
Problem enabling RBAC

PostPosted: Wed Jun 01, 2011 3:25 am
by skylearner
Hi,

I am trying to enable the RBAC on my system.

When I do gradm -E I am getting the following error.
Reading access is allowed by role root to /lib/modules, the directory which holds kernel kernel modules.  The ability to read these images provides an attacker with very useful information for launching "ret-to-libc" style attacks against the kernel.

Reading access is allowed by role root to /proc/kallsyms, a pseudo-file that holds a mapping between kernel addresses and symbols.  This information is very useful to an attacker in sophisticated kernel exploits.

There were 2 holes found in your RBAC configuration.  These must be fixed before the RBAC system will be allowed to be enabled.


How do I fix this problem?

In my /etc/grsec/policy file the policy specification for root is like the following:
role root uG
role_transitions admin
role_allow_ip   0.0.0.0/32
subject /  {
   /            
   /bin            x
   /dev            h
   /dev/.udev         
   /dev/.udev/queue.bin      wd
   /dev/sr0         r
   /etc            r
   /etc/grsec         h
   /etc/ssh         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/ppp/chap-secrets      h
   /etc/ppp/pap-secrets      h
   /etc/samba/smbpasswd      h
   /var            h
   /var/lib/apt         
   /var/lib/dpkg/status      
   /var/run         
   /var/run/gdm/auth-for-root-9gNbjw/database   r
   /var/run/usplash.pid      r
   /var/spool/cron/crontabs   
   /lib            rx
   /proc            r
   /proc/kcore         h
   /proc/sys         h
   /proc/bus         h
   /proc/slabinfo         h
   /proc/modules         h
   /root            
   /root/.local         
   /root/.recently-used.xbel   r
   /tmp            rwcd
   /usr            
   /usr/local         h
   /usr/local/lib/python2.6/dist-packages   
   /usr/local/share      
   /usr/local/share/icons      
   /usr/share         r
   /usr/bin         x
   /usr/lib         rx
   /usr/src         h
   /sys            h
   /boot            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}

subject /bin/bash o {
   /            h
   /bin            h
   /bin/ls            x
   /sbin            h
   /sbin/reboot         x
   /boot            
   /lib            
   /lib/modules         h
   /root            
   /root/.bash_history      ra
   /usr            
   /usr/bin         x
   /usr/lib         
   /usr/src         h
   -CAP_ALL
   bind   disabled
   connect   disabled
}

subject /bin/dash o {
   /            h
   /bin            h
   /bin/cat         x
   /bin/dash         x
   /etc            h
   /etc/default/rcS      r
   /etc/init.d/rc         x
   /etc/ld.so.cache      r
   /lib            h
   /lib/ld-2.10.1.so      x
   /lib/tls/i686/cmov/libc-2.10.1.so   rx
   /sbin            h
   /sbin/hwclock         x
   /sbin/usplash         x
   /usr            h
   /usr/bin/tput         x
   /var            h
   /var/run         
   /var/run/sendsigs.omit      a
   /dev            
   /dev/tty8         w
   /dev/grsec         h
   /dev/mem         h
   /dev/kmem         h
   /dev/port         h
   /dev/log         h
   /proc            
   /proc/kcore         h
   /proc/sys         h
   /proc/bus         h
   /proc/slabinfo         h
   /proc/modules         h
   -CAP_ALL
   bind   disabled
   connect   disabled
}

subject /bin/rm o {
   /            h
   /bin            h
   /bin/rm            x
   /etc            h
   /etc/ld.so.cache      r
   /lib            h
   /lib/ld-2.10.1.so      x
   /lib/tls/i686/cmov/libc-2.10.1.so   rx
   /var            h
   /var/run/console      
   /var/run/console/root      wd
   -CAP_ALL
   bind   disabled
   connect   disabled
}

subject /bin/sed o {
   /            h
   /bin            h
   /bin/sed         x
   /etc            h
   /etc/ld.so.cache      r
   /lib            rx
   /lib/modules         h
   /proc            h
   /proc/filesystems      r
   /var            h
   /var/run/console      
   /var/run/console/root      rwcd
   /var/run/console/sedA7fRKV   rwcd
   /selinux         
   -CAP_ALL
   bind   disabled
   connect   disabled
}

subject /bin/umount o {
   /            h
   /bin            h
   /bin/umount         x
   /lib            rx
   /lib/modules         h
   /usr            h
   /usr/lib         r
   /etc            
   /etc/ld.so.cache      r
   /etc/locale.alias      r
   /etc/mtab         rwcd
   /etc/mtab.tmp         rwcd
   /etc/mtab~         wcdl
   /etc/mtab~4752         wcd
   /etc/grsec         h
   /etc/ssh         h
   /etc/passwd         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/ppp/chap-secrets      h
   /etc/ppp/pap-secrets      h
   /etc/samba/smbpasswd      h
   /root            
   -CAP_ALL
   +CAP_SYS_ADMIN
   bind   disabled
   connect   disabled
}

subject /etc/init.d o {
   /            
   /bin            rxi
   /etc            rxi
   /etc/grsec         h
   /etc/ssh         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/ppp/chap-secrets      h
   /etc/ppp/pap-secrets      h
   /etc/samba/smbpasswd      h
   /lib            rxi
   /lib/modules         h
   /root            h
   /root/.local         
   /sbin            xi
   /var            h
   /var/lib/alsa         
   /var/lib/alsa/asound.state   rw
   /var/run         
   /var/run/kerneloops.pid      rwd
   /dev            
   /dev/.initramfs         
   /dev/.initramfs/usplash_fifo   w
   /dev/null         w
   /dev/snd/controlC0      rw
   /dev/tty8         rw
   /dev/grsec         h
   /dev/mem         h
   /dev/kmem         h
   /dev/port         h
   /dev/log         h
   /proc            r
   /proc/kcore         h
   /proc/sys         h
   /proc/bus         h
   /proc/slabinfo         h
   /proc/modules         h
   /usr            
   /usr/lib         rxi
   /usr/local         h
   /usr/local/lib/python2.6/dist-packages   
   /usr/sbin         h
   /usr/sbin/kerneloops      
   /usr/sbin/laptop_mode      
   /usr/bin         xi
   /usr/share         r
   /usr/src         h
   /sys            h
   /boot            h
   -CAP_ALL
   +CAP_DAC_OVERRIDE
   +CAP_SYS_TTY_CONFIG
   bind   disabled
   connect   disabled
}

subject /sbin/hwclock o {
   /            h
   /dev            h
   /dev/rtc0         r
   /etc            h
   /etc/ld.so.cache      r
   /etc/localtime         r
   /lib            h
   /lib/ld-2.10.1.so      x
   /lib/tls/i686/cmov/libc-2.10.1.so   rx
   /sbin            h
   /sbin/hwclock         x
   -CAP_ALL
   +CAP_SYS_TIME
   bind   disabled
   connect   disabled
}

subject /sbin/init o {
   /            
   /bin            h
   /bin/dash         x
   /dev            h
   /dev/console         w
   /dev/log         rw
   /dev/null         rw
   /proc            
   /proc/kcore         h
   /proc/sys         h
   /proc/bus         h
   /proc/slabinfo         h
   /proc/modules         h
   /etc/grsec         h
   /etc/ssh         h
   /etc/passwd         h
   /etc/shadow         h
   /var/backups         h
   /etc/shadow-         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /var/log         h
   /sys            h
   /etc/ppp/chap-secrets      h
   /etc/ppp/pap-secrets      h
   /etc/samba/smbpasswd      h
   /boot            h
   /lib/modules         h
   /usr/src         h
   -CAP_ALL
   +CAP_KILL
   +CAP_SYS_TTY_CONFIG
   bind   disabled
   connect   disabled
}

subject /sbin/reboot o {
user_transition_allow root

   /            h
   /etc            h
   /etc/ld.so.cache      r
   /etc/locale.alias      r
   /lib            rx
   /lib/modules         h
   /sbin            h
   /sbin/reboot         x
   /sbin/shutdown         x
   /usr            h
   /usr/lib         r
   /usr/share         h
   /usr/share/locale      
   /usr/share/locale-langpack   
   /var            h
   /var/run/utmp         r
   -CAP_ALL
   +CAP_SETUID
   bind   disabled
   connect   disabled
}

subject /sbin/shutdown o {
user_transition_allow root

   /            
   /dev            h
   /dev/pts         w
   /dev/tty7         w
   /lib            rx
   /lib/tls         h
   /lib/tls/i686/cmov/libc-2.10.1.so   rx
   /lib/tls/i686/cmov/libpthread-2.10.1.so   rx
   /lib/tls/i686/cmov/librt-2.10.1.so   rx
   /lib/modules         h
   /sbin            h
   /sbin/shutdown         x
   /usr            h
   /usr/lib         r
   /usr/share         h
   /usr/share/locale      
   /usr/share/locale-langpack   
   /var            h
   /var/log/wtmp         w
   /var/run         
   /var/run/utmp         rw
   /etc            
   /etc/ld.so.cache      r
   /etc/locale.alias      r
   /etc/localtime         r
   /etc/grsec         h
   /etc/ssh         h
   /etc/passwd         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/ppp/chap-secrets      h
   /etc/ppp/pap-secrets      h
   /etc/samba/smbpasswd      h
   /proc            
   /proc/kcore         h
   /proc/sys         h
   /proc/bus         h
   /proc/slabinfo         h
   /proc/modules         h
   /sys            h
   /boot            h
   -CAP_ALL
   +CAP_SETUID
   +CAP_SYS_TTY_CONFIG
   bind   disabled
   connect   disabled
}

subject /sbin/usplash o {
   /            h
   /dev            h
   /dev/.initramfs         
   /dev/.initramfs/usplash_fifo   rw
   /dev/console         rw
   /dev/fb0         rw
   /dev/tty0         rw
   /dev/tty1         rw
   /dev/tty8         rw
   /etc            h
   /etc/ld.so.cache      r
   /lib            rx
   /lib/tls         h
   /lib/tls/i686/cmov/libc-2.10.1.so   rx
   /lib/tls/i686/cmov/libdl-2.10.1.so   rx
   /lib/modules         h
   /proc            h
   /proc/cmdline         r
   /sbin            h
   /sbin/usplash         x
   /sys            h
   /sys/devices/pci0000:00/0000:00:02.0   
   /sys/devices/pci0000:00/0000:00:02.0/graphics/fb0/virtual_size   r
   /usr            h
   /usr/lib/usplash/usplash-theme-ubuntu.so   rx
   /var            h
   /var/run         
   /var/run/usplash.pid      wc
   -CAP_ALL
   +CAP_SYS_TTY_CONFIG
   bind   disabled
   connect   disabled
}

subject /usr/bin/Xorg o {
   /            h
   /dev/tty0         w
   /dev/tty7         w
   /tmp            wd
   /var/run/gdm/auth-for-gdm-8zWy3u/database   
   -CAP_ALL
   +CAP_CHOWN
   +CAP_SYS_ADMIN
   bind   disabled
   connect   disabled
}

subject /usr/bin/gedit o {
   /            
   /etc            h
   /etc/ld.so.cache      r
   /etc/locale.alias      r
   /etc/nsswitch.conf      r
   /etc/passwd         r
   /lib            rx
   /lib/modules         h
   /proc            h
   /proc/filesystems      r
   /var            h
   /var/run         
   /var/run/gdm/auth-for-root-9gNbjw/database   r
   /home            
   /home/karthik         
   /home/karthik/tutorial      
   /home/karthik/tutorial/applicationspecificsettings6   rw
   /home/karthik/tutorial/gradm   r
   /root            rwcd
   /root/.local         h
   /root/.local/share      
   /root/.config         
   /root/.themes         
   /tmp            rw
   /usr            
   /usr/bin         h
   /usr/bin/gedit         x
   /usr/lib         rx
   /usr/local         h
   /usr/local/share      
   /usr/local/share/icons      
   /usr/share         r
   /usr/src         h
   /dev/grsec         h
   /dev/mem         h
   /dev/kmem         h
   /dev/port         h
   /dev/log         h
   /sys            h
   /boot            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}

subject /usr/bin/nautilus o {
   /            h
   /dev            h
   /dev/null         r
   /etc            h
   /etc/gnome/defaults.list   
   /etc/localtime         
   /home            h
   /home/karthik/tutorial/applicationspecificsettings6   
   /usr            h
   /usr/bin         h
   /usr/bin/gedit         x
   /usr/local         h
   /usr/local/share      
   /usr/local/share/applications   
   /usr/local/share/icons      
   /usr/share         r
   /proc            
   /proc/kcore         h
   /proc/sys         h
   /proc/bus         h
   /proc/slabinfo         h
   /proc/modules         h
   /root            rwcd
   -CAP_ALL
   bind   disabled
   connect   disabled
}

subject /usr/bin/seahorse-daemon o {
   /            h
   /dev/log         rw
   /tmp            rwd
   /usr/share/locale      
   /usr/share/locale-langpack   
   -CAP_ALL
   bind   disabled
   connect   disabled
}

subject /usr/bin/vim.tiny o {
   /            h
   /boot            h
   /boot/grub         
   /boot/grub/.grub.cfg.swp   rwcd
   /boot/grub/.grub.cfg.swx   rwcd
   /boot/grub/grub.cfg      rw
   /boot/grub/grub.cfz~      wcd
   /etc            rwcd
   /etc/ssh         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/ppp/chap-secrets      h
   /etc/ppp/pap-secrets      h
   /etc/samba/smbpasswd      h
   /lib            rx
   /lib/modules         h
   /proc            h
   /proc/filesystems      r
   /usr            h
   /usr/bin/vim.tiny      x
   /usr/lib         r
   /usr/share/vim         
   /var            h
   /var/run         
   /root            r
   /selinux         
   -CAP_ALL
   bind   disabled
   connect   disabled
}

subject /usr/lib/bonobo-activation/bonobo-activation-server o {
   /            
   /dev            h
   /dev/log         rw
   /dev/null         rw
   /dev/urandom         r
   /etc            r
   /etc/bonobo-activation      h
   /etc/bonobo-activation/bonobo-activation-config.xml   r
   /etc/grsec         h
   /etc/ssh         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/ppp/chap-secrets      h
   /etc/ppp/pap-secrets      h
   /etc/samba/smbpasswd      h
   /lib            rx
   /lib/modules         h
   /usr            h
   /usr/lib         rx
   /usr/share         h
   /usr/share/locale      
   /usr/share/locale-langpack   
   /var            h
   /var/run         
   /tmp            rwcd
   /proc/kcore         h
   /proc/sys         h
   /proc/bus         h
   /proc/slabinfo         h
   /proc/modules         h
   /sys            h
   /boot            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}

subject /usr/lib/gdm/gdm-simple-slave o {
   /            h
   /tmp            
   /var/log/wtmp         w
   -CAP_ALL
   bind   disabled
   connect   disabled
}

subject /usr/lib/gvfs/gvfs-fuse-daemon o {
user_transition_allow root

   /            h
   /bin/umount         x
   /etc/ld.so.cache      r
   /etc/mtab         
   /lib/libgcc_s.so.1      rx
   -CAP_ALL
   +CAP_SETUID
   bind   disabled
   connect   disabled
}

subject /usr/lib/libgconf2-4/gconfd-2 o {
   /            h
   /root            
   /root/.gconfd         
   /root/.gconfd/saved_state   rwcd
   /root/.gconfd/saved_state.orig   rwcd
   /root/.gconfd/saved_state.tmp   rwcd
   /tmp            wd
   -CAP_ALL
   bind   disabled
   connect   disabled
}

subject /usr/lib/libvte9/gnome-pty-helper o {
   /            h
   /var/log/wtmp         w
   /var/run/utmp         rw
   -CAP_ALL
   bind   disabled
   connect   disabled
}

subject /usr/sbin/NetworkManager o {
   /            h
   /dev/log         rw
   /var/run         
   /var/run/NetworkManager.pid   wd
   -CAP_ALL
   bind   disabled
   connect   disabled
}

subject /usr/sbin/acpid o {
   /            h
   /dev/console         w
   /dev/log         rw
   -CAP_ALL
   +CAP_SYS_TTY_CONFIG
   bind   disabled
   connect   disabled
}

subject /usr/sbin/console-kit-daemon o {
   /            h
   /dev            h
   /dev/log         rw
   /dev/null         r
   /etc            h
   /etc/ConsoleKit/run-session.d   
   /lib            h
   /lib/udev/udev-acl      x
   /usr            h
   /usr/lib/ConsoleKit/run-session.d   
   /usr/lib/ConsoleKit/run-session.d/pam-foreground-compat.ck   x
   /proc            
   /proc/kcore         h
   /proc/sys         h
   /proc/bus         h
   /proc/slabinfo         h
   /proc/modules         h
   -CAP_ALL
   bind   disabled
   connect   disabled
}

subject /usr/sbin/gdm-binary o {
   /            h
   /var/run         wd
   /var/run/gdm         
   /var/run/gdm/auth-for-gdm-8zWy3u   wd
   /var/run/gdm/auth-for-root-9gNbjw   wd
   -CAP_ALL
   +CAP_FOWNER
   bind   disabled
   connect   disabled
}

subject /usr/sbin/modem-manager o {
   /            h
   /dev/console         w
   /dev/log         rw
   -CAP_ALL
   +CAP_SYS_TTY_CONFIG
   bind   disabled
   connect   disabled
}

Re: Problem enabling RBAC

PostPosted: Wed Jun 01, 2011 10:26 am
by spender
It looks as though you were performing administrative tasks while in the root role. These should only be done within the admin role. I'd advise you to restart the learning, as otherwise an attacker that gains uid 0 will be able to modify items in /boot/grub as is allowed by your current policy. To fix the errors on policy enabling, you need to add:

/lib/modules h
/proc/kallsyms h

below the "subject / {" line for the root role. If you could do me a favor as well, could you grep your learning log file for "/lib/modules" and "/proc/kallsyms" and paste the results here? You can remove any IP addresses that exist.

-Brad
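A small checker for the two holes gradm reported, added for this thread and not part of gradm itself: it parses a policy in the format posted above, looks up the most specific object for /lib/modules and /proc/kallsyms in each role's default "/" subject, and applies the fix suggested here by inserting the two hidden objects below "subject / {". It inspects only the default subject, which is a simplification of gradm's own analysis, and the embedded policy is a constructed excerpt of the one posted.

```python
"""Check a gradm-style RBAC policy for the two holes reported above and apply
the suggested fix.  Added example, not gradm's own code: it inspects only each
role's default "/" subject, a simplification of the analysis gradm performs."""

# Paths gradm refuses to leave readable, with the reason its error messages give.
SENSITIVE_PATHS = {
    "/lib/modules": "kernel module images, useful for ret-to-libc style kernel attacks",
    "/proc/kallsyms": "kernel address-to-symbol map",
}

# Constructed excerpt of the root role posted in the thread (not the full policy).
SAMPLE_POLICY = """\
role root uG
subject / {
   /
   /bin         x
   /etc         r
   /lib         rx
   /proc        r
   /proc/kcore  h
   /usr
   /usr/lib     rx
   -CAP_ALL
   bind   disabled
   connect   disabled
}
"""

SUBJECT_DIRECTIVES = ("-CAP_", "+CAP_", "bind", "connect", "sock_allow_family")


def parse_policy(text):
    """Return {role: {subject_path: {object_path: mode}}}."""
    roles, role, subject = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop "# Role: ..." comments
        if not line:
            continue
        parts = line.split()
        if subject is not None:
            if line == "}":
                subject = None
            elif parts[0].startswith(SUBJECT_DIRECTIVES) or "_transition_allow" in parts[0]:
                continue
            else:  # object line "<path> [mode]"; a missing mode means no access bits
                roles[role][subject][parts[0]] = parts[1] if len(parts) > 1 else ""
        elif parts[0] == "role":
            role = parts[1]
            roles.setdefault(role, {})
        elif parts[0] == "subject":  # "subject <path> [flags] {"
            subject = parts[1]
            roles[role][subject] = {}
    return roles


def effective_mode(objects, path):
    """Mode of the most specific object covering path (RBAC applies the longest
    matching parent path), or None if nothing in the subject covers it."""
    best = None
    for obj in objects:
        if path == obj or path.startswith(obj.rstrip("/") + "/"):
            if best is None or len(obj) > len(best):
                best = obj
    return None if best is None else objects[best]


def find_holes(roles):
    """(role, path) pairs whose default subject leaves a sensitive path readable."""
    holes = []
    for role, subjects in roles.items():
        default = subjects.get("/", {})
        for path in SENSITIVE_PATHS:
            mode = effective_mode(default, path)
            if mode is not None and "r" in mode and "h" not in mode:
                holes.append((role, path))
    return holes


def hide_in_default_subject(text, role, paths):
    """Insert '<path> h' objects directly below the 'subject / {' line of the
    given role (the fix suggested above) and return the rewritten policy text."""
    out, in_role, inserted = [], False, False
    for line in text.splitlines():
        out.append(line)
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] == "role":
            in_role = parts[1] == role
        elif in_role and not inserted and parts[:2] == ["subject", "/"]:
            out.extend(f"   {p}   h" for p in paths)
            inserted = True
    if not inserted:
        raise ValueError(f"role {role!r} has no default subject")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    holes = find_holes(parse_policy(SAMPLE_POLICY))
    for role, path in holes:
        print(f"Reading access is allowed by role {role} to {path}: {SENSITIVE_PATHS[path]}")
    fixed = hide_in_default_subject(SAMPLE_POLICY, "root", [p for _, p in holes])
    print("holes after fix:", find_holes(parse_policy(fixed)))
```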

Re: Problem enabling RBAC

PostPosted: Tue Jun 07, 2011 8:15 pm
by spender
As a followup, the version of gradm uploaded today includes a new directive, "read-protected-path", for learn_config. This directive tells the learning process to create subjects for processes that access certain sensitive information. I've filled up learn_config with a good set of default values for this that you should adopt into your own config. Using it will ensure you won't get similar error messages as you received previously. Thanks for reporting this!

-Brad

Re: Problem enabling RBAC

PostPosted: Thu Aug 21, 2014 6:40 am
by Stephane
Hi Spender & all,

I'm experiencing the same issue here enabling RBAC.

"Reading access is allowed by role root to /lib/modules, the directory which holds kernel kernel modules. The ability to read these images provides an attacker with very useful information for launching "ret-to-libc" style attacks against the kernel.

Reading access is allowed by role user1 to /lib/modules, the directory which holds kernel kernel modules. The ability to read these images provides an attacker with very useful information for launching "ret-to-libc" style attacks against the kernel."

I actually start the learning mode while booting my virtual machine with "exec gradm -F -L /etc/grsec/gradm.initial.learning.log" (in an upstart script).
When done, I log in with my user1 account via ssh, then run "sudo su", "gradm -a admin" and "gradm -D" to stop the learning mode.

cat policy | grep module
/proc/modules h
/lib/modules hs
/lib64/modules hs
/proc/modules h
/proc/modules h
/proc/modules h
/proc/modules h
/proc/modules h
/proc/modules h
/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache r
/proc/modules h
/proc/modules h
/proc/modules h
/proc/modules h
/proc/modules h
/proc/modules h
/proc/modules h

cat policy | grep "/proc/kallsyms"
/proc/kallsyms h
/proc/kallsyms h
/proc/kallsyms h
/proc/kallsyms h
/proc/kallsyms h
/proc/kallsyms h
/proc/kallsyms h
/proc/kallsyms h
/proc/kallsyms h
/proc/kallsyms h
/proc/kallsyms h
/proc/kallsyms h
/proc/kallsyms h
/proc/kallsyms h
/proc/kallsyms h
/proc/kallsyms h

Re: Problem enabling RBAC

PostPosted: Thu Aug 21, 2014 7:38 am
by spender
Hi Stephane,

Is your learn_config file updated to the latest from gradm? When installing new versions it doesn't overwrite your existing file.

-Brad

Re: Problem enabling RBAC

PostPosted: Thu Aug 21, 2014 7:42 am
by Stephane
I added:
lib/modules h
in the subject of the root role, and the policy seems to be accepted now, but my user1 cannot connect with ssh:

grsec: From ip: (user1:U:/) use of CAP_SETUID denied for /usr/sbin/sshd[sshd:1336] uid/euid:1000/0 gid/egid:1000/0, parent /usr/sbin/sshd[sshd:848] uid/euid:0/0 gid/egid:0/0
[ 488.384529] grsec: From ip: (user1:U:/) use of CAP_SETUID denied for /usr/sbin/sshd[sshd:1336] uid/euid:0/0 gid/egid:1000/0, parent /usr/sbin/sshd[sshd:848] uid/euid:0/0 gid/egid:0/0
[ 488.386445] grsec: From ip: (user1:U:/) denied access to hidden file /run/utmp by /usr/sbin/sshd[sshd:1336] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:848] uid/euid:0/0 gid/egid:0/0
[ 488.388292] grsec: From ip: (user1:U:/) denied access to hidden file /run/utmp by /usr/sbin/sshd[sshd:1336] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:848] uid/euid:0/0 gid/egid:0/0
[ 488.390007] grsec: From ip: (user1:U:/) denied access to hidden file /dev/log by /usr/sbin/sshd[sshd:1336] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:848] uid/euid:0/0 gid/egid:0/0

And I also have several problems with ntp and snmp:

(root:U:/sbin/gradm) grsecurity 3.0 RBAC system loaded by /sbin/gradm[gradm:1328] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1226] uid/euid:0/0 gid/egid:0/0
[ 432.950370] grsec: (snmp:U:/) denied access to hidden file /proc/945/net/dev by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 433.751269] grsec: (snmp:U:/) denied access to hidden file /proc/diskstats by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 433.751422] grsec: (snmp:U:/) denied access to hidden file /proc/partitions by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 433.751608] grsec: (snmp:U:/) denied access to hidden file /proc/stat by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 435.952697] grsec: (snmp:U:/) denied access to hidden file /proc/945/net/dev by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 438.754178] grsec: (snmp:U:/) denied access to hidden file /proc/diskstats by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 438.756505] grsec: more alerts, logging disabled for 10 seconds
[ 450.962892] grsec: (snmp:U:/) denied access to hidden file /proc/945/net/dev by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 453.696063] grsec: (snmp:U:/) denied socket(inet,dgram,ip) by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 453.698437] grsec: (snmp:U:/) denied access to hidden file /proc/945/net/if_inet6 by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 453.755344] grsec: (snmp:U:/) denied access to hidden file /proc/diskstats by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 453.757498] grsec: (snmp:U:/) denied access to hidden file /proc/partitions by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 453.759337] grsec: (snmp:U:/) denied access to hidden file /proc/stat by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 453.963170] grsec: (snmp:U:/) denied access to hidden file /proc/945/net/dev by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 456.966310] grsec: more alerts, logging disabled for 10 seconds
[ 468.760336] grsec: (snmp:U:/) denied access to hidden file /proc/diskstats by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 468.762706] grsec: (snmp:U:/) denied access to hidden file /proc/partitions by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 468.764858] grsec: (snmp:U:/) denied access to hidden file /proc/stat by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 468.973328] grsec: (snmp:U:/) denied access to hidden file /proc/945/net/dev by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 471.976468] grsec: (snmp:U:/) denied access to hidden file /proc/945/net/dev by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 473.760486] grsec: (snmp:U:/) denied access to hidden file /proc/diskstats by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 473.762768] grsec: (snmp:U:/) denied access to hidden file /proc/partitions by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 473.764966] grsec: more alerts, logging disabled for 10 seconds
[ 485.086182] grsec: (ntp:U:/) denied connect() to 192.24.0.95 port 123 sock type dgram protocol udp by /usr/sbin/ntpd[ntpd:1296] uid/euid:103/103 gid/egid:109/109, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 486.986648] grsec: (snmp:U:/) denied access to hidden file /proc/945/net/dev by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
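A triage script for denial lines like the ones above, added for this thread and not a grsecurity tool: it parses the "(role:type:subject)" context, the event and the process out of each kernel log line and groups the denials by role, subject and binary, so that a process that fell through to a role's default "/" subject stands out. The sample lines are taken from the posts above, where the source address had already been replaced by "ip".

```python
"""Triage grsecurity RBAC denial lines by (role, subject, binary).  Added example
for this thread, not a grsecurity tool.  The sample lines are taken from the
posts above, where Stephane had already replaced the source address with "ip"."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
(root:U:/sbin/gradm) grsecurity 3.0 RBAC system loaded by /sbin/gradm[gradm:1328] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1226] uid/euid:0/0 gid/egid:0/0
[ 488.384529] grsec: From ip: (user1:U:/) use of CAP_SETUID denied for /usr/sbin/sshd[sshd:1336] uid/euid:0/0 gid/egid:1000/0, parent /usr/sbin/sshd[sshd:848] uid/euid:0/0 gid/egid:0/0
[ 488.386445] grsec: From ip: (user1:U:/) denied access to hidden file /run/utmp by /usr/sbin/sshd[sshd:1336] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:848] uid/euid:0/0 gid/egid:0/0
[ 488.390007] grsec: From ip: (user1:U:/) denied access to hidden file /dev/log by /usr/sbin/sshd[sshd:1336] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:848] uid/euid:0/0 gid/egid:0/0
[ 433.751269] grsec: (snmp:U:/) denied access to hidden file /proc/diskstats by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 438.756505] grsec: more alerts, logging disabled for 10 seconds
[ 453.696063] grsec: (snmp:U:/) denied socket(inet,dgram,ip) by /usr/sbin/snmpd[snmpd:945] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 485.086182] grsec: (ntp:U:/) denied connect() to 192.24.0.95 port 123 sock type dgram protocol udp by /usr/sbin/ntpd[ntpd:1296] uid/euid:103/103 gid/egid:109/109, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
"""

# "(role:T:subject)" is the RBAC context the process ran under: T is the role type
# (U = user role) and subject "/" means the role's default subject applied, i.e.
# the role has no subject of its own for that binary.
LINE_RE = re.compile(
    r"grsec: (?:From (?P<ip>\S+): )?"
    r"\((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"(?P<event>.+?) (?:by|for) (?P<binary>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+)"
)


def classify(event):
    """Map the free-text part of a denial to (kind, detail)."""
    m = re.match(r"use of (CAP_\w+) denied", event)
    if m:
        return "capability", m.group(1)
    m = re.match(r"denied access to hidden file (\S+)", event)
    if m:
        return "hidden_file", m.group(1)
    m = re.match(r"denied (socket\([^)]*\))", event)
    if m:
        return "socket", m.group(1)
    m = re.match(r"denied (connect|bind)\(\) to (\S+) port (\d+) sock type \w+ protocol (\w+)", event)
    if m:
        return m.group(1), f"{m.group(2)}:{m.group(3)}/{m.group(4)}"
    return "other", event


def triage(lines):
    """Group denials as {(role, subject, binary): {kind: sorted details}}.
    Returns (summary, skipped); skipped counts lines that are not denials, such
    as the "more alerts, logging disabled" rate-limit notice."""
    grouped = defaultdict(lambda: defaultdict(set))
    skipped = 0
    for line in lines:
        m = LINE_RE.search(line)
        if not m or "denied" not in m.group("event"):
            skipped += 1
            continue
        kind, detail = classify(m.group("event"))
        grouped[(m.group("role"), m.group("subject"), m.group("binary"))][kind].add(detail)
    summary = {key: {k: sorted(v) for k, v in kinds.items()} for key, kinds in grouped.items()}
    return summary, skipped


def format_report(summary):
    """One block per (role, subject, binary), so a process that fell through to a
    role's default subject (subject "/") is visible at a glance."""
    out = []
    for (role, subject, binary), kinds in sorted(summary.items()):
        out.append(f"role {role}, subject {subject}, process {binary}")
        for kind, details in sorted(kinds.items()):
            out.append(f"  {kind}: {', '.join(details)}")
    return "\n".join(out)


if __name__ == "__main__":
    summary, skipped = triage(SAMPLE_LOG.splitlines())
    print(format_report(summary))
    print(f"({skipped} non-denial lines skipped)")
```

On these lines the sshd denials group under role user1 with subject "/", not under the /usr/sbin/sshd subject posted for role root further down, which is the gap the follow-up about learning coverage is about.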

Re: Problem enabling RBAC

PostPosted: Thu Aug 21, 2014 7:44 am
by Stephane
Hi Brad,

Cool, thanks for your reply...
My gradm is the latest one I guess, downloaded yesterday from your website, and no previous install was made before on this VM. I may post it here if you want...
dont-learn-allowed-ips is just uncommented.
kernel version: 3.14.17
gradm version: gradm-3.0-201407222118.tar.gz

Re: Problem enabling RBAC

PostPosted: Thu Aug 21, 2014 8:05 am
by spender
Did you run learning long enough to exercise that functionality? Do you see accesses to those files at all in the learning logs?

-Brad

Re: Problem enabling RBAC

PostPosted: Thu Aug 21, 2014 8:07 am
by Stephane
# Role: root
subject /usr/sbin/sshd o {
group_transition_allow nogroup user1 root

/
/bin h
/bin/bash
/bin/dash x
/boot h
/dev h
/dev/log rw
/dev/null rw
/dev/ptmx rw
/dev/pts rw
/dev/urandom r
/etc r
/etc/grsec h
/etc/gshadow h
/etc/gshadow- h
/etc/ppp h
/etc/samba/smbpasswd h
/etc/shadow- h
/home
/home/user1
/home/user1/.ssh
/home/user1/.ssh/authorized_keys r
/lib rx
/lib/modules h
/lib64/modules h
/proc rw
/proc/bus h
/proc/filesystems r
/proc/kallsyms h
/proc/kcore h
/proc/modules h
/proc/slabinfo h
/proc/sys/kernel/ngroups_max r
/run rwcd
/run/dbus h
/run/dbus/system_bus_socket rw
/run/user h
/run/user/1000
/sys h
/usr h
/usr/lib rx
/usr/sbin/sshd x
/var h
/var/log
/var/log/lastlog rw
/var/log/wtmp w
-CAP_ALL
+CAP_CHOWN
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE
+CAP_SYS_CHROOT
+CAP_SYS_RESOURCE
+CAP_AUDIT_WRITE
+CAP_MAC_OVERRIDE
bind 0.0.0.0/32:22 stream tcp
connect disabled
sock_allow_family netlink
}

role sshd u
# Role: sshd
subject / {
/ h
-CAP_ALL
bind disabled
connect disabled
}

Re: Problem enabling RBAC

PostPosted: Thu Aug 21, 2014 8:11 am
by Stephane
Ok, that's the point I guess, I was probably too fast, yes.
I'll try again, waiting a bit, and I'll also try to log in with ssh several times with my user1 to be sure...
I'll keep you posted as soon as it's done.
Thanks

Re: Problem enabling RBAC

PostPosted: Thu Aug 21, 2014 8:38 am
by Stephane
Ok so I converted my fresh log into policies:

gradm -F -L gradm.initial.learning.log -O policy
Beginning full learning 1st pass...done.
Beginning full learning role reduction...done.
Beginning full learning 2nd pass...done.
Beginning full learning subject reduction for user messagebus...done.
Beginning full learning subject reduction for user user1...done.
Beginning full learning subject reduction for user root...done.
Beginning full learning subject reduction for user ntp...done.
Beginning full learning subject reduction for user sshd...done.
Beginning full learning subject reduction for user www-data...done.
Beginning full learning subject reduction for user snmp...done.
Beginning full learning subject reduction for user daemon...done.
Beginning full learning subject reduction for user syslog...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /usr/bin/sudo...done.
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /bin/bash...done.
Beginning full learning object reduction for subject /bin/chgrp...done.
Beginning full learning object reduction for subject /bin/chmod...done.
Beginning full learning object reduction for subject /bin/chown...done.
Beginning full learning object reduction for subject /bin/dash...done.
Beginning full learning object reduction for subject /bin/dmesg...done.
Beginning full learning object reduction for subject /bin/gzip...done.
Beginning full learning object reduction for subject /bin/mkdir...done.
Beginning full learning object reduction for subject /bin/mv...done.
Beginning full learning object reduction for subject /bin/plymouth...done.
Beginning full learning object reduction for subject /bin/rm...done.
Beginning full learning object reduction for subject /bin/su...done.
Beginning full learning object reduction for subject /bin/touch...done.
Beginning full learning object reduction for subject /etc/init.d...done.
Beginning full learning object reduction for subject /lib/systemd/systemd-logind...done.
Beginning full learning object reduction for subject /sbin/getty...done.
Beginning full learning object reduction for subject /sbin/init...done.
Beginning full learning object reduction for subject /sbin/initctl...done.
Beginning full learning object reduction for subject /sbin/plymouthd...done.
Beginning full learning object reduction for subject /sbin/setvtrgb...done.
Beginning full learning object reduction for subject /sbin/upstart-socket-bridge...done.
Beginning full learning object reduction for subject /usr/bin/lockfile-create...done.
Beginning full learning object reduction for subject /usr/bin/lockfile-remove...done.
Beginning full learning object reduction for subject /usr/bin/lockfile-touch...done.
Beginning full learning object reduction for subject /usr/bin/savelog...done.
Beginning full learning object reduction for subject /usr/bin/sudo...done.
Beginning full learning object reduction for subject /usr/sbin/acpid...done.
Beginning full learning object reduction for subject /usr/sbin/atd...done.
Beginning full learning object reduction for subject /usr/sbin/cron...done.
Beginning full learning object reduction for subject /usr/sbin/irqbalance...done.
Beginning full learning object reduction for subject /usr/sbin/ntpdate...done.
Beginning full learning object reduction for subject /usr/sbin/sshd...done.
Beginning full learning object reduction for subject /etc/init.d...done.
Beginning full learning object reduction for subject /etc/init.d...done.
Beginning full learning object reduction for subject /etc/init.d...done.
Beginning full learning object reduction for subject /usr/sbin/atd...done.
Beginning full learning object reduction for subject /usr/sbin/rsyslogd...done.
Full learning complete.

Duplicate subject found for "/usr/bin/lockfile-remove" in role root, on line 857 of /etc/grsec/policy.
"/usr/bin/lockfile-remove" references the same object as "/usr/bin/lockfile-create" specified on an earlier line.
Fixed by merging the 3 following subjects:

# Role: root
subject /usr/bin/lockfile-create o {
/ h
/run/lock/.lk008672ubuntu-1404-15G-apache wcdl
/run/lock/ntpdate-ifup.lock r
-CAP_ALL
bind disabled
connect disabled
}

# Role: root
subject /usr/bin/lockfile-remove o {
/ h
/etc h
/etc/ld.so.cache r
/lib h
/lib/x86_64-linux-gnu/ld-2.19.so x
/lib/x86_64-linux-gnu/libc-2.19.so rx
/run h
/run/lock
/run/lock/ntpdate-ifup.lock wd
/usr h
/usr/bin/lockfile-remove x
/usr/lib/x86_64-linux-gnu/liblockfile.so.1.0 rx
-CAP_ALL
bind disabled
connect disabled
}

# Role: root
subject /usr/bin/lockfile-touch o {
/ h
/etc h
/etc/ld.so.cache r
/lib h
/lib/x86_64-linux-gnu/ld-2.19.so x
/lib/x86_64-linux-gnu/libc-2.19.so rx
/run h
/run/lock/ntpdate-ifup.lock w
/usr h
/usr/bin/lockfile-touch x
/usr/lib/x86_64-linux-gnu/liblockfile.so.1.0 rx
-CAP_ALL
bind disabled
connect disabled
}



by :

# Role: root
subject /usr/bin/lockfile-create o {
/ h
/run/lock/.lk008672ubuntu-1404-15G-apache wcdl
/run/lock/ntpdate-ifup.lock rwd
/etc h
/etc/ld.so.cache r
/lib h
/lib/x86_64-linux-gnu/ld-2.19.so x
/lib/x86_64-linux-gnu/libc-2.19.so rx
/run h
/run/lock
/usr h
/usr/bin/lockfile-remove x
/usr/lib/x86_64-linux-gnu/liblockfile.so.1.0 rx
/usr/bin/lockfile-touch x
-CAP_ALL
bind disabled
connect disabled
}


Then:
Reading access is allowed by role root to /lib/modules, the directory which holds kernel kernel modules. The ability to read these images provides an attacker with very useful information for launching "ret-to-libc" style attacks against the kernel.

Warning: permission for symlink /usr/lib/x86_64-linux-gnu/libcap-ng.so.0 in role root, subject /usr/sbin/irqbalance does not match that of its matching target object /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0. Symlink is specified on line 1082 of /etc/grsec/policy.

/usr/lib/x86_64-linux-gnu/libcap-ng.so.0 rx -> solved by adding rx here
/usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0 rx


and
/lib/modules h added to the "role root" subject


gradm -E OK, great!

Same problem :(
I promise you I've been logging in with ssh at least 5 times as user1

[ 1029.099956] grsec: From 172.23.4.40: (user1:U:/) use of CAP_SETUID denied for /usr/sbin/sshd[sshd:1780] uid/euid:1000/0 gid/egid:1000/0, parent /usr/sbin/sshd[sshd:913] uid/euid:0/0 gid/egid:0/0
[ 1029.102060] grsec: From 172.23.4.40: (user1:U:/) use of CAP_SETUID denied for /usr/sbin/sshd[sshd:1780] uid/euid:0/0 gid/egid:1000/0, parent /usr/sbin/sshd[sshd:913] uid/euid:0/0 gid/egid:0/0
[ 1029.103998] grsec: From 172.23.4.40: (user1:U:/) denied access to hidden file /run/utmp by /usr/sbin/sshd[sshd:1780] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:913] uid/euid:0/0 gid/egid:0/0
[ 1029.105753] grsec: more alerts, logging disabled for 10 seconds
[ 1042.291427] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/dev by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1042.658499] grsec: From 172.23.4.40: (root:U:/sbin/gradm) successful change to special role admin (id 4) by /sbin/gradm[gradm:1784] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1746] uid/euid:0/0 gid/egid:0/0
[ 1043.818925] grsec: (snmp:U:/) denied access to hidden file /proc/diskstats by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1043.821201] grsec: (snmp:U:/) denied access to hidden file /proc/partitions by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1043.823142] grsec: (snmp:U:/) denied access to hidden file /proc/stat by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1045.292994] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/dev by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1048.296084] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/dev by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1048.819507] grsec: more alerts, logging disabled for 10 seconds
[ 1060.303357] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/dev by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1063.306464] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/dev by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1063.821558] grsec: (snmp:U:/) denied access to hidden file /proc/diskstats by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1063.823817] grsec: (snmp:U:/) denied access to hidden file /proc/partitions by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1063.825863] grsec: (snmp:U:/) denied access to hidden file /proc/stat by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1066.309070] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/dev by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1068.614854] grsec: (ntp:U:/) denied connect() to 192.23.0.195 port 123 sock type dgram protocol udp by /usr/sbin/ntpd[ntpd:1297] uid/euid:103/103 gid/egid:109/109, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1068.824167] grsec: more alerts, logging disabled for 10 seconds
[ 1081.320068] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/dev by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1083.652958] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/snmp by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1083.655150] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/snmp6 by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1083.656967] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/dev_snmp6 by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1083.662843] grsec: (snmp:U:/) denied socket(inet,dgram,ip) by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1083.664760] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/if_inet6 by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1083.825164] grsec: (snmp:U:/) denied access to hidden file /proc/diskstats by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1083.827281] grsec: more alerts, logging disabled for 10 seconds

Re: Problem enabling RBAC

PostPosted: Thu Aug 21, 2014 9:07 am
by Stephane
Moreover, in my log generated by full learning mode I can see many references to ssh and user1:

cat gradm.initial.learning.log | grep user1
default 68      0       0       /usr/sbin/sshd  /       1       1       /home/user1/.ssh/authorized_keys        16      myip
default 68      0       0       /usr/sbin/sshd  /       1       1       /home/user1/.ssh/authorized_keys        17      myip
default 68      0       0       /usr/sbin/sshd  /       1       1       /home/user1     16      myip
default 68      0       0       /usr/sbin/sshd  /       1       1       /home/user1/.ssh        16      myip
default 68      0       0       /usr/sbin/sshd  /       1       1       /home/user1/.cache/motd.legal-displayed 16      myip
default 68      0       0       /usr/sbin/sshd  /       1       1       /home/user1/.cache/motd.legal-displayed 16      myip
default 68      1000    1000    /usr/sbin/sshd  /       1       1       /home/user1     16      myip
default 68      1000    1000    /bin/bash       /       1       1       /home/user1     16      myip
default 68      1000    1000    /bin/bash       /       1       1       /home/user1/.profile    16      myip
default 68      1000    1000    /bin/bash       /       1       1       /home/user1/.profile    17      myip
default 68      1000    1000    /bin/bash       /       1       1       /home/user1/.bashrc     16      myip
default 68      1000    1000    /bin/bash       /       1       1       /home/user1/.bashrc     17      myip
default 68      1000    1000    /bin/bash       /       1       1       /home/user1/.bash_history       16      myip
default 68      1000    1000    /bin/bash       /       1       1       /home/user1/.bash_history       17      myip
default 68      1000    1000    /bin/lesspipe   /       1       1       /home/user1     16      myip
default 68      1000    1000    /usr/bin/sudo   /       1       1       /var/lib/sudo/user1     16      myip
default 68      1000    1000    /usr/bin/sudo   /       1       1       /var/lib/sudo/user1/0   16      myip
default 68      1000    1000    /usr/bin/sudo   /       1       1       /var/lib/sudo/user1/0   17      myip
default 68      1000    1000    /usr/bin/sudo   /       1       1       /var/lib/sudo/user1     16      myip
default 68      1000    1000    /usr/bin/sudo   /       1       1       /var/lib/sudo/user1/0   16      myip
default 68      1000    1000    /usr/bin/sudo   /       1       1       /var/lib/sudo/user1/0   20      myip
default 68      0       0       /bin/bash       /       1       1       /home/user1     16      myip
default 68      0       0       /bin/lesspipe   /       1       1       /home/user1     16      myip
default 68      1000    1000    /bin/bash       /       1       1       /home/user1/.bash_logout        16      myip
default 68      1000    1000    /bin/bash       /       1       1       /home/user1/.bash_logout        17      myip
default 68      0       0       /usr/sbin/sshd  /       1       1       /home/user1/.ssh/authorized_keys        16      myip
default 68      0       0       /usr/sbin/sshd  /       1       1       /home/user1/.ssh/authorized_keys        17      myip
default 68      0       0       /usr/sbin/sshd  /       1       1       /home/user1     16      myip
default 68      0       0       /usr/sbin/sshd  /       1       1       /home/user1/.ssh        16      myip
default 68      0       0       /usr/sbin/sshd  /       1       1       /home/user1/.cache/motd.legal-displayed 16      myip
default 68      0       0       /usr/sbin/sshd  /       1       1       /home/user1/.cache/motd.legal-displayed 16      myip
default 68      1000    1000    /usr/sbin/sshd  /       1       1       /home/user1     16      myip
default 68      1000    1000    /bin/bash       /       1       1       /home/user1/.profile    16      myip
default 68      1000    1000    /bin/bash       /       1       1       /home/user1/.profile    17      myip
default 68      1000    1000    /bin/bash       /       1       1       /home/user1/.bashrc     16      myip
default 68      1000    1000    /bin/bash       /       1       1       /home/user1/.bashrc     17      myip
default 68      1000    1000    /bin/bash       /       1       1       /home/user1/.bash_history       16      myip
default 68      1000    1000    /bin/bash       /       1       1       /home/user1/.bash_history       17      myip
default 68      1000    1000    /bin/lesspipe   /       1       1       /home/user1     16      myip
default 68      1000    1000    /usr/bin/sudo   /       1       1       /var/lib/sudo/user1     16      myip
default 68      1000    1000    /usr/bin/sudo   /       1       1       /var/lib/sudo/user1/0   16      myip
default 68      1000    1000    /usr/bin/sudo   /       1       1       /var/lib/sudo/user1/0   17      myip
default 68      1000    1000    /usr/bin/sudo   /       1       1       /var/lib/sudo/user1/0   20      myip
default 68      0       0       /bin/bash       /       1       1       /home/user1     16      myip
default 68      0       0       /bin/lesspipe   /       1       1       /home/user1     16      myip
default 68      1000    1000    /bin/bash       /       1       1       /home/user1/.bash_logout        16      myip
default 68      1000    1000    /bin/bash       /       1       1       /home/user1/.bash_logout        17      myip
default 68      0       0       /usr/sbin/sshd  /       1       1       /home/user1/.ssh/authorized_keys        16      myip
default 68      0       0       /usr/sbin/sshd  /       1       1       /home/user1/.ssh/authorized_keys        17      myip
default 68      0       0       /usr/sbin/sshd  /       1       1       /home/user1     16      myip
default 68      0       0       /usr/sbin/sshd  /       1       1       /home/user1/.ssh        16      myip

Re: Problem enabling RBAC

PostPosted: Fri Aug 22, 2014 3:41 am
by Stephane
OK, my ssh problem is fixed now. I just added +CAP_SETUID to my user1 role.

I also changed my snmp role like this (hope it's not too permissive, let me know):
role snmp u
# Role: snmp
subject / {
/ h
/proc h
/proc/stat r
/proc/*/net/dev r
/proc/diskstats r
/proc/partitions r
/proc/*/net/* r
-CAP_ALL
bind disabled
connect disabled
}

But I still have these logs in dmesg:

[ 1821.572330] grsec: From myip: (root:U:/sbin/gradm) grsecurity 3.0 RBAC system loaded by /sbin/gradm[gradm:2254] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1990] uid/euid:0/0 gid/egid:0/0
[ 1823.689473] grsec: (snmp:U:/) denied socket(inet,dgram,ip) by /usr/sbin/snmpd[snmpd:965] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1826.692560] grsec: (snmp:U:/) denied socket(inet,dgram,ip) by /usr/sbin/snmpd[snmpd:965] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1828.935657] grsec: From 172.23.4.40: (root:U:/sbin/gradm) successful change to special role admin (id 11) by /sbin/gradm[gradm:2255] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1990] uid/euid:0/0 gid/egid:0/0
[ 1829.693737] grsec: (snmp:U:/) denied socket(inet,dgram,ip) by /usr/sbin/snmpd[snmpd:965] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1832.696847] grsec: (snmp:U:/) denied socket(inet,dgram,ip) by /usr/sbin/snmpd[snmpd:965] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1836.611801] grsec: (snmp:U:/) denied socket(inet,dgram,ip) by /usr/sbin/snmpd[snmpd:965] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1837.797047] grsec: (snmp:U:/) denied socket(inet,dgram,ip) by /usr/sbin/snmpd[snmpd:965] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1839.612840] grsec: (snmp:U:/) denied socket(inet,dgram,ip) by /usr/sbin/snmpd[snmpd:965] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1842.615866] grsec: (snmp:U:/) denied socket(inet,dgram,ip) by /usr/sbin/snmpd[snmpd:965] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1845.618019] grsec: (snmp:U:/) denied socket(inet,dgram,ip) by /usr/sbin/snmpd[snmpd:965] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1846.915011] grsec: (ntp:U:/) denied connect() to 192.23.0.194 port 123 sock type dgram protocol udp by /usr/sbin/ntpd[ntpd:1299] uid/euid:103/103 gid/egid:109/109, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1848.619042] grsec: (snmp:U:/) denied socket(inet,dgram,ip) by /usr/sbin/snmpd[snmpd:965] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

How can I fix these two problems? I actually need snmp to work correctly for monitoring purposes, of course...
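
The denials quoted in this post, and the sshd/snmpd/ntpd ones in the earlier dmesg dump, all follow a handful of fixed shapes, so they can be triaged mechanically instead of by eye. The following is an added example written for this page; it is not gradm code and was not posted by anyone in the thread. It parses the four denial shapes seen here (hidden file, capability, socket(), connect()) out of dmesg text, collapses per-PID /proc paths into the glob form the snmp subject above uses, and prints candidate policy lines grouped by the (role, subject) that matched. The sample input is constructed from the thread's own lines (trimmed, not verbatim). The bind() wording, the `r` mode guessed for hidden-file denials, and the PORT placeholder emitted for a bare socket() denial are assumptions and are flagged as such in the comments.

```python
"""Turn grsecurity RBAC denials (as they appear in dmesg) into candidate policy lines.

Added example for this thread; not part of gradm and not code from any poster.
It understands the denial shapes shown in the thread (hidden file, capability,
socket(), connect()/bind()) and groups the resulting rules by the (role, subject)
that actually matched, which is the subject the fix has to go into.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's dmesg output (trimmed, not verbatim).
SAMPLE_DMESG = """\
[ 1029.099956] grsec: From 172.23.4.40: (user1:U:/) use of CAP_SETUID denied for /usr/sbin/sshd[sshd:1780] uid/euid:1000/0 gid/egid:1000/0, parent /usr/sbin/sshd[sshd:913] uid/euid:0/0 gid/egid:0/0
[ 1029.103998] grsec: From 172.23.4.40: (user1:U:/) denied access to hidden file /run/utmp by /usr/sbin/sshd[sshd:1780] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:913] uid/euid:0/0 gid/egid:0/0
[ 1029.105753] grsec: more alerts, logging disabled for 10 seconds
[ 1042.291427] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/dev by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1043.818925] grsec: (snmp:U:/) denied access to hidden file /proc/diskstats by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1042.658499] grsec: From 172.23.4.40: (root:U:/sbin/gradm) successful change to special role admin (id 4) by /sbin/gradm[gradm:1784] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1746] uid/euid:0/0 gid/egid:0/0
[ 1083.662843] grsec: (snmp:U:/) denied socket(inet,dgram,ip) by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 1068.614854] grsec: (ntp:U:/) denied connect() to 192.23.0.195 port 123 sock type dgram protocol udp by /usr/sbin/ntpd[ntpd:1297] uid/euid:103/103 gid/egid:109/109, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
"""

# "(user1:U:/)" = role name, role type letter, and the subject that matched.
CONTEXT_RE = re.compile(
    r"grsec: (?:From \S+: )?\((?P<role>[^:)]+):(?P<rtype>[A-Za-z]):(?P<subject>[^)]+)\) (?P<msg>.*)$")
PATTERNS = (
    ("object", re.compile(r"^denied access to hidden file (?P<path>\S+) by (?P<binary>\S+?)\[")),
    ("cap",    re.compile(r"^use of (?P<cap>CAP_[A-Z_]+) denied for (?P<binary>\S+?)\[")),
    ("socket", re.compile(r"^denied socket\((?P<family>\w+),(?P<stype>\w+),(?P<proto>\w+)\) by (?P<binary>\S+?)\[")),
    # Assumption: bind() denials share connect()'s wording; only connect() appears in the thread.
    ("net",    re.compile(r"^denied (?P<op>connect|bind)\(\) to (?P<ip>[\d.]+) port (?P<port>\d+) "
                          r"sock type (?P<stype>\w+) protocol (?P<proto>\w+) by (?P<binary>\S+?)\[")),
)
THROTTLE_RE = re.compile(r"grsec: more alerts, logging disabled")
PID_DIR_RE = re.compile(r"^/proc/\d+/")


def parse_denial(line):
    """Return a dict for one denial line, or None for non-denial grsec messages."""
    m = CONTEXT_RE.search(line)
    if not m:
        return None
    for kind, rx in PATTERNS:
        d = rx.match(m["msg"])
        if d:
            info = d.groupdict()
            info.update(kind=kind, role=m["role"], subject=m["subject"])
            return info
    return None


def policy_line(d):
    """Candidate RBAC policy line for one parsed denial (to be reviewed, not pasted blindly)."""
    if d["kind"] == "object":
        # A hidden-file denial does not say which access mode was attempted, so 'r' is a
        # guess to be confirmed by re-testing. Per-PID /proc paths are collapsed into the
        # glob form the thread's snmp subject uses (/proc/*/net/dev).
        return PID_DIR_RE.sub("/proc/*/", d["path"]) + " r"
    if d["kind"] == "cap":
        return "+" + d["cap"]
    # socket() logs protocol "ip" (0); the policy wants the concrete protocol name.
    proto = {"dgram": "udp", "stream": "tcp"}.get(d["stype"], d["proto"]) if d["proto"] == "ip" else d["proto"]
    if d["kind"] == "socket":
        # socket() itself is refused when the subject has no bind/connect rule at all for
        # this family/type/protocol ("bind disabled" + "connect disabled"). The denial
        # carries no address, so PORT is a placeholder for the service's listening port.
        return f"bind 0.0.0.0/0:PORT {d['stype']} {proto}"
    return f"{d['op']} {d['ip']}/32:{d['port']} {d['stype']} {proto}"


def triage(dmesg_text):
    """Group (binary, policy line) pairs by the (role, subject) that produced each denial.

    Also counts "logging disabled" windows: each one means denials you never saw, so a
    single pass over dmesg is not a complete picture of what the subject needs.
    """
    suggestions = defaultdict(set)
    throttled = 0
    for line in dmesg_text.splitlines():
        if THROTTLE_RE.search(line):
            throttled += 1
            continue
        d = parse_denial(line)
        if d:
            suggestions[(d["role"], d["subject"])].add((d["binary"], policy_line(d)))
    return {k: sorted(v) for k, v in suggestions.items()}, throttled


def render(suggestions, throttled):
    """Policy-style text: one comment header per matched subject, rules indented below it."""
    out = []
    for (role, subject), items in sorted(suggestions.items()):
        out.append(f"# role {role}, matched subject {subject}")
        for binary, rule in items:
            out.append(f"    # needed by {binary}")
            out.append(f"    {rule}")
    if throttled:
        out.append(f"# {throttled} 'logging disabled' window(s) seen: more denials were dropped, re-test after applying")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(*triage(SAMPLE_DMESG)))
```

Two things the grouping makes visible. First, `(snmp:U:/)` means the role's default `/` subject matched, so a rule added there applies to everything running as that role; a dedicated `subject /usr/sbin/snmpd` is the tighter place for it, which is what process-based learning produces. Second, every `more alerts, logging disabled for 10 seconds` line is a window in which denials were silently dropped, which is why a policy fixed from one dmesg pass usually needs another round of testing.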

Re: Problem enabling RBAC

PostPosted: Fri Aug 22, 2014 5:13 am
by Stephane
OK, if it may help: all my problems are gone after using "Process and Role-Based Learning" for both role snmp and role ntp and replacing the old subjects with the new ones!
Cool, I realize this mode is really useful!!

Re: Problem enabling RBAC

PostPosted: Fri Aug 22, 2014 7:50 am
by spender
It's still unusual if you said you logged in through SSH multiple times but it didn't pick up the correct accesses. I'll try doing some testing here to see if I can reproduce it. I've seen a few other posts before specifically about being unable to SSH in after full learning, but have never been able to reproduce it myself and I never get the full logs to investigate it.

-Brad