My Favorites

Close

Please to see your favorites.

  • Bookmark
  • Email Document
  • Printer Friendly
  • Favorite
  • Rating:

Cannot login over SSH after enabling LAuS auditing

This document (7001932) is provided subject to the disclaimer at the end of this document.

Environment

Novell SUSE Linux Enterprise Server 9
Novell SUSE Linux Enterprise Server 10
LAuS Linux Audit-Subsystem

Situation

After enabling the Linux audit subsystem users are unable to login to the server using ssh. Only the console login works. Logs show an error similar to:

kernel: SubDomain: REJECTING rw access to /dev/audit (sshd(6576) profile /usr/sbin/sshd active /usr/sbin/sshd)

Resolution

The problem is caused by the AppArmor profile not granting sufficient permissions.
To resolve this problem, the profile needs to be updated.

Note: the commands mentioned must be run as the root user.

For SLES 10, there are two ways to do this:

1. From the terminal as root, run
logprof

This program will scan the log for apparmor rejects and ask for permission to add them to the appropriate profile.

OR

2. Edit the profile by hand. To do this open /etc/apparmor.d/usr.sbin.sshd  and add the following two lines:
/dev/audit rw,
capability sys_admin,
somewhere (order does not matter for apparmor rules) inside the /usr/sbin/sshd {  } block. Save the profile, and then update the profile being enforced by the kernel by either running
rcapparmor restart
or
cat /etc/apparmor.d/usr.sbin.sshd | apparmor_parser -r
or
reboot, as the profile is reloaded as part of the boot process.

For SLES 9, do one of the following (the following commands must be run as the root user):

1. From the terminal as root run
logprof

This program will scan the log for apparmor rejects and ask for permission to add them to the appropriate profile.

OR

2. Edit the profile by hand. To do this open/etc/subdomain.d/usr.sbin.sshd and add the following two lines:
/dev/audit rw,
capability sys_admin,
somewhere (order does not matter for subdomain rules) inside the /usr/sbin/sshd {  } block.
save the profile, and then update the profile being enforced by the kernel by either running
rcsubdomain restart
or
cat /etc/subdomain.d/usr.sbin.sshd | subdomain_parser -r

or
reboot, as the profile is reloaded as part of the boot process.


Usually, following the above steps will resolve the problem. However, after doing these steps, the problem may persist. In that case, you may be seeing iterative profile development. It is possible that a PAM module will throw multiple rejection messages, but in most cases it will die as soon as it throws a single message. To resolve this, continue the process of resolving the rejects by running logprof again.

If simply re-running logprof repeatedly doesn't resolve the problem, run genprof. Basically, genprof is just a special front end for logprof. Genprof throws the profile into a complain mode that allows all accesses. Be aware that you have to exercise the program and then scan for events for it to work. The steps are:

1. Run
genprof <some program>
(in this case, genprof /usr/sbin/sshd)
at which point it waits for you to exercise the program.

2. Open another terminal and exercise the program (in this case logging into sshd).

3. Exit the program you ran in step 2. (logout sshd).

4. Go back to the terminal running genprof.

5. Hit "s" to scan for events. Genprof will display a dialog like logprof, asking to allow the events.

6. When all done hit finish to save.

Additional Information

For  SLES9, some of the naming was "subdomain" instead of "apparmor." Profiles are stored in /etc/apparmor.d/ or  /etc/subdomain.d. Profiles follow a standard naming convention of taking the fully qualified path name of the program they confine and dropping the leading "/" and substituting "." for all the
others.  So  the profile file name for the "/usr/sbin/sshd" program is "usr.sbin.sshd". As another example, "/bin/ping" would be "bin.ping".

The currently loaded profiles and their status as to complain etc, can be found by executing the following command:

For SLES9:
cat /subdomain/profiles

For SLES10
cat /apparmor/profiles

For SLES10sp2
cat /sys/kernel/security/apparmor/profiles

To test if subdomain (SLES9) is loaded, use:
lsmod | grep subdomain
To test if apparmor (SLES10) is loaded, use:
lsmod | grep apparmor

rcsubdomain
run w/o switches, will return the command line syntax help.

To verify that subdomain (SLES9) is loaded on your system, run
rcsubdomain status
To verify that apparmor (SLES10) is loaded on your system, run
rcapparmor status

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7001932
  • Creation Date:18-NOV-08
  • Modified Date:27-APR-12
    • SUSESUSE Linux Enterprise Server

Did this document solve your problem? Provide Feedback

< Back to Support Search

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center