Current version
Git/Latestdiff: 1.5.6
Latest Snapshots
Produced after each commit or rebase to new upstream version
GIT
RSBAC source code, can be unstable sometimes
No events planned
First enable jail debugging, if it not done already.
As security user open a second terminal and execut:
echo debug_adf_jail 1 > /proc/rsbac-info/debug
Then visit the log message via proc
cat /proc/rsbac-info/rmsg
or from the log daemon:
tail -f /security/log/security-log
On this stage all files are install. This approach can use on most services too. I use the dhcpd to perform it.
start-stop-daemon --start --exec /usr/sbin/dhcpd \ --pidfile "${DHCPD_CHROOT}/${pidfile}" \ -- ${DHCPD_OPTS} -q -pf "${pidfile}" \ -user dhcp -group dhcp \ ${DHCPD_CHROOT:+-chroot} ${DHCPD_CHROOT} ${DHCPD_IFACE}
run-jail dhcpd start-stop-daemon --start --exec /usr/sbin/dhcpd \ --pidfile "${DHCPD_CHROOT}/${pidfile}" \ -- ${DHCPD_OPTS} -q -pf "${pidfile}" \ -user dhcp -group dhcp \ ${DHCPD_CHROOT:+-chroot} ${DHCPD_CHROOT} ${DHCPD_IFACE}
From now on the command below start the daemon in a jail.
/etc/init.d/dhcpd start
The jail configuration directory is '/etc/rsbac/jail'.
Rename the dhcpd configuration file and start with an empty file.
mv /etc/rsbac/jail/dhcpd /etc/rsbac/jail/dhcpd_orgin
Create an empty jail configuration file:
create-jail -c dhcpd
Open the new file /etc/rsbac/jail/dhcpd with an editor.
; ; RSBAC JAIL definition for dhcpd ; 2012-13-05 ; ; test by: Jens Kasten ; run on: Gentoo Base System (2.0.3) ; "" "0.0.0.0" () () () ()
Open a new terminal to observe the log messages.
Now stop and start the daemon and watch the log messages.
A few stop and start with the daemon init script are nessesary to obtain all values. After examine the messages, in your before opened terminal, the dhcpd jail configuration file can look like:
; ; RSBAC JAIL definition for dhcpd ; 2011-16-11 ; ; test by: Jens Kasten ; run on: debian (6.0.3) ; "" "0.0.0.0" (allow-dev-write allow-dev-read allow-external-ipc allow-all-net-family allow-inet-raw) (net-bind-service net-raw sys-chroot dac-override chown setgid setuid) () ()
To check the jail use:
ps-jail -p dhcpd
The output should similar:
|Jail ID: 284| Program: dhcpd| PID: 7309| Jail IP: 0.0.0.0 |Jail Flags: allow-external-ipc, allow-dev-read, allow-inet-raw, allow-all-net-family, allow-dev-write |Jail Max Caps: setuid, dac-override, net-bind-service, chown, net-raw, setgid, sys-chroot
Jail Flags
1. Wed Jan 12 18:06:34 2011 :<6>0000000288|rsbac_adf_request(): request READ_OPEN, pid 8143, ppid 1, prog_name apcupsd, prog_file /sbin/apcupsd, uid 0, target_type DEV, tid char 05:01, attr open_flag, value 33025, result NOT_GRANTED by JAIL 2. Tue Jan 11 15:52:50 2011 :<6>0000000235|rsbac_adf_request(): request WRITE_OPEN, pid 16112, ppid 16111, prog_name dhcpd, prog_file /usr/sbin/dhcpd, uid 0, remote ip 192.168.1.5, target_type DEV, tid char 01:03, attr open_flag, value 32770, result NOT_GRANTED by JAIL 3. Tue Jan 11 15:52:50 2011 :<7>0000000236|rsbac_adf_request_jail(): process jail 40 does not match partner process jail 32, parent jail is 0 -> NOT_GRANTED! 4. Tue Jan 11 15:52:50 2011 :<6>0000000238|rsbac_adf_request(): request CREATE, pid 16112, ppid 16111, prog_name dhcpd, prog_file /usr/sbin/dhcpd, uid 0, remote ip 192.168.1.5, target_type NETOBJ, tid ffff88021a54ad80 INET RAW proto ICMP local 0.0.0.0:1 remote 0.0.0.0:0, attr sock_type, value RAW, result NOT_GRANTED by JAIL 5. Tue Jan 11 16:07:08 2011 :<6>0000000244|rsbac_adf_request(): request CREATE, pid 16620, ppid 16619, prog_name dhcpd, prog_file /usr/sbin/dhcpd, uid 0, remote ip 192.168.1.5, target_type NETOBJ, tid ffff88021fbcd680 PACKET PACKET, attr sock_type, value PACKET, result NOT_GRANTED by JAIL 6. Wed Jan 12 17:14:26 2011 :<7>0000000266|rsbac_adf_request_jail(): network family is NETLINK and neither allow_netlink nor allow_all_net_family is set -> NOT_GRANTED! 