RBAC policy for Wireshark-2

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

RBAC policy for Wireshark-2

Postby timbgo » Sun Oct 25, 2015 4:25 pm

title: RBAC policy for Wireshark-2

My policy has changed in the meantime, but is still based on:

A no-poetterware desktop RBAC policy
viewtopic.php?f=5&t=4153

which I posted trying to offer (an imperfect) reference to newbies.

---
WARNING: non-Gentoo users, skim through these first lines to "WARNING END", it's Gentoo specific
I just installed:

Code: Select all
# equery l net-analyzer/wireshark
 * Searching for wireshark in net-analyzer ...
[IP-] [  ] net-analyzer/wireshark-2.0.0_rc1:0/2.0.0_rc1
g0n ~ #


for which I needed to tweak the configuration in /etc/portage/package.accept_keywords (

Code: Select all
net-analyzer/wireshark **


) and also in /etc/portage/package.mask (

added:
Code: Select all
=net-analyzer/wireshark-1.12.8
=net-analyzer/wireshark-99999999

( the 1.12.8 was previously masked because it crashed my machine )
)
WARNING END
---

Just pick up the information that the above is about wireshark-2.0.0_rc1, which is, at the time of writing this topic, still in testing, that is: it is still unstable.

And I can see that wireshark-2 is going to be a great change. Much more easily viewed, the content in all the panes, no thick frames around panes and all that is not content is really slim, for one thing.

And I have a few computors that I still can only work on with at 800x600! Imagine what good news every pixel saved for the content is for me!

But also the internals appear to have changed. You'll figure out below, from first hand account, as the story is hands on!

Because I'm posting this to find the new policy for wireshark and for dumpcap.

If you look up my uncenz little program in action (e.g. in "SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox"), you'll see that I don't capture with Wireshark: that's too much X, all is more easily broken, but rather with dumpcap, or I could (and previously did), with pcapng, or with tcpdump, they're all libpcap based... But I do need the GUI (the Wireshark proper; dumpcap is part of its installation in *nix) to view things, at least I still need the GUI at this time.

With the net-analyzer/wireshark-1.12.7 and earlier ones, which all were pretty stable (just the net-analyzer/wireshark-1.12.8 crashed my machines), the RBAC policy below worked, and it worked great for my needs (in long time I haven't been capturing with Wireshark proper but with dumpcap/pcapng/tcpdump):

Code: Select all
# Role: root
subject /usr/bin/dumpcap o {
user_transition_allow miro root nobody
group_transition_allow miro root nobody

   /            h
   /Cmn            h
   /Cmn/MyVideos      r
   /Cmn/mr            rw
   /dev            h
   /dev/bus         rw
   /dev/usbmon*         r
   /etc            h
   /etc/ld.so.cache      r
   /etc/libnl/classid      r
   /home            h
   /lib64            rx
   /lib64/modules         h
   /sys            
   /sys/bus         r
   /sys/bus/usb/devices   r   
   /sys/class         r
   /sys/class/net      r
   /sys/devices         r
   /usr            h
   /usr/bin         h
   /usr/bin/dumpcap      rx
   /usr/lib64         rx
   -CAP_ALL
   +CAP_NET_ADMIN
   +CAP_NET_RAW
   bind   0.0.0.0/32:0 dgram ip
   connect   disabled
   sock_allow_family netlink
}

# Role: miro
subject /usr/bin/wireshark o {
   /            
   /Cmn            r
   /Cmn/Kaff         rwc
   /Cmn/MyVideos/Scr      rwc
   /Cmn/dLo            rwc
   /Cmn/mr*            rwc
   /boot            h
   /dev            h
   /dev/sda3         
   /dev/random         r
   /dev/urandom         r
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /home            
   /home/miro         rwcd
#   /lib/modules         h
   /lib64            rx
   /lib64/modules         h
   /proc            r
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
#   /proc/mounts         
   /proc/slabinfo         h
   /sys            h
   /usr            h
   /usr/bin         h
   /usr/bin/dumpcap      x
   /usr/bin/wireshark      x
   /usr/lib64         rx
   /usr/share         r
   /tmp            rwcd
   /var            h
   /var/cache         h
   /var/cache/fontconfig      r
   /var/www/localhost/htdocs   rwc
   -CAP_ALL
   +CAP_DAC_READ_SEARCH
   +CAP_NET_ADMIN
   +CAP_NET_RAW
   bind   0.0.0.0/32:0 dgram ip
   connect   disabled
   sock_allow_family netlink
}


With these policies for dumpcap, and for wireshark, I had few if any issues in long months.

