learning nothing


learning nothing

Postby ShenXianMountain » Mon Nov 14, 2016 9:25 pm

My learn_config:
[code]always-reduce-path /dev/pts
always-reduce-path /var/spool/qmailscan/tmp
always-reduce-path /var/spool/exim4
always-reduce-path /var/run/screen
always-reduce-path /usr/share/locale
always-reduce-path /usr/share/zoneinfo
always-reduce-path /usr/share/terminfo
always-reduce-path /usr/portage
always-reduce-path /tmp
always-reduce-path /var/tmp

high-reduce-path /dev/.udev
high-reduce-path /dev/mapper
high-reduce-path /dev/snd
high-reduce-path /proc
high-reduce-path /lib
high-reduce-path /lib32
high-reduce-path /libx32
high-reduce-path /lib64
high-reduce-path /lib/tls
high-reduce-path /lib32/tls
high-reduce-path /libx32/tls
high-reduce-path /lib64/tls
high-reduce-path /lib/security
high-reduce-path /lib/modules
high-reduce-path /lib32/modules
high-reduce-path /lib64/modules
high-reduce-path /usr/lib
high-reduce-path /usr/lib32
high-reduce-path /usr/libx32
high-reduce-path /usr/lib64
high-reduce-path /usr/lib/tls
high-reduce-path /usr/lib32/tls
high-reduce-path /usr/libx32/tls
high-reduce-path /usr/lib64/tls
high-reduce-path /usr/lib64/openoffice
high-reduce-path /var/lib
high-reduce-path /usr/bin
high-reduce-path /usr/sbin
high-reduce-path /sbin
high-reduce-path /bin
high-reduce-path /usr/local/share
high-reduce-path /usr/local/bin
high-reduce-path /usr/local/sbin
high-reduce-path /usr/local/etc
high-reduce-path /usr/local/lib
high-reduce-path /usr/share
high-reduce-path /usr/X11R6/lib
high-reduce-path /var/lib/openldap-data
high-reduce-path /var/lib/krb5kdc

dont-reduce-path /
dont-reduce-path /home
dont-reduce-path /dev
dont-reduce-path /usr
dont-reduce-path /var
dont-reduce-path /opt

protected-path /etc
protected-path /lib
protected-path /boot
protected-path /run
protected-path /usr
protected-path /opt
protected-path /var
protected-path /dev/log
protected-path /root
protected-path /sys

read-protected-path /etc/ssh
read-protected-path /proc/kallsyms
read-protected-path /proc/kcore
read-protected-path /proc/slabinfo
read-protected-path /proc/modules
read-protected-path /lib/modules
read-protected-path /lib64/modules
read-protected-path /boot
read-protected-path /etc/shadow
read-protected-path /etc/shadow-
read-protected-path /etc/gshadow
read-protected-path /etc/gshadow-
read-protected-path /sys

high-protected-path /etc/ssh
high-protected-path /proc/kcore
high-protected-path /proc/sys
high-protected-path /proc/bus
high-protected-path /proc/slabinfo
high-protected-path /proc/modules
high-protected-path /proc/kallsyms
high-protected-path /etc/passwd
high-protected-path /etc/shadow
high-protected-path /var/backups
high-protected-path /etc/shadow-
high-protected-path /etc/gshadow
high-protected-path /etc/gshadow-
high-protected-path /var/log
high-protected-path /dev/mem
high-protected-path /dev/kmem
high-protected-path /dev/port
high-protected-path /dev/log
high-protected-path /sys
high-protected-path /etc/ppp
high-protected-path /etc/samba/smbpasswd

high-protected-path /boot
high-protected-path /lib/modules
high-protected-path /lib64/modules
high-protected-path /usr/src

inherit-learn /etc/cron.d
inherit-learn /etc/cron.hourly
inherit-learn /etc/cron.daily
inherit-learn /etc/cron.weekly
inherit-learn /etc/cron.monthly
inherit-learn /usr/sbin/sshd

inherit-no-learn /etc/cron.daily/apt

inherit-learn /etc/init.d
inherit-learn /etc/rc.d/init.d[/code]

The learned policy it produced:
[code]# policy generated from full system learning

define grsec_denied {
/boot h
/dev/grsec h
/dev/kmem h
/dev/mem h
/dev/port h
/etc/grsec h
/proc/kcore h
/proc/slabinfo h
/proc/modules h
/proc/kallsyms h
/lib/modules hs
/lib64/modules hs
/etc/ssh h
}

role admin sA
subject / rvka
/ rwcdmlxi

role shutdown sARG
subject / rvka
/
/dev
/dev/urandom r
/dev/random r
/etc r
/bin rx
/sbin rx
/lib rx
/lib64 rx
/usr rx
/proc r
$grsec_denied
-CAP_ALL
connect disabled
bind disabled

role default
subject /
/ h
-CAP_ALL
connect disabled
bind disabled[/code]

There is nothing in learning.logs, so I captured an strace of gradm; it seems that it did not call the grlearn process at all. Is something wrong?

