From: Dariusz K. <ta...@ta...> - 2003-08-03 22:29:01

Hello,

Actually, the topic says it all. I cannot run strace on processes. This makes it more difficult to trace the problem if a ruleset is not working.

--
Best regards,
Dariusz                          mailto:ta...@ta...
SCSA, SCNA, LPI, CCNA, MCP certified

From: Marcel F. <fa...@di...> - 2003-08-03 22:50:35

On Sun, Aug 03, 2003 at 03:28:41PM -0700, Dariusz Kulinski wrote:
-> Hello,
->
-> Actually topic says all.
-> I cannot run strace, on processes. This makes more difficult to trace
-> the problem if ruleset is not working.
->

Hello.
I'm just guessing. Have you loaded restricted-debug.cb? Are you running strace as a regular user? I don't know how strace works, but it could use the SYS_PTRACE or SYS_KTRACE syscalls, which are disallowed by the restricted-debug.cb policy. I can be wrong ;)

--
Marcel Falkiewicz : fa...@di...
"He who reaches his ideal thereby grows beyond it." - F. Nietzsche

From: Dariusz K. <ta...@ta...> - 2003-08-03 22:59:40

Hello Marcel,

Sunday, August 3, 2003, 3:51:23 PM, you wrote:

> Hello.
> I'm just guessing. Have you loaded restricted-debug.cb ? Are you
> running strace as a regular user ? I don't know how strace works,
> but it could use SYS_PTRACE or SYS_KTRACE syscalls, which are
> disallowed by the restricted-debug.cb policy. I can be wrong ;)

Well, strace "works" but doesn't give what I expect. As I remember, most of the time it is showing only the execv() of the command that I called. This happens only when I try to trace something that is monitored by cerb.

Anyway, I don't have restricted-debug loaded and I'm running strace as root.

--
Best regards,
Dariusz                          mailto:ta...@ta...
SCSA, SCNA, LPI, CCNA, MCP certified

From: Marcel F. <fa...@di...> - 2003-08-03 23:15:23

On Sun, Aug 03, 2003 at 03:59:22PM -0700, Dariusz Kulinski wrote:
[...]
-> Well strace "works" but doesn't give what I expect. As I remember most
-> of the time is showing execv() of command that I called.
-> Whis happend only when I try to trace something that is monitored by
-> cerb.
->
-> Anyway I don't have restricted-debug loaded and I'm running strace as
-> root.

Guessing again. Maybe strace shows only successful syscalls, thus it doesn't show the syscalls prevented by the policy. If you're creating a new policy, better use CB_PREPARE() instead of userland programs. IMHO it's a bit more useful than tracing everything.

--
Marcel Falkiewicz : fa...@di...
"He who reaches his ideal thereby grows beyond it." - F. Nietzsche

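An added example, not from this thread and not CerbNG, strace or truss code, to check the guess above that a tracer reports only successful syscalls: a minimal ptrace(2) tracer in the style of strace that records what it sees for an open() the child issues on a path that cannot exist. It assumes Linux on x86-64 (it reads orig_rax/rax from struct user_regs_struct), a libc that implements open() with openat(2) as glibc does, and a constructed nonexistent path; the struct and function names are mine.

```c
/* Added example, not from the thread or from CerbNG: a minimal ptrace(2)
 * tracer used to check whether a tracer only reports syscalls that succeed.
 * Assumptions: Linux on x86-64 (orig_rax/rax in struct user_regs_struct) and
 * a libc whose open() is implemented with openat(2), as glibc's is. The child
 * opens a constructed path that does not exist, so the call must fail with
 * ENOENT; the tracer records whether it saw the call and what it returned. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __x86_64__
#error "this example reads x86-64 registers (orig_rax/rax)"
#endif

struct trace_result {
    int seen;     /* 1 if the tracer observed the child's open/openat at all */
    long retval;  /* raw kernel return value: fd on success, -errno on failure */
};

/* Fork a child, trace it with PTRACE_SYSCALL, and report what the tracer saw
 * for the open()/openat() the child issues on 'path'. */
struct trace_result trace_open(const char *path)
{
    struct trace_result r = { 0, 0 };
    int status;
    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return r;
    }
    if (pid == 0) {
        /* Tracee: ask to be traced, stop so the parent can set options,
         * then make the syscall under test and exit. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(99);
        raise(SIGSTOP);
        int fd = open(path, O_RDONLY);
        _exit(fd < 0 ? 2 : 0);
    }

    /* Tracer: wait for the SIGSTOP, then mark syscall stops with bit 0x80 so
     * they can be told apart from ordinary signal stops. */
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return r;
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);

    for (;;) {
        /* Restart with signal 0, so the pending SIGSTOP is not delivered. */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == -1)
            break;
        if (waitpid(pid, &status, 0) == -1)
            break;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;  /* a signal stop, not a syscall stop */

        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1)
            break;
        long nr = (long)regs.orig_rax;
        long rax = (long)regs.rax;
        /* On x86-64 the kernel sets rax to -ENOSYS at the syscall-entry stop;
         * anything else means this is the exit stop carrying the real result. */
        if ((nr == SYS_openat || nr == SYS_open) && rax != -ENOSYS) {
            r.seen = 1;
            r.retval = rax;
        }
    }
    return r;
}

int main(void)
{
    struct trace_result r = trace_open("/nonexistent-dir-for-this-example/file");
    if (!r.seen) {
        printf("open/openat not observed (is ptrace available here?)\n");
        return 1;
    }
    printf("open/openat observed, retval=%ld (%s)\n", r.retval,
           r.retval < 0 ? strerror((int)-r.retval) : "success");
    return 0;
}
```

Build with cc -Wall and run as an ordinary user: the failed call is reported with retval=-2 (No such file or directory). Real strace and truss likewise print failed syscalls together with their errno, so a trace that ends right after execve() is not explained by filtered output alone.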
From: Dariusz K. <ta...@ta...> - 2003-08-03 23:48:19

Hello Marcel,

Sunday, August 3, 2003, 4:16:12 PM, you wrote:

> Guessing again. Maybe strace shows only successful suscalls, thus it
> doesn't show the syscalls prevented by the policy. If you're crating
> a new policy better use CB_PREPARE() instead of userland programs.
> IMHO it's a bit more useful than tracing everything.

Maybe this could be helpful to explain the problem:

[root@freebsd root]# strace /usr/sbin/sshd
execve("/usr/sbin/sshd", ["/usr/sbin/sshd"], [/* 17 vars */]
Aug  3 16:37:26 freebsd /kernel: CerbNG:sshd:bind(): Binding to port 22 [ret=0]. (login=root, pid=2655, ruid=22:euid=22:groups=[ 22 ])
[root@freebsd root]#

When cerber has its rules unloaded, strace starts working. Same with truss (but truss doesn't show absolutely anything; it starts the command and returns to the command prompt).

I wonder why cerber is conflicting with commands like strace & truss. My guess is that "return" stops and doesn't trace the process any further. Is that intended? Well, it could look like a security feature, but it makes everything difficult if existing rules aren't working correctly.

--
Best regards,
Dariusz                          mailto:ta...@ta...
SCSA, SCNA, LPI, CCNA, MCP certified

From: Pawel J. D. <ni...@ga...> - 2003-08-22 22:44:57

On Sun, Aug 03, 2003 at 03:28:41PM -0700, Dariusz Kulinski wrote:
+> Actually topic says all.
+> I cannot run strace, on processes. This makes more difficult to trace
+> the problem if ruleset is not working.

Could you try again with the HEAD branch? I've committed another fix, but I think it should solve this problem as well.

--
Pawel Jakub Dawidek                       pa...@da...
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