But that is not the case anymore.

I'll post next, the system log messages that I get when I launch Wireshark, and also when I open a file with captured traffic (some .pcap-ng file, but most people still like to keep the extension to just .pcap, even though .pcap was the old format, nowadays rarely used to my knowledge).
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: RBAC policy for Wireshark-2

Postby timbgo » Sun Oct 25, 2015 4:41 pm

I only cut out unrelated entries to this log, as best I could figure. The likely possible intruders, although you never know, know so well the hostnames in my machine --e.g. they know that they have not seen live any other machine then g0n, as I have only gone online with g0n for many months now --eversince I quit posting grsec-hardened kernels for readers and users of my Debian Tips page--

, and if some dirty hired hacker would want to attack, it would likely only be because bigger subject would want so: no moneys, only dire poverty here... But wait, I'm not talking nonsense, as some of the readers who haven't met me yet might think, just go and visit the clickjacking post in my topic "Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion",

and also

the throwing of my mail into junk post in the same topic

Digression written. Just, now you know that the messages below are from my lots of air in the gap to it

not-this-that-I-use-for-posting-online system

In other words, I'm posting logs from the air-gapped host gbn of mine:
Code: Select all
Oct 25 16:27:55 gbn kernel: [36815.643927] grsec: (admin:S:/) exec of /bin/grep (grep --colour=auto -r sbc /usr/portage/profiles/use.desc /usr/portage/profiles/use.local.desc ) by /bin/grep[bash:26501] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:26484] uid/euid:0/0 gid/egid:0/0
Oct 25 16:29:50 gbn kernel: [36929.997004] grsec: (miro:U:/usr/bin/wireshark) exec of /usr/bin/wireshark (wireshark ) by /usr/bin/wireshark[openbox:26504] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:29:50 gbn kernel: [36930.043661] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /usr by /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:29:50 gbn kernel: [36930.043710] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /usr by /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:29:50 gbn kernel: [36930.258348] grsec: (:::kernel::::S:/) exec of /bin/kmod (/sbin/modprobe -q -- net-pf-16-proto-16-family-nl80211 grsec_modharden_normal1000_ ) by /bin/kmod[kworker/u8:2:26510] uid/euid:0/0 gid/egid:0/0, parent /[kworker/u8:2:26509] uid/euid:0/0 gid/egid:0/0
Oct 25 16:29:51 gbn kernel: [36930.954404] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -D -Z none ) by /usr/bin/dumpcap[wireshark:26511] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:29:51 gbn kernel: [36930.966103] grsec: (miro:U:/) denied socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:26511] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:29:51 gbn kernel: [36930.988027] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26512] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:29:51 gbn kernel: [36930.998587] grsec: (miro:U:/) denied socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:26512] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:29:52 gbn kernel: [36932.006412] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26513] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:29:52 gbn kernel: [36932.017272] grsec: more alerts, logging disabled for 10 seconds
Oct 25 16:29:53 gbn kernel: [36933.007001] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26524] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
...[ 9 lines with same "/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:" cut here ] ...
Oct 25 16:30:03 gbn kernel: [36943.012535] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26585] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:03 gbn kernel: [36943.023282] grsec: (miro:U:/) denied socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:26585] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:04 gbn kernel: [36944.014522] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26586] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:04 gbn kernel: [36944.025545] grsec: (miro:U:/) denied socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:26586] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:04 gbn kernel: [36944.141435] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[RecentFileStatu:26589] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:05 gbn kernel: [36945.013793] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26597] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:05 gbn kernel: [36945.024582] grsec: (miro:U:/) denied socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:26597] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:06 gbn kernel: [36946.014388] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26598] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:06 gbn kernel: [36946.025233] grsec: more alerts, logging disabled for 10 seconds
Oct 25 16:30:07 gbn kernel: [36947.014899] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26609] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
...[ 9 lines with same "/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:" cut here ] ...
