FAPOLICYD in RHEL8.6 - Blocking SSHD

rgsurfs

New Member
Joined
Jun 14, 2021
Messages
2
Reaction score
0
Credits
58
### I disabled FIPS mode and rebooted.
### I set fapolicyd to permissive mode.
### I made three three rules:

echo 'allow perm=any dir=execdirs : all trust=0' > /etc/fapolicyd/rules.d/80-my-rules.rules
echo 'allow perm=any dir=systemdirs : all trust=0' >> /etc/fapolicyd/rules.d/80-my-rules.rules
echo 'deny_syslog perm=any all : all' >> /etc/fapolicyd/rules.d/80-my-rules.rules

### I restarted services
fapolicyd-cli --update
systemctl restart fapolicyd

### watching logs
tail -f /var/log/messages

### I went to another server and tried to SSH in
### shows somethings are being logged as if they would be blocked.
### I get an error about nessus_agent
Mar 14 16:35:09 robertttttt fapolicyd[1806]: rule=15 dec=deny_syslog perm=open auid=-1 pid=1281 exe=/opt/nessus_agent/sbin/nessus-agent-module : path=/opt/nessus_agent/lib/nessus/plugins/known_CA.inc ftype=text/plain trust=0

### I add a new rule to allow nessus_agent and move the deny rule to the end of the list
echo 'allow perm=any dir=/opt/nessus_agent/ : all trust=0' >> /etc/fapolicyd/rules.d/80-my-rules.rules

### I restart services and tail the log with a grep for nessus
### block has cleared

### I tail the log for sshd
### I get the sshd block message:
Mar 14 16:38:17 robertttttt fapolicyd[1938]: rule=15 dec=deny_syslog perm=open auid=1000 pid=2108 exe=/usr/sbin/sshd : path=/usr/bin/bash ftype=application/x-executab
le trust=1

### I add a rule to allow sshd and move the deny rule to the end of the list
echo 'allow perm=open exe=/usr/sbin/sshd : dir=/usr/bin/ ftype=application/x-executable trust=1' >> /etc/fapolicyd/rules.d/80-my-rules.rules

### I restart services and the sshd blocked message clears:
### now I get all kinds of block messages about /etc/, /home/usr/lib/...

Mar 14 16:44:35 robertttttt fapolicyd[2454]: rule=17 dec=deny_syslog perm=open auid=1000 pid=2497 exe=/usr/bin/basename : path=/usr/lib/locale/en_US.utf8/LC_CTYPE fty
pe=application/octet-stream trust=1
Mar 14 16:44:35 robertttttt fapolicyd[2454]: rule=17 dec=deny_syslog perm=open auid=1000 pid=2465 exe=/usr/bin/bash : path=/etc/profile.d/sh.local ftype=text/plain tr
ust=0
Mar 14 16:44:35 robertttttt fapolicyd[2454]: rule=17 dec=deny_syslog perm=open auid=1000 pid=2465 exe=/usr/bin/bash : path=/etc/bashrc ftype=text/plain trust=0
Mar 14 16:44:35 robertttttt fapolicyd[2454]: rule=17 dec=deny_syslog perm=open auid=1000 pid=2465 exe=/usr/bin/bash : path=/home/rttttd/.bash_profile ftype=text/pl
ain trust=0
Mar 14 16:44:36 robertttttt fapolicyd[2454]: rule=17 dec=deny_syslog perm=open auid=1000 pid=2465 exe=/usr/bin/bash : path=/home/rttttd/.bashrc ftype=text/plain tr
ust=0
Mar 14 16:44:36 robertttttt fapolicyd[2454]: rule=17 dec=deny_syslog perm=open auid=1000 pid=2465 exe=/usr/bin/bash : path=/etc/bashrc ftype=text/plain trust=0

### Am I supposed to just keep stepping through these blocks, one x one x one ?????? Seems like there should be an easier way???

### When I take FAPOLICYD out of permissive mode and restart the service.
### I can SSH to the server but can't do much:
-bash: /etc/profile: Operation not permitted
-bash: /home/rttttd/.bash_profile: Operation not permitted

### Here is my rule dump:
-> %languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/x-java,application/x-java-applet,application/javascript,text/ja
vascript,text/x-awk,text/x-gawk,text/x-lisp,application/x-elc,text/x-lua,text/x-m4,text/x-nftables,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-sc
ript.guile,text/x-tcl,text/x-luatex,text/x-systemtap
1. allow perm=any uid=0 : dir=/var/tmp/
2. allow perm=any uid=0 trust=1 : all
3. allow perm=open exe=/usr/bin/rpm : all
4. allow perm=open exe=/usr/libexec/platform-python3.6 comm=dnf : all
5. deny_audit perm=any pattern=ld_so : all
6. deny_audit perm=any all : ftype=application/x-bad-elf
7. allow perm=open all : ftype=application/x-sharedlib trust=1
8. deny_audit perm=open all : ftype=application/x-sharedlib
9. allow perm=execute all : trust=1
10. allow perm=open all : ftype=%languages trust=1
11. deny_audit perm=any all : ftype=%languages
12. allow perm=any all : ftype=text/x-shellscript
13. allow perm=any dir=execdirs : all trust=0
14. allow perm=any dir=systemdirs : all trust=0
15. allow perm=any dir=/opt/nessus_agent/ : all trust=0
16. allow perm=open exe=/usr/sbin/sshd : dir=/usr/bin/ ftype=application/x-executable trust=1
17. deny_syslog perm=any all : all
18. deny_audit perm=execute all : all
19. allow perm=open all : all
[root@robertttttt rules.d]#


Robert
 


FIXED

These rules are not working for me.
allow perm=any dir=execdirs : all
allow perm=any dir=systemdirs : all

I had to set my 80-my-rules.rules file to this and now I can SSH again:
allow perm=any dir=/usr/bin : all
allow perm=any dir=/usr/sbin : all
allow perm=any dir=/bin/ : all
allow perm=any dir=/sbin/ : all
allow perm=any dir=/usr/lib/systemd/ : all
deny perm=any all : all
 
FIXED

These rules are not working for me.
allow perm=any dir=execdirs : all
allow perm=any dir=systemdirs : all

I had to set my 80-my-rules.rules file to this and now I can SSH again:
allow perm=any dir=/usr/bin : all
allow perm=any dir=/usr/sbin : all
allow perm=any dir=/bin/ : all
allow perm=any dir=/sbin/ : all
allow perm=any dir=/usr/lib/systemd/ : all
deny perm=any all : all
Welcome to the forum!
 

Members online


Top