When i start gradm - i have no control more ... :\

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby Stefan » Fri Apr 26, 2002 5:35 am

Hello GR Users!

I have installed grsec and selected the following settings:

# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Buffer Overflow Protection
#
CONFIG_GRKERNSEC_PAX=y
CONFIG_GRKERNSEC_PAX_EMUTRAMP=y
CONFIG_GRKERNSEC_PAX_MPROTECT=y
CONFIG_GRKERNSEC_MMAPFIXED=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_KMEM=y

#
# Access Control Lists
#
CONFIG_GRKERNSEC_ACL=y
# CONFIG_GR_DEBUG is not set
CONFIG_GRKERNSEC_ACL_CAPLOG=y
CONFIG_GRADM_PATH="/sbin/gradm"
CONFIG_GR_MAXTRIES=2
CONFIG_GR_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_FD=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_SIG=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_PTRACE=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_KBMAP=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_SUID=y
CONFIG_GRKERNSEC_TIME=y

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_IPC is not set
CONFIG_GRKERNSEC_TTYROOT=y
# CONFIG_GRKERNSEC_TTYROOT_PHYS is not set
CONFIG_GRKERNSEC_TTYROOT_SERIAL=y
# CONFIG_GRKERNSEC_TTYROOT_PSEUDO is not set
CONFIG_GRKERNSEC_FORKBOMB=y
CONFIG_GRKERNSEC_FORKBOMB_GID=100
CONFIG_GRKERNSEC_FORKBOMB_SEC=40
CONFIG_GRKERNSEC_FORKBOMB_MAX=20

# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_GROUP=y
CONFIG_GRKERNSEC_PTRACE_GID=10

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
CONFIG_GRKERNSEC_RANDPING=y
CONFIG_GRKERNSEC_RANDTTL=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y

#
# Miscellaneous Features
#
CONFIG_GRKERNSEC_FLOODTIME=20
# CONFIG_GRKERNSEC_COREDUMP is not set

- I have taken spender's ACL files from the
ACL development forum. If I try to start
gradm with "gradm -E" - my box is out of my
control, NOTHING works anymore - I can only
do a hardware reset. I use Slackware 8 on my box.

I have installed iptables too - maybe the ACLs fight
with grsec and this is the reason?

Here is a part from the log (I have removed the
lines for programs that I have not installed in the
ACL files - I paste it in a second posting).

Can anyone help me please?
Stefan
 
Posts: 3
Joined: Fri Apr 26, 2002 5:21 am

Postby Stefan » Fri Apr 26, 2002 5:40 am

The lines which let me know that programs are
not there, I have removed in the ACL files:

grsec: Duplicate entries in config file /etc/grsec/proc.acl at line 21
grsec: more duplicate entries, logging disabled for 20 seconds
grsec: Unable to locate file /var/log/httpd on line 7 of /etc/grsec/file.acl
grsec: more , logging disabled for 20 seconds
grsec: Loaded grsecurity 2.0
grsec: attempt to mmap 32059 771 executableby (bash:14800) UID(508) EUID(508), parent (sshd:14799) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: attempt to mmap 228923 771 executableby (gradm:14803) UID(0) EUID(0), parent (bash:14763) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: attempt to access hidden file with inode 357447 dev 771 by (bash:14763) UID(0) EUID(0), parent (sshd:14762) UID(0) EUID(0)
grsec: exec of /bin/sh by (perl:14806) UID(0) EUID(0), parent (perl:14805) UID(0) EUID(0) attempted to use 1 malicious environment(s)
attempt to mmap 32059 771 executableby (sh:14806) UID(0) EUID(0), parent (perl:14805) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: more malicious environments, logging disabled for 20 seconds
grsec: attempt to mmap 32082 771 executableby (ls:14881) UID(0) EUID(0), parent (bash:14763) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds
grsec: exec of /bin/sh by (perl:14882) UID(0) EUID(0), parent (perl:14879) UID(0) EUID(0) attempted to use 1 malicious environment(s)
grsec: attempt to mmap 224791 771 executableby (reboot:15005) UID(0) EUID(0), parent (bash:14763) UID(0) EUID(0)
grsec: more mmap exec attempts, logging disabled for 20 seconds

I hope someone can help me please ...

Regards,
Stefan
 
Posts: 3
Joined: Fri Apr 26, 2002 5:21 am

Postby spender » Fri Apr 26, 2002 11:26 am

I'm not sure what the problem could be... most likely it's an error in the configuration (the mmap logs usually only show up when the process ACL does not have permission to execute itself).

1.9.5 should fix all your problems, since the parsing has a much greater level of error handling and ACL analysis to make sure nothing goes wrong.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

problems

Postby michaeld » Fri Apr 26, 2002 4:01 pm

Mail me your configuration files if you don't want to wait until 1.9.5 and I'll fix them up (michael@grsecurity.net)
michaeld
 
Posts: 37
Joined: Mon Feb 25, 2002 12:32 am

Fixed ;]

Postby Stefan » Sun Apr 28, 2002 10:55 pm

The problem was that there
were a few programs in the ACL files
that were not on my system.

Thanks for your help michaeld 8)
Stefan
 
Posts: 3
Joined: Fri Apr 26, 2002 5:21 am
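A pre-flight check for the two conditions that bit Stefan here (paths in the ACL files that do not exist on the box, and the "Duplicate entries" error from the log), written as an added example for this thread; it is not part of gradm or of the thread. It assumes a simplified block layout of "/subject {" followed by "/object mode" lines and a closing "}", which is an assumption about the 1.9.x ACL syntax, not taken from the thread.

```python
# Pre-flight check for old-style grsecurity ACL files (added example).
# Assumed layout, not taken from the thread:  "/subject {" ... "/object mode" ... "}".
# It flags the two conditions the thread's log shows: a referenced path that does
# not exist, and the same object path listed twice in one block.
import os
from typing import Callable, Dict, List, Tuple

Finding = Tuple[int, str]  # (line number, message)


def check_acl(text: str, exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Return one finding per problem in file order; `exists` is injectable for testing."""
    findings: List[Finding] = []
    seen: Dict[str, int] = {}  # object path -> first line in the current block
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line or line == "}":
            continue
        if line.endswith("{"):  # start of a subject block: the program being confined
            path, seen = line[:-1].strip(), {}
        else:
            path = line.split()[0]  # first token of an object line is its path
            if not path.startswith("/"):
                continue  # capability or other non-path entry
            if path in seen:
                findings.append((lineno, f"duplicate entry {path} (first at line {seen[path]})"))
            seen.setdefault(path, lineno)
        if not exists(path):
            findings.append((lineno, f"unable to locate file {path}"))
    return findings


# Constructed sample reproducing both failure modes from the thread's log.
SAMPLE_ACL = """\
/usr/sbin/httpd {
    /var/log/httpd   rw
    /etc/passwd      r
    /etc/passwd      r
}
"""

if __name__ == "__main__":
    for lineno, msg in check_acl(SAMPLE_ACL):
        print(f"line {lineno}: {msg}")
```

Running it over the real files before "gradm -E" turns a lockout into a readable list of offending lines.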

Post here the fixed and the non-fixed ACLs pls :)

Postby Sea-you » Tue Apr 30, 2002 8:55 am

Post here the fixed and the non-fixed ACLs pls :) We should learn from that :)
Sea-you
 
Posts: 10
Joined: Thu Apr 11, 2002 12:48 pm
