[Apparmor-general] problem with profiling sshd under OpenSuSE 10.2

ps ps at icpnet.pl
Tue Feb 6 04:26:09 MST 2007


ps wrote:
> Seth Arnold wrote:
>> On Sat, Feb 03, 2007 at 11:18:02PM +0100, ps wrote:
>>> Hello
>>> I have recently spent a few days playing with AppArmor on my OpenSuSE 10.2
>>> box. I wanted to create an AppArmor profile for my ssh server. I transferred
>>> the usr.sbin.sshd file which is shipped with OpenSuSE 10.2 to /etc/apparmor.d,
>>> reloaded AppArmor (command: rcapparmor restart) and started the ssh server.
>>> It seemed OK, but when I tried to log in I saw some log trails in
>>> /var/log/audid/audit.log:
>>>
>>> type=APPARMOR msg=audit(1170534772.421:7743): REJECTING access to
>>> capability 'invalid-capability' (sshd(18736) profile /usr/sbin/sshd
>>> active /usr/sbin/sshd)
>> ...
>>> Can anyone explain to me what is wrong with this standard profile shipped
>>> with OpenSuSE 10.2, or is there any bug in the AppArmor implementation in the
>>> newest OpenSuSE? ;)
>> Peter, thanks for the report; first, I'd like to note that the profiles
>> in /etc/apparmor/profiles/extras are of varying quality -- they aren't
>> turned on by default for a reason :)
>>
>> That said, you have indeed found a bug in AppArmor in openSUSE 10.2.
>> Hopefully the next kernel update provided by SUSE for 10.2 will include
>> the patch for apparmor necessary to properly report the new
>> capabilities. (The capabilities are CAP_AUDIT_CONTROL and
>> CAP_AUDIT_WRITE, described in capabilities(7).)
>>
>> You can _try_ adding "capability audit_control," and "capability
>> audit_write," to your sshd profile and reload; I have a vague recollection
>> that we may have had the parser-side support for these new capabilities
>> in time for 10.2.
>>
>> (If that doesn't work, then you can try to use our packages provided on
>> the openSUSE build service; I'll look up the URLs for that tomorrow
>> morning when I'm on a less annoying connection. :)
>>
>> _______________________________________________
>> Apparmor-general mailing list
>> Apparmor-general at forge.novell.com
>> http://forge.novell.com/mailman/listinfo/apparmor-general
> Hello Seth
> Thanks for your answer. Late this evening I will check your advice.
> I will write some notes about the results.
> 
> Best regards
> 
Hello Seth
Early this morning I checked your advice.
When I added the capability CAP_AUDIT_CONTROL and restarted AppArmor,
everything seemed OK. Adding CAP_AUDIT_WRITE didn't work.
I could log in via ssh and there weren't any log trails in
/var/log/audid/audit.log.
Adding CAP_AUDIT_CONTROL helped, but I wonder if adding this capability
is not a security violation.
I checked what is written in man capabilities, but there is no specific
information about security considerations when using this capability.
In the system manual there is only information like this:
"Enable and disable kernel auditing; change auditing filter rules;
retrieve auditing status and filtering rules."
So, what does using this capability in the AppArmor profile for sshd do?
Enable or disable kernel auditing? Judging from the absence of log trails in
audid.log, I think that adding this capability simply switched off
capability checking. Maybe I'm wrong?

Best regards
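As an added example that is not part of this thread, the POSIX sh helper below turns AppArmor "REJECTING access to capability" audit records like the one quoted above into the `capability name,` rules Seth suggests adding to the profile. The sample records are constructed (one record per line, the format of the quoted message); only the profile path /usr/sbin/sshd comes from the page, and the 'invalid-capability' record is flagged as a kernel reporting problem rather than turned into a rule.

```sh
#!/bin/sh
# Added example, not code from the thread or from the AppArmor project.
# Maps AppArmor capability rejections in audit.log to profile rules.

# Constructed sample audit records: the broken 'invalid-capability' report,
# a repeated real rejection for sshd, and one for an unrelated profile.
SAMPLE_AUDIT=$(cat <<'EOF'
type=APPARMOR msg=audit(1170534772.421:7743): REJECTING access to capability 'invalid-capability' (sshd(18736) profile /usr/sbin/sshd active /usr/sbin/sshd)
type=APPARMOR msg=audit(1170534772.425:7744): REJECTING access to capability 'sys_chroot' (sshd(18736) profile /usr/sbin/sshd active /usr/sbin/sshd)
type=APPARMOR msg=audit(1170534772.430:7745): REJECTING access to capability 'sys_chroot' (sshd(18736) profile /usr/sbin/sshd active /usr/sbin/sshd)
type=APPARMOR msg=audit(1170534772.431:7746): REJECTING access to capability 'net_bind_service' (ntpd(200) profile /usr/sbin/ntpd active /usr/sbin/ntpd)
EOF
)

# caps_rejected PROFILE: read audit records on stdin and print the distinct
# capability names rejected for that profile, sorted, one per line.
# '|' is the sed delimiter because the profile name contains slashes.
caps_rejected() {
    profile=$1
    sed -n "s|^.*REJECTING access to capability '\([a-z_-]*\)' ([^ ]* profile $profile .*|\1|p" \
        | sort -u
}

# caps_to_rules PROFILE: emit profile lines for the rejected capabilities.
# 'invalid-capability' is not a capability name: the kernel could not
# report which capability was checked, so no rule is written for it.
caps_to_rules() {
    caps_rejected "$1" | while IFS= read -r cap; do
        case $cap in
            invalid-capability)
                echo "# kernel reported 'invalid-capability': fix the kernel before adding a rule" ;;
            *)
                echo "  capability $cap," ;;
        esac
    done
}

# Usage on the constructed sample (reads the live log with: caps_to_rules /usr/sbin/sshd < /var/log/audit/audit.log).
printf '%s\n' "$SAMPLE_AUDIT" | caps_to_rules /usr/sbin/sshd
```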