
Re: rsbac_auditor_rol

Well, this doesn't work as expected; I had to switch AUTH_ROLE to
secoff to make it work.
Wasn't it supposed to be granted to the auditor role too?

2009/1/31 Javier J. Martínez Cabezón <tazok.id0 <at> gmail.com>:
> It gets solved with: marking the audit user with AUTH ROLE auditor and
> rc_def_role syslog role, granting this role the FS_MASK CAP min set, and
> marking the syslog-ng binary as SETUID audit:root, owner of syslog-ng.
>
> 2009/1/31 Javier J. Martínez Cabezón <tazok.id0 <at> gmail.com>:
>> Well, it seems that this is controlled by "AUTH Role" for USER. I think
>> it would be useful to put this flag in roles too and not only in
>> users. I have for example one force role that makes all logging
>> granted to syslog-ng. If I'm not wrong, AUTH checks whether this flag is
>> set to secoff or auditor to grant access to rsbac_log. It
>> depends on the existence of a user with this switch. Adding it to roles
>> instead of users would be better in my opinion.
>>
>> 2009/1/31 Javier J. Martínez Cabezón <tazok.id0 <at> gmail.com>:
>>> Hi, I have seen in the logs that GET_STATUS_DATA access to SCD
>>> target rsbac_log is denied by AUTH. As seen in the source code in
>>> auth_main.c, it is hardcoded that only the auditor or secoff roles have
>>> this right granted. I think it would be useful to have a switch in
>>> the kernel where we could select the auditor role "number" (as with the
>>> secoff uid in .config) and not depend on the name (if someone
>>> creates a role with the same name, I think it could be dangerous). Now
>>> I can do an rc_copy_role from my syslog role (8) to the auditor one (3),
>>> but I think another solution could be more proper.
>>>
>>

ago | 3 Feb 16:51 2009

Auto-reply

Dear Madam/Sir,

I am on holiday until 9 February 2009. In case of a fault, please report it on the support
interface provided to all our customers, using the username/password pair you were given. For
quotation requests or other business correspondence, please write to my colleagues Tóth László or
Szüts Attila at toth.laszlo <at> lsc.hu or aszuts <at> lsc.hu. With thanks,
Deim Ágoston
Gergely Lónyai | 5 Feb 16:43 2009

Request: rsbac_disable_MODULE

Hi,

Please add an rsbac_disable_MODULE kernel parameter option, like the rsbac_softmode_MODULE
kernel parameter.

Aleph
ago | 5 Feb 16:51 2009

Auto-reply

Dear Madam/Sir,

I am on holiday until 9 February 2009. In case of a fault, please report it on the support
interface provided to all our customers, using the username/password pair you were given. For
quotation requests or other business correspondence, please write to my colleagues Tóth László or
Szüts Attila at toth.laszlo <at> lsc.hu or aszuts <at> lsc.hu. With thanks,
Deim Ágoston

Re: rsbac_auditor_rol

Well, it works perfectly, without any suid bit turned on. With
syslog-ng rights changed to 755 (the syslog-ng binary has its own
rc_type), I have switched AUTH_ROLE to auditor for user audit, granted
CAP_SYS_ADMIN and CAP_DAC_OVERRIDE as minimum capabilities to the
syslog-ng binary, added the capability for user audit to
start-stop-daemon, and modified the gentoo /etc/init.d/syslog-ng to make
syslog start as user/gid audit. As all scripts need access to
/var/lib/init.d, the rc_type_fd of this dir is different, and I made
the necessary roles give all files under this dir the
/var/lib/init.d type (with def_ind_fd_type). SCD rights to rsbac_log
and syslog are changed according to the syslog role. I think this is the more
proper/secure solution, don't you think?

2009/2/3 Javier J. Martínez Cabezón <tazok.id0 <at> gmail.com>:
> Well, this doesn't work as expected; I had to switch AUTH_ROLE to
> secoff to make it work.
> Wasn't it supposed to be granted to the auditor role too?
>
> 2009/1/31 Javier J. Martínez Cabezón <tazok.id0 <at> gmail.com>:
>> It gets solved with: marking the audit user with AUTH ROLE auditor and
>> rc_def_role syslog role, granting this role the FS_MASK CAP min set, and
>> marking the syslog-ng binary as SETUID audit:root, owner of syslog-ng.
>>
>> 2009/1/31 Javier J. Martínez Cabezón <tazok.id0 <at> gmail.com>:
>>> Well, it seems that this is controlled by "AUTH Role" for USER. I think
>>> it would be useful to put this flag in roles too and not only in
>>> users. I have for example one force role that makes all logging
>>> granted to syslog-ng. If I'm not wrong, AUTH checks whether this flag is
>>> set to secoff or auditor to grant access to rsbac_log. It
>>> depends on the existence of a user with this switch. Adding it to roles


min_caps and scripts

Hi folks, I suppose that capabilities assigned to shell scripts are
ignored, and the same happens with min_caps.
The problem is that I have removed all maximum capabilities from root
and assigned min_caps to the required binaries (such as agetty, login,
etc.). The problem comes with a gentoo bash script, /sbin/rc, which,
among other things, touches /var/log/wtmp, which is owned by my
user audit; the same happened with the file /var/run/syslog-ng.pid,
which is owned by the same user. The problem is that root has no
CAP_DAC_OVERRIDE at all, and since /sbin/rc is a shell script, min_caps are
not honored (so it doesn't work at all).

I protected /sbin/rc against unwanted read/execution/write by assigning
it to a special RC type, only accessed by roles 999999 and the secoff one,
so min_caps shouldn't be a security hole in this case.

I don't think that granting these capabilities to /bin/mv and
/bin/touch, among others used in this script, would be a proper
solution, and making another copy of these binaries to assign them another
binary type sounds too tricky since it needs script modification to
work.

Do you know any way to make these caps work in a shell script? Any suggestions?
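The reason a per-binary setting on a script is never in effect, shown with an added example that is not from the list post or from RSBAC: when the kernel executes a `#!` file, the process image it creates is the interpreter named on the first line, and the script path is only passed to it as an argument. Anything looked up on the program file at execve time, such as the min_caps the post sets on /sbin/rc, is therefore looked up on /bin/sh, not on /sbin/rc. The script below writes a constructed test script to a temporary file, runs it, and has it report what the kernel considers its executable; the paths are whatever mktemp and /bin/sh resolve to on the machine it runs on.

```sh
#!/bin/sh
# Added example: a '#!' script runs as the interpreter's process image,
# so file attributes of the script itself (min_caps, file capabilities)
# are never the attributes of the running program. Needs Linux /proc.

# Writes a constructed test script that reports its own program image,
# runs it, and prints two lines: the script's path, then the resolved
# path of /proc/<pid>/exe as seen from inside the script.
exe_of_script() {
    script="$(mktemp)"
    # Single quotes keep $$ literal in the file; when the script runs,
    # $$ is the PID of the interpreter executing it.
    printf '#!/bin/sh\nreadlink -f /proc/$$/exe\n' > "$script"
    chmod 0755 "$script"
    printf '%s\n' "$script"
    "$script"
    rm -f "$script"
}

# For comparison: readlink(1) is a compiled binary, so the program image
# it reports for itself is the readlink executable, not a shell.
exe_of_binary() {
    readlink -f /proc/self/exe
}

# Manual run: the second line of exe_of_script is /bin/sh (resolved),
# never the temporary script path.
if [ "${0##*/}" != "sh" ] && [ -z "${SKIP_DEMO:-}" ]; then
    exe_of_script
    exe_of_binary
fi
```

Read the second line of the output against the first: the file the min_caps attribute was attached to is only argv[1] of the interpreter, which is why the post's /sbin/rc runs with root's reduced capability set and fails on files owned by the audit user.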

change chroot syscall by rsbac_jail one

Hi, I was thinking: why don't you replace the chroot syscall directly
(NR_61 in svn) with the rsbac syscall_jail one?

You could add a config option CONFIG_CHANGE_CHROOT_BY_JAIL; if defined,
all chroot calls would "jump" to the rsbac_jail one.
I think that userspace programs would use rsbac_jail without knowing
about the change, since they still call sys_chroot.

So I think you can do the same as some rootkits do... change the syscall_table :).

Configuration of the jail could be done using data from kernel land; by
default the behaviour (parameters) of rsbac_jail could be the same as
chroot, only changing the / dir, but with all the restrictions of rsbac_jail;
we could for example indicate later which will be the maximum
capabilities, IP, etc.

I think with this one problem could be solved (people don't want to
change software source code to use jails), making it transparent for
the user.

What do you think?
Alexey Zaytsev | 24 Feb 15:52 2009

[PATCH] Fix extern includes in include/rsbac/aci_data_structures.h

	They are simply not needed here.

Signed-off-by: Alexey Zaytsev <zaytsev <at> altell.ru>
---
 include/rsbac/aci_data_structures.h |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/include/rsbac/aci_data_structures.h b/include/rsbac/aci_data_structures.h
index c6d6ee6..1c4a4ed 100644
--- a/include/rsbac/aci_data_structures.h
+++ b/include/rsbac/aci_data_structures.h
 <at>  <at>  -1769,33 +1769,33  <at>  <at>  extern struct semaphore rsbac_write_sem;
 /*              Locks                         */
 /**********************************************/

-extern inline void rsbac_read_lock(rwlock_t * lock_p, u_long * flags_p)
+static inline void rsbac_read_lock(rwlock_t * lock_p, u_long * flags_p)
 {
 	read_lock(lock_p);
 };

-extern inline void rsbac_read_unlock(rwlock_t * lock_p, u_long * flags_p)
+static inline void rsbac_read_unlock(rwlock_t * lock_p, u_long * flags_p)
 {
 	read_unlock(lock_p);
 };

-extern inline void rsbac_write_lock(rwlock_t * lock_p, u_long * flags_p)
+static inline void rsbac_write_lock(rwlock_t * lock_p, u_long * flags_p)
 {
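Review bot: the subject line says "Fix extern includes", but no #include is touched in the hunk; every changed line shown replaces `extern inline` with `static inline` on the lock helpers (`rsbac_read_lock`, `rsbac_read_unlock`, `rsbac_write_lock`), so retitle the commit and give the reason in the message: under the gnu89 inline semantics the kernel builds with, an `extern inline` body is never emitted out of line, so any call the compiler declines to inline becomes an undefined reference at link time, and `static inline` is the idiom a header is expected to use. While these lines are being touched, the `flags_p` parameter is unused in each helper shown and every body ends with a stray `;` after the closing brace (`};`); both could be cleaned up in the same hunk.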

Jens Kasten | 2 Mar 13:42 2009

segfault with dazuko

Hi list,
I tried dazuko with clamav and this is what I get:
Pid: 13683, comm: emerge Tainted: G      D    2.6.28.4-rsbac-2.0-sec #2
RIP: 0010:[<ffffffff802e3f1e>]  [<ffffffff802e3f1e>] kfree+0xbe/0xd0
RSP: 0018:ffff8801520f7a18  EFLAGS: 00010246
RAX: 8000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000702f01 RSI: ffffe20003817808 RDI: 00000001006b7361
RBP: ffff8801006b7361 R08: ffff8801520f7ae8 R09: 0000000000000001
R10: ffff880152c7b898 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000002 R14: 0000000000000001 R15: 0000000000000000
FS:  0000758dd6ea56f0(0000) GS:ffffffff808dc040(0000)
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000cf8c2ad4024 CR3: 0000000152247000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process emerge (pid: 13683, threadinfo ffff8801520f6000, task
ffff8801536015c0)
Stack:
 ffff8801520f7b78 0000000000000000 ffff8801520f7b78 ffffffff8026e3e9
 0000000000000000 ffffffff802733e1 00000000ffffffff ffff8801006b7361
 0000000000000011 0000000000000002 0000000000000000 ffffffff8026ec4e
Call Trace:
 [<ffffffff8026e3e9>] ? xp_id_free+0x9/0x10
 [<ffffffff802733e1>] ? dazuko_sys_check+0xa1/0x140
 [<ffffffff8026ec4e>] ? rsbac_adf_request_daz+0x30e/0x6f0
 [<ffffffff8035ec25>] ? __put_nfs_open_context+0x35/0x100
 [<ffffffff8022bbd6>] ? rsbac_get_vset+0x76/0x90
 [<ffffffff802bb455>] ? sync_page+0x35/0x60
 [<ffffffff805ca4fb>] ? __wait_on_bit_lock+0x6b/0x80

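For triage of a report like the one above, an added example (not code from the list or from RSBAC or dazuko) that pulls out the fields worth quoting first: the kernel version and taint flags, the symbol at RIP, and the call-trace frames belonging to a given module prefix. The sample text is copied from the oops header and call trace posted above and embedded so the script runs offline; the function names are this example's own.

```sh
#!/bin/sh
# Added example: extract triage fields from an x86-64 oops. The sample
# below is the header and call trace from the report above.

OOPS_SAMPLE='Pid: 13683, comm: emerge Tainted: G      D    2.6.28.4-rsbac-2.0-sec #2
RIP: 0010:[<ffffffff802e3f1e>]  [<ffffffff802e3f1e>] kfree+0xbe/0xd0
Call Trace:
 [<ffffffff8026e3e9>] ? xp_id_free+0x9/0x10
 [<ffffffff802733e1>] ? dazuko_sys_check+0xa1/0x140
 [<ffffffff8026ec4e>] ? rsbac_adf_request_daz+0x30e/0x6f0
 [<ffffffff8035ec25>] ? __put_nfs_open_context+0x35/0x100
 [<ffffffff8022bbd6>] ? rsbac_get_vset+0x76/0x90'

# symbol+offset/size of the faulting instruction, e.g. kfree+0xbe/0xd0
oops_rip_symbol() {
    printf '%s\n' "$OOPS_SAMPLE" | awk '/^RIP:/ { print $NF; exit }'
}

# Single-letter taint flags following "Tainted:", e.g. "G D".
# D means the kernel had already died (oopsed) before this report,
# so this trace may be a consequence of an earlier one.
oops_taint_flags() {
    printf '%s\n' "$OOPS_SAMPLE" | awk '/Tainted:/ {
        sub(/.*Tainted: */, "")
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Z]$/) out = out (out == "" ? "" : " ") $i
        print out; exit }'
}

# Kernel release string on the taint line, e.g. 2.6.28.4-rsbac-2.0-sec
oops_kernel_version() {
    printf '%s\n' "$OOPS_SAMPLE" | awk '/Tainted:/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+/) { print $i; exit } }'
}

# Call-trace frames whose symbol starts with $1, in trace order
# (innermost first), one per line. "?" frames are addresses found on
# the stack that the unwinder could not confirm as real return sites.
oops_frames_with_prefix() {
    printf '%s\n' "$OOPS_SAMPLE" | awk -v p="$1" '
        /^Call Trace:/ { in_trace = 1; next }
        in_trace && /^ *\[<[0-9a-f]+>\]/ {
            sym = $NF
            if (index(sym, p) == 1) print sym }'
}

# Manual run: version, taint, RIP symbol, then the RSBAC and dazuko frames.
if [ -z "${SKIP_DEMO:-}" ]; then
    oops_kernel_version
    oops_taint_flags
    oops_rip_symbol
    oops_frames_with_prefix rsbac_
    oops_frames_with_prefix dazuko_
fi
```

For the report above this yields the path dazuko_sys_check -> xp_id_free -> kfree under rsbac_adf_request_daz, which is where a bisect between the dazuko glue and the RSBAC DAZ module would start; the D flag says an earlier oops preceded this one, so its first report is the one to look for in the log.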