Re: Problem enabling RBAC

Posted: Fri Aug 22, 2014 8:35 am
by Stephane
Well, I'm sure I can reproduce it, do you want me to do so?

By the way, one more question Brad, I'm still having problems with my shutdown role: when running "shutdown -h now" the system goes down but cannot unmount my local filesystems...

How can I fix it?

Re: Problem enabling RBAC

Posted: Fri Aug 22, 2014 8:52 am
by spender
I haven't yet tested the shutdown role with systemd, so I wouldn't be surprised if it doesn't work.

-Brad

Re: Problem enabling RBAC

Posted: Fri Aug 22, 2014 9:03 am
by Stephane
Ok, let me know if you write something to make it work with systemd... I'll be interested for sure!

Concerning this ssh problem, I'll try to post you my full logs later when I make another rbac profile on a new vm with other apps...
Thanks !

Re: Problem enabling RBAC

Posted: Mon Aug 25, 2014 4:21 am
by Stephane
Hi Brad,

Same problem today using full learning mode on a brand new VM and ssh.
Role user1 requires +CAP_SETUID, which is not set by full learning mode, whereas I've logged in at least twice with this user while learning.

I also have another problem with snmp (I've let the full learning mode run for 10 minutes...):
[ 2311.137679] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/dev by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 2313.300161] grsec: (snmp:U:/) denied access to hidden file /proc/diskstats by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 2313.302511] grsec: (snmp:U:/) denied access to hidden file /proc/partitions by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 2313.304621] grsec: (snmp:U:/) denied access to hidden file /proc/stat by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 2314.138438] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/dev by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

And systemd of course, like you said:

grsec: (root:U:/lib/systemd/systemd-logind) denied access to hidden file /etc/localtime by /lib/systemd/systemd-logind[systemd-logind:490] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 2316.345456] grsec: (root:U:/lib/systemd/systemd-logind) use of CAP_MAC_OVERRIDE denied for /lib/systemd/systemd-logind[systemd-logind:490] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

This can be fixed by hand of course.
My logs/policy generated are too big to be posted here, so I may email you if you agree.

Re: Problem enabling RBAC

Posted: Mon Aug 25, 2014 7:15 am
by spender
Hi Stephane,

Yes, please do, thanks!

-Brad

Re: Problem enabling RBAC

Posted: Mon Aug 25, 2014 8:25 am
by spender
Hi Stephane,

One thing I noticed is that the snmpd accesses are being recorded through the /etc/init.d inherit-learn rule in learn_config. I would recommend instead that you start the full learning after all init scripts have run so that you only record the privilege they need during normal operation. The problem is that when you disable the RBAC system and enable it again, it will lose those inherited subjects and be dropped into the normal snmpd subject that has different privilege.

-Brad

Re: Problem enabling RBAC

Posted: Mon Aug 25, 2014 8:41 am
by Stephane
Ok, this makes sense to me, so once it's done, I'll have to place my upstart script running "gradm -E" when everything is already running. This way there is no need to learn booting/shutdown activities (tell me if I'm wrong).
Ok thanks, I'll keep you in touch.
Let's do it.

Re: Problem enabling RBAC

Posted: Mon Aug 25, 2014 8:56 am
by spender
As for the CAP_SETUID, I see the problem there now as well, but I'll have to think about a proper solution. The reason is that I added additional restrictions on the ability to change roles so that they can only be done by processes with CAP_SETUID/CAP_SETGID. sshd is changing real uid to user1, then doing a setresuid to 0. Since that changed the real uid to 0, that would involve a role change to root, requiring my additional CAP_SETUID check. However, since we're in full learning mode, there are no role changes, so it won't log the need for CAP_SETUID in the context of the user1 role. Anyway, as I mentioned, let me give this one some thought.

-Brad

Re: Problem enabling RBAC

Posted: Mon Aug 25, 2014 9:44 am
by Stephane
Ok, so I started my full learning after all my init.d scripts had run. No problem except that CAP_SETUID.
My VM (ubuntu 14.04) is running a mysql server, but no role/subject was created in the resulting policy (it was running during the learning process).
I'd like my RBAC to be active by default on boot, so:
I've figured out I cannot use upstart to order my init scripts (bug with .legacy-bootordering), so I've just put a gradm -E in rc.local, which is supposed to start in the last position, but my mysql-server does not start (no logs about it in dmesg). I just have these logs:

[ 3.897378] grsec: (root:U:/sbin/gradm) grsecurity 3.0 RBAC system loaded by /sbin/gradm[gradm:1070] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.local[rc.local:1068] uid/euid:0/0 gid/egid:0/0
[ 3.899890] grsec: (root:U:/) denied create of /tmp/end for writing by /bin/touch[touch:1071] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.local[rc.local:1068] uid/euid:0/0 gid/egid:0/0
[ 3.902251] grsec: (root:U:/) denied open of /run/utmp for reading by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
[ 3.903359] grsec: (root:U:/) denied open of /run/utmp for reading by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
[ 3.910420] grsec: (root:U:/) denied open of /dev/ptmx for reading writing by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
[ 3.911751] grsec: (root:U:/) denied open of /dev/kmsg for writing by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
[ 3.913322] grsec: more alerts, logging disabled for 10 seconds
[ 18.193438] grsec: (root:U:/) denied open of /run/lock/ntpdate-ifup.lock for reading by /usr/bin/lockfile-create[lockfile-create:862] uid/euid:0/0 gid/egid:0/0, parent /etc/network/if-up.d/ntpdate[ntpdate:861] uid/euid:0/0 gid/egid:0/0
[ 20.840507] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /sbin/plymouthd[plymouthd:210] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 20.853523] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /sbin/plymouthd[plymouthd:210] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 20.855600] grsec: (root:U:/) use of CAP_SYSLOG denied for /sbin/plymouthd[plymouthd:210] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 20.857425] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /sbin/plymouthd[plymouthd:210] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 20.859144] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /sbin/plymouthd[plymouthd:210] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 20.860909] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /sbin/plymouthd[plymouthd:210] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 20.862676] grsec: more alerts, logging disabled for 10 seconds
[ 21.960013] random: nonblocking pool is initialized
[ 32.632634] grsec: From 192.23.4.40: (user1:U:/usr/bin/sudo) denied create of /var/lib/sudo/user1/3 for writing by /usr/bin/sudo[sudo:1134] uid/euid:1000/0 gid/egid:1000/1000, parent /bin/bash[bash:1120] uid/euid:1000/1000 gid/egid:1000/1000
[ 33.195508] grsec: (root:U:/) denied open of /run/lock/ntpdate-ifup.lock for reading by /usr/bin/lockfile-create[lockfile-create:862] uid/euid:0/0 gid/egid:0/0, parent /etc/network/if-up.d/ntpdate[ntpdate:861] uid/euid:0/0 gid/egid:0/0
[ 40.448089] grsec: From 192.23.4.40: (root:U:/sbin/gradm) successful change to special role admin (id 1) by /sbin/gradm[gradm:1146] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1136] uid/euid:0/0 gid/egid:0/0
[ 43.033974] grsec: (root:U:/) denied access to hidden file /sys/devices/system/node by /usr/sbin/irqbalance[irqbalance:958] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 43.035552] grsec: (root:U:/) denied access to hidden file /sys/devices/system/cpu by /usr/sbin/irqbalance[irqbalance:958] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 43.037067] grsec: (root:U:/) denied access to hidden file /sys/bus/pci/devices by /usr/sbin/irqbalance[irqbalance:958] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 53.197235] grsec: (root:U:/) denied open of /run/lock/ntpdate-ifup.lock for reading by /usr/bin/lockfile-create[lockfile-create:862] uid/euid:0/0 gid/egid:0/0, parent /etc/network/if-up.d/ntpdate[ntpdate:861] uid/euid:0/0 gid/egid:0/0
[ 63.034005] grsec: (root:U:/) denied access to hidden file /sys/devices/system/node by /usr/sbin/irqbalance[irqbalance:958] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 63.035944] grsec: (root:U:/) denied access to hidden file /sys/devices/system/cpu by /usr/sbin/irqbalance[irqbalance:958] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 63.038536] grsec: (root:U:/) denied access to hidden file /sys/bus/pci/devices by /usr/sbin/irqbalance[irqbalance:958] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0


Did I miss something? Do I need to wait more before starting rbac?
Thx
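A small triage helper for the grsec denial lines quoted in this post and in the earlier snmp/systemd post, added here as an example and not part of the thread or of gradm itself: it groups denials by (role, subject) into the distinct objects and capabilities each subject was refused, which is the review you do before fixing the policy by hand. The sample lines are copied from this thread; the mapping from the log wording onto gradm-style mode letters (r, w, c, h) is my own assumption about how to read them.

```python
import re
from collections import defaultdict

# Constructed sample: denial lines copied from the dmesg output quoted in the thread,
# plus one unrelated kernel line the parser must skip.
SAMPLE_LOG = """\
[ 3.899890] grsec: (root:U:/) denied create of /tmp/end for writing by /bin/touch[touch:1071] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.local[rc.local:1068] uid/euid:0/0 gid/egid:0/0
[ 3.910420] grsec: (root:U:/) denied open of /dev/ptmx for reading writing by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0
[ 20.840507] grsec: (root:U:/) use of CAP_SYS_TTY_CONFIG denied for /sbin/plymouthd[plymouthd:210] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 43.033974] grsec: (root:U:/) denied access to hidden file /sys/devices/system/node by /usr/sbin/irqbalance[irqbalance:958] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 2311.137679] grsec: (snmp:U:/) denied access to hidden file /proc/963/net/dev by /usr/sbin/snmpd[snmpd:963] uid/euid:105/105 gid/egid:112/112, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[ 21.960013] random: nonblocking pool is initialized
"""

# "(role:type:subject)" header; "From <ip>:" is present on denials from remote sessions.
HEADER_RE = re.compile(r"grsec: (?:From \S+: )?\((?P<role>[^:]+):[A-Z]:(?P<subject>[^)]+)\) (?P<rest>.*)")
FILE_RE = re.compile(r"denied (?P<op>access to hidden file|open of|create of) (?P<obj>\S+)"
                     r"(?: for (?P<mode>[a-z ]+?))? by (?P<exe>\S+)\[")
CAP_RE = re.compile(r"use of (?P<cap>CAP_[A-Z_]+) denied for (?P<exe>\S+)\[")

def parse_denial(line):
    """Return (role, subject, exe, kind, detail) for one grsec denial line, else None."""
    h = HEADER_RE.search(line)
    if not h:
        return None
    rest = h.group("rest")
    f = FILE_RE.match(rest)
    if f:
        # Assumed mapping of the log wording onto mode letters: r, w, c (create), h (hidden).
        mode = "".join(w[0] for w in (f.group("mode") or "").split())
        mode += {"access to hidden file": "h", "create of": "c"}.get(f.group("op"), "")
        return h.group("role"), h.group("subject"), f.group("exe"), "object", (f.group("obj"), mode)
    c = CAP_RE.match(rest)
    if c:
        return h.group("role"), h.group("subject"), c.group("exe"), "cap", c.group("cap")
    return None

def summarize(log_text):
    """Group denials by (role, subject): each object with the union of denied modes, plus caps."""
    summary = defaultdict(lambda: {"objects": defaultdict(set), "caps": set()})
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec:
            role, subject, _exe, kind, detail = rec
            if kind == "object":
                summary[(role, subject)]["objects"][detail[0]].update(detail[1])
            else:
                summary[(role, subject)]["caps"].add(detail)
    return {k: {"objects": {o: "".join(sorted(m)) for o, m in v["objects"].items()},
                "caps": sorted(v["caps"])} for k, v in summary.items()}
```

Running `summarize` over a full dmesg capture gives one entry per subject, so a denial attributed to the catch-all subject "/" (as every root denial above is) stands out from one hitting a dedicated subject such as /lib/systemd/systemd-logind.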

Re: Problem enabling RBAC

Posted: Mon Aug 25, 2014 10:01 am
by Stephane
Yes, it seems that a simple sleep 10 in my rc.local does the trick.
I still have the above logs, I'll try to fix it...

Re: Problem enabling RBAC

Posted: Mon Aug 25, 2014 7:43 pm
by spender
Hi Stephane,

The CAP_SETUID/CAP_SETGID problem will be fixed in the next patches -- thanks for not giving up and seeing it through to a resolution :)

-Brad

Re: Problem enabling RBAC

Posted: Tue Aug 26, 2014 3:41 am
by Stephane
You're welcome :) thank you Brad, I'm going to test the new patch today...

Re: Problem enabling RBAC

Posted: Tue Aug 26, 2014 7:30 am
by Stephane
It seems to work like a charm!