Oct 25 16:30:17 gbn kernel: [36957.020592] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26669] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:17 gbn kernel: [36957.031395] grsec: (miro:U:/) denied socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:26669] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:18 gbn kernel: [36958.021206] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26670] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:18 gbn kernel: [36958.032029] grsec: (miro:U:/) denied socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:26670] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:19 gbn kernel: [36959.022402] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26681] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:19 gbn kernel: [36959.032684] grsec: (miro:U:/) denied socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:26681] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:20 gbn kernel: [36960.022314] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26682] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:20 gbn kernel: [36960.033132] grsec: (miro:U:/) denied socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:26682] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:20 gbn kernel: [36960.150294] grsec: more alerts, logging disabled for 10 seconds
Oct 25 16:30:21 gbn kernel: [36961.022995] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26693] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
...[ 9 lines with same "/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:" cut here ] ...
Oct 25 16:30:31 gbn kernel: [36971.028525] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26753] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:31 gbn kernel: [36971.039326] grsec: (miro:U:/) denied socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:26753] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:32 gbn kernel: [36972.029177] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26754] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:32 gbn kernel: [36972.039725] grsec: (miro:U:/) denied socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:26754] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:33 gbn kernel: [36973.029878] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26765] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:33 gbn kernel: [36973.040537] grsec: (miro:U:/) denied socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:26765] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:34 gbn kernel: [36974.030266] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26766] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:34 gbn kernel: [36974.041105] grsec: (miro:U:/) denied socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:26766] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:30:34 gbn kernel: [36974.159061] grsec: more alerts, logging disabled for 10 seconds
Oct 25 16:30:35 gbn kernel: [36975.030979] grsec: (miro:U:/) exec of /usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:26777] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000
...[ 3 lines with same "/usr/bin/dumpcap -S -Z none ) by /usr/bin/dumpcap[wireshark:" cut here ] ...
Oct 25 16:30:46 gbn kernel: [36986.165928] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[RecentFileStatu:26838] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
...[ 3 lines with same "denied access to hidden file /sys/devices/system/cpu/online" cut here ] ...
Oct 25 16:30:56 gbn kernel: [36996.171758] grsec: more alerts, logging disabled for 10 seconds
Oct 25 16:31:08 gbn kernel: [37008.177937] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
...[ 3 lines with same "denied access to hidden file /sys/devices/system/cpu/online" cut here ] ...
Oct 25 16:31:14 gbn kernel: [37014.181675] grsec: more alerts, logging disabled for 10 seconds
Oct 25 16:31:18 gbn kernel: [37017.991369] grsec: (admin:S:/) exec of /bin/cat (cat /var/log/messages ) by /bin/cat[bash:26993] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:13951] uid/euid:0/0 gid/egid:0/0
Oct 25 16:31:18 gbn kernel: [37017.992848] grsec: (admin:S:/) exec of /bin/date (date +%y%m%d_%H%M ) by /bin/date[bash:26995] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:26994] uid/euid:0/0 gid/egid:0/0
Oct 25 16:31:18 gbn kernel: [37017.994693] grsec: (admin:S:/) exec of /bin/hostname (hostname ) by /bin/hostname[bash:26996] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:26994] uid/euid:0/0 gid/egid:0/0
Oct 25 16:31:18 gbn kernel: [37017.997719] grsec: (admin:S:/) exec of /bin/grep (grep --colour=auto -A300000 36815.643927 ) by /bin/grep[bash:26994] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:13951] uid/euid:0/0 gid/egid:0/0

In bottom you can see how I took this first log, which is only firing up the Wireshark, nothing else.

I ran (as root):
Code: Select all
# cat /var/log/messages | grep -A300000 36815.643927 > messages_$(date +%y%m%d_%H%M)_$(hostname)


And now you can also see why I left to stand the very first line in the top of the paste: because that was the last line in the /var/log/messages that I copied with the mouse, to get this stretch of the log (I always run "tailf /var/log/messages" in a separate terminal). That was the last line in it before I fired up Wireshark.

In brief, examining more closely this first stretch of the system log (only starting of the Wireshark, no pcap file opened), it looks to me (but pls. remember that I'm not an expert; Gentooers who followed or elder ones who helped me in the past, can remember how I may have written a few articles with somewhat impressive foresight, but also made wrong and laughably wrong conjectures at other times...

