wiki:experiences:igraltist:run-jail:explain-jail-message
=>  Releases

Current version
Git/Latestdiff: 1.5.6

Latest Snapshots
Produced after each commit or rebase to new upstream version

GIT
RSBAC source code, can be unstable sometimes

=>  Events

No events planned

Back to igraltist's run-jail

First enable jail debugging, if it not done already.

As security user open a second terminal and execut:

echo debug_adf_jail 1 > /proc/rsbac-info/debug

Then visit the log message via proc

cat /proc/rsbac-info/rmsg

or from the log daemon:

tail -f /security/log/security-log

Prepar dhcpd daemon init script

On this stage all files are install. This approach can use on most services too. I use the dhcpd to perform it.

  • Prepare the init script
  • Search for start routine, it could similar to this, depends on your distribution
     start-stop-daemon --start --exec /usr/sbin/dhcpd \
        --pidfile "${DHCPD_CHROOT}/${pidfile}" \
        -- ${DHCPD_OPTS} -q -pf "${pidfile}" \
        -user dhcp -group dhcp \
        ${DHCPD_CHROOT:+-chroot} ${DHCPD_CHROOT} ${DHCPD_IFACE}
  • Insert into front run-jail pdnsd
     run-jail dhcpd start-stop-daemon --start --exec /usr/sbin/dhcpd \
        --pidfile "${DHCPD_CHROOT}/${pidfile}" \
        -- ${DHCPD_OPTS} -q -pf "${pidfile}" \
        -user dhcp -group dhcp \
        ${DHCPD_CHROOT:+-chroot} ${DHCPD_CHROOT} ${DHCPD_IFACE}

From now on the command below start the daemon in a jail.

/etc/init.d/dhcpd start

Prepar dhcpd jail configuration file

The jail configuration directory is '/etc/rsbac/jail'.
Rename the dhcpd configuration file and start with an empty file.

mv /etc/rsbac/jail/dhcpd /etc/rsbac/jail/dhcpd_orgin

Create an empty jail configuration file:

create-jail -c dhcpd

Open the new file /etc/rsbac/jail/dhcpd with an editor.

;
; RSBAC JAIL definition for dhcpd
; 2012-13-05
;
; test by: Jens Kasten
; run on: Gentoo Base System (2.0.3)
;
 
""
"0.0.0.0"
()
()
()
()

Open a new terminal to observe the log messages.
Now stop and start the daemon and watch the log messages.

A few stop and start with the daemon init script are nessesary to obtain all values. After examine the messages, in your before opened terminal, the dhcpd jail configuration file can look like:

;
; RSBAC JAIL definition for dhcpd 
; 2011-16-11
;
; test by: Jens Kasten
; run on: debian (6.0.3)
;
 
""
"0.0.0.0"
(allow-dev-write
 allow-dev-read
 allow-external-ipc
 allow-all-net-family
 allow-inet-raw)
(net-bind-service
 net-raw
 sys-chroot
 dac-override
 chown
 setgid 
 setuid)
()
()

To check the jail use:

ps-jail -p dhcpd

The output should similar:

|Jail ID: 284| Program: dhcpd| PID: 7309| Jail IP: 0.0.0.0
|Jail Flags: allow-external-ipc, allow-dev-read, allow-inet-raw, allow-all-net-family, allow-dev-write
|Jail Max Caps: setuid, dac-override, net-bind-service, chown, net-raw, setgid, sys-chroot