[code]execve("/usr/sbin/gradm", ["gradm", "-F", "-L", "/etc/grsec/learning.logs", "-O", "/etc/grsec/policy.new"], [/* 26 vars */]) = 0
brk(0) = 0x6bc118fb50
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x27a56af2000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=53013, ...}) = 0
mmap(NULL, 53013, PROT_READ, MAP_PRIVATE, 3, 0) = 0x27a56ae5000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \34\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2112384, ...}) = 0
mmap(NULL, 3936832, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x27a56512000
mprotect(0x27a566c9000, 2097152, PROT_NONE) = 0
mmap(0x27a568c9000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b7000) = 0x27a568c9000
mmap(0x27a568cf000, 16960, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x27a568cf000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x27a56ae4000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x27a56ae2000
arch_prctl(ARCH_SET_FS, 0x27a56ae2740) = 0
mprotect(0x27a568c9000, 16384, PROT_READ) = 0
mprotect(0x6bc0fc0000, 4096, PROT_READ) = 0
mprotect(0x27a56af5000, 4096, PROT_READ) = 0
munmap(0x27a56ae5000, 53013) = 0
geteuid() = 0
getuid() = 0
uname({sys="Linux", node="grsec", ...}) = 0
setrlimit(RLIMIT_CORE, {rlim_cur=0, rlim_max=0}) = 0
brk(0) = 0x6bc118fb50
brk(0x6bc11b0b50) = 0x6bc11b0b50
brk(0) = 0x6bc11b0b50
brk(0x6bc11b1000) = 0x6bc11b1000
getcwd("/etc/grsec", 4095) = 11
mlock(0x3c849ed3840, 264) = 0
open("/etc/grsec/learning.logs", O_RDONLY) = 3
mmap(NULL, 16781312, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x27a55511000
stat("/etc/grsec/policy.new", {st_mode=S_IFREG|0644, st_size=576, ...}) = 0
open("/etc/grsec/policy.new", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
open("/etc/grsec/learn_config", O_RDONLY) = 5
ioctl(5, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x3c849ed2e20) = -1 ENOTTY (Inappropriate ioctl for device)
fstat(5, {st_mode=S_IFREG|0600, st_size=7102, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x27a56af1000
read(5, "#This configuration file aids th"..., 8192) = 7102
read(5, "", 4096) = 0
read(5, "", 8192) = 0
ioctl(5, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x3c849ed2e20) = -1 ENOTTY (Inappropriate ioctl for device)
close(5) = 0
munmap(0x27a56af1000, 4096) = 0
umask(077) = 022
fstat(4, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x27a56af1000
write(4, "# policy generated from full sys"..., 576) = 576
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x27a56af0000
write(1, "Beginning full learning 1st pass"..., 35) = 35
ioctl(3, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x3c849ed2e10) = -1 ENOTTY (Inappropriate ioctl for device)
read(3, "", 16777216) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x3c849ed2e10) = -1 ENOTTY (Inappropriate ioctl for device)
write(1, "done.\n", 6) = 6
write(1, "Beginning full learning role red"..., 41) = 41
write(1, "done.\n", 6) = 6
lseek(3, 0, SEEK_SET) = 0
write(1, "Beginning full learning 2nd pass"..., 35) = 35
ioctl(3, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x3c849ed2de0) = -1 ENOTTY (Inappropriate ioctl for device)
read(3, "", 16777216) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, 0x3c849ed2de0) = -1 ENOTTY (Inappropriate ioctl for device)
write(1, "done.\n", 6) = 6
write(1, "Full learning complete.\n", 24) = 24
close(3) = 0
exit_group(0) = ?
+++ exited with 0 +++[/code]

Re: learning nothing

Postby spender » Thu Nov 24, 2016 2:43 pm

Learning is enabled by using -F -L. By adding the -O argument, you're telling it to parse the already-generated learning log and produce the policy. Remove the -O argument and learning will be enabled properly.

-Brad