Still, it looks to me that running dumpcap with the Wireshark 2, must be with all the necessary capabilities for dumpcap for the user who runs Wireshark.

I was able to go without those in the past, but not anymore, it appears to me (I'll go back on my words if I'm wrong here, don't worry!).

One more stretch of system messages, next.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: RBAC policy for Wireshark-2

Postby timbgo » Sun Oct 25, 2015 4:45 pm

And here (obviously it starts with the very last line of the former stretch: just find in the page the occurrences of the serial of the line:
Code: Select all
Oct 25 16:31:18 gbn kernel: [37017.997719] grsec: (admin:S:/) exec of /bin/grep (grep --colour=auto -A300000 36815.643927 ) by /bin/grep[bash:26994] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:13951] uid/euid:0/0 gid/egid:0/0
..[ 1 ln cut ]...
Oct 25 16:31:26 gbn kernel: [37026.188065] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[RecentFileStatu:27044] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:31:26 gbn kernel: [37026.188230] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:31:28 gbn kernel: [37028.189825] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[RecentFileStatu:27055] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:31:30 gbn kernel: [37030.191057] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[RecentFileStatu:27065] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:31:30 gbn kernel: [37030.191074] grsec: more alerts, logging disabled for 10 seconds

Here I viewed the previous stretch:
Code: Select all
Oct 25 16:31:40 gbn kernel: [37039.916286] grsec: (admin:S:/) exec of /usr/bin/vim (view messages_151025_1631_gbn ) by /usr/bin/vim[bash:27108] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:26484] uid/euid:0/0 gid/egid:0/0
...[ 141 lines cut, all pertaining to vim ]...
Oct 25 16:31:42 gbn kernel: [37042.197239] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:31:44 gbn kernel: [37044.198216] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[RecentFileStatu:27134] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
...[ 2 lines with "denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[RecentFileStatu" cut ]...
Oct 25 16:31:52 gbn kernel: [37052.202854] grsec: more alerts, logging disabled for 10 seconds
...[ 1 lines with "denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[RecentFileStatu" cut ]...
Oct 25 16:32:06 gbn kernel: [37066.211623] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
...[ 1 lines with "denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[RecentFileStatu" cut ]...
Oct 25 16:32:10 gbn kernel: [37070.213375] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:32:12 gbn kernel: [37072.214466] grsec: more alerts, logging disabled for 10 seconds
...[ 4 lines with "denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[wireshark" cut]...
Oct 25 16:32:34 gbn kernel: [37094.226840] grsec: more alerts, logging disabled for 10 seconds
Oct 25 16:32:46 gbn kernel: [37106.233644] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:32:48 gbn kernel: [37108.234642] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[RecentFileStatu:27465] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:32:48 gbn kernel: [37108.234702] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[RecentFileStatu:27464] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:32:50 gbn kernel: [37110.235758] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:32:52 gbn kernel: [37112.237368] grsec: more alerts, logging disabled for 10 seconds
Oct 25 16:33:04 gbn kernel: [37124.244302] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:33:08 gbn kernel: [37128.246235] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[RecentFileStatu:27568] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:33:12 gbn kernel: [37132.248339] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[RecentFileStatu:27586] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:33:12 gbn kernel: [37132.248397] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /sys/devices/system/cpu/online by /usr/bin/wireshark[RecentFileStatu:27587] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:33:14 gbn kernel: [37134.249429] grsec: more alerts, logging disabled for 10 seconds

Lots of "denied" lines there.

But it's not just cosmetically ugly. It's that this Wireshark can't decrypt SSL, probably until I fix the RBAC policy for it, and that is a problem.

Decrypting SSL (or the newer, mostly only politically newer name: the TLS), is what I've been into, and where I really make or break... Again, if you didn't carefully read:

SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
https://forums.gentoo.org/viewtopic-t-1029408.html

but that is just one small stretch in my journey, most of which journey I am yet to travel, the Forces that hold the Scructures of the Universe permitting...

