Mod-security (mlogc) problem

Arthur Dent misc.lists at blueyonder.co.uk
Thu Apr 8 08:40:41 UTC 2010 

On Thu, 2010-04-08 at 08:42 +0200, Dominick Grift wrote:

[snip]
> 
> I gather that these access vectors denials are caused by the actual mod_security module. Since the source in the interaction is the httpd programs.
> 
> This brings us to a security issue need to consider and deal with.
> 
> As you can see: httpd_t is not allowed to create directories with type httpd_log_t and is not allowed to write to files with type httpd_log_t. This is because normally it does not need this permissions.
> 
> Httpd_t writing to its log file is a bad idea. Consider for example a cracker compromizing the web server trying to erase his audit trail by removing entries from the httpd log files.
> 
> So how can we deal with this? Well there are something we should investigate.
> 
> Can we configure mod_security to use a custom location for its log files?
> Maybe we do not have to:
> 
> Can you tell me which directories in /var/log/httpd are owned by mod_security?

OK - Here is the story:

I have been using mod-security for some time now with none of theses
shenanigans...

Normally mod-security writes its logs to /var/log/httpd/ (the same place
as the apache logs) and there are only 2 files:
/var/log/httpd/modsec_audit.log
/var/log/httpd/modsec_debug.log

The audit log being the main workhorse where each individual mod-sec
action was recorded.
 
All of that was fine. mlogc was not involved.

Recently, I decided to start using the Mod-Security Community Console, a
(java-based I think) web app for viewing, and giving more user-friendly
detail of, all the alerts produced by mod-sec.

This requires a different approach to logging and this is where mlogc
comes in.

Mod-security has two logging modes, serial and concurrent. "Serial"
places all alerts in the above mod-sec.audit.log. "Concurrent" logging,
on the other hand, places log files in separate directories
corresponding to the time that the log was generated. This is what is
required by the Console app.

This is configured from
the /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf file with
the following directives:

For Concurrent logging:-
SecAuditLogType Concurrent #(sets logging type)
SecDataDir /var/log/httpd/modsec_data # Sets log location
SecAuditLogStorageDir /var/log/httpd/mlogc/data # Location for for detailed logs
SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf" # Pipes the alerts to mlogc

For Serial Logging:-
#SecAuditLogType Serial
#SecAuditLog logs/modsec_audit.log

Mlogc has its own configuration:
/etc/mlogc.conf

I reproduce it in full here:


# cat /etc/mlogc.conf
##########################################################################
# Required configuration
#   At a minimum, the items in this section will need to be adjusted to
#   fit your environment.  The remaining options are optional.
##########################################################################

# Points to the root of the installation. All relative
# paths will be resolved with the help of this path.
CollectorRoot       "/var/log/httpd/mlogc"

# ModSecurity Console receiving URI. You can change the host
# and the port parts but leave everything else as is.
ConsoleURI          "https://127.0.0.1:8888/rpc/auditLogReceiver"

# Sensor credentials
SensorUsername      "MCS"
SensorPassword      "mypassword"

# Base directory where the audit logs are stored.  This can be specified
# as a path relative to the CollectorRoot, or a full path.
LogStorageDir       "data"

# Transaction log will contain the information on all log collector
# activities that happen between checkpoints. The transaction log
# is used to recover data in case of a crash (or if Apache kills
# the process).
TransactionLog      "mlogc-transaction.log"

# The file where the pending audit log entry data is kept. This file
# is updated on every checkpoint.
QueuePath           "mlogc-queue.log"

# The location of the error log.
ErrorLog            "mlogc-error.log"

# The location of the lock file.
LockFile            "mlogc.lck"

# Keep audit log entries after sending? (0=false 1=true)
# NOTE: This is required to be set in SecAuditLog mlogc config if you
# are going to use a secondary console via SecAuditLog2.
KeepEntries         0


##########################################################################
# Optional configuration
##########################################################################

# The error log level controls how much detail there
# will be in the error log. The levels are as follows:
#   0 - NONE
#   1 - ERROR
#   2 - WARNING
#   3 - NOTICE
#   4 - DEBUG
#   5 - DEBUG2
#
ErrorLogLevel       3

# How many concurrent connections to the server
# are we allowed to open at the same time? Log collector uses
# multiple connections in order to speed up audit log transfer.
# This is especially needed when the communication takes place
# over a slow link (e.g. not over a LAN).
MaxConnections      10

# How many requests a worker will process before recycling itself.
# This is to help prevent problems due to any memory leaks that may
# exists.  If this is set to 0, then no maximum is imposed. The default
# is 1000 requests per worker (the number of workers is controlled by
the
# MaxConnections limit).
MaxWorkerRequests   1000

# The time each connection will sit idle before being reused,
# in milliseconds. Increase if you don't want ModSecurity Console
# to be hit with too many log collector requests.
TransactionDelay    50

