This is the modified cron init-script
diff -u cron_org cron --- cron_org 2008-07-03 04:10:46.000000000 +0200 +++ cron 2008-07-03 04:12:02.000000000 +0200 @@ -23,7 +23,7 @@ case "$1" in start) log_daemon_msg "Starting periodic command scheduler" "crond" - start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron -- $LSBNAMES + run-jail cron start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron -- $LSBNAMES log_end_msg $? ;; stop) log_daemon_msg "Stopping periodic command scheduler" "crond" @@ -32,7 +32,7 @@ ;; restart) log_daemon_msg "Restarting periodic command scheduler" "crond" start-stop-daemon --stop --retry 5 --quiet --pidfile /var/run/crond.pid --name cron - start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron -- $LSBNAMES + run-jail cron start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron -- $LSBNAMES log_end_msg $? ;; reload|force-reload) log_daemon_msg "Reloading configuration files for periodic command scheduler" "crond"
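Review bot: In the start) branch, log_end_msg $? now reports whatever run-jail returns, and run-jail is called without a path while cron itself is given as /usr/sbin/cron. If the wrapper is missing from the init environment's PATH or does not pass through the exit status of start-stop-daemon, the start result shown to the admin is wrong. Suggest calling run-jail by absolute path and checking that it is executable before the start line.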
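Review bot: The restart) branch repeats the whole "run-jail cron start-stop-daemon --start ..." line from start) verbatim, so a later change to the jail name or the daemon arguments in one branch can leave the other starting cron with different confinement. Suggest moving the jailed start command into one shell function and calling it from both branches.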
First, add the jail_flag 'allow-ipc-syslog' to the cron-jailfile:
(allow-ipc-syslog) () () ()
All services that send data to syslog need this if syslogd is jailed too.
I stop the service with /etc/init.d/cron stop, then I start the service and watch the other terminal.
/etc/init.d/cron start
Starting periodic command scheduler: crond This is execute now: rsbac_jail -y start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron --
<6>0000001237|rsbac_adf_request(): request WRITE_OPEN, pid 4631, ppid 1, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type DEV, tid char 01:03, attr open_flag, value 32834, result NOT_GRANTED by JAIL
Search for target_type and request:
target_type DEV :: request WRITE_OPEN
Requests on target_type DEV are controlled by a jail_flag, and in the jail_flags list you see:
"allow-dev-write": "-D" (this is the closest match)
rsbac_jail says:
-D = allow write access on devices
So I add this to the cron-jailfile:
(allow-ipc-syslog allow-dev-write) () () ()
Then stop and start crond again.
/etc/init.d/cron start
Starting periodic command scheduler: crond This is execute now: rsbac_jail -y -D start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron -- .
On the other terminal I see:
<6>0000001239|rsbac_adf_request(): request READ_OPEN, pid 4653, ppid 1, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type DEV, tid char 01:03, attr open_flag, value 32769, result NOT_GRANTED by JAIL
Search again for target_type and request:
target_type DEV :: request READ_OPEN
Now I add this:
"allow-dev-read": "-d"
rsbac_jail says:
-d = allow read access on devices
So add this to the cron-jailfile:
(allow-ipc-syslog allow-dev-write allow-dev-read) () () ()
So the same game again: stop and start crond.
/etc/init.d/cron start
Starting periodic command scheduler: crond This is execute now: rsbac_jail -y -D -d start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron --
And nothing appears on the security user's terminal. So far OK.
But a cron job will run soon that accesses things which are not set up at the moment.
For this I speed up the clock (only virtually) to the next cron jobs.
Now it is 6:25 am, the standard cron jobs are starting, and on the terminal I see this:
<6>0000001241|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 4732, ppid 4716, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type SCD, tid rlimit, attr none, value none, result NOT_GRANTED by JAIL
As always, search for target_type:
target_type SCD :: request MODIFY_SYSTEM_DATA :: tid rlimit
The target_type has changed to SCD, so now I have to use the scd_flags.
The request is MODIFY_SYSTEM_DATA, which means the fourth category () applies and rlimit is needed.
MODIFY_SYSTEM_DATA and GET_SYSTEM_DATA have the same scd_flags; only the categories differ. If GET_SYSTEM_DATA is requested, rsbac_jail -G is needed; otherwise -M for MODIFY.
I now add rlimit to cron's fourth category:
(allow-ipc-syslog allow-dev-write allow-dev-read) () () (rlimit)
<6>0000001269|rsbac_adf_request(): request GET_STATUS_DATA, pid 4813, ppid 4807, prog_name df, prog_file /bin/df, uid 0, remote ip 192.168.1.5, target_type DEV, tid block 08:01, attr none, value none, result NOT_GRANTED by JAIL
Search for target_type:
target_type DEV :: request GET_STATUS_DATA (tid not important in this case)
rsbac_jail says:
-e = allow GET_STATUS_DATA on devices
This is a jail_flag, so I add 'allow-dev-get-status' to the first category:
(allow-ipc-syslog allow-dev-write allow-dev-read allow-dev-get-status) () () (rlimit)
<6>0000001300|rsbac_adf_request(): request SEND_SIGNAL, pid 4831, ppid 4830, prog_name syslogd, prog_file /sbin/syslogd, uid 0, remote ip 192.168.1.5, target_type PROCESS, tid 4384, attr none, value none, result NOT_GRANTED by JAIL
This is never allowed in the jail.
<7>0000001301|rsbac_adf_request_jail(): process jail 57 does not match IPC object jail 56 -> NOT_GRANTED!
<6>0000001302|rsbac_adf_request(): request WRITE, pid 4831, ppid 4830, prog_name syslogd, prog_file /sbin/syslogd, uid 0, remote ip 192.168.1.5, target_type IPC, tid AnonPipe-ID 10243, attr none, value none, result NOT_GRANTED by JAIL
This again has a jail_flag, and here 'allow-external-ipc' is needed:
(allow-ipc-syslog allow-dev-write allow-dev-read allow-dev-get-status allow-external-ipc) () () (rlimit)
Now I restart cron.
/etc/init.d/cron restart
Restarting periodic command scheduler: crond This is execute now: rsbac_jail -y -D -d -e -i -M rlimit start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron --
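The triage loop from this walkthrough (read the NOT_GRANTED by JAIL line, look up target_type and request, add the matching entry), as an added Python example that is not part of the original page or of RSBAC. The table holds only the mappings worked out above, with -i for allow-external-ipc read off the final rsbac_jail command line; suggest and jailfile_line are hypothetical names, and the sample log is copied from the page.

```python
import re

# Denial format as it appears in the log excerpts on this page.
DENIAL = re.compile(
    r"request (?P<req>\w+), pid \d+, ppid \d+, prog_name (?P<prog>\S+),"
    r".*?target_type (?P<ttype>\w+), tid (?P<tid>.+?), attr .*"
    r"result NOT_GRANTED by JAIL")
# (target_type, request) -> (jail_flag, rsbac_jail switch), as worked out above.
JAIL_FLAGS = {
    ("DEV", "WRITE_OPEN"): ("allow-dev-write", "-D"),
    ("DEV", "READ_OPEN"): ("allow-dev-read", "-d"),
    ("DEV", "GET_STATUS_DATA"): ("allow-dev-get-status", "-e"),
    ("IPC", "WRITE"): ("allow-external-ipc", "-i"),
}
SCD_SWITCH = {"MODIFY_SYSTEM_DATA": "-M", "GET_SYSTEM_DATA": "-G"}

def suggest(line):
    """Return (prog, kind, jailfile entry, switch) for a JAIL denial, else None."""
    m = DENIAL.search(line)
    if m is None:
        return None
    key = (m["ttype"], m["req"])
    if key in JAIL_FLAGS:
        return (m["prog"], "jail_flag") + JAIL_FLAGS[key]
    if m["ttype"] == "SCD" and m["req"] in SCD_SWITCH:
        # For SCD targets the tid (here rlimit) is the scd_flag itself.
        return (m["prog"], "scd_flag", m["tid"], f"{SCD_SWITCH[m['req']]} {m['tid']}")
    # Not in the table (e.g. SEND_SIGNAL): no flag suggested, decide by hand.
    return (m["prog"], "review", "/".join(key), None)

def jailfile_line(log, base=("allow-ipc-syslog",)):
    """Build the four-group jailfile line; groups two and three stay empty."""
    flags, modify = list(base), []
    for hit in filter(None, map(suggest, log.splitlines())):
        if hit[1] == "jail_flag" and hit[2] not in flags:
            flags.append(hit[2])
        elif hit[3] and hit[3].startswith("-M") and hit[2] not in modify:
            modify.append(hit[2])
    return f"({' '.join(flags)}) () () ({' '.join(modify)})"

# Log lines copied from the walkthrough above.
SAMPLE_LOG = """\
<6>0000001237|rsbac_adf_request(): request WRITE_OPEN, pid 4631, ppid 1, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type DEV, tid char 01:03, attr open_flag, value 32834, result NOT_GRANTED by JAIL
<6>0000001239|rsbac_adf_request(): request READ_OPEN, pid 4653, ppid 1, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type DEV, tid char 01:03, attr open_flag, value 32769, result NOT_GRANTED by JAIL
<6>0000001241|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 4732, ppid 4716, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type SCD, tid rlimit, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001269|rsbac_adf_request(): request GET_STATUS_DATA, pid 4813, ppid 4807, prog_name df, prog_file /bin/df, uid 0, remote ip 192.168.1.5, target_type DEV, tid block 08:01, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001300|rsbac_adf_request(): request SEND_SIGNAL, pid 4831, ppid 4830, prog_name syslogd, prog_file /sbin/syslogd, uid 0, remote ip 192.168.1.5, target_type PROCESS, tid 4384, attr none, value none, result NOT_GRANTED by JAIL
<7>0000001301|rsbac_adf_request_jail(): process jail 57 does not match IPC object jail 56 -> NOT_GRANTED!
<6>0000001302|rsbac_adf_request(): request WRITE, pid 4831, ppid 4830, prog_name syslogd, prog_file /sbin/syslogd, uid 0, remote ip 192.168.1.5, target_type IPC, tid AnonPipe-ID 10243, attr none, value none, result NOT_GRANTED by JAIL"""
```

Calling jailfile_line(SAMPLE_LOG) reproduces the final jailfile line of the walkthrough; each suggested entry widens the jail, so read the suggest() output per denial before copying the line into the jailfile.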