[nexpose-users] NeXpose in an hardened environment
Chad Loder
Chad_Loder at rapid7.com
Mon Mar 29 12:50:54 PDT 2010
Thomas,
Have you tried blowing away the NeXpose directory and then
reinstalling from scratch with all of your workarounds
applied?
Please note that the PostgreSQL server is run under
a different (non-root) user account that NeXpose creates
automatically when it first runs. Maybe that helps with
your debugging.
Thanks,
c
> -----Original Message-----
> From: nexpose-users-bounces at lists.rapid7.com [mailto:nexpose-users-
> bounces at lists.rapid7.com] On Behalf Of Thomas Möller
> Sent: Friday, March 26, 2010 3:49 AM
> To: nexpose-users at lists.rapid7.com
> Subject: [nexpose-users] NeXpose in an hardened environment
>
> Hi list!
>
> Been using NeXpose Community Ed. for a while having no trouble
> what so ever. However, now I have big problem, but I think I've
> got my head around it and now need to provide some feedback.
>
> I'm running a Hardened Gentoo installation with GrSecurity and
> PaX and everything that comes along with it.
>
> As NeXpose is largely based on Java, it gave me headache from
> the first key punch. I hade to extract the install package and
> run the Setup.jar file separately. However, I was unsuccessful.
> Java as you may know does a lot of just-in-time compiling and
> such which PaX does not like at all!
>
> I then ran the installation in an "vanilla kernel" config and
> then managed to install NeXpose. So far so good. So, at the
> moment I'm working with a fresh install.
>
> Backing to the hardened kernel again I tried to run Nexpose,
> again unsuccessful. I changed the headers of some of the libs
> which are copied to the .DLLCACHE dir in order to satisfy PaX.
>
> Running NeXpose again got me to the point where NeXpose starts
> the postgresql server and fails with repeated:
>
> Nexpose PostgreSQL service status: 0
>
> Running strace on the whole procedure shows that the process
> gets a permission denied on the file:
>
> nxpgsql/pgsql/lib/libpq.so.5
>
> I've been trying to set different flags using paxctl, execstack
> and the like unsuccessfully. However, compiling a fresh copy
> of libpq gave me positive results. Postgresql finds a usable
> copy of libpq.so.5 in /usr/lib. However, copying the file into
>
> nxpgsql/pgsql/lib/
>
> gives me the same permission denied error, which is interesting.
> Does this dir require special rights? Getting this far I
> get another error message no matter kernel used; hardened or
> non-hardened:
>
> postgresql 3/26/10 11:29 AM: Starting up postgresql DB system
> postgresql 3/26/10 11:29 AM: Nexpose PostgreSQL service status: 0
> postgresql 3/26/10 11:29 AM: Nexpose PostgreSQL service status: 1
> postgresql 3/26/10 11:29 AM: Determining whether database nexpose
> exists
> NSC 3/26/10 11:29 AM: PostgreSQL 8.2.7 on i686-pc-linux-gnu,
> compiled by GCC gcc (GCC) 3.3.3 20040412 (Red Hat Linux 3.3.3-7)
> DBUpgrader 3/26/10 11:29 AM: DB_VERSION = 39
> DBUpgrader 3/26/10 11:29 AM: DB_REINDEX = 35
> DBUpgrader 3/26/10 11:29 AM: Verifying database version...
> DBUpgrader 3/26/10 11:29 AM: Failed to upgrade database, rolling back
> to prior format
> NSC 3/26/10 11:29 AM: Failed to upgrade db. This may prevent
> product operation.
> NSC 3/26/10 11:29 AM: Initializing datastore login module...