# The time to wait before initialization on startup in milliseconds.
# Increase if mlogc is starting faster then termination when the
# sensor is reloaded.
StartupDelay        5000

# How often is the pending audit log entry data going to be written
# to a file. The default is 15 seconds.
CheckpointInterval  15

# If the server fails all threads will back down until the
# problem is sorted. The management thread will periodically
# launch a thread to test the server. The default is to test
# once in 60 seconds.
ServerErrorTimeout  60

# The following two parameters are not used yet, but
# reserved for future expansion.
# KeepAlive         150
# KeepAliveTimeout  300

#################################################################################

I think most of that is self-explanatory. Note especially the ConsoleURI
"https://127.0.0.1:8888/rpc/auditLogReceiver" directive. This punts the
alerts into the Console which listens on port 8888, and this is the
answer to one of your later questions.

Note however that I am also experimenting with another Console app (also
Java based, which does exactly the same thing in the same way) but in
this case listens on port 8443.

> 
> I am think about creating a file type transition from the generic log files type or httpd log files type to a mlogc log files type to be created by us.
> This will benefit security as:
> 
> 1. Hopefully mlogc_t will no longer need to manage files with type httpd_log_t.
> 2. httpd_t (mod_security) will no longer need to create directories wuth type httpd_log_t and will no longer need to write to files with type httpd_log_t.
> 
> We must try to find the best solution to the above securities issue so again: two questions:
> 
> 1. does mod_security (mayve its configuration file) allow us to specify a location to store mod_security log files?
> 2. if the answer to 1. is no, then can you tell me which directories in /var/log/httpd are used (owned) by mod_security for logging?

The answer to 1 is yes as you can see above.
> 
> > Raw Audit Messages :
> > 
> > node=troodos.org.uk type=AVC msg=audit(1270679720.128:45085): avc: denied { name_connect } for pid=1869 comm="mlogc" dest=8888 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket 
> > node=troodos.org.uk type=SYSCALL msg=audit(1270679720.128:45085): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=b62fa910 a2=4cb9a8 a3=0 items=0 ppid=937 pid=1869 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> 
> The mlogc program tries to tcp network connect to port 8888, which currently is labeled with a generic port type.
> 
> 1. Why is it connecting to the network?
> 2. What is listening on tcp:8888 on the other side?

That's the Console app as described above.

> 
> We have to find some answers before we can start implementing a proper solution.

[snip]

> The above denials were what actually caused your issue in the first place. The only difference now is that instead of httpd_t, now mlogc_t need the access.
> 
> Add the following to your mlogc.te file:
> 
> pcscd_read_pub_files(mlogc_t)
> 
> That should allow mlogc_t to read pcscd pid files.

Done that - thanks..

> 
> > 
> > 
> > And as I was copying the above, this one came in...
> > 
> > Raw Audit Messages :
> > 
> > node=troodos.org.uk type=AVC msg=audit(1270680011.472:45102): avc: denied { dac_override } for pid=952 comm="mlogc" capability=1 scontext=unconfined_u:system_r:mlogc_t:s0 tcontext=unconfined_u:system_r:mlogc_t:s0 tclass=capability 
> > node=troodos.org.uk type=SYSCALL msg=audit(1270680011.472:45102): arch=40000003 syscall=5 success=yes exit=6 a0=b76fd170 a1=82c1 a2=1b6 a3=856 items=0 ppid=937 pid=952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mlogc" exe="/usr/bin/mlogc" subj=unconfined_u:system_r:mlogc_t:s0 key=(null) 
> > 
> > 
> 
> The above means that root/mlogc is overriding traditional security. For example accessing a location not owned by root. We should figure out which location it is that mlogc tries to access that is not owned by root. Once we determine this, we can make the right security decision.
> 
> 
> Now we are getting into the harder aspect of writing policy. 
> Writing a template for a new domain and just allowing access is not so hard. 
> What is harder is: making solid security decisions. 
> 
> 
> What is it doing
> why is it doing it
> who is doing it to who
> Is this a threat
> why is it a threat
> how can we neutralize it?
> 
> fun!

For you maybe ;)

OK - I hope the above helps...

By the way since my last message I have had another 71 AVcs - too many
to post, and doubtless many duplicates, but here is what audit2allow has
to say about them:

# ausearch -m AVC -ts today | audit2allow -R

require {
	type mlogc_t;
	type httpd_t;
	class capability { sys_nice dac_override };
	class process { setsched signal getsched };
	class sem { read write create unix_write destroy };
}

#============= httpd_t ==============
allow httpd_t mlogc_t:process signal;

#============= mlogc_t ==============
allow mlogc_t self:capability { sys_nice dac_override };
allow mlogc_t self:process { setsched getsched };
allow mlogc_t self:sem { read write create unix_write destroy };
files_rw_etc_files(mlogc_t)
miscfiles_rw_localization(mlogc_t)



Thanks again for all your help!

Cheers

Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100408/a19c882e/attachment-0001.bin

More information about the selinux mailing list