The officially official Devuan Forum!


#1 2017-09-18 07:10:23

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 140
Website

Strange Bash under grsecurity's exec logging

I'm almost certain it will happen, because I tried it in my master Air-Gapped system which this systemmodel MBO and most other hardware) is a dd'ed clone of, and very fresh: only browsed https://dev1galaxy.org/ just to send an email and to post (first or only today's post) in
Grsecurity/Pax installation on Devuan GNU/Linux
https://dev1galaxy.org/viewtopic.php?id=596
(BTW see there about what exec_logging and audit_chdir features of grsecurity are).

mr@gdOv:~$ cd src/linux-4.9.50
mr@gdOv:~/src/linux-4.9.50$

And now I type, without hitting Tab up to this point "make menucon":

mr@gdOv:~/src/linux-4.9.50$ make menucon

And, sure, I need the complete command, which is "make menuconfig". And I will next hit Tab.

But I'll run my uncenz script, but without going online, to get the reader a very clear understanding (along with the paste of the lines that will appear before the viewer's eyes in /var/log/kern.log, which is being tail'ed to the fore in the terminal on my screen, in the bottom left, with "tail -f").

There. It's 46 seconds of mystery, for me, now... The Screen_170918_0646_gdO.mkv which I get with my uncenz (primitive) program I need to convert to be web-friendly. I'll do it with:

i=Screen_170918_0646_gdO ; ffmpeg -i ${i}.mkv -map 0:v -b:v 200k -c:v libvpx -qmin 0 -qmax 20 -crf 5 ${i}.webm

At second 28 from the start, after I moved the mouse for you to turn your attention to where the logs will start to flow, in the bottom left, I just, you of course don't see it, but I just hit Tab, with the cursor positioned right after "make menucon".

Previously you saw me copy the time count of the rsyslog's line, and paste it into the prepared command line that only waited for that input, and it, upon my later hitting Enter on that command, went like this:

root@gdOv:/home/mr# echo 0 > /proc/sys/kernel/grsecurity/tpe ; echo 0 >  /proc/sys/kernel/grsecurity/tpe_restrict_all ; 
root@gdOv:/home/mr# cat /var/log/kern.log | grep -aE -A300000  12983.777942 > kern.log_$(date +%y%m%d_%H%M%S)_$(hostname)0
root@gdOv:/home/mr# ls -l kern.log_170918_064755_gdOv0 
-rw-r--r-- 1 root root 97748 2017-09-18 06:47 kern.log_170918_064755_gdOv0
root@gdOv:/home/mr# 

That's a lot of log lines, isn't it?

And here I'll post it for your perusal, in the next post.

Just, I believe in hashing and timestamping when credibility is necessary with strange events in computing. So, first, before I make the screencast available on https://www.CroatiaFidelis.hr, as well as the kern.log_170918_064755_gdOv0 created above, here are their hashes:

f687eb6412b9880eb5bffe076671e942f2eaa061344dac25e1c88d762138ec8b  Screen_170918_0646_gdO.webm
1d3b3ba803567142c01b9014d9d509802781b31397509950d98a7fa79ce76cfc  kern.log_170918_064755_gdOv0

Till the next post.


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html
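
An added example, not part of the original post: one way to triage a kern.log slice like the one saved above is to cut the log at the copied kernel timestamp and count exec audit lines per executed binary and parent. The sample lines are constructed in an assumed shape for grsecurity exec/chdir audit output, and the function names `slice_from` and `summarize_execs` are hypothetical.

```shell
#!/bin/sh
# Added example: sample lines are constructed, in an assumed shape for
# grsecurity exec/chdir audit lines; they are not from the poster's log.
sample_log() {
cat <<'EOF'
Sep 18 06:46:20 gdOv kernel: [12975.120011] grsec: exec of /usr/bin/tail (tail -f /var/log/kern.log ) by /usr/bin/tail[bash:2210] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:2188] uid/euid:0/0 gid/egid:0/0
Sep 18 06:46:28 gdOv kernel: [12983.777942] grsec: exec of /usr/bin/make (make ARGS ) by /usr/bin/make[bash:2301] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2101] uid/euid:1000/1000 gid/egid:1000/1000
Sep 18 06:46:28 gdOv kernel: [12983.781200] grsec: exec of /bin/sh (sh -c ARGS ) by /bin/sh[make:2302] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/make[make:2301] uid/euid:1000/1000 gid/egid:1000/1000
Sep 18 06:46:28 gdOv kernel: [12983.790455] grsec: chdir to /home/mr/src/linux-4.9.50 by /bin/sh[sh:2302] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/make[make:2301] uid/euid:1000/1000 gid/egid:1000/1000
Sep 18 06:46:28 gdOv kernel: [12983.801007] grsec: exec of /usr/bin/gcc (gcc ARGS ) by /usr/bin/gcc[sh:2303] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/sh[sh:2302] uid/euid:1000/1000 gid/egid:1000/1000
Sep 18 06:46:28 gdOv kernel: [12983.812330] grsec: exec of /bin/sh (sh -c ARGS ) by /bin/sh[make:2304] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/make[make:2301] uid/euid:1000/1000 gid/egid:1000/1000
EOF
}

# Print everything from the first line carrying the given kernel timestamp.
# index() is a fixed-string match, so the "." is not a regex wildcard.
slice_from() {
    awk -v m="[$1]" 'found || index($0, m) { found = 1; print }'
}

# Count exec audit lines per "executed path <- parent path", busiest first.
summarize_execs() {
    awk '
    /grsec: exec of / {
        s = $0; sub(/.*grsec: exec of /, "", s)
        exe = s; sub(/ \(.*/, "", exe)
        par = s; sub(/.*, parent /, "", par); sub(/\[.*/, "", par)
        n[exe " <- " par]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

sample_log | slice_from 12983.777942 | summarize_execs
```

On a real log, replace `sample_log` with `cat /var/log/kern.log`; the parent column shows at a glance which process spawned the burst of execs.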


#2 2017-09-18 13:12:38

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 140
Website

Re: Strange Bash under grsecurity's exec logging

I've posted what I promised at:
Strange script planted with Bash 2
https://www.croatiafidelis.hr/foss/cap/ … bash-2.php

I don't believe the possible issue here, and it does seem to me to be something very fishy in there... is related in particular way to Devuan, other than Devuan being a Linux, the vulnerable distro, because the good ways have been rejected because the geniuses that kept patching Mr Linux's kernel were attempted to be ripped off of their code, by Google, and likely in (but that I don't claim) with at least the approval of, if not in cahoots with, the aforesaid mister in charge...

Ah, but grsecurity has been taken the baton of by, I hope to God, competent people, one of them being our own, Devuan's own developer parazyd! I hope minipli, parazyd and friends make it... (Read about it in the link to grsec installation on Devuan below, in post(s) three days ago or so, of mine there.)

Aah...

Use grsecurity:

Grsecurity/Pax installation on Devuan GNU/Linux
https://dev1galaxy.org/viewtopic.php?id=596

It's the only hope left for Linux kernel's security...

Last edited by miroR (2017-09-18 13:15:47)



#3 2017-09-24 11:39:56

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 140
Website

Re: Strange Bash under grsecurity's exec logging

In case there's anybody looking more seriously into these quirks/(exploits?), the system is Asrock Extreme 4
https://www.asrock.com/mb/AMD/970%20Extreme4/
You can also find out more details at:
Use old amd64 gentoo image on new amd64 hardware, possible?
https://forums.gentoo.org/viewtopic-t-940916.html
That's when I bought those MBO's and most of the other components.