7. Thu Jan 13 07:10:27 2011 :<7>0000000580|jail_check_ip(): local_addr does not match jail_ip -> NOT_GRANTED! 8. Thu Jan 13 07:10:27 2011 :<6>0000000581|rsbac_adf_request(): request BIND, pid 22214, ppid 1, prog_name portmap, prog_file /sbin/portmap, uid 0, remote ip 192.168.1.5, target_type NETOBJ, tid ffff880189d8e6c0 INET DGRAM proto UDP local 0.0.0.0:766 remote 0.0.0.0:0, attr sock_type, value DGRAM, result NOT_GRANTED by JAIL 9. Thu Jan 13 07:10:27 2011 :<6>0000000585|rsbac_adf_request(): request BIND, pid 22214, ppid 1, prog_name portmap, prog_file /sbin/portmap, uid 0, remote ip 192.168.1.5, target_type NETOBJ, tid ffff880189d8e900 INET STREAM proto TCP local 0.0.0.0:767 remote 0.0.0.0:0, attr sock_type, value STREAM, result NOT_GRANTED by JAIL 10. Sun Jan 16 14:15:10 2011 :<6>0000000855|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 8436, ppid 1, prog_name debian, prog_file /usr/bin/qemu-system-x86_64, uid 0, remote ip 192.168.1.5, target_type DEV, tid block 253:18, attr ioctl_cmd, value 2149581316, result NOT_GRANTED by JAIL 11. Thu Jun 30 08:12:32 2011 :<7>0000000142|rsbac_adf_request_jail(): process jail 4 does not match IPC object jail 9 -> NOT_GRANTED! Thu Jun 30 08:12:32 2011 :<6>0000000143|rsbac_adf_request(): request RECEIVE, pid 5125, ppid 5124, prog_name syslog-ng, prog_file /usr/sbin/syslog-ng, uid 0, target_type IPC, tid AnonUnix-ID 10959, attr process, value 7075(ntpd,parent=1(init)), result NOT_GRANTED by JAIL
Point | Request | Target type | Identifier | Paramater to grant | RSBAC |
---|---|---|---|---|---|
1. | READ_OPEN | DEV | attr open_flag | allow-dev-read | -d |
2. | WRITE_OPEN | DEV | attr open_flag | allow-dev-write | -D |
3. | - | - | does not match partner process jail | allow-external-ipc | -i |
4. | CREATE | NETOBJ | attr sock_type, value RAW | DEVallow-inet-raw | -r |
5. | CREATE | NETOBJ | attr sock_type, value PACKET | allow-all-net-family | -n |
6. | - | - | network family is NETLINK and neither allow_netlink nor allow_all_net_family is set | allow-netlink | -K |
7. | - | - | local_addr does not match jail_ip | auto-adjust-ip-address | -a |
8.-9. | is depend on point 6. and is this allow the this disappers | - | - | ||
10. | MODIFY_SYSTEM_DATA | DEV | attr ioctl_cmd | allow-dev-mod-system | -E |
11. | RECEIVE | IPC | attr process | allow-external-ipc | -P |
Jail Capabilities
1. Tue Jan 11 15:52:50 2011 :<6>0000000237|rsbac_adf_request(): request CONNECT, pid 16112, ppid 16111, prog_name dhcpd, prog_file /usr/sbin/dhcpd, uid 0, remote ip 192.168.1.5, target_type UNIXSOCK, tid Device 00:05 Inode 20741 Path /dev/log, attr process, value 14437(rsyslogd,parent=1(init)), result NOT_GRANTED by JAIL 2. Tue Jan 11 15:56:19 2011 :<7>0000000240|capable(): pid 16229(dhcpd), uid 0: missing jail_max_cap SYS_CHROOT! 3. Tue Jan 11 16:02:24 2011 :<7>0000000242|capable(): pid 16386(dhcpd), uid 0: missing jail_max_cap DAC_OVERRIDE! 4. Tue Jan 11 16:04:40 2011 :<7>0000000243|capable(): pid 16511(dhcpd), uid 0: missing jail_max_cap CHOWN! 5. Wed Jan 12 16:26:51 2011 :<7>0000000261|capable(): pid 24423(dhcpd), uid 0: missing jail_max_cap NET_BIND_SERVICE! 6. Wed Jan 12 16:28:38 2011 :<7>0000000262|capable(): pid 24540(dhcpd), uid 0: missing jail_max_cap SETGID! 7. Wed Jan 12 16:30:21 2011 :<7>0000000263|capable(): pid 24666(dhcpd), uid 0: missing jail_max_cap SETUID! 8. Thu Jan 13 08:36:30 2011 :<7>0000000691|capable(): pid 17897(master), uid 0: missing jail_max_cap KILL! 9. Sun Jan 16 11:44:57 2011 :<7>0000000799|capable(): pid 5301(debian), uid 0: missing jail_max_cap DAC_READ_SEAR 10. Sun Jan 16 11:46:57 2011 :<7>0000000800|capable(): pid 5373(debian), uid 0: missing jail_max_cap NET_ADMIN!