Interprate log messages

Jail Flags

1. Wed Jan 12 18:06:34 2011 :<6>0000000288|rsbac_adf_request(): request READ_OPEN, pid 8143, ppid 1, prog_name apcupsd, prog_file /sbin/apcupsd, uid 0, target_type DEV, tid char 05:01, attr open_flag, value 33025, result NOT_GRANTED by JAIL
2. Tue Jan 11 15:52:50 2011 :<6>0000000235|rsbac_adf_request(): request WRITE_OPEN, pid 16112, ppid 16111, prog_name dhcpd, prog_file /usr/sbin/dhcpd, uid 0, remote ip 192.168.1.5, target_type DEV, tid char 01:03, attr open_flag, value 32770, result NOT_GRANTED by JAIL
3. Tue Jan 11 15:52:50 2011 :<7>0000000236|rsbac_adf_request_jail(): process jail 40 does not match partner process jail 32, parent jail is 0 -> NOT_GRANTED!
4. Tue Jan 11 15:52:50 2011 :<6>0000000238|rsbac_adf_request(): request CREATE, pid 16112, ppid 16111, prog_name dhcpd, prog_file /usr/sbin/dhcpd, uid 0, remote ip 192.168.1.5, target_type NETOBJ, tid ffff88021a54ad80 INET RAW proto ICMP local 0.0.0.0:1 remote 0.0.0.0:0, attr sock_type, value RAW, result NOT_GRANTED by JAIL
5. Tue Jan 11 16:07:08 2011 :<6>0000000244|rsbac_adf_request(): request CREATE, pid 16620, ppid 16619, prog_name dhcpd, prog_file /usr/sbin/dhcpd, uid 0, remote ip 192.168.1.5, target_type NETOBJ, tid ffff88021fbcd680 PACKET PACKET, attr sock_type, value PACKET, result NOT_GRANTED by JAIL
6. Wed Jan 12 17:14:26 2011 :<7>0000000266|rsbac_adf_request_jail(): network family is NETLINK and neither allow_netlink nor allow_all_net_family is set -> NOT_GRANTED!
7. Thu Jan 13 07:10:27 2011 :<7>0000000580|jail_check_ip(): local_addr does not match jail_ip -> NOT_GRANTED!
8. Thu Jan 13 07:10:27 2011 :<6>0000000581|rsbac_adf_request(): request BIND, pid 22214, ppid 1, prog_name portmap, prog_file /sbin/portmap, uid 0, remote ip 192.168.1.5, target_type NETOBJ, tid ffff880189d8e6c0 INET DGRAM proto UDP local 0.0.0.0:766 remote 0.0.0.0:0, attr sock_type, value DGRAM, result NOT_GRANTED by JAIL
9. Thu Jan 13 07:10:27 2011 :<6>0000000585|rsbac_adf_request(): request BIND, pid 22214, ppid 1, prog_name portmap, prog_file /sbin/portmap, uid 0, remote ip 192.168.1.5, target_type NETOBJ, tid ffff880189d8e900 INET STREAM proto TCP local 0.0.0.0:767 remote 0.0.0.0:0, attr sock_type, value STREAM, result NOT_GRANTED by JAIL
10. Sun Jan 16 14:15:10 2011 :<6>0000000855|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 8436, ppid 1, prog_name debian, prog_file /usr/bin/qemu-system-x86_64, uid 0, remote ip 192.168.1.5, target_type DEV, tid block 253:18, attr ioctl_cmd, value 2149581316, result NOT_GRANTED by JAIL
11. Thu Jun 30 08:12:32 2011 :<7>0000000142|rsbac_adf_request_jail(): process jail 4 does not match IPC object jail 9 -> NOT_GRANTED!
Thu Jun 30 08:12:32 2011 :<6>0000000143|rsbac_adf_request(): request RECEIVE, pid 5125, ppid 5124, prog_name syslog-ng, prog_file /usr/sbin/syslog-ng, uid 0, target_type IPC, tid AnonUnix-ID 10959, attr process, value 7075(ntpd,parent=1(init)), result NOT_GRANTED by JAIL


PointRequestTarget typeIdentifierParamater to grantRSBAC
1.READ_OPENDEVattr open_flagallow-dev-read-d
2.WRITE_OPENDEVattr open_flagallow-dev-write-D
3.--does not match partner process jailallow-external-ipc-i
4.CREATENETOBJattr sock_type, value RAWDEVallow-inet-raw-r
5.CREATENETOBJattr sock_type, value PACKETallow-all-net-family-n
6.--network family is NETLINK and neither allow_netlink nor allow_all_net_family is setallow-netlink-K
7.--local_addr does not match jail_ipauto-adjust-ip-address-a
8.-9.is depend on point 6. and is this allow the this disappers--
10.MODIFY_SYSTEM_DATADEVattr ioctl_cmdallow-dev-mod-system-E
11.RECEIVEIPCattr processallow-external-ipc-P