Next, and possible not just within short time, although I really can't tell for sooner or for later that it might be, I need to fix my RBAC policies for Wireshark and for its dumpcap.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: RBAC policy for Wireshark-2

Postby timbgo » Sun Oct 25, 2015 7:04 pm

I'm thinking of trying these two snippets instead of the old policy for
wireshark and for dumpcap binary, and start learning.

Code: Select all
# Role: miro
subject /usr/bin/wireshark ol {
   /            
   -CAP_ALL
   bind   disabled
   connect   disabled
}


and:
Code: Select all
# Role: root
subject /usr/bin/dumpcap ol {
user_transition_allow miro root nobody
group_transition_allow miro root nobody
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}


The {user,group}_transition_allow can not be learned by grsecurity, at least not in all circumstances, can they?, and they need to be put in place by the user, right? That is my first qualm about this issue.

And my second uncertainty is: should I put the same two lines in the wireshark snippet of code for learning too?

I fear that is a little unsafe. Too much X and too much privelage to so much X... There's always the RedHat, the great customer to NSA, who rules in the X, regardless that the X is nothing so monstruous by any means as Systemd, not is the X such a wide comfortable bridge into GNU-and-other-FOSS programs, for any proprietary businesses' programs, however shady, like the Dbus is...

But I got all those 'denied' lines...

Why on Earth would Wireshark need access to the entire of the /usr? Have a look, as I'm pasting those two lines again:
Code: Select all
Oct 25 16:29:50 gbn kernel: [36930.043661] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /usr by /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000
Oct 25 16:29:50 gbn kernel: [36930.043710] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /usr by /usr/bin/wireshark[wireshark:26504] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/openbox[openbox:13714] uid/euid:1000/1000 gid/egid:1000/1000


I don't like that!

So, I'll try and see what I can achieve with the above two snippets of code instead of the old full blown policy from the first post of this topic. I haven't enabled the learning mode in grsec for quite a number of weeks now. I'm curious about this one, really ;-) !
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: RBAC policy for Wireshark-2

Postby timbgo » Sun Oct 25, 2015 7:09 pm

So I replaced those snippets from the post previous to this instead of the
wireshark and dumpcap policies in the first post of the topic.

The changes I always do in backup first, and so the file grsec_151025_gbn_01 has those exact changes. And so:

Code: Select all
# cp -aiv grsec_151025_gbn_01 /etc/grsec/policy
# gradm -D
Password:
# gradm -C
Error: You have enabled some form of learning on the subject for
/usr/bin/wireshark in role miro.  You have not used -L on the command line
however.  If you wish to use learning on this subject, use the -L argument to
gradm.  Otherwise, remove the learning flag on this subject.
Error: You have enabled some form of learning on the subject for
/usr/bin/dumpcap in role root.  You have not used -L on the command line
however.  If you wish to use learning on this subject, use the -L argument to
gradm.  Otherwise, remove the learning flag on this subject.
There were 2 holes found in your RBAC configuration.  These must be fixed
before the RBAC system will be allowed to be enabled.
#

That was, surely, expected. I'm only being verbose, for the occasional newbie reading my posts (I always have them in mind when I write).

Truly, my setup I haven't touched pretty long... I don't even have the learning.logs in my /etc/grsec/ directory:

Code: Select all
g0n ~ # ls -l /etc/grsec/
total 132
-rw------- 1 root root   6540 2015-02-10 22:42 learn_config
-rw------- 1 root root   6458 2015-02-27 23:33 learn_config.dist_0000
-rw------- 1 root root 114089 2015-10-25 23:48 policy
-rw------- 1 root root    336 2015-02-12 09:25 pw
g0n ~ #

(
I admit I also need to fix a few things and get abreast with the news in grsec: the learn_config may be too old... Esp. where are the news that concern the new easy-to-do policy setup for shutdown, as I read in:

HOWTO: Grsecurity quickstarting RBAC roles for Gentoo (x86)
https://forums.gentoo.org/viewtopic-t-813544.html

and especially in:

RBAC startup and shutdown included in policy?
viewtopic.php?f=5&t=2248

where find:
spender wrote:Hi, good news! I've just finished writing up a feature that should prevent shutdown/reboot from being a hassle in RBAC.

