wiki:experiences:igraltist:jail_cron
Releases
Current version
Git/Latestdiff: 1.5.6
Latest Snapshots
Produced after each commit or rebase to new upstream version
GIT
RSBAC source code, can be unstable sometimes
Events
No events planned
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
|
wiki:experiences:igraltist:jail_cron [2008/07/12 06:08] 127.0.0.1 (old revision restored) |
wiki:experiences:igraltist:jail_cron [2008/07/12 06:35] 127.0.0.1 (old revision restored) |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ===== | + | This is the modified cron init-script |
| - | So now the next is the cron for setup. | + | |
| - | + | ||
| - | I do the same like for the syslogd. | + | |
| - | + | ||
| - | First modify the cron init-script | + | |
| diff -u cron_org cron | diff -u cron_org cron | ||
| --- cron_org 2008-07-03 04:10:46.000000000 +0200 | --- cron_org 2008-07-03 04:10:46.000000000 +0200 | ||
| +++ cron 2008-07-03 04:12:02.000000000 +0200 | +++ cron 2008-07-03 04:12:02.000000000 +0200 | ||
| @@ -23,7 +23,7 @@ | @@ -23,7 +23,7 @@ | ||
| - | |||
| case "$1" in | case "$1" in | ||
| start) log_daemon_msg "Starting periodic command scheduler" "crond" | start) log_daemon_msg "Starting periodic command scheduler" "crond" | ||
| Line 28: | Line 22: | ||
| - | <6>0000001181|rsbac_adf_request(): request GET_STATUS_DATA, pid 4479, ppid 4473, prog_name df, prog_file /bin/df, uid 0, remote ip 192.168.1.5, target_type DEV, tid block 08:01, attr none, value none, result NOT_GRANTED by JAIL | + | Firstly what to do is, add the jail_flag **'allow-ipc-syslog'** |
| - | + | ||
| - | + | ||
| - | After the cron init-script is modified. | + | |
| - | + | ||
| - | + | ||
| - | This first what to do is, add the jail_flag **'allow-ipc-syslog'** | + | |
| (allow-ipc-syslog) | (allow-ipc-syslog) | ||
| () | () | ||
| Line 40: | Line 28: | ||
| () | () | ||
| - | All services need this wich send data to the syslogd. | + | All services which send data to the syslog need this, if the syslogd is jailed too. |
| - | Thatswhy i started with the syslog-jail firstly, remeber add **'allow-ipc-syslog'** to all services wich get entry in the syslog file. Services like 'squid' or 'postfix' | + | |
| - | I stop the service /etc/init.d/cron stop | + | I stop the service /etc/init.d/cron stop and then I start the service and look on the other terminal. |
| - | Then I start the service and look on the other terminal | + | |
| /etc/init.d/cron start | /etc/init.d/cron start | ||
| Line 53: | Line 40: | ||
| <6>0000001237|rsbac_adf_request(): request WRITE_OPEN, pid 4631, ppid 1, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type DEV, tid char 01:03, attr open_flag, value 32834, result NOT_GRANTED by JAIL | <6>0000001237|rsbac_adf_request(): request WRITE_OPEN, pid 4631, ppid 1, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type DEV, tid char 01:03, attr open_flag, value 32834, result NOT_GRANTED by JAIL | ||
| - | Again search for target_type and request | + | search for target_type and request |
| target_type DEV :: request WRITE_OPEN | target_type DEV :: request WRITE_OPEN | ||
| Line 86: | Line 73: | ||
| "allow-dev-read": "-d" | "allow-dev-read": "-d" | ||
| - | So i add this to the cron-jailfile | + | The rsbac_jail say: |
| + | \- wiki display error | ||
| + | -d = allow read access on devices | ||
| + | |||
| + | So add this to the cron-jailfile | ||
| (allow-ipc-syslog | (allow-ipc-syslog | ||
| allow-dev-write | allow-dev-write | ||
| Line 103: | Line 94: | ||
| And nothing appears on the security-users terminal. | And nothing appears on the security-users terminal. | ||