> NSC 3/26/10 11:29 AM: A critical error occured during
> initialization: java.lang.RuntimeException: Failed to init login
> module: org.postgresql.util.PSQLException: ERROR: relation
> "auth_source" does not exist
> at com.rapid7.nexpose.nsc.NSC.U(Unknown Source)
> at com.rapid7.nexpose.nsc.NSC.?(Unknown Source)
> at com.rapid7.nexpose.nsc.NSC.?(Unknown Source)
> at com.rapid7.nexpose.nsc.NSC.run(Unknown Source)
> at com.rapid7.nexpose.nsc.NSC.main(Unknown Source)
> Caused by: org.postgresql.util.PSQLException: ERROR: relation
> "auth_source" does not exist
> at
> org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExec
> utorImpl.java:1531)
> at
> org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorIm
> pl.java:1313)
> at
> org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java
> :188)
> at
> org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statem
> ent.java:452)
> at
> org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJd
> bc2Statement.java:354)
> at
> org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2S
> tatement.java:258)
> at com.rapid7.nexpose.datastore.UA.A(Unknown Source)
> at
> com.rapid7.nexpose.datastore.DataStoreManager.authenticationSource(Unkn
> own Source)
> ... 5 more
> org.postgresql.util.PSQLException: ERROR: relation "auth_source" does
> not exist
> at
> org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExec
> utorImpl.java:1531)
> at
> org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorIm
> pl.java:1313)
> at
> org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java
> :188)
> at
> org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statem
> ent.java:452)
> at
> org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJd
> bc2Statement.java:354)
> at
> org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2S
> tatement.java:258)
> at com.rapid7.nexpose.datastore.UA.A(Unknown Source)
> at
> com.rapid7.nexpose.datastore.DataStoreManager.authenticationSource(Unkn
> own Source)
> at com.rapid7.nexpose.nsc.NSC.U(Unknown Source)
> at com.rapid7.nexpose.nsc.NSC.?(Unknown Source)
> at com.rapid7.nexpose.nsc.NSC.?(Unknown Source)
> at com.rapid7.nexpose.nsc.NSC.run(Unknown Source)
> at com.rapid7.nexpose.nsc.NSC.main(Unknown Source)
> SQLState=42P01, errorCode=0
>
>
> > httpd 3/26/10 11:29 AM: Shutting down socket...
> httpd 3/26/10 11:29 AM: I/O problem fetching client socket:
> Socket closed
> httpd 3/26/10 11:29 AM: Shutting down thread pool...
> httpd 3/26/10 11:29 AM: Reinitializing web server...
> httpd 3/26/10 11:29 AM: NSC/0.6.4 (JVM) bound to port 3780 and
> running...
> NSC 3/26/10 11:29 AM: Accepting web server logins
> NSC 3/26/10 11:29 AM: Found a pending maintenance task:
> NexposeRecovery
> NSC 3/26/10 11:29 AM: Entering maintenance mode, only NeXpose
> administrator logins permitted.
> NexposeRecov3/26/10 11:29 AM: Maintenance Task Started
> NSC 3/26/10 11:29 AM: Secure web interface ready.
> NSC 3/26/10 11:29 AM: Browse to https://localhost:3780/
> NSC 3/26/10 11:29 AM: Server started in 13 seconds
>
>
> strace at first glimpse did not provide me with something useful.
> However, I'll try to compile the other libson my own as well.
>
> Any ideas?
>
> I guess my point also is that the Rapid7 team should try to
> implement NeXpose in an environment like this. For example
> having NeXpose in an hostile environment calls for a secure
> environment. I know that some CentOS people have problems in
> general running PostgreSQL using PaX/Selinux.
>
> Just by compiling the libpq libs using the hardened GCC solved
> some problems.
>
> I believe that the whole thing is doable...or?
>
> Thanks!
>
> Best regards
> /Thomas
>
>
> ____________________________________________________
> Thomas Möller, CISA
> AddPro AB, SE-212 31 MALMÖ
> Cell: +46 73 625 53 30
> Office: +46 40 59 24 00
>
> E-mail: thomas.moller at addpro.se
> web: www.addpro.se
> PGP Fingerprint:
> EC03 FFD9 C3E9 1587 958C 669F 0AC1 4B11 EAAD 373B
> ____________________________________________________
> This e-mail is confidential and is intended for the use of the
> addressee(s) only. If you are
> not its intended recipient you are hereby notified that you must not
> use, copy, disclose or
> otherwise disseminate or take any action based on this e-mail or any
> information herein.
> If you receive this e-mail in error please notify the sender
> immediately by reply e-mail or
> by using the contact details above and then delete this e-mail.
>
> _______________________________________________
> http://community.rapid7.com/redmine/projects/nexpose/wiki
> https://mail.metasploit.com/mailman/listinfo/nexpose-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 809 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/nexpose-users/attachments/20100329/d09b8d06/attachment.pgp>
More information about the nexpose-users
mailing list