?


Regards
countermode
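An added example (not code from the thread, from grsecurity, or from Gentoo) of the approach spender recommends, applied to the /etc/crontab shown above: the four "rm -f /var/spool/cron/lastrun/..." lines are folded into one root-owned script that crond runs instead, so the learning log attributes the deletions to that script and a single inherit-learn line for its directory covers them, rather than /bin/rm collecting its own subject. The script path, its directory, and the replacement crontab and learn_config lines in the header comment are assumptions; LASTRUN_DIR is overridable only so the function can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread or from grsecurity/Gentoo.
# Replaces the four direct "rm -f /var/spool/cron/lastrun/cron.*" entries
# with one script that crond executes, so inherit-learn can apply to the
# script instead of to /bin/rm.
#
# Assumed layout (hypothetical, pick your own):
#   script          : /usr/local/sbin/cron-lastrun-reset  (root:root, mode 0700)
#   learn_config    : inherit-learn /usr/local/sbin
#   /etc/crontab    :
#     59 *  * * *   root  /usr/local/sbin/cron-lastrun-reset hourly
#     9  3  * * *   root  /usr/local/sbin/cron-lastrun-reset daily
#     19 4  * * 6   root  /usr/local/sbin/cron-lastrun-reset weekly
#     29 5  1 * *   root  /usr/local/sbin/cron-lastrun-reset monthly

# Directory holding the lastrun marker files. Overridable so the function
# can be tested against a scratch directory instead of the real spool.
LASTRUN_DIR="${LASTRUN_DIR:-/var/spool/cron/lastrun}"

# reset_lastrun PERIOD
#   Removes the marker file for PERIOD (hourly|daily|weekly|monthly) so that
#   the next run-crons pass re-runs that period's scripts.
#   Returns 0 on success, 2 for an unknown period, rm's status otherwise.
reset_lastrun() {
    period="$1"
    case "$period" in
        hourly|daily|weekly|monthly) ;;
        *)
            echo "cron-lastrun-reset: unknown period '$period'" >&2
            return 2
            ;;
    esac
    # -f: a missing marker is not an error; --: never treat the path as options
    rm -f -- "$LASTRUN_DIR/cron.$period"
}

# marker_exists PERIOD
#   Returns 0 if the marker for PERIOD is present, 1 otherwise.
marker_exists() {
    [ -e "$LASTRUN_DIR/cron.$1" ]
}

# Only act when invoked with an argument (crond passes the period);
# sourcing the file defines the functions without touching anything.
if [ -n "$1" ]; then
    reset_lastrun "$1"
fi
```

The script has to sit in a directory the RBAC policy keeps writable by root alone (the "protected directory" spender refers to), because whatever can edit it runs as root under cron. It only covers the four direct rm calls; the */10 run-crons line, which itself calls ln, touch and rm, still needs its own inherit-learn entry.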