| So far ok. | So far ok. | ||
| - | **B**ut crond job will comming son, with access to thinks wich are not setup in the moment. | + | |
| + | **B**ut a cronjob will comming son, with access to thinks wich are not setup in the moment. | ||
| For this a speed up the clock (only virtual :-)) to next cronjobs | For this a speed up the clock (only virtual :-)) to next cronjobs | ||
| + | ===== | ||
| + | Now it is 6:25 am and standard cronjobs is starting and on the terminal i see this. | ||
| + | <6>0000001241|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 4732, ppid 4716, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type SCD, tid rlimit, attr none, value none, result NOT_GRANTED by JAIL | ||
| + | always the same, search for target_type | ||
| + | target_type SCD :: request MODIFY_SYSTEM_DATA :: tid rlimit | ||
| + | the target_type change to SCD so now I have to use this [[wiki:experiences/igraltist/jail_flags|scd_flags]]. | ||
| + | The request says it need MODIFY_SYSTEM_DATA this means the categorie four () and rlimit is need. | ||
| + | The MODIFY_SYSTEM_DATA and GET_SYSTEM_DATA have the same scd_flags only the categories are different. | ||
| + | If GET_SYSTEM_DATA is requested then rsbac_jail -G is need otherwise -M for MODIFY. | ||
| + | |||
| + | |||
| + | I add now to cron in categorie four rlimit | ||
| + | (allow-ipc-syslog | ||
| + | allow-dev-write | ||
| + | allow-dev-read) | ||
| + | () | ||
| + | () | ||
| + | (rlimit) | ||
| + | |||
| + | <6>0000001269|rsbac_adf_request(): request GET_STATUS_DATA, pid 4813, ppid 4807, prog_name df, prog_file /bin/df, uid 0, remote ip 192.168.1.5, target_type DEV, tid block 08:01, attr none, value none, result NOT_GRANTED by JAIL | ||
| + | |||
| + | search for target_type, | ||
| + | target_type DEV :: request GET_STATUS_DATA (tid not important in this case) | ||
| + | |||
| + | rsbac_jail says, | ||
| + | \- stupid wiki | ||
| + | -e = allow GET_STATUS_DATA on devices, | ||
| + | |||
| + | this is a jail_flag, so in the first categorie i add 'allow-dev-get-status' | ||
| + | (allow-ipc-syslog | ||
| + | allow-dev-write | ||
| + | allow-dev-read | ||
| + | allow-dev-get-status) | ||
| + | () | ||
| + | () | ||
| + | (rlimit) | ||
| + | |||
| + | |||
| + | <6>0000001300|rsbac_adf_request(): request SEND_SIGNAL, pid 4831, ppid 4830, prog_name syslogd, prog_file /sbin/syslogd, uid 0, remote ip 192.168.1.5, target_type PROCESS, tid 4384, attr none, value none, result NOT_GRANTED by JAIL | ||
| + | | ||
| + | Is never allow in the jail | ||
| + | | ||
| + | |||
| + | <7>0000001301|rsbac_adf_request_jail(): process jail 57 does not match IPC object jail 56 -> NOT_GRANTED! | ||
| + | <6>0000001302|rsbac_adf_request(): request WRITE, pid 4831, ppid 4830, prog_name syslogd, prog_file /sbin/syslogd, uid 0, remote ip 192.168.1.5, target_type IPC, tid AnonPipe-ID 10243, attr none, value none, result NOT_GRANTED by JAIL | ||
| + | |||
| + | This have again a jail_flag, and here is the 'allow-external-ipc' needed | ||
| + | (allow-ipc-syslog | ||
| + | allow-dev-write | ||
| + | allow-dev-read | ||
| + | allow-dev-get-status | ||
| + | allow-external-ipc) | ||
| + | () | ||
| + | () | ||
| + | (rlimit) | ||
| + | |||
| + | |||
| + | |||
| + | Now i restart the cron. | ||
| + | /etc/init.d/cron restart | ||
| + | Restarting periodic command scheduler: crond | ||
| + | This is execute now: | ||
| + | rsbac_jail -y -D -d -e -i -M rlimit start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron -- | ||
wiki/experiences/igraltist/jail_cron.txt · Last modified: 2008/07/12 06:35 by 127.0.0.1