I'm currently working on ClickHouse, Valkey and a few other hobby projects.
Take a look at my work GitHub profile @aiven-sal.
saractl is the userspace counterpart of the S.A.R.A. LSM.
License: GNU General Public License v3.0
I have the following rules which cause the "SARA: WXP: failed to load rules." error message when I invoke the saractl load command.
# imagemagick
/usr/bin/animate none
/usr/bin/compare none
/usr/bin/composite none
/usr/bin/conjure none
/usr/bin/convert none
/usr/bin/display none
/usr/bin/identify none
/usr/bin/import none
/usr/bin/mogrify none
/usr/bin/montage none
After downgrading to version 0.1 they work: SARA: WXP: new rules loaded.
I have the global flag set to /* MPROTECT,VERBOSE.
# main.conf
sara_enabled=1 # enable S.A.R.A. LSM
sara_locked=0 # lock S.A.R.A. config
# after it has been loaded
wxprot_enabled=1 # enable WX Protections
wxprot_emutramp_missing_default=none # default option to use
# when emutramp is not
# supported.
# It can be set to "none"
# or "mprotect".
wxprot_xattr_enabled=0 # enable security XATTRs
# support
wxprot_xattr_user_allowed=0 # enable user XATTRs support
cat /proc/config.gz | zgrep SARA
CONFIG_SECURITY_SARA=y
# CONFIG_SECURITY_SARA_DEFAULT_DISABLED is not set
CONFIG_SECURITY_SARA_WXPROT=y
# CONFIG_SECURITY_SARA_WXPROT_DEFAULT_FLAGS_ALL_COMPLAIN_VERBOSE is not set
# CONFIG_SECURITY_SARA_WXPROT_DEFAULT_FLAGS_ALL_ENFORCE_VERBOSE is not set
# CONFIG_SECURITY_SARA_WXPROT_DEFAULT_FLAGS_ALL_ENFORCE is not set
CONFIG_SECURITY_SARA_WXPROT_DEFAULT_FLAGS_NONE=y
# CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP is not set
# CONFIG_SECURITY_SARA_WXPROT_XATTRS_ENABLED is not set
# CONFIG_SECURITY_SARA_WXPROT_DISABLED is not set
CONFIG_SECURITY_SARA_WXPROT_DEFAULT_FLAGS=0
Side note: it would be nice if SARA logged which rules caused the failure. I have several hundred rules (migrated from PaX) and it wasn't easy to find the relevant ones.
Side note 2: When I exec saractl -vvv test, it errors with:
Traceback (most recent call last):
  File "/usr/bin/saractl", line 11, in <module>
    load_entry_point('saractl==0.2', 'console_scripts', 'saractl')()
  File "/usr/lib/python3.6/site-packages/sara/main.py", line 33, in main
    return _main(argv)
  File "/usr/lib/python3.6/site-packages/sara/main.py", line 30, in _main
    return cli.do_cmd()
  File "/usr/lib/python3.6/site-packages/sara/CLI.py", line 132, in do_cmd
    return int(not self._safe_call(self.sara.test))
  File "/usr/lib/python3.6/site-packages/sara/CLI.py", line 67, in _safe_call
    return fname(*args, **kwargs)
  File "/usr/lib/python3.6/site-packages/sara/Sara.py", line 56, in test
    if not self.__sml.test_config():
  File "/usr/lib/python3.6/site-packages/sara/SubModLoader.py", line 198, in test_config
    self.__load_config_objects_binary()
  File "/usr/lib/python3.6/site-packages/sara/SubModLoader.py", line 299, in __load_config_objects_binary
    extra_files=exf)
  File "/usr/lib/python3.6/site-packages/sara/submodules/wxprot.py", line 109, in __init__
    extra_files=extra_files)
  File "/usr/lib/python3.6/site-packages/sara/submodules/BaseConfig.py", line 80, in __init__
    self.build_dicts_from_binary()
  File "/usr/lib/python3.6/site-packages/sara/submodules/wxprot.py", line 348, in build_dicts_from_binary
    raise WXPBinaryException('wrong magic number')
sara.submodules.wxprot.WXPBinaryException: WX protection binary error: wrong magic number.
Currently, when run as an unprivileged user, saractl prints various errors. It would be nice if it could check the invoking user and propose rerunning as root.
Currently only trailing wildcards are supported in the saractl config. It would be nice to also have support for a wildcard inside the path, like: /bin/*/local/xyz.
For example, Ubuntu snaps put binaries under /snap/<name>/<revision>/usr/bin/<binary>, where the revision number changes on every update, which makes it hard to manage with saractl.
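As an added illustration (not saractl's code), the matching difference this request is about: the trailing-only wildcard described above beside an in-path wildcard that stays inside one path component. The rule table, the longest-match precedence and the /snap/*/*/usr/bin/xyz rule are assumptions made for this example.

```python
import re

# Rule table constructed from rules quoted in this thread, plus one
# hypothetical in-path wildcard rule of the kind the post asks for.
RULES = [
    ("*", "MPROTECT,VERBOSE"),                          # global default
    ("/usr/lib/sara-test/*", "mprotect,verbose"),
    ("/usr/lib/sara-test/procattr", "mmap,complain,verbose"),
    ("/snap/*/*/usr/bin/xyz", "mprotect,verbose"),     # hypothetical: one '*' per snap name and revision
]


def match_trailing(pattern: str, path: str) -> bool:
    """Today's behaviour as the post describes it: '*' is honoured only at the
    end of the pattern, where it matches any suffix; anything else is exact."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def _to_regex(pattern: str) -> str:
    # An inner '*' stays within one path component ([^/]*), so a rule written
    # for /snap/<name>/<revision>/... cannot silently widen to deeper trees.
    body = "[^/]*".join(re.escape(part) for part in pattern.split("*"))
    if pattern.endswith("*"):            # a trailing '*' keeps its prefix semantics
        body = body[: -len("[^/]*")] + ".*"
    return body


def match_inpath(pattern: str, path: str) -> bool:
    """Requested behaviour: '*' allowed anywhere in the path."""
    return re.fullmatch(_to_regex(pattern), path) is not None


def lookup(path: str, rules=RULES, in_path_wildcards: bool = False):
    """Return the flags of the most specific (longest) matching rule, or None.
    Longest-pattern precedence is an assumption made for this example."""
    matcher = match_inpath if in_path_wildcards else match_trailing
    best = None
    for pattern, flags in rules:
        if matcher(pattern, path) and (best is None or len(pattern) > len(best[0])):
            best = (pattern, flags)
    return best[1] if best else None


if __name__ == "__main__":
    snap_bin = "/snap/xyz/42/usr/bin/xyz"
    print("trailing-only:", lookup(snap_bin))                         # falls back to '*'
    print("in-path      :", lookup(snap_bin, in_path_wildcards=True))
```

With trailing-only matching the snap binary silently falls back to the global rule, which is exactly the management problem the report describes.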
Hi!
I prepared systemd units for loading the saractl config at startup and reloading the rules automatically on every config change. I think you can add them to the saractl package. All files should be installed to /usr/lib/systemd/system or /lib/systemd/system, depending on the distribution.
# /usr/lib/systemd/system/saractl.service
[Unit]
Description=Userspace counterpart of the S.A.R.A. LSM
DefaultDependencies=no
After=systemd-remount-fs.service
Before=sysinit.target
ConditionPathExists=/sys/kernel/security/sara
[Service]
Type=oneshot
ExecStart=/usr/bin/saractl startup
[Install]
WantedBy=sysinit.target
# /usr/lib/systemd/system/saractl-reload.service
[Unit]
Description=Userspace counterpart of the S.A.R.A. LSM
[Service]
Type=oneshot
ExecStart=/usr/bin/saractl load
# /usr/lib/systemd/system/saractl-reload.path
[Unit]
Description=Userspace counterpart of the S.A.R.A. LSM
ConditionPathExists=/sys/kernel/security/sara
[Path]
PathChanged=/etc/sara/wxprot.conf.d/
[Install]
WantedBy=multi-user.target
To enable and start the units at system startup, run:
systemctl enable saractl.service
systemctl start saractl.service
systemctl enable saractl-reload.path
systemctl start saractl-reload.path
Hi! I hope I'm not annoying you with all those reports. SARA is an interesting tool and I'm glad you created it. I'm currently trying to deploy it, but I'm not sure about what options are available and their correct syntax. I saw a few example options in various places:
$ cat /etc/sara/wxprot.conf.d/99_wxprot.conf
#path flags
#* FULL,COMPLAIN,VERBOSE
$ cat /etc/sara/wxprot.conf.d/10_saratest.conf
/usr/bin/sara-test mprotect,verbose
/usr/lib/sara-test/* mprotect,verbose
/usr/lib/sara-test/procattr mmap,complain,verbose
/usr/lib/sara-test/fake_tramp mprotect,emutramp_or_mprotect,verbose
/usr/lib/sara-test/trampoline* mprotect,emutramp_or_mprotect,verbose
https://github.com/smeso/sara-test/blob/master/README.rst
SOURCE_PATH/bin/* mprotect,relro,verbose
SOURCE_PATH/bin/procattr relro,complain,verbose
SOURCE_PATH/bin/fake_tramp mprotect,emutramp,relro,verbose
SOURCE_PATH/bin/trampoline* mprotect,emutramp,relro,verbose
It would be nice to create a list of all available and valid options and a simple explanation of how they can be used for a blacklist or whitelist approach.
EDIT: ok, I found them here: https://github.com/smeso/saractl/blob/ec5e9ab13be20d464d9f0286d9854b506fe686cd/sara/submodules/wxprot.py#L124. I'll study it.
# saractl -v startup
'utf-8' codec can't decode byte 0xd0 in position 24: invalid continuation byte
# saractl -v load
'utf-8' codec can't decode byte 0xd0 in position 24: invalid continuation byte
# saractl -v status
SARA: enabled
Configuration: unlocked
WX Protection: enabled
Default: MPROTECT, WXORX, VERBOSE, COMPLAIN
Version: 0
WX Protection: configuration not loaded
Archlinux
Kernel 4.13.2
CONFIG_SECURITY_SARA=y
CONFIG_SECURITY_SARA_DEFAULT_DISABLED=y
CONFIG_SECURITY_SARA_NO_RUNTIME_ENABLE=y
CONFIG_SECURITY_SARA_WXPROT=y
CONFIG_SECURITY_SARA_WXPROT_DEFAULT_FLAGS_ALL_COMPLAIN_VERBOSE=y
# CONFIG_SECURITY_SARA_WXPROT_DEFAULT_FLAGS_ALL_ENFORCE_VERBOSE is not set
# CONFIG_SECURITY_SARA_WXPROT_DEFAULT_FLAGS_ALL_ENFORCE is not set
# CONFIG_SECURITY_SARA_WXPROT_DEFAULT_FLAGS_NONE is not set
CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP=y
# CONFIG_SECURITY_SARA_WXPROT_DISABLED is not set
CONFIG_SECURITY_SARA_WXPROT_DEFAULT_FLAGS=0x3f
Sorry for constantly haunting you, but I have another minor issue:
sudo saractl -vvv test
Traceback (most recent call last):
  File "/usr/bin/saractl", line 11, in <module>
    load_entry_point('saractl==0.2', 'console_scripts', 'saractl')()
  File "/usr/lib/python3.6/site-packages/sara/main.py", line 33, in main
    return _main(argv)
  File "/usr/lib/python3.6/site-packages/sara/main.py", line 30, in _main
    return cli.do_cmd()
  File "/usr/lib/python3.6/site-packages/sara/CLI.py", line 132, in do_cmd
    return int(not self._safe_call(self.sara.test))
  File "/usr/lib/python3.6/site-packages/sara/CLI.py", line 67, in _safe_call
    return fname(*args, **kwargs)
  File "/usr/lib/python3.6/site-packages/sara/Sara.py", line 56, in test
    if not self.__sml.test_config():
  File "/usr/lib/python3.6/site-packages/sara/SubModLoader.py", line 198, in test_config
    self.__load_config_objects_binary()
  File "/usr/lib/python3.6/site-packages/sara/SubModLoader.py", line 299, in __load_config_objects_binary
    extra_files=exf)
  File "/usr/lib/python3.6/site-packages/sara/submodules/wxprot.py", line 111, in __init__
    extra_files=extra_files)
  File "/usr/lib/python3.6/site-packages/sara/submodules/BaseConfig.py", line 80, in __init__
    self.build_dicts_from_binary()
  File "/usr/lib/python3.6/site-packages/sara/submodules/wxprot.py", line 355, in build_dicts_from_binary
    raise WXPBinaryException('wrong magic number')
sara.submodules.wxprot.WXPBinaryException: WX protection binary error: wrong magic number.
My setup is the same as in #9.
Currently, if the global flags are set like:
* MPROTECT,VERBOSE
SARA logs the flags for every started binary + any violations.
If flags are set like:
* MPROTECT
It isn't logging anything.
I would like to have an option to log only violations, as otherwise the logs are extremely cluttered. Maybe the "VERBOSE" flag should report only violations by default?
Logging something like this isn't very useful:
SARA: WXP: '/usr/lib/sara-test/trampoline_exstack' run with flags '0x12f'.
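An added example, not part of the report or of saractl: a defender-side filter that collapses the per-exec "run with flags" lines quoted above into a per-binary summary and keeps only the remaining SARA: WXP: messages (rule-load status and anything else, such as violations). The sample log is constructed; the "denied" line in it is a hypothetical violation message, since the real wording is not shown in this thread.

```python
import re
from collections import defaultdict

# The per-exec message quoted in the thread: one line per started binary.
EXEC_RE = re.compile(
    r"SARA: WXP: '(?P<path>[^']+)' run with flags '(?P<flags>0x[0-9a-fA-F]+)'\.")
WXP_PREFIX = "SARA: WXP: "

# Constructed sample. The rule-load messages and the per-exec line are taken
# from this thread; the 'denied' line is hypothetical, not S.A.R.A.'s wording.
SAMPLE_LOG = """\
kernel: SARA: WXP: new rules loaded.
kernel: SARA: WXP: '/usr/lib/sara-test/trampoline_exstack' run with flags '0x12f'.
kernel: SARA: WXP: '/usr/lib/sara-test/trampoline_exstack' run with flags '0x12f'.
kernel: SARA: WXP: '/usr/bin/convert' run with flags '0x3'.
kernel: SARA: WXP: '/usr/lib/sara-test/procattr' denied mprotect (hypothetical line)
kernel: SARA: WXP: failed to load rules.
"""


def triage(log_text: str):
    """Split SARA WXP log lines into per-exec flag records and everything else.

    Returns (kept, execs): 'kept' holds the lines a defender still wants to
    read (rule-load status, any violation); 'execs' maps binary -> {flags: count}
    so the noisy per-exec lines shrink to one summary entry per binary.
    """
    kept = []
    execs = defaultdict(lambda: defaultdict(int))
    for raw in log_text.splitlines():
        idx = raw.find(WXP_PREFIX)
        if idx < 0:
            continue                       # not a S.A.R.A. WXP message
        msg = raw[idx:]
        m = EXEC_RE.fullmatch(msg)
        if m:
            execs[m["path"]][m["flags"]] += 1
        else:
            kept.append(msg)
    return kept, {p: dict(f) for p, f in execs.items()}


def binaries_with_flags(execs, flags: str):
    """Binaries seen running under a given flag value, e.g. to spot everything
    still covered by the global default instead of a per-binary rule."""
    return sorted(p for p, seen in execs.items() if flags in seen)


if __name__ == "__main__":
    kept, execs = triage(SAMPLE_LOG)
    print("\n".join(kept))
    print(execs)
```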