
Cannot login over SSH after enabling LAuS auditing

This document (7001932) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 9
 

Situation

LAuS (Linux Audit Subsystem):
After enabling the Linux audit subsystem, users are unable to log in to the server using ssh; only the console login works. The logs show an error similar to:

kernel: SubDomain: REJECTING rw access to /dev/audit (sshd(6576) profile /usr/sbin/sshd active /usr/sbin/sshd)

Resolution

The problem is caused by the AppArmor profile for sshd: it does not grant the access to /dev/audit (and the capability) that the audit subsystem needs, so the kernel rejects the access and the login fails before PAM completes.
To resolve this problem, the profile needs to be updated.

Note: the commands mentioned must be run as the root user.

For SLES 10, there are two ways to do this:

1. From the terminal as root, run
logprof

This program will scan the log for AppArmor rejects and ask for permission to add them to the appropriate profile. Accept only the accesses you expect sshd to need (here /dev/audit and the sys_admin capability); every rule you grant widens what the confined daemon may do.

OR

2. Edit the profile by hand. To do this open /etc/apparmor.d/usr.sbin.sshd and add the following two lines:
/dev/audit rw,
capability sys_admin,

somewhere inside the /usr/sbin/sshd { } block (order does not matter for AppArmor rules). Save the profile, and then load the updated profile into the kernel by running either
rcapparmor restart
or
cat /etc/apparmor.d/usr.sbin.sshd | apparmor_parser -r
or
reboot, as the profiles are reloaded as part of the boot process.

For SLES 9, do one of the following (the following commands must be run as the root user):

1. From the terminal as root, run
logprof

This program will scan the log for SubDomain rejects and ask for permission to add them to the appropriate profile. As on SLES 10, grant only the accesses sshd actually needs.

OR

2. Edit the profile by hand. To do this open /etc/subdomain.d/usr.sbin.sshd and add the following two lines:
/dev/audit rw,
capability sys_admin,

somewhere inside the /usr/sbin/sshd { } block (order does not matter for SubDomain rules).
Save the profile, and then load the updated profile into the kernel by running either
rcsubdomain restart
or
cat /etc/subdomain.d/usr.sbin.sshd | subdomain_parser -r
or
reboot, as the profiles are reloaded as part of the boot process.


Usually, following the above steps will resolve the problem. If the problem persists after these steps, you are seeing iterative profile development: a PAM module may need several accesses that the profile does not grant, but in most cases the process dies as soon as the first one is rejected, so each login attempt surfaces only one new reject in the log. To resolve this, repeat the cycle (attempt a login, then run logprof again and grant the new reject) until the login succeeds.

If simply re-running logprof repeatedly doesn't resolve the problem, run genprof. Basically, genprof is a special front end for logprof: it puts the profile into complain mode, in which all accesses are allowed but logged, so one login attempt records every access the program needs instead of only the first rejected one. Be aware that you have to exercise the program and then scan for events for it to work. The steps are:

1. Run
genprof <some program>
(in this case, genprof /usr/sbin/sshd)
at which point it waits for you to exercise the program.

2. Open another terminal and exercise the program (in this case, log in over ssh).

3. Exit the program you ran in step 2 (log out of the ssh session).

4. Go back to the terminal running genprof.

5. Hit "s" to scan for events. genprof will display a dialog like logprof, asking whether to allow each event.

6. When all events have been handled, choose Finish to save the profile. The profile is then returned to enforce mode.
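The manual edit above (adding rules inside the profile block, the same on SLES 10 and SLES 9) and the logprof/genprof loop can be mechanised for the common file-access reject. The script below is an added example written for this article; it is not part of SUSE's tools or of the AppArmor/SubDomain utilities. It parses reject lines of the shape shown under Situation into rules, derives the profile file name from the program path (the convention described under Additional Information), and inserts each missing rule into that profile exactly once. The log lines, the /bin/ping line and the temporary profile directory are constructed for the demo; on a real system the directory is /etc/apparmor.d (SLES 10) or /etc/subdomain.d (SLES 9) and the script must run as root. Capability rejects use a different message format and are not parsed here, so the sys_admin rule is added explicitly, as the article does. Review every rule before granting it: a reject only proves the program attempted an access, not that the access should be allowed.

```shell
#!/bin/sh
# Added example, not code from the SUSE article or from AppArmor: a small
# logprof-style loop. Reject lines -> rules -> profile file, idempotently.
# The sample log and profile directory below are constructed for the demo.

# Profile file name for a confined program: drop the leading "/" and replace
# every other "/" with "." (/usr/sbin/sshd -> usr.sbin.sshd).
profile_name() {
    printf '%s\n' "$1" | sed -e 's#^/##' -e 's#/#.#g'
}

# Turn one reject line into "<path> <mode>,|<program>". Only the file-access
# message shape shown in the article is handled; anything else yields nothing,
# so unknown messages never become rules by accident.
reject_to_rule() {
    printf '%s\n' "$1" | sed -n \
        's#.*REJECTING \([a-z]*\) access to \([^ ]*\) (.* profile \([^ ]*\) .*#\2 \1,|\3#p'
}

# True if the profile file ($1) already carries rule $2 (ignoring indentation).
has_rule() {
    awk -v r="$2" '
        { s = $0; sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); if (s == r) found = 1 }
        END { exit !found }' "$1"
}

# Insert rule $2 right after the "<program> {" line of profile $1 unless it is
# already present. Rule order inside the block does not matter to AppArmor.
add_rule() {
    has_rule "$1" "$2" && return 0
    awk -v r="  $2" '
        { print }
        /^\/.*[{][ \t]*$/ && !done { print r; done = 1 }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Walk a log file ($2): every parsable reject becomes a rule in the matching
# profile under directory $1. Prints one line per rule added or skipped.
apply_rejects() {
    dir=$1 log=$2
    while IFS= read -r line; do
        out=$(reject_to_rule "$line")
        [ -n "$out" ] || continue
        rule=${out%%|*} prog=${out##*|}
        pf="$dir/$(profile_name "$prog")"
        [ -f "$pf" ] || { echo "no profile for $prog, skipping"; continue; }
        has_rule "$pf" "$rule" && continue
        add_rule "$pf" "$rule" && echo "$pf: added '$rule'"
    done < "$log"
    return 0
}

# --- Demo on a throwaway profile directory (constructed data) ---------------
DEMO=$(mktemp -d)
cat > "$DEMO/usr.sbin.sshd" <<'EOF'
#include <tunables/global>
/usr/sbin/sshd {
  #include <abstractions/base>
  /etc/ssh/sshd_config r,
}
EOF
# First line is the one from the article; the second is a repeat (must not
# produce a duplicate rule); the third names a program with no profile file.
cat > "$DEMO/rejects.log" <<'EOF'
kernel: SubDomain: REJECTING rw access to /dev/audit (sshd(6576) profile /usr/sbin/sshd active /usr/sbin/sshd)
kernel: SubDomain: REJECTING rw access to /dev/audit (sshd(6591) profile /usr/sbin/sshd active /usr/sbin/sshd)
kernel: SubDomain: REJECTING r access to /etc/hosts (ping(7001) profile /bin/ping active /bin/ping)
EOF
apply_rejects "$DEMO" "$DEMO/rejects.log"
# Capability rejects are logged in a different form, so add that rule by hand.
add_rule "$DEMO/usr.sbin.sshd" "capability sys_admin,"
cat "$DEMO/usr.sbin.sshd"
# Next step on a real system (as root): apparmor_parser -r /etc/apparmor.d/usr.sbin.sshd
```

The demo leaves the resulting profile in the temporary directory rather than loading it: never feed a test profile for /usr/sbin/sshd to apparmor_parser on a live machine, since it would replace the real one. Reload only the edited file under /etc/apparmor.d (or /etc/subdomain.d), then re-test the ssh login and repeat if a new reject appears.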

Additional Information

For SLES 9, some of the naming was "subdomain" instead of "apparmor": profiles are stored in /etc/subdomain.d on SLES 9 and in /etc/apparmor.d on SLES 10. Profiles follow a standard naming convention: take the fully qualified path name of the program they confine, drop the leading "/" and substitute "." for all the other slashes. So the profile file name for the "/usr/sbin/sshd" program is "usr.sbin.sshd". As another example, "/bin/ping" would be "bin.ping".

The currently loaded profiles, and whether each is in enforce or complain mode, can be listed by executing the following command:

For SLES9:
cat /subdomain/profiles

For SLES10
cat /apparmor/profiles

For SLES10sp2
cat /sys/kernel/security/apparmor/profiles

To test if subdomain (SLES9) is loaded, use:
lsmod | grep subdomain
To test if apparmor (SLES10) is loaded, use:
lsmod | grep apparmor

rcsubdomain run without arguments prints its command line usage.

To verify that subdomain (SLES9) is loaded on your system, run
rcsubdomain status
To verify that apparmor (SLES10) is loaded on your system, run
rcapparmor status

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7001932
  • Creation Date: 18-Nov-2008
  • Modified Date: 05-Mar-2021
    • SUSE Linux Enterprise Server
