"banning user ... until system restart for suspicious kernel crash" with Qemu script. How?
Posted: Fri Oct 21, 2016 9:27 pm
Hi!
Unsure where to ask about this, at Qemu ML, or the KVM folks, or here at
grsecurity Forums.
I decided on grsec because it was grsecurity that banned the user, as line
53 of the log (in the next post, for easier viewing) says:
Code:
grsec: banning user with uid 1000 until system restart for suspicious kernel crash
Here's the script GentooVM.sh:
Code:
#!/bin/sh
# Launcher for the Gentoo VM. The disk image path is taken from the
# environment variable img, so img has to be exported for the script to
# see it. Every option line needs a trailing backslash, otherwise exec
# stops at that line and the remaining options are never passed to QEMU.
exec qemu-system-x86_64 -enable-kvm \
    -cpu host \
    -drive "file=$img,if=virtio" \
    -netdev user,id=vmnic,hostname=gentoovm -device virtio-net,netdev=vmnic \
    -m 1024M \
    -monitor stdio \
    -name "Gentoo VM" \
    "$@"
which, looking at it just now while preparing this for posting, I see that I ran the wrong way!
Notice that "-drive file=$img" is not like in the original script. (Obviously, I'm new to Qemu, and am only figuring things out slowly...)
And here's what happened. It's almost all in the log in the next post. I first issued:
Code:
qemu-img create -f qcow2 -b install-amd64-minimal-20161020.iso install-amd64-minimal-20161020-S.iso
to create a snapshot.
Then I issued (and I can't find it in the logs):
Code:
$ img=install-amd64-minimal-20161020-S.iso
and checked it:
Code:
$ echo $img
install-amd64-minimal-20161020-S.iso
$
(See below why that was wrong in combination with the script.)
Then I chmod'ed the GentooVM.sh script above to 755. I tried to run it, but couldn't, because I have TPE on.
Then I cp'd it to /usr/local/bin and ran it (without "./", w/o the quotes).
What did I do wrong?
I should not have created the snapshot, but should have run it:
Code:
$ GentooVM.sh install-amd64-minimal-20161020-S.iso
https://wiki.gentoo.org/wiki/QEMU/Linux_guest#Host
and instead I edited it the wrong way, and ran it without arguments:
Code:
$ GentooVM.sh
Everything went blank. I had to do a hardware reset.
I'll give the log in a separate post for easier viewing.
I'm posting this because I'm trying to grasp how the recursion happened... Has anybody figured it out and can tell us?
---
Regards!
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
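The following is an added example, not the poster's GentooVM.sh or anything from the Gentoo wiki: a launcher that takes the disk image as its first argument instead of reading an environment variable, refuses to start when the image argument is missing or unreadable, and builds the QEMU argument vector with a continuation backslash on every line and all variables quoted. With VM_DRY_RUN=1 (a knob invented for this example) it prints the exact argv instead of exec'ing QEMU, which is also what the test exercises. The second function shows one way an "img=..." assignment in the interactive shell can leave the script with an empty "-drive file=": a plain assignment is not passed to child processes, only an exported one is. The post does not say what QEMU actually received, so that explanation is an assumption of this example, as are qemu-system-x86_64 and the image paths.

```sh
#!/bin/sh
# Added example, not the original poster's GentooVM.sh: a launcher that
# takes the disk image as its first argument, validates it before exec'ing
# QEMU, and can print the exact argv (VM_DRY_RUN=1) instead of running it.
# qemu-system-x86_64, the image paths and the VM_DRY_RUN knob are assumptions.

# launch_vm IMAGE [extra qemu args...]
# Returns 2 on a missing argument, 1 on an unreadable image; otherwise
# replaces the shell with QEMU (or prints the argv when VM_DRY_RUN=1).
launch_vm() {
    vm_img=$1
    if [ -z "$vm_img" ]; then
        echo "usage: launch_vm IMAGE [qemu-args...]" >&2
        return 2
    fi
    if [ ! -r "$vm_img" ]; then
        echo "launch_vm: image not readable: $vm_img" >&2
        return 1
    fi
    shift
    # Build the argument vector in "$@": one continuation backslash per line,
    # variables quoted, so an argument with spaces or an empty path cannot
    # silently split or vanish. Remaining caller arguments are appended.
    set -- qemu-system-x86_64 -enable-kvm \
        -cpu host \
        -drive "file=$vm_img,if=virtio" \
        -netdev user,id=vmnic,hostname=gentoovm \
        -device virtio-net,netdev=vmnic \
        -m 1024M \
        -monitor stdio \
        -name "Gentoo VM" \
        "$@"
    if [ "${VM_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
        return 0
    fi
    exec "$@"
}

# Why "img=foo.iso; GentooVM.sh" can hand the script an empty $img: a plain
# assignment stays in the calling shell; only an exported one reaches the
# child process. Prints "<plain>|<exported>" as seen by a child sh, using a
# variable name made up for this demonstration.
child_visibility() {
    unset gr_demo_img
    gr_demo_img=install.iso
    seen_plain=$(sh -c 'printf %s "$gr_demo_img"')
    export gr_demo_img
    seen_exported=$(sh -c 'printf %s "$gr_demo_img"')
    printf '%s|%s\n' "$seen_plain" "$seen_exported"
}

# Typical use (assumed image name):
#   launch_vm install-amd64-minimal-20161020-S.iso -snapshot
```

Running launch_vm with no argument exits with status 2 and a usage line rather than starting QEMU with "-drive file=", and child_visibility prints "|install.iso": the child shell sees nothing until the variable is exported.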