[nexpose-users] NeXpose in an hardened environment
Richard Li
Richard_Li at rapid7.com
Mon Mar 29 06:53:39 PDT 2010
Have you tried manually connecting to Postgres over JDBC or using psql? Does that work?
> -----Original Message-----
> From: nexpose-users-bounces at lists.rapid7.com [mailto:nexpose-users-
> bounces at lists.rapid7.com] On Behalf Of Thomas Möller
> Sent: Friday, March 26, 2010 6:49 AM
> To: nexpose-users at lists.rapid7.com
> Subject: [nexpose-users] NeXpose in an hardened environment
>
> Hi list!
>
> Been using NeXpose Community Ed. for a while having no trouble
> what so ever. However, now I have big problem, but I think I've
> got my head around it and now need to provide some feedback.
>
> I'm running a Hardened Gentoo installation with GrSecurity and
> PaX and everything that comes along with it.
>
> As NeXpose is largely based on Java, it gave me headache from
> the first key punch. I hade to extract the install package and
> run the Setup.jar file separately. However, I was unsuccessful.
> Java as you may know does a lot of just-in-time compiling and
> such which PaX does not like at all!
>
> I then ran the installation in an "vanilla kernel" config and
> then managed to install NeXpose. So far so good. So, at the
> moment I'm working with a fresh install.
>
> Backing to the hardened kernel again I tried to run Nexpose,
> again unsuccessful. I changed the headers of some of the libs
> which are copied to the .DLLCACHE dir in order to satisfy PaX.
>
> Running NeXpose again got me to the point where NeXpose starts
> the postgresql server and fails with repeated:
>
> Nexpose PostgreSQL service status: 0
>
> Running strace on the whole procedure shows that the process
> gets a permission denied on the file:
>
> nxpgsql/pgsql/lib/libpq.so.5
>
> I've been trying to set different flags using paxctl, execstack
> and the like unsuccessfully. However, compiling a fresh copy
> of libpq gave me positive results. Postgresql finds a usable
> copy of libpq.so.5 in /usr/lib. However, copying the file into
>
> nxpgsql/pgsql/lib/
>
> gives me the same permission denied error, which is interesting.
> Does this dir require special rights? Getting this far I
> get another error message no matter kernel used; hardened or
> non-hardened:
>
> postgresql 3/26/10 11:29 AM: Starting up postgresql DB system
> postgresql 3/26/10 11:29 AM: Nexpose PostgreSQL service status: 0
> postgresql 3/26/10 11:29 AM: Nexpose PostgreSQL service status: 1
> postgresql 3/26/10 11:29 AM: Determining whether database nexpose
> exists
> NSC 3/26/10 11:29 AM: PostgreSQL 8.2.7 on i686-pc-linux-gnu,
> compiled by GCC gcc (GCC) 3.3.3 20040412 (Red Hat Linux 3.3.3-7)
> DBUpgrader 3/26/10 11:29 AM: DB_VERSION = 39
> DBUpgrader 3/26/10 11:29 AM: DB_REINDEX = 35
> DBUpgrader 3/26/10 11:29 AM: Verifying database version...
> DBUpgrader 3/26/10 11:29 AM: Failed to upgrade database, rolling back
> to prior format
> NSC 3/26/10 11:29 AM: Failed to upgrade db. This may prevent
> product operation.
> NSC 3/26/10 11:29 AM: Initializing datastore login module...
