Atomic Secure Linux

Post subject: [asl-2.0] kernel 2.6.32.28
Posted: Tue Feb 15, 2011 5:37 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7779
Location: earth
This is a minor update from .27 to .28, primarily focused on maintaining congruence with Upstream. The full changelog is available here:

http://www.kernel.org/pub/linux/kernel/ ... -2.6.32.28

Changelog:
* Update to 2.6.32.28
* Update grsecurity to 201102121148
* Dazuko modules rebuilt for this release
* Open-v-tools updated to 301124

To upgrade:
yum upgrade kernel

or

yum upgrade kernel-PAE


Post subject: Re: [asl-2.0] kernel 2.6.32.28
Posted: Sun Feb 20, 2011 10:15 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
I can't find the link right now, but does this kernel require a special setting if you're running Plesk like .27 did? (I hope I'm making sense.)

_________________
Lemonbit Internet Dedicated Server Management


Post subject: Re: [asl-2.0] kernel 2.6.32.28
Posted: Sun Feb 20, 2011 2:59 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3548
Location: Chantilly, VA
Do you mean the ptrace protections? Yes, you will have to disable that protection if you get the ptrace messages with Plesk (most Plesk users will not need to do this, only if you get the ptrace messages):

https://www.atomicorp.com/wiki/index.ph ... _ptrace_of

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: [asl-2.0] kernel 2.6.32.28
Posted: Sun Feb 20, 2011 3:36 pm
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
mikeshinn wrote:
Do you mean the ptrace protections?


Ah yes, I believe I do.

mikeshinn wrote:
Yes, you will have to disable that protection if you get the ptrace messages with Plesk (most Plesk users will not need to do this, only if you get the ptrace messages):

https://www.atomicorp.com/wiki/index.ph ... _ptrace_of


Thanks for that link. Can you tell me which users will need to do this? I would like to avoid having to reboot servers after getting those ptrace messages, but if I don't need to disable the protections I'd rather not disable them of course.

_________________
Lemonbit Internet Dedicated Server Management


Post subject: Re: [asl-2.0] kernel 2.6.32.28
Posted: Sun Feb 27, 2011 9:04 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
*bump*

Is there any way to determine beforehand whether we'll need to disable the ptrace protections when upgrading to the latest ASL kernel? Currently still on 2.6.32.21-3.art which doesn't have the ptrace protections AFAIK.

_________________
Lemonbit Internet Dedicated Server Management


Post subject: Re: [asl-2.0] kernel 2.6.32.28
Posted: Sun Feb 27, 2011 10:34 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3548
Location: Chantilly, VA
It's hard to say; we don't use the Plesk products that have this bug. It seems to only affect certain Plesk products and not PSA, for example. So PSA 8, 9 and 10 don't have this bug; perhaps it's some add-on from Parallels that is broken.

The safest approach (not most secure) is to just disable these protections if you aren't sure. However, if you leave it enabled it's a harmless condition: if you are unlucky enough to have one of the Parallels products with this bug, the ptrace protections will NOT affect your users or domains. It just seems to be a bug in the License Manager for some tangential add-on, if memory serves (Dr. Web maybe, or some other add-on I forget). In every case, no one reported any adverse effects, just a question about what the message meant. So, you might even be able to live with it.

In short, if you don't see the ptrace protection message, then you don't have one of the products from Parallels that has this bug and you can be safe and secure. If you aren't sure, then disable the protection. And if you do have one of the buggy Parallels products, then unfortunately you will not be able to protect your system from that kind of attack (because apparently Parallels needs that kind of capability on your system).

I hope this helps.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: [asl-2.0] kernel 2.6.32.28
Posted: Sun Feb 27, 2011 10:47 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
Thanks. I thought a plain PSA install might also trigger these messages, but apparently that's not the case, so I'll just leave the ptrace protections enabled then.

_________________
Lemonbit Internet Dedicated Server Management


Post subject: Re: [asl-2.0] kernel 2.6.32.28
Posted: Sat Mar 12, 2011 11:51 pm
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
I get a couple of messages like this every five minutes in /var/log/messages after upgrading to the 2.6.32.28-1 ASL kernel:

Quote:
Mar 13 04:22:02 hostname kernel: grsec: process /usr/bin/sw-engine(sw-engine:3360) attached to via ptrace by /usr/bin/sw-engine[sw-engine:3363] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sw-engine[sw-engine:3360] uid/euid:0/0 gid/egid:0/0


I don't see this message discussed in the FAQ. What does this mean exactly? Do I need to disable the ptrace protections to get rid of this or is nothing wrong?

_________________
Lemonbit Internet Dedicated Server Management


Last edited by breun on Sun Mar 13, 2011 1:47 pm, edited 1 time in total.

Post subject: Re: [asl-2.0] kernel 2.6.32.28
Posted: Sun Mar 13, 2011 10:44 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7779
Location: earth
That's the auditing for ptrace; it's just saying something worth noting is happening with ptrace. You can turn that off in proc; the device is called:

/proc/sys/kernel/grsecurity/audit_ptrace


Post subject: Re: [asl-2.0] kernel 2.6.32.28
Posted: Mon Mar 14, 2011 5:01 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3548
Location: Chantilly, VA
https://www.atomicorp.com/wiki/index.ph ... _ptrace_by

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: [asl-2.0] kernel 2.6.32.28
Posted: Tue Mar 22, 2011 3:45 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
I just encountered a client's Plesk installation where the Plesk License Manager page throws a 500 Internal Server error since running a kernel with ptrace protections. According to /var/log/messages this is a case of 'denied ptrace of /usr/bin/sw-engine-cgi'.

I don't understand why this server apparently needs the ptrace protections to be disabled and others don't. I'd like to be able to predict (or know, actually) whether a server needs this to be off, because now I need to go and reboot a production server.

_________________
Lemonbit Internet Dedicated Server Management
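
Added example, not part of the original thread or Atomicorp's tooling: a shell filter that separates the two grsec ptrace messages quoted in this thread, the audit notice ("attached to via ptrace by") and the enforcement denial ("denied ptrace of"), and counts them per target binary. The sample log is constructed; the fields after the path in the denial line are an assumption, since the thread quotes only the 'denied ptrace of /usr/bin/sw-engine-cgi' fragment.

```shell
#!/bin/sh
# Added example: triage grsecurity ptrace messages from syslog text on stdin.
# Prints one line per (kind, target binary): "<count> <kind> <path>"
#   audit  = "attached to via ptrace by"  (ptrace auditing, nothing blocked)
#   denied = "denied ptrace of"           (blocked by the ptrace protection)
grsec_ptrace_summary() {
    sed -n \
        -e 's|.*grsec: process \(/[^( ]*\)(.*attached to via ptrace by.*|audit \1|p' \
        -e 's|.*grsec: denied ptrace of \(/[^( ]*\).*|denied \1|p' |
        LC_ALL=C sort | uniq -c | awk '{ print $1, $2, $3 }'
}

# Exit status 0 when the log on stdin contains at least one denial,
# i.e. something on this host is actually being blocked.
grsec_ptrace_denied() {
    grsec_ptrace_summary | grep ' denied ' >/dev/null
}

# Constructed sample log. The audit lines follow the format quoted in the
# thread; the denial line is built around the quoted fragment and its
# trailing fields are an assumption.
sample_log() {
    cat <<'EOF'
Mar 13 04:22:02 hostname kernel: grsec: process /usr/bin/sw-engine(sw-engine:3360) attached to via ptrace by /usr/bin/sw-engine[sw-engine:3363] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sw-engine[sw-engine:3360] uid/euid:0/0 gid/egid:0/0
Mar 13 04:27:02 hostname kernel: grsec: process /usr/bin/sw-engine(sw-engine:3391) attached to via ptrace by /usr/bin/sw-engine[sw-engine:3394] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/sw-engine[sw-engine:3391] uid/euid:0/0 gid/egid:0/0
Mar 22 03:40:11 hostname kernel: grsec: denied ptrace of /usr/bin/sw-engine-cgi(sw-engine-cgi:4121) by /usr/bin/sw-engine-cgi[sw-engine-cgi:4123]
Mar 22 03:41:00 hostname crond[812]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Stand-alone run: summarise the constructed sample.
sample_log | grsec_ptrace_summary
```

On a real host, feed it the log instead of the sample: `grsec_ptrace_summary < /var/log/messages`.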


Post subject: Re: [asl-2.0] kernel 2.6.32.28
Posted: Tue Mar 22, 2011 11:08 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3548
Location: Chantilly, VA
I wish we could say. As I'm sure you know, it's a "feature" in some Parallels products that causes the 500 error, and we have no idea either which of their products they have added it to or will add it to next. You may want to ask Parallels which of their products includes this "feature".

If you aren't sure, you could just assume Parallels has added this bug into all their products, in which case just turn off this protection on all your systems.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: [asl-2.0] kernel 2.6.32.28
Posted: Wed Mar 23, 2011 3:54 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
I have just checked and the License Manager pages on all of our Plesk 9.5.4 servers aren't working because of the ptrace protections. Guess I'll have to disable them everywhere then.

_________________
Lemonbit Internet Dedicated Server Management


Post subject: Re: [asl-2.0] kernel 2.6.32.28
Posted: Wed Mar 23, 2011 4:26 am
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 839
Location: Germany
Maybe this (sptrace) could help by integrating it into ASL?
Just an idea. So instead of checking that ptrace is called it could be limited to specific users and the check from ASL could be changed?
I don't know if it's useful and secure enough or not. Just an idea...

http://scripts.top4download.com/sptrace/ltdgu.html


Post subject: Re: [asl-2.0] kernel 2.6.32.28
Posted: Wed Mar 23, 2011 7:11 pm
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
I just found out that ptrace protections can actually be disabled without a reboot, so that makes things less bad. Indeed, disabling ptrace protections makes the License Manager page in Plesk (9.5.4) work again.

_________________
Lemonbit Internet Dedicated Server Management