Point | Request | Target or Identifier | Paramater to grant | RSBAC |
---|---|---|---|---|
1. | CONNECT | target UNIXSOCK, attr PROCESS | net-raw | NET_RAW |
2. | SYS_CHROOT | missing jail_max_cap | sys-chroot | SYS_CHROOT |
3. | DAC_OVERRIDE | missing jail_max_cap | dac-override | DAC_OVERRIDE |
4. | CHOWN | missing jail_max_cap | chown | CHOWN |
5. | NET_BIND_SERVICE | missing jail_max_cap | net-bind-service | NET_BIND_SERVICE |
6. | SETGID | missing jail_max_cap | setgid | SETGID |
7. | SETUID | missing jail_max_cap | setuid | SETUID |
8. | KILL | missing jail_max_cap | kill | KILL |
9. | DAC_READ_SEARCH | missing jail_max_cap | dac-read-search | DAC_OVERRIDE |
10. | NET_ADMIN | missing jail max_cap | net-admin | NET_ADMIN |
Jaill SCD READ
1. Wed Jan 12 17:58:47 2011 :<6>0000000284|rsbac_adf_request(): request GET_STATUS_DATA, pid 32316, ppid 1, prog_name rklogd, prog_file /usr/local/sbin/rklogd, uid 400, remote ip 192.168.1.5, target_type SCD, tid rsbac_log, attr none, value none, result NOT_GRANTED by JAIL
Point | Request | Target type | Identifier | Paramater to grant | RSBAC |
---|---|---|---|---|---|
1. | GET_STATUS_DATA | SCD | rsbac_log | rsbac-log | rsbac_log |
Jail SCD Modify
1. Thu Jan 13 06:53:01 2011 :<6>0000000555|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 21351, ppid 1, prog_name ntpd, prog_file /usr/sbin/ntpd, uid 0, remote ip 192.168.1.5, target_type SCD, tid time_strucs, attr none, value none, result NOT_GRANTED by JAIL 2. Thu Jan 13 06:53:02 2011 :<6>0000000579|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 21351, ppid 1, prog_name ntpd, prog_file /usr/sbin/ntpd, uid 123, remote ip 192.168.1.5, target_type SCD, tid capability, attr none, value none, result NOT_GRANTED by JAIL 3. Thu Jan 13 08:33:05 2011 :<6>0000000689|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 17313, ppid 1, prog_name master, prog_file /usr/lib64/postfix/master, uid 0, remote ip 192.168.1.5, target_type SCD, tid rlimit, attr rlimit, value 7:1024:1024, result NOT_GRANTED by JAIL 4. Sat Jan 15 17:30:30 2011 :<6>0000000108|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 8498, ppid 1, prog_name ntpd, prog_file /usr/sbin/ntpd, uid 123, target_type SCD, tid clock, attr none, value none, result NOT_GRANTED by JAIL
Point | Request | Target or Identifier | Paramater to grant | RSBAC |
---|---|---|---|---|
1. | MODIFY_SYSTEM_DATA | target SCD, tid time_strucs | time-strucs | TIME_STRUCS |
2. | MODIFY_SYSTEM_DATA | target SCD, tid capability | capability | CAPABILITY |
3. | MODIFY_SYSTEM_DATA | target SCD, tid rlimit | rlimit | RLIMIT |
4. | MODIFY_SYSTEM_DATA | target SCD, tid clock | clock | CLOCK |