> NSC 3/26/10 11:29 AM: A critical error occured during
> initialization: java.lang.RuntimeException: Failed to init login
> module: org.postgresql.util.PSQLException: ERROR: relation
> "auth_source" does not exist
> at com.rapid7.nexpose.nsc.NSC.U(Unknown Source)
> at com.rapid7.nexpose.nsc.NSC.?(Unknown Source)
> at com.rapid7.nexpose.nsc.NSC.?(Unknown Source)
> at com.rapid7.nexpose.nsc.NSC.run(Unknown Source)
> at com.rapid7.nexpose.nsc.NSC.main(Unknown Source)
> Caused by: org.postgresql.util.PSQLException: ERROR: relation
> "auth_source" does not exist
> at
> org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExec
> utorImpl.java:1531)
> at
> org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorIm
> pl.java:1313)
> at
> org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java
> :188)
> at
> org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statem
> ent.java:452)
> at
> org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJd
> bc2Statement.java:354)
> at
> org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2S
> tatement.java:258)
> at com.rapid7.nexpose.datastore.UA.A(Unknown Source)
> at
> com.rapid7.nexpose.datastore.DataStoreManager.authenticationSource(Unkn
> own Source)
> ... 5 more
> org.postgresql.util.PSQLException: ERROR: relation "auth_source" does
> not exist
> at
> org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExec
> utorImpl.java:1531)
> at
> org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorIm
> pl.java:1313)
> at
> org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java
> :188)
> at
> org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statem
> ent.java:452)
> at
> org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJd
> bc2Statement.java:354)
> at
> org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2S
> tatement.java:258)
> at com.rapid7.nexpose.datastore.UA.A(Unknown Source)
> at
> com.rapid7.nexpose.datastore.DataStoreManager.authenticationSource(Unkn
> own Source)
> at com.rapid7.nexpose.nsc.NSC.U(Unknown Source)
> at com.rapid7.nexpose.nsc.NSC.?(Unknown Source)
> at com.rapid7.nexpose.nsc.NSC.?(Unknown Source)
> at com.rapid7.nexpose.nsc.NSC.run(Unknown Source)
> at com.rapid7.nexpose.nsc.NSC.main(Unknown Source)
> SQLState=42P01, errorCode=0
>
>
> > httpd 3/26/10 11:29 AM: Shutting down socket...
> httpd 3/26/10 11:29 AM: I/O problem fetching client socket:
> Socket closed
> httpd 3/26/10 11:29 AM: Shutting down thread pool...
> httpd 3/26/10 11:29 AM: Reinitializing web server...
> httpd 3/26/10 11:29 AM: NSC/0.6.4 (JVM) bound to port 3780 and
> running...
> NSC 3/26/10 11:29 AM: Accepting web server logins
> NSC 3/26/10 11:29 AM: Found a pending maintenance task:
> NexposeRecovery
> NSC 3/26/10 11:29 AM: Entering maintenance mode, only NeXpose
> administrator logins permitted.
> NexposeRecov3/26/10 11:29 AM: Maintenance Task Started
> NSC 3/26/10 11:29 AM: Secure web interface ready.
> NSC 3/26/10 11:29 AM: Browse to https://localhost:3780/
> NSC 3/26/10 11:29 AM: Server started in 13 seconds
>
>
> strace at first glimpse did not provide me with something useful.
> However, I'll try to compile the other libson my own as well.
>
> Any ideas?
>
> I guess my point also is that the Rapid7 team should try to
> implement NeXpose in an environment like this. For example
> having NeXpose in an hostile environment calls for a secure
> environment. I know that some CentOS people have problems in
> general running PostgreSQL using PaX/Selinux.
>
> Just by compiling the libpq libs using the hardened GCC solved
> some problems.
>
> I believe that the whole thing is doable...or?
>
> Thanks!
>
> Best regards
> /Thomas
>
>
> ____________________________________________________
> Thomas Möller, CISA
> AddPro AB, SE-212 31 MALMÖ
> Cell: +46 73 625 53 30
> Office: +46 40 59 24 00
>
> E-mail: thomas.moller at addpro.se
> web: www.addpro.se
> PGP Fingerprint:
> EC03 FFD9 C3E9 1587 958C 669F 0AC1 4B11 EAAD 373B
> ____________________________________________________
> This e-mail is confidential and is intended for the use of the
> addressee(s) only. If you are
> not its intended recipient you are hereby notified that you must not
> use, copy, disclose or
> otherwise disseminate or take any action based on this e-mail or any
> information herein.
> If you receive this e-mail in error please notify the sender
> immediately by reply e-mail or
> by using the contact details above and then delete this e-mail.
>
> _______________________________________________
> http://community.rapid7.com/redmine/projects/nexpose/wiki
> https://mail.metasploit.com/mailman/listinfo/nexpose-users
More information about the nexpose-users
mailing list