I run learning while RBAC is disabled. So without gradm -E.

I'm not sure what's wrong with your setup, but learning mode does not
require RBAC to be active.
--
Dr Attila Tóth, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 2014 February 23 (Sunday) at 10:20, John Tate wrote:
> How does it learn about the gradm -E before I've run it? Running it
> kills the system, whereupon there is no /etc/grsec to write any rules
> to. I've thought of this, and it doesn't work.
>
> On Tue, Feb 18, 2014 at 10:06 PM, "Tóth Attila" <atoth@××××××××××.hu>
> wrote:
>> Just give gradm learning a try without a prior gradm -E.
>> After you can generate an initial set of rules for your policy, you can
>> start fine-tuning it for some specific applications.
>> --
>> Dr Attila Tóth, Radiologist, 06-20-825-8057
>> Attila Toth MD, Radiologist, +36-20-825-8057
>>
>> On 2014 February 17 (Monday) at 23:26, John Tate wrote:
>>> BTW, I was supposed to delete the first two lines of that email.
>>>
>>> On Tue, Feb 18, 2014 at 9:25 AM, John Tate <john@××××××××.org> wrote:
>>>> What should that stuff be so gradm works. I tried add
>>>>
>>>> Also the wiki instructs me to issue gradm -E before putting it in
>>>> learning mode.
>>>>
>>>> I've tried adding some lines to the admin role myself but the same
>>>> problem occurs, and gradm can no longer find /dev/grsec.
>>>>
>>>> role admin sA
>>>> subject / rvka
>>>> 	/ rwcdmlxi
>>>> subject /sbin/gradm
>>>> 	/etc/grsec rwx
>>>> 	/dev/grsec rw
>>>> 	+CAP_DAC_OVERRIDE
>>>>
>>>> It would be good if you could just help me get started by giving
>>>> enough so that gradm -D will work so I can still work on the system
>>>> without a reboot. At this point it is tedious.
>>>>
>>>> Also either the Wiki page is out of date and the advice no longer
>>>> works, or the problem is actually some kernel option I've enabled:
>>>> https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart
>>>>
>>>> On Tue, Feb 18, 2014 at 7:03 AM, "Tóth Attila" <atoth@××××××××××.hu>
>>>> wrote:
>>>>> I think you should not issue gradm -E before activating learning
>>>>> mode.
>>>>> Also make sure to populate your policy with at least some default
>>>>> stuff for the admin role before enabling it. The example policy file
>>>>> gives a starting point.
>>>>> --
>>>>> Dr Attila Tóth, Radiologist, 06-20-825-8057
>>>>> Attila Toth MD, Radiologist, +36-20-825-8057
>>>>>
>>>>> On 2014 February 17 (Monday) at 20:29, John Tate wrote:
>>>>>> I am new to grsecurity. I am having a problem when I enable RBAC,
>>>>>> where grsecurity denies gradm and certain directories such as
>>>>>> /etc/grsec are inaccessible, and even /dev/grsec.
>>>>>>
>>>>>> gentoo ~ # gradm -E
>>>>>> gentoo ~ # gradm -F -L /etc/grsec/learning.log
>>>>>> Could not open /dev/grsec.
>>>>>> open: Permission denied
>>>>>>
>>>>>> /var/log/messages contains this...
>>>>>> Feb 16 22:40:56 gentoo kernel: [ 659.863486] grsec: From 192.168.0.3:
>>>>>> (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for
>>>>>> /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent
>>>>>> /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
>>>>>>
>>>>>> CONFIG_GRKERNSEC=y
>>>>>> # CONFIG_GRKERNSEC_CONFIG_AUTO is not set
>>>>>> CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
>>>>>> CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=101
>>>>>> CONFIG_GRKERNSEC_KMEM=y
>>>>>> CONFIG_GRKERNSEC_IO=y
>>>>>> CONFIG_GRKERNSEC_PERF_HARDEN=y
>>>>>> CONFIG_GRKERNSEC_RAND_THREADSTACK=y
>>>>>> CONFIG_GRKERNSEC_PROC_MEMMAP=y
>>>>>> CONFIG_GRKERNSEC_BRUTE=y
>>>>>> CONFIG_GRKERNSEC_MODHARDEN=y
>>>>>> CONFIG_GRKERNSEC_HIDESYM=y
>>>>>> CONFIG_GRKERNSEC_KERN_LOCKOUT=y
>>>>>> # CONFIG_GRKERNSEC_NO_RBAC is not set
>>>>>> CONFIG_GRKERNSEC_ACL_HIDEKERN=y
>>>>>> CONFIG_GRKERNSEC_ACL_MAXTRIES=3
>>>>>> CONFIG_GRKERNSEC_ACL_TIMEOUT=60
>>>>>> CONFIG_GRKERNSEC_PROC=y
>>>>>> CONFIG_GRKERNSEC_PROC_USER=y
>>>>>> CONFIG_GRKERNSEC_PROC_ADD=y
>>>>>> CONFIG_GRKERNSEC_LINK=y
>>>>>> # CONFIG_GRKERNSEC_SYMLINKOWN is not set
>>>>>> CONFIG_GRKERNSEC_FIFO=y
>>>>>> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
>>>>>> # CONFIG_GRKERNSEC_ROFS is not set
>>>>>> CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
>>>>>> CONFIG_GRKERNSEC_CHROOT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_MOUNT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_PIVOT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_CHDIR=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_CHMOD=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_MKNOD=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_SHMAT=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_UNIX=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_NICE=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_CAPS=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_GROUP=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_GID=100
>>>>>> CONFIG_GRKERNSEC_EXECLOG=y
>>>>>> CONFIG_GRKERNSEC_RESLOG=y
>>>>>> CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_PTRACE=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_CHDIR=y
>>>>>> CONFIG_GRKERNSEC_AUDIT_MOUNT=y
>>>>>> CONFIG_GRKERNSEC_SIGNAL=y
>>>>>> CONFIG_GRKERNSEC_FORKFAIL=y
>>>>>> CONFIG_GRKERNSEC_TIME=y
>>>>>> CONFIG_GRKERNSEC_PROC_IPADDR=y
>>>>>> CONFIG_GRKERNSEC_RWXMAP_LOG=y
>>>>>> CONFIG_GRKERNSEC_DMESG=y
>>>>>> CONFIG_GRKERNSEC_HARDEN_PTRACE=y
>>>>>> CONFIG_GRKERNSEC_PTRACE_READEXEC=y
>>>>>> # CONFIG_GRKERNSEC_SETXID is not set
>>>>>> CONFIG_GRKERNSEC_TPE=y
>>>>>> CONFIG_GRKERNSEC_TPE_ALL=y
>>>>>> # CONFIG_GRKERNSEC_TPE_INVERT is not set
>>>>>> CONFIG_GRKERNSEC_TPE_GID=101
>>>>>> CONFIG_GRKERNSEC_RANDNET=y
>>>>>> CONFIG_GRKERNSEC_BLACKHOLE=y
>>>>>> CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
>>>>>> # CONFIG_GRKERNSEC_SOCKET is not set
>>>>>> # CONFIG_GRKERNSEC_DENYUSB is not set
>>>>>> CONFIG_GRKERNSEC_SYSCTL=y
>>>>>> # CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
>>>>>> CONFIG_GRKERNSEC_SYSCTL_ON=y
>>>>>> # CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
>>>>>> CONFIG_GRKERNSEC_FLOODTIME=10
>>>>>> CONFIG_GRKERNSEC_FLOODBURST=6
>>>>>>
>>>>>> Help would really be appreciated to get this working, because I'm
>>>>>> quite new to this and I have no idea what I've missed.
>>>>>>
>>>>>> --
>>>>>> www.johntate.org
>>>>
>>>> --
>>>> www.johntate.org
>>>
>>> --
>>> www.johntate.org
>
> --
> www.johntate.org
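The kernel line John quoted ("use of CAP_DAC_OVERRIDE denied for /sbin/gradm") is exactly the kind of evidence gradm's learning mode collects on its own, which is why the advice in the thread is to run learning before enforcement is ever enabled. As an added example (not code from this thread, from gradm, or from the Gentoo wiki), the Python script below reads such capability-denial lines out of syslog and groups the denied capabilities by role and subject, so that once a generated policy is being fine-tuned you can see which +CAP_ lines a subject is still missing. It also counts rate-limit messages, because a flooded log (CONFIG_GRKERNSEC_FLOODTIME above is 10 seconds) means the denial list is incomplete; the wording of that message, "more alerts, logging disabled for N seconds", is assumed here. The sample log is constructed: the first line is the one from the thread, the others are assumed variations. Only capability denials are parsed; the other denial messages grsecurity logs are left alone.

```python
"""Turn grsecurity RBAC capability denials from syslog into policy hints.

Added example, not from the thread or from gradm.  It assumes the log
format shown in the thread:
  grsec: From <ip>: (<role>:<type>:<subject>) use of CAP_X denied for
  <exe>[<comm>:<pid>] uid/euid:U/E gid/egid:G/E, parent <exe>[<comm>:<pid>] ...
"""
import re
from collections import OrderedDict

# Constructed sample: line 1 is the line quoted in the thread, the rest are
# assumed variations (a second capability, a repeat, and a rate-limit notice).
SAMPLE_LOG = """\
Feb 16 22:40:56 gentoo kernel: [  659.863486] grsec: From 192.168.0.3: (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for /sbin/gradm[gradm:3315] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
Feb 16 22:41:02 gentoo kernel: [  665.101234] grsec: From 192.168.0.3: (default:D:/sbin/gradm) use of CAP_DAC_READ_SEARCH denied for /sbin/gradm[gradm:3316] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
Feb 16 22:41:02 gentoo kernel: [  665.101240] grsec: From 192.168.0.3: (default:D:/sbin/gradm) use of CAP_DAC_OVERRIDE denied for /sbin/gradm[gradm:3316] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:1876] uid/euid:0/0 gid/egid:0/0
Feb 16 22:41:10 gentoo kernel: [  673.000001] grsec: more alerts, logging disabled for 10 seconds
"""

DENIAL_RE = re.compile(
    r"grsec: (?:From (?P<src>\S+?): )?"
    r"\((?P<role>[^:)]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"use of (?P<cap>CAP_[A-Z_]+) denied for "
    r"(?P<exe>\S+?)\[(?P<comm>[^\]:]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+)"
    r"(?:, parent (?P<parent>\S+?)\[(?P<pcomm>[^\]:]+):(?P<ppid>\d+)\])?"
)
# Assumed wording of the kernel's rate-limit notice (CONFIG_GRKERNSEC_FLOODTIME).
FLOOD_RE = re.compile(r"grsec: more alerts, logging disabled for (?P<secs>\d+) seconds")


def parse_denials(text):
    """Return one dict per capability-denial line, in log order."""
    out = []
    for line in text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("pid", "uid", "euid", "gid", "egid"):
            d[key] = int(d[key])
        if d["ppid"] is not None:
            d["ppid"] = int(d["ppid"])
        out.append(d)
    return out


def count_flood_warnings(text):
    """Number of rate-limit notices; any non-zero count means denials were dropped."""
    return sum(1 for line in text.splitlines() if FLOOD_RE.search(line))


def suggest_policy(denials):
    """Denied capabilities per (role, subject), deduplicated, first-seen order."""
    grouped = OrderedDict()
    for d in denials:
        caps = grouped.setdefault((d["role"], d["subject"]), [])
        if d["cap"] not in caps:
            caps.append(d["cap"])
    return dict(grouped)


def render_hints(suggestions):
    """Render +CAP_ lines to review before adding them to the subject in
    /etc/grsec/policy.  Only capability lines are produced; the subject's
    object (file) rules are not inferred from this kind of log line."""
    lines = []
    for (role, subject), caps in suggestions.items():
        lines.append(f"# role {role}, subject {subject}: capabilities denied while enforcing")
        lines.extend(f"\t+{cap}" for cap in caps)
    return "\n".join(lines)


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    print(render_hints(suggest_policy(denials)))
    if count_flood_warnings(SAMPLE_LOG):
        print("# warning: kernel rate-limited grsec alerts; the list above is incomplete")
```

Run it against a real /var/log/messages instead of SAMPLE_LOG by reading the file into parse_denials. Treat the output as a review list, not as policy to paste blindly: a root process in the default role being denied CAP_DAC_OVERRIDE, as in the thread, is the symptom of enforcing an empty policy, and the fix there is to generate the policy with learning first rather than to grant the capability.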