Jail Capabilities

1. Tue Jan 11 15:52:50 2011 :<6>0000000237|rsbac_adf_request(): request CONNECT, pid 16112, ppid 16111, prog_name dhcpd, prog_file /usr/sbin/dhcpd, uid 0, remote ip 192.168.1.5, target_type UNIXSOCK, tid Device 00:05 Inode 20741 Path /dev/log, attr process, value 14437(rsyslogd,parent=1(init)), result NOT_GRANTED by JAIL
2. Tue Jan 11 15:56:19 2011 :<7>0000000240|capable(): pid 16229(dhcpd), uid 0: missing jail_max_cap SYS_CHROOT!
3. Tue Jan 11 16:02:24 2011 :<7>0000000242|capable(): pid 16386(dhcpd), uid 0: missing jail_max_cap DAC_OVERRIDE!
4. Tue Jan 11 16:04:40 2011 :<7>0000000243|capable(): pid 16511(dhcpd), uid 0: missing jail_max_cap CHOWN!
5. Wed Jan 12 16:26:51 2011 :<7>0000000261|capable(): pid 24423(dhcpd), uid 0: missing jail_max_cap NET_BIND_SERVICE!
6. Wed Jan 12 16:28:38 2011 :<7>0000000262|capable(): pid 24540(dhcpd), uid 0: missing jail_max_cap SETGID!
7. Wed Jan 12 16:30:21 2011 :<7>0000000263|capable(): pid 24666(dhcpd), uid 0: missing jail_max_cap SETUID!
8. Thu Jan 13 08:36:30 2011 :<7>0000000691|capable(): pid 17897(master), uid 0: missing jail_max_cap KILL!
9. Sun Jan 16 11:44:57 2011 :<7>0000000799|capable(): pid 5301(debian), uid 0: missing jail_max_cap 
DAC_READ_SEAR
10. Sun Jan 16 11:46:57 2011 :<7>0000000800|capable(): pid 5373(debian), uid 0: missing jail_max_cap NET_ADMIN!


PointRequestTarget or IdentifierParamater to grantRSBAC
1.CONNECTtarget UNIXSOCK, attr PROCESSnet-rawNET_RAW
2.SYS_CHROOTmissing jail_max_capsys-chrootSYS_CHROOT
3.DAC_OVERRIDEmissing jail_max_capdac-overrideDAC_OVERRIDE
4.CHOWNmissing jail_max_capchownCHOWN
5.NET_BIND_SERVICEmissing jail_max_capnet-bind-serviceNET_BIND_SERVICE
6.SETGIDmissing jail_max_capsetgidSETGID
7.SETUIDmissing jail_max_capsetuidSETUID
8.KILLmissing jail_max_capkillKILL
9.DAC_READ_SEARCHmissing jail_max_capdac-read-searchDAC_OVERRIDE
10.NET_ADMINmissing jail max_capnet-adminNET_ADMIN


Jaill SCD READ

1. Wed Jan 12 17:58:47 2011 :<6>0000000284|rsbac_adf_request(): request GET_STATUS_DATA, pid 32316, ppid 1, prog_name rklogd, prog_file /usr/local/sbin/rklogd, uid 400, remote ip 192.168.1.5, target_type SCD, tid rsbac_log, attr none, value none, result NOT_GRANTED by JAIL


PointRequestTarget typeIdentifierParamater to grantRSBAC
1.GET_STATUS_DATASCDrsbac_logrsbac-logrsbac_log


Jail SCD Modify

1. Thu Jan 13 06:53:01 2011 :<6>0000000555|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 21351, ppid 1, prog_name ntpd, prog_file /usr/sbin/ntpd, uid 0, remote ip 192.168.1.5, target_type SCD, tid time_strucs, attr none, value none, result NOT_GRANTED by JAIL
2. Thu Jan 13 06:53:02 2011 :<6>0000000579|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 21351, ppid 1, prog_name ntpd, prog_file /usr/sbin/ntpd, uid 123, remote ip 192.168.1.5, target_type SCD, tid capability, attr none, value none, result NOT_GRANTED by JAIL
3. Thu Jan 13 08:33:05 2011 :<6>0000000689|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 17313, ppid 1, prog_name master, prog_file /usr/lib64/postfix/master, uid 0, remote ip 192.168.1.5, target_type SCD, tid rlimit, attr rlimit, value 7:1024:1024, result NOT_GRANTED by JAIL
4. Sat Jan 15 17:30:30 2011 :<6>0000000108|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 8498, ppid 1, prog_name ntpd, prog_file /usr/sbin/ntpd, uid 123, target_type SCD, tid clock, attr none, value none, result NOT_GRANTED by JAIL


PointRequestTarget or IdentifierParamater to grantRSBAC
1.MODIFY_SYSTEM_DATAtarget SCD, tid time_strucstime-strucsTIME_STRUCS
2.MODIFY_SYSTEM_DATAtarget SCD, tid capabilitycapabilityCAPABILITY
3.MODIFY_SYSTEM_DATAtarget SCD, tid rlimitrlimitRLIMIT
4.MODIFY_SYSTEM_DATAtarget SCD, tid clockclockCLOCK
//
wiki/experiences/igraltist/run-jail/explain-jail-message.txt · Last modified: 2012/05/13 05:42 by 127.0.0.1

wiki/experiences/igraltist/run-jail/explain-jail-message.txt · Last modified: 2012/05/13 05:42 by 127.0.0.1
This website is kindly hosted by m-privacy