I'm yet to find time to study those (I work slowly, I'm not lazy, just I take time to figure things out.)
)

OK. So after I did:
Code: Select all
# ...
# gradm -C
<see the verbose note by grsec, not reproducing it again>

I then went:

Code: Select all
# gradm -L /etc/grsec/learning.logs -E
#

And now I, surely, need to do some repetitive work with the dumpcap and with the wireshark (proper). That may take another (little?) time.
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: RBAC policy for Wireshark-2

Postby timbgo » Tue Oct 27, 2015 1:41 pm

Quick conclusion, prior to continuing this topic:

The wireshark-2 is still very unstable. It is still much more about it's bugs, than about my insufficient knowledge on RBAC policies, that I can't decrypt SSL with it.

Postponing the final conclusion, and the possible changes to RBAC policies to when Wireshark-2 will be workable.

Regards!
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: RBAC policy for Wireshark-2

Postby timbgo » Sat Nov 07, 2015 9:40 am

Since a few days ago, I have:
Code: Select all
# equery l wireshark
 * Searching for wireshark ...
[IP-] [  ] net-analyzer/wireshark-2.0.0_rc2:0/2.0.0_rc2

installed. It appears to, at least partly work right (such as SSL decryption), but it still does crash my system.

I'd report more in detail if I had the time (actually I would see if there are updates first).

I will report if there are changes needed to the policy for wireshark that I previously had working, for wreshark-1.x. When I find time.

Regards!
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia

Re: RBAC policy for Wireshark-2

Postby timbgo » Tue May 31, 2016 7:34 am

In the meantime I have used Wireshark 2 a lot. But not lately. And some issues popped up.

Along with "denied connect() to port 0 " issue
(
Re: php-cgi and nonexisting connections to udp/80 (and udp/0
viewtopic.php?f=3&t=2951&start=15#p16324
)
, that hasn't gone away as I thought, I also have a "general protection ip... error" with Wireshark, which is simpler to describe.

Here's what my Wireshark policy entry was a day ago:
Code: Select all
# Role: miro
subject /usr/bin/wireshark o {
   /            
   /Cmn            r
   /Cmn/Kaff         rwc
   /Cmn/MyVideos/Scr      rwc
   /Cmn/dLo            rwc
   /Cmn/m*            rwc
   /boot            h
   /dev            h
   /dev/sda3         
   /dev/random         r
   /dev/urandom         r
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /home            
   /home/miro         rwcd
#   /lib/modules         h
   /lib64            rx
   /lib64/modules         h
   /proc            r
   /proc/bus         h
   /proc/kallsyms         h
   /proc/kcore         h
   /proc/modules         h
#   /proc/mounts         
   /proc/slabinfo         h
   /sys            h
   /usr            h
   /usr/bin         h
   /usr/bin/dumpcap      x
   /usr/bin/wireshark      x
   /usr/lib64         rx
   /usr/share         r
   /sys/devices/system/cpu/online   r
   /tmp            rwcd
   /var            h
   /var/cache         h
   /var/cache/fontconfig      r
   /var/www/localhost/htdocs   rwc
   -CAP_ALL
   +CAP_DAC_READ_SEARCH
   +CAP_NET_ADMIN
   +CAP_NET_RAW
   bind   0.0.0.0/32:0 dgram ip
   connect   disabled
   sock_allow_family netlink
}

and that worked fine for months I guess.

I didn't use Wireshark this month up until maybe a week ago. The system is not updated since beginning of May, almost a month (and how can I update it, when I need to get packages from internet, and I have that "port 0 " symptoms of something nefarious...).

I had started getting segmentation faults. Just the below logs is what I get after I changed the line in the policy above:
Code: Select all
   /usr            h

to read:
Code: Select all
   /usr            r

Previously one of the denied lines looked like this instead:
Code: Select all
May 29 20:45:41 g0n kernel: [26317.274333] grsec: (miro:U:/usr/bin/wireshark) denied access to hidden file /usr by /usr/bin/wireshark[wireshark:3935] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4941] uid/euid:1000/1000 gid/egid:1000/1000
denied access to hidden file /usr by /usr/bin/wireshark[wireshark:30939]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4941]
uid/euid:1000/1000 gid/egid:1000/1000

( just "hidden file /usr" instead of "hidden file /usr/bin" )

