[nexpose-users] NeXpose in an hardened environment

Thomas Möller Thomas.Moller at addpro.se
Fri Mar 26 03:49:07 PDT 2010 

Hi list!

Been using NeXpose Community Ed. for a while having no trouble
what so ever. However, now I have big problem, but I think I've
got my head around it and now need to provide some feedback.

I'm running a Hardened Gentoo installation with GrSecurity and
PaX and everything that comes along with it.

As NeXpose is largely based on Java, it gave me headache from
the first key punch. I hade to extract the install package and
run the Setup.jar file separately. However, I was unsuccessful.
Java as you may know does a lot of just-in-time compiling and
such which PaX does not like at all!

I then ran the installation in an "vanilla kernel" config and
then managed to install NeXpose. So far so good. So, at the
moment I'm working with a fresh install.

Backing to the hardened kernel again I tried to run Nexpose,
again unsuccessful. I changed the headers of some of the libs
which are copied to the .DLLCACHE dir in order to satisfy PaX.

Running NeXpose again got me to the point where NeXpose starts
the postgresql server and fails with repeated: 

Nexpose PostgreSQL service status: 0

Running strace on the whole procedure shows that the process
gets a permission denied on the file:

nxpgsql/pgsql/lib/libpq.so.5

I've been trying to set different flags using paxctl, execstack
and the like unsuccessfully. However, compiling a fresh copy
of libpq gave me positive results. Postgresql finds a usable
copy of libpq.so.5 in /usr/lib. However, copying the file into

nxpgsql/pgsql/lib/

gives me the same permission denied error, which is interesting.
Does this dir require special rights? Getting this far I
get another error message no matter kernel used; hardened or
non-hardened:

postgresql  3/26/10 11:29 AM: Starting up postgresql DB system
postgresql  3/26/10 11:29 AM: Nexpose PostgreSQL service status: 0
postgresql  3/26/10 11:29 AM:    Nexpose PostgreSQL service status: 1
postgresql  3/26/10 11:29 AM: Determining whether database nexpose exists
NSC         3/26/10 11:29 AM: PostgreSQL 8.2.7 on i686-pc-linux-gnu, compiled by GCC gcc (GCC) 3.3.3 20040412 (Red Hat Linux 3.3.3-7)
DBUpgrader  3/26/10 11:29 AM: DB_VERSION = 39
DBUpgrader  3/26/10 11:29 AM: DB_REINDEX = 35
DBUpgrader  3/26/10 11:29 AM: Verifying database version...
DBUpgrader  3/26/10 11:29 AM: Failed to upgrade database, rolling back to prior format
NSC         3/26/10 11:29 AM: Failed to upgrade db. This may prevent product operation.
NSC         3/26/10 11:29 AM: Initializing datastore login module...
NSC         3/26/10 11:29 AM: A critical error occured during initialization: java.lang.RuntimeException: Failed to init login module: org.postgresql.util.PSQLException: ERROR: relation "auth_source" does not exist
        at com.rapid7.nexpose.nsc.NSC.U(Unknown Source)
        at com.rapid7.nexpose.nsc.NSC.?(Unknown Source)
        at com.rapid7.nexpose.nsc.NSC.?(Unknown Source)
        at com.rapid7.nexpose.nsc.NSC.run(Unknown Source)
        at com.rapid7.nexpose.nsc.NSC.main(Unknown Source)
Caused by: org.postgresql.util.PSQLException: ERROR: relation "auth_source" does not exist
        at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:1531)
        at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1313)
        at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:188)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:452)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:354)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:258)
        at com.rapid7.nexpose.datastore.UA.A(Unknown Source)
        at com.rapid7.nexpose.datastore.DataStoreManager.authenticationSource(Unknown Source)
        ... 5 more
org.postgresql.util.PSQLException: ERROR: relation "auth_source" does not exist
        at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:1531)
        at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1313)
        at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:188)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:452)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:354)
        at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:258)
        at com.rapid7.nexpose.datastore.UA.A(Unknown Source)
        at com.rapid7.nexpose.datastore.DataStoreManager.authenticationSource(Unknown Source)
        at com.rapid7.nexpose.nsc.NSC.U(Unknown Source)
        at com.rapid7.nexpose.nsc.NSC.?(Unknown Source)
        at com.rapid7.nexpose.nsc.NSC.?(Unknown Source)
        at com.rapid7.nexpose.nsc.NSC.run(Unknown Source)
        at com.rapid7.nexpose.nsc.NSC.main(Unknown Source)
  SQLState=42P01, errorCode=0


> httpd       3/26/10 11:29 AM: Shutting down socket...
httpd       3/26/10 11:29 AM: I/O problem fetching client socket: Socket closed
httpd       3/26/10 11:29 AM: Shutting down thread pool...
httpd       3/26/10 11:29 AM: Reinitializing web server...
httpd       3/26/10 11:29 AM: NSC/0.6.4 (JVM) bound to port 3780 and running...
NSC         3/26/10 11:29 AM: Accepting web server logins
NSC         3/26/10 11:29 AM: Found a pending maintenance task: NexposeRecovery
NSC         3/26/10 11:29 AM: Entering maintenance mode, only NeXpose administrator logins permitted.
NexposeRecov3/26/10 11:29 AM: Maintenance Task Started
NSC         3/26/10 11:29 AM: Secure web interface ready.
NSC         3/26/10 11:29 AM: Browse to https://localhost:3780/
NSC         3/26/10 11:29 AM: Server started in 13 seconds


strace at first glimpse did not provide me with something useful.
However, I'll try to compile the other libson my own as well.

Any ideas?

I guess my point also is that the Rapid7 team should try to
implement NeXpose in an environment like this. For example
having NeXpose in an hostile environment calls for a secure
environment. I know that some CentOS people have problems in
general running PostgreSQL using PaX/Selinux.

Just by compiling the libpq libs using the hardened GCC solved
some problems.

I believe that the whole thing is doable...or?

Thanks!

Best regards
/Thomas


____________________________________________________ 
Thomas Möller, CISA
AddPro AB, SE-212 31 MALMÖ
Cell: +46 73 625 53 30
Office: +46 40 59 24 00

E-mail: thomas.moller at addpro.se
web: www.addpro.se
PGP Fingerprint:
EC03 FFD9 C3E9 1587 958C  669F 0AC1 4B11 EAAD 373B
____________________________________________________ 
This e-mail is confidential and is intended for the use of the addressee(s) only. If you are
not its intended recipient you are hereby notified that you must not use, copy, disclose or
otherwise disseminate or take any action based on this e-mail or any information herein.
If you receive this e-mail in error please notify the sender immediately by reply e-mail or
by using the contact details above and then delete this e-mail.

More information about the nexpose-users mailing list