Wednesday, 29 January 2014

Using syslog in a chroot jail

If your system uses chroot jails, you should enable separate logging inside them so that important messages, such as break-in attempts, are not lost: a jailed process cannot reach the host's /dev/log socket, so without its own logging path the jail is silent.

1. Set up the chroot jail.
The jail requires a dedicated filesystem (in this example "/var/local/chroot") and a small selection of executables and libraries. These should be copied directly from the installed OS and refreshed after every major OS patch or update, because a stale copy inside the jail is an unpatched binary that only the jailed users ever reach. (There are many scripts available on the web that automate the building of a jail, so I won't list all the steps.)

# AIX /dev/null is character device 2,2; confirm with "ls -l /dev/null" on the host
mknod /var/local/chroot/dev/null c 2 2
chmod 666 /var/local/chroot/dev/null

# the shell, plus the libraries the copied binaries import ("dump -H <binary>" lists them on AIX)
cp -p /usr/bin/ksh /var/local/chroot/usr/bin/
cp -p /usr/lib/libcrypt.a /var/local/chroot/usr/lib/
cp -p /usr/lib/libc.a /var/local/chroot/usr/lib/
cp -p /usr/lib/libodm.a /var/local/chroot/usr/lib/
cp -p /usr/lib/libsrc.a /var/local/chroot/usr/lib/

# the two daemons that will run inside the jail
cp -p /usr/sbin/sftp-server /var/local/chroot/usr/sbin
cp -p /usr/sbin/syslogd /var/local/chroot/usr/sbin

2. A chroot'ed syslog daemon is required for each jail so that events raised inside the jail are logged at all: jailed processes can only reach the /dev/log socket inside the jail, which this daemon creates (-p) and reads, and its own configuration file then writes the events locally or forwards them to the global syslog. These processes should be started AFTER the main syslog daemon and are therefore placed at the end of "/etc/inittab" as follows:

syslogJAIL:23456789:once:chroot /var/local/chroot /usr/sbin/syslogd -f /etc/chroot.conf -p /dev/log

Note:    The "chroot.conf" file lives inside the jail (syslogd reads it after the chroot, so the -f and -p paths are relative to the jail root). It can write to a local file, as below, or send alerts to a remote/central log host with the usual "@loghost" action, e.g.

*.debug;local3.none                 /var/adm/sftp.log               rotate size 1m files 21 compress

3. The sshd daemon runs from within each jail and therefore needs its own "sshd_config" file:

Protocol 2
PermitRootLogin no
# host-based auth trusts the client machine's host key; IgnoreUserKnownHosts stops
# users from extending that trust through their own ~/.ssh/known_hosts
IgnoreUserKnownHosts yes
PermitEmptyPasswords no
HostbasedAuthentication yes
SyslogFacility AUTH
UsePrivilegeSeparation yes
# passwords are off globally and re-enabled only for the jailed account in the Match block
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups netadm netsadm sftpgrp
# sftp-server logs to the same facility at VERBOSE so every file operation is recorded
Subsystem      sftp    /usr/sbin/sftp-server -f AUTH -l VERBOSE
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Match must be the last section: everything below it applies only to the matched users
Match User jailed_user
        PasswordAuthentication yes

A login file (e.g. the jailed user's .profile, which only an interactive login shell reads) prevents the jailed users from spawning a shell, e.g.

# ignore every catchable signal so ^C cannot interrupt the script before it exits
trap "" 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
echo "This account may not be used for shell login!";exit 0
# not reached: the exit above ends the login shell
trap 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

Note that this only stops interactive logins. Both sftp-server and a remote command ("ssh host ksh") are run through "ksh -c", which never reads the profile, so SFTP keeps working but a user who asks for a command still gets a shell. Forcing the session with "ForceCommand internal-sftp" in the Match block is the stronger control.

AIX normally recognises a jailed user by the "/./" component in their home-directory path in "/etc/passwd" (the marker that the OpenSSH chroot patch looks for). This can cause problems when the jailed user tries to SSH or SFTP to the parent system. In that case you need to find the AIX chroot patch for your version of SSH and recompile it.
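The checks worth running after building the jail and after every OS update, as an added example that is not part of the original post: a POSIX sh audit that compares the jail's copies of ksh, sftp-server and syslogd against the host binaries, inspects /dev/null, verifies that the syslogJAIL inittab entry comes after the host's syslog start and chroots into the right tree, and confirms that the global section of sshd_config refuses passwords and root logins. It assumes that the host syslogd is started from /etc/rc.tcpip under the inittab id "rctcpip" (the AIX default), and it takes an optional HOSTROOT argument so that it can be exercised against a scratch tree without root.

```sh
#!/bin/sh
# jail_audit: read-only audit of a chroot jail built as described in this post.
# Added example, not code from the original post. Assumptions: the host syslogd is
# started by /etc/rc.tcpip, whose /etc/inittab id is "rctcpip"; the jailed entry
# uses the id "syslogJAIL" from the post; HOSTROOT defaults to "/" and exists only
# so the audit can be exercised against a scratch tree without root.
#
# usage: jail_audit JAIL INITTAB SSHD_CONFIG [HOSTROOT] [HOST_SYSLOG_ID]
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
jail_audit() {
    jail=$1 inittab=$2 sshcfg=$3 host=${4:-} hostid=${5:-rctcpip}
    rc=0

    # 1. Everything the jailed ksh/sftp-server/syslogd chain needs must exist...
    for f in usr/bin/ksh usr/sbin/sftp-server usr/sbin/syslogd etc/chroot.conf; do
        [ -f "$jail/$f" ] || { echo "missing: $jail/$f"; rc=1; }
    done
    # ...and must be byte-identical to the host copy: a copy left behind by an OS
    # patch is an unpatched sftp-server that only the jailed users ever reach.
    for f in usr/bin/ksh usr/sbin/sftp-server usr/sbin/syslogd; do
        if [ -f "$host/$f" ] && [ -f "$jail/$f" ] && ! cmp -s "$host/$f" "$jail/$f"; then
            echo "stale: $jail/$f differs from $host/$f"; rc=1
        fi
    done

    # 2. /dev/null: the character device from mknod, world-writable from chmod 666.
    if [ -c "$jail/dev/null" ]; then
        mode=$(ls -ld "$jail/dev/null" | cut -c1-10)
        [ "$mode" = "crw-rw-rw-" ] || { echo "dev/null: mode is $mode, expected crw-rw-rw-"; rc=1; }
    else
        echo "dev/null: missing or not a character device"; rc=1
    fi

    # 3. The post starts the jailed syslogd after the host's, so its inittab line
    #    must come later, and its command must chroot into this jail, not another.
    hostln=$(grep -n "^$hostid:" "$inittab" | cut -d: -f1 | head -n 1)
    jailln=$(grep -n "^syslogJAIL:" "$inittab" | cut -d: -f1 | head -n 1)
    if [ -z "$jailln" ]; then
        echo "inittab: no syslogJAIL entry"; rc=1
    else
        if [ -n "$hostln" ] && [ "$jailln" -lt "$hostln" ]; then
            echo "inittab: syslogJAIL starts before $hostid"; rc=1
        fi
        case $(sed -n "${jailln}p" "$inittab") in
            *"chroot $jail "*) ;;
            *) echo "inittab: syslogJAIL entry does not chroot into $jail"; rc=1 ;;
        esac
    fi

    # 4. sshd_config: the global section (everything before the first Match) must
    #    refuse passwords and root logins; sshd honours the FIRST value of a keyword,
    #    so a later "no" does not rescue an earlier "yes".
    for kv in "passwordauthentication no" "permitrootlogin no"; do
        key=${kv% *} want=${kv#* }
        got=$(awk -v k="$key" 'tolower($1)=="match"{exit}
                                tolower($1)==k && v==""{v=tolower($2)}
                                END{print v}' "$sshcfg")
        [ "$got" = "$want" ] || { echo "sshd_config: global $key is '${got:-unset}', expected $want"; rc=1; }
    done
    return $rc
}

# On the host: sh jail_audit.sh /var/local/chroot /etc/inittab /etc/ssh/sshd_config
if [ $# -ge 3 ]; then
    jail_audit "$@"
fi
```

The staleness check is the one that matters most over time: the post's instruction to re-copy the binaries after each OS patch is easy to forget, and nothing on the host will complain when the jail's sftp-server falls behind. Run the audit from cron and treat any non-zero exit as a ticket.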