Here's the "general protection ip... error"
Code: Select all
May 31 12:26:03 g0n kernel: [169153.545809] grsec: (miro:U:/usr/bin/wireshark)
exec of /usr/bin/wireshark (wireshark -o nameres.network_name: TRUE
dump_160531_1210_g0n.pcap ) by /usr/bin/wireshark[bash:30939]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4941]
uid/euid:1000/1000 gid/egid:1000/1000

May 31 12:26:03 g0n kernel: [169153.752980] grsec: (miro:U:/usr/bin/wireshark)
denied access to hidden file /usr/bin by /usr/bin/wireshark[wireshark:30939]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4941]
uid/euid:1000/1000 gid/egid:1000/1000

May 31 12:26:04 g0n kernel: [169154.331393] grsec: (:::kernel::::S:/) exec of
/bin/kmod (/sbin/modprobe -q -- net-pf-16-proto-16-family-nl80211
grsec_modharden_normal1000_ ) by /bin/kmod[kworker/u8:1:30944] uid/euid:0/0
gid/egid:0/0, parent /[kworker/u8:1:30764] uid/euid:0/0 gid/egid:0/0

May 31 12:26:05 g0n kernel: [169155.173490] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -D -Z none ) by
/usr/bin/dumpcap[wireshark:30945] uid/euid:1000/1000 gid/egid:1000/1000, parent
/usr/bin/wireshark[wireshark:30939] uid/euid:1000/1000 gid/egid:1000/1000

May 31 12:26:05 g0n kernel: [169155.183728] grsec: (miro:U:/) denied
socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:30945] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:30939]
uid/euid:1000/1000 gid/egid:1000/1000

May 31 12:26:05 g0n kernel: [169155.225991] grsec: (miro:U:/) exec of
/usr/bin/dumpcap (/usr/bin/dumpcap -S -Z none ) by
/usr/bin/dumpcap[wireshark:30946] uid/euid:1000/1000 gid/egid:1000/1000, parent
/usr/bin/wireshark[wireshark:30939] uid/euid:1000/1000 gid/egid:1000/1000

May 31 12:26:05 g0n kernel: [169155.232802] grsec: (miro:U:/) denied
socket(netlink,raw,0) by /usr/bin/dumpcap[dumpcap:30946] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/wireshark[wireshark:30939]
uid/euid:1000/1000 gid/egid:1000/1000

May 31 12:26:05 g0n kernel: [169155.304631] grsec: (miro:U:/usr/bin/wireshark)
denied connect() to 127.0.0.1 port 53 sock type dgram protocol udp by
/usr/bin/wireshark[wireshark:30939] uid/euid:1000/1000 gid/egid:1000/1000,
parent /bin/bash[bash:4941] uid/euid:1000/1000 gid/egid:1000/1000

May 31 12:26:05 g0n kernel: [169155.304647] grsec: more alerts, logging
disabled for 10 seconds

May 31 12:27:09 g0n kernel: [169219.338403] traps: wireshark[30939] general
protection ip:3e643a8f0b7 sp:3f842b90c30 error:0 in
libglib-2.0.so.0.4800.0[3e643a70000+15a000]

May 31 12:27:09 g0n kernel: [169219.338459] grsec: (miro:U:/usr/bin/wireshark)
Segmentation fault occurred at            (nil) in
/usr/bin/wireshark[wireshark:30939] uid/euid:1000/1000 gid/egid:1000/1000,
parent /bin/bash[bash:4941] uid/euid:1000/1000 gid/egid:1000/1000

May 31 12:27:09 g0n kernel: [169219.338546] grsec: (miro:U:/usr/bin/wireshark)
denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for
/usr/bin/wireshark[wireshark:30939] uid/euid:1000/1000 gid/egid:1000/1000,
parent /bin/bash[bash:4941] uid/euid:1000/1000 gid/egid:1000/1000

And how it happens is, just start wireshark and load a traffic dump, and, say, follow some SSL stream. As soon as I close the window that had opened with the SSL stream, Wireshark crashes.

And I still wonder why would Wireshark need access to entire /usr/bin ? And it shouldn't have access to the entire /usr in the first place, of course.

I can't easily solve the " port 0 " issue, and I can't present much of a case with old testing packages either...

Hard choice here.

Regards,

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia


Return to RBAC policy development

cron