[grsec] Re: grsecurity Digest, Vol 17, Issue 6

Christian Piva Franzen cpfranzen at gmail.com
Fri Nov 25 14:33:59 EST 2005


Hi Kurt,

    I just finished my course conclusion work on Grsecurity and LIDS.
After you reboot your brand new system, you should put it into learning mode.

    In this mode, grsec will learn the way each application works and
create a new policy file.

Learning:

gradm -F -L /etc/grsec/learning.logs	# start learning.
cd /etc/cron.daily/		# Crontab commands
ls -l			# Crontab commands
./find			# Crontab commands
./logrotate		# Crontab commands
...
gradm -D		# Finish learning.

Creating the new policy:

grsec:/home/sysadm# mv /etc/grsec/policy /etc/grsec/policy.old
grsec:/home/sysadm# gradm -F -L ./learning.logs -O /etc/grsec/policy
Beginning full learning 1st pass...done.
Beginning full learning role reduction...done.
Beginning full learning 2nd pass...done.
Beginning full learning subject reduction for user root...done.
Beginning full learning subject reduction for user postfix...done.
...
Beginning full learning object reduction for subject /...done.
Beginning full learning object reduction for subject /usr/bin/mutt...done.
Beginning full learning object reduction for subject
/usr/bin/mutt_dotlock...done.
...


    When you start the learning, each fault the system generates will
be logged in /etc/grsec/learning.logs. So you must use your system the
way you always do, starting and using your programs, saving your
files, etc.

    When you think it's done, you use gradm -D to disable the
learning. Then you must save your previous policy and use gradm -F -L
./learning.logs -O /etc/grsec/policy to create a new one.

    To enable RBAC again, use gradm -E.

    To use X Windows in grsec you must use:

chpax -sp /usr/X11R6/bin/XFree86 to disable SEGMEXEC and PAGEEXEC
enforcing in XFree86.

    Below is an example for the email client mutt:

01 - subject /usr/bin/mutt o {
...
02 -	/usr					h
03 -	/usr/bin/mutt			x
04 -	/usr/sbin/sendmail		x
05 -	/var					h
06 - #/var/mail/sysadm			rw
07 -	/var/mail/				rw
08 -	/home/				r
09 -	/home/*/mbox			rwcd
10 -	/home/*/postponed			rwcd
11 -	/tmp				rwcd
12 -	-CAP_ALL
13 -	bind	disabled
14 -	connect	disabled
}

    As you can see in 06, it just logged /var/mail/sysadm as rw. I
changed it to /var/mail/, so each new user that uses mutt will work
automatically. The same with 09 and 10.

    This document (http://www.grsecurity.net/gracldoc.pdf) was very
useful, but some options aren't in it, only in the original policy, so
you must copy them into this document, just after the object modes.

Hope it helps,
Christian Franzen


2005/11/25, grsecurity-request at grsecurity.net
<grsecurity-request at grsecurity.net>:
> Message: 1
> Date: Thu, 24 Nov 2005 09:19:43 -0330
> From: Kurt Pomeroy <kpomeroy at lakecrest.ca>
> Subject: [grsec] After Reading Quick Start...then what?
> To: grsecurity at grsecurity.net
> Message-ID: <20051124124943.GA880 at lakecrest.ca>
> Content-Type: text/plain; charset=us-ascii
>
> Hey guys,
>        I'm new to grsec but not new to the idea of MACs. I was a LIDS user for a few years, but when I read an article
> on linuxsecurity.com about the new grsec I decided to check it out. I've downloaded, installed, patched and rebooted
> my new 2.6.14.2 grsec kernel. I chose the "custom" option and read through and implemented the options from the
> quick start guide.
>
>        I then put the system into full learning mode and let it run for a few days, careful not to do anything
> that would require root access.
>
>        When I enable (-E) the system and check my logs, I notice that klogd needs CAP_SYS_ADMIN to read/write to
> /proc. I'm sure there are other errors, which will be taken care of as they show up, but my question is: what files
> do I edit to tweak the policy to remove errors such as the one listed above?
>
>        The quick start guide is great, but then the user is left on his own at that point. Why not add to the quick
> start guide (or write a new guide) something that starts off just after you have rebooted and enabled the system?
>
>        An explanation of the policy syntax etc. would help as well. I have checked out /etc/grsec/
> and there indeed is a file called "policy", but how do we tweak the policy? Or add new rules? Or remove rules?
> What if we install a new daemon and it needs to do something that requires more privileges than the current policy
> allows? How do we go about changing it?
>
>        Thanks for reading guys, appreciate any and all comments.
>
>        P.S. - I'm REALLY liking grsecurity and I will be using this system now as my MAC of choice. So thanks GRSEC,
> perhaps now I can sleep at night lol
>
>
>
>
> --
> Kurt Pomeroy
> Systems Administrator / IT Technician
> Lakecrest - St. John's Independent School
> 58 Patrick Street
> St. John's, Newfoundland, Canada, A1E 2S7
> Phone: (709) 738-1212
> Facsimile: (709) 738-1701
> Website: www.lakecrest.ca
>
> GnuPG Key: www.lakecrest.ca/kpomeroy.asc
> Key fingerprint = 7D02 411B E89A 82E1 C278  B131 54BB 02AA BBB2 C1DF
>


--

Hugs,
Christian
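Kurt asked how the policy syntax works and how to change rules. As an added illustration (editor's own code, not gradm's and not from the post), here is a small Python parser for one subject block of the shape shown for mutt, with a helper that applies Christian's generalisation by hand (/home/sysadm/... to /home/*/..., /var/mail/sysadm to /var/mail/) and writes the block back out in policy syntax. The sample block is constructed, and the accepted object modes are only the ones used in this thread (gradm defines more); both are assumptions.

```python
import re

# Constructed sample, not from the post: a subject block as gradm's full learning
# writes it, before the per-user paths are generalised by hand.
LEARNED = """\
subject /usr/bin/mutt o {
    /usr/bin/mutt           x
    /var/mail/sysadm        rw
    /home                   r
    /home/sysadm/mbox       rwcd
    /home/sysadm/postponed  rwcd
    /tmp                    rwcd
    -CAP_ALL
    bind    disabled
    connect disabled
}
"""
KNOWN_MODES = set("rwxhcd")  # modes used in the post's policy; gradm defines more

def parse_subject(text):
    """Parse one 'subject <path> <flags> { ... }' block into a dict."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = re.match(r"subject\s+(\S+)\s*(\S*)\s*\{$", lines[0])
    if not head or lines[-1] != "}":
        raise ValueError("not a well-formed subject block")
    sub = {"path": head.group(1), "flags": head.group(2), "objects": [], "caps": [], "socket": {}}
    for line in lines[1:-1]:
        fields = line.split()
        if line[0] in "+-":                     # capability rule, e.g. -CAP_ALL
            sub["caps"].append(line)
        elif fields[0] in ("bind", "connect"):  # socket policy line
            sub["socket"][fields[0]] = fields[1]
        else:                                   # object rule: <path> <modes>
            path, modes = fields
            if set(modes) - KNOWN_MODES:
                raise ValueError(f"unknown object mode in {modes!r} on {path}")
            sub["objects"].append((path, modes))
    return sub

def generalise_user_paths(sub, user):
    """The post's manual edit: /home/<user>/X -> /home/*/X, /var/mail/<user> -> /var/mail/."""
    home = f"/home/{user}/"
    objs = [("/home/*/" + p[len(home):] if p.startswith(home)
             else "/var/mail/" if p == f"/var/mail/{user}" else p, m)
            for p, m in sub["objects"]]
    return {**sub, "objects": objs}

def render(sub):
    body = [f"\t{p}\t{m}" for p, m in sub["objects"]] + [f"\t{c}" for c in sub["caps"]]
    body += [f"\t{k}\t{v}" for k, v in sub["socket"].items()]
    return "\n".join([f"subject {sub['path']} {sub['flags']} {{", *body, "}"]) + "\n"
```

Running `render(generalise_user_paths(parse_subject(LEARNED), "sysadm"))` gives a block with the same wildcard entries Christian ended up with; an unknown mode letter in an object line is rejected at parse time.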

