[lxc-users] lxc-security: iptables audit with nflog not working with default settings (insecure)

Fiedler Roman Roman.Fiedler at ait.ac.at
Wed Mar 18 15:19:22 UTC 2015


> From: lxc-users [mailto:lxc-users-bounces at lists.linuxcontainers.org] On
> behalf of Fajar A. Nugraha
>
> On Wed, Mar 11, 2015 at 8:03 PM, Fiedler Roman <Roman.Fiedler at ait.ac.at>
> wrote:
> > But the current issue is different: The guest can snoop on the NFLOG
> > messages generated on host and destined for the host and hence can get
> > knowledge of ANY NFLOGed connection of host or any guest, no matter if on
> > same bridge or another one.
>
> Ah, sorry I misunderstood your problem.
>
> All I can say is that it works for me on my simple test. I have ulogd2
> on both host and guest, and if you look at my iptables command on the
> host and guest, they are almost identical (including nflog group)
> except for chain names (forward/input/output). The logged packets are
> from the correct one (the one inside the container has in/out=eth0,
> while the one on the host has in/out=br0).
>
> That was on Ubuntu 14.10 (kernel 3.16) with lxc-1.1 from daily ppa, so
> you might want to try that before filing a bug report to ubuntu.

OK, I think I understand it now:

On my setup, the packets captured by iptables firewall use the correct NFLOG 
group and make it to the ulogd on the host BUT the log lines end up in kernel 
message ring buffer (dump with dmesg) and those messages can be 
read/manipulated by both host AND guest.

As there is an rsyslog running in the guest, extracting messages from the 
kernel message buffer from time to time, this will consume those messages and 
write them to the guest logs.

With that information, I found a report [1] suggesting to use "echo 1 > 
/proc/sys/kernel/dmesg_restrict", but that somehow fails.

At least we can now change the subject to "dmesg insecure with default 
settings".

Roman


[1] http://unix.stackexchange.com/questions/103576/container-lockdown
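An added audit check (not code from the thread or from LXC itself) for the two conditions the message describes: firewall rules whose output goes to the kernel ring buffer, and whether dmesg_restrict is set so that unprivileged readers, including processes in a container, cannot read that buffer. The iptables-save text and the sysctl file path are constructed inputs; function names are hypothetical.

```shell
#!/bin/sh
# Constructed iptables-save excerpt for offline use (not from the thread).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i br0 -p tcp --dport 22 -j LOG --log-prefix "ssh: "
-A FORWARD -i br0 -j NFLOG --nflog-group 1 --nflog-prefix "fwd: "
-A FORWARD -o br0 -j LOG --log-prefix "fwd-out: "
COMMIT'

# Count rules on stdin that use the LOG target (printk into the kernel
# ring buffer, i.e. what dmesg shows).
count_log_rules() {
    grep -c -E -- '-j LOG( |$)' || true
}

# Count rules on stdin that use NFLOG (netlink group, read by ulogd).
count_nflog_rules() {
    grep -c -E -- '-j NFLOG( |$)' || true
}

# Print restricted / unrestricted / unknown for the dmesg_restrict sysctl.
# $1 (optional): path to the sysctl file; defaults to the live one.
dmesg_restrict_state() {
    f="${1:-/proc/sys/kernel/dmesg_restrict}"
    if [ -r "$f" ]; then
        case "$(cat "$f")" in
            1) echo restricted ;;
            0) echo unrestricted ;;
            *) echo unknown ;;
        esac
    else
        echo unknown
    fi
}

# Combine both checks: LOG rules plus a readable ring buffer means the
# audit lines are visible to any process that can run dmesg.
# $1: iptables-save text; $2 (optional): sysctl path for testing.
audit_firewall_logging() {
    logs=$(printf '%s\n' "$1" | count_log_rules)
    state=$(dmesg_restrict_state "$2")
    if [ "$logs" -gt 0 ] && [ "$state" != restricted ]; then
        echo "LEAK-RISK: $logs LOG rule(s) and dmesg is $state"
        return 1
    fi
    echo "OK: $logs LOG rule(s), dmesg is $state"
    return 0
}
```

Run it against `iptables-save` output on the host with `audit_firewall_logging "$(iptables-save)"`; a non-zero exit flags the condition described in the message.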