jails potential security issue with bastille

Andriy

Developer

PSA: if you use bastille, double-check that /dev in a jail does not contain entries that it is not supposed to.
Also, check if kernel log messages could be missing from /var/log/messages on the host.
 
if you use bastille, double-check that /dev in a jail does not contain entries that it is not supposed to.

I just rebooted a server (14.0-RELEASE, quarterly packages) only to find that each of my jails had a fully-populated /dev/. Following 'service devfs restart' and 'bastille restart www', my www jail then has the expected restricted /dev/ as specified in /etc/devfs.rules (ruleset 13, as per the bastille docs).

So indeed bastille ought to REQUIRE devfs, or something that comes after it like SERVERS.
 
Thank you for testing!
Could you please also add a "me too" on GitHub?

I am surprised that this security issue got so little attention.
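
One way to run the /dev check from the first post across all running jails, as an added example that is not code from the thread or from bastille. The ALLOWED list is an assumption modelled on the stock jail devfs rules and must be adjusted to match your own ruleset in /etc/devfs.rules; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report /dev entries in each jail that fall outside an allow-list.
# ALLOWED is an ASSUMPTION (shell patterns); edit it to mirror your devfs ruleset.
ALLOWED='null zero random urandom crypto log fd stdin stdout stderr ptmx pts pty[p-sP-SlL]* tty[p-sP-SlL]* zfs bpf*'

# Print every top-level entry of directory $1 that matches no ALLOWED pattern.
unexpected_dev_entries() {
    devdir=$1
    [ -d "$devdir" ] || return 2
    for path in "$devdir"/*; do
        # Skip the unexpanded glob left behind by an empty directory.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        ok=no
        set -f                      # keep the patterns from globbing against cwd
        for pat in $ALLOWED; do
            case $name in $pat) ok=yes; break ;; esac
        done
        set +f
        [ "$ok" = yes ] || printf '%s\n' "$name"
    done
}

# Walk the root path of every running jail and inspect its devfs mount.
check_all_jails() {
    jls path | while read -r root; do
        bad=$(unexpected_dev_entries "$root/dev" | tr '\n' ' ')
        [ -z "$bad" ] || printf 'jail root %s exposes: %s\n' "$root" "$bad"
    done
}

# Only run the live check on a host that has jls(8).
if command -v jls >/dev/null 2>&1; then
    check_all_jails
fi
```

Run it on the host after each boot; no output means every jail's /dev matched the allow-list.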
 