Solved tcpdump not working in jails

Hello all,

I am trying to work out why my security/ossec agent is not working inside my FreeBSD jail.

I am trying to run tcpdump -i lagg0 port 1514 from inside the jail to see if the packets are reaching the ossec manager in the FreeBSD host but I get the following error:
Code:
tcpdump: (cannot open device) /dev/bpf: No such file or directory
As the command is working fine on the FreeBSD host, I know that the pseudo Berkeley packet filter device is not missing.

Is that because of the security implementation in FreeBSD jail?

Is there any other way to see if port 1514 is in use and sending to the FreeBSD host?

Thank you
Fred
 
The host must make the device available in the jail. For an ezjail setup, I use this in /etc/devfs.rules:
Code:
[devfsrules_jail_dhcp=5]
add include $devfsrules_jail
add path 'bpf*' unhide

Then it is set in the individual jail configuration with
Code:
export jail_dns1_devfs_ruleset="5"
 
Hi wblock@,

Thank you for your reply, will implementing your suggestion affect the security of the host of the jail?
Should I remove these entries once I have managed to resolve my problem?
 
Making that change means the jail has access to bpf, which could have security implications on the host.

In general, it is like any other permission. If it is not needed, it should not be enabled.
 
It does have security implications. Try it out to see what happens. With bpf the jail can sniff packets on any interface.
 
Thank you guys, I'm not planning to keep the settings once I've managed to work out my issue with ossec
 
I am working on a similar problem (horde in my case), only that I don't use ezjail but did the setup manually. I would love to follow your solution but I need a little more information to reproduce it:

Could you please explain which "individual jail configuration" file you refer to? Any chance to export the setting outside ezjail mechanisms?
Also, I am unsure what the purpose of the second line in the devfs.rules is.

Any help is highly appreciated.
Kind regards

birnbacs


The host must make the device available in the jail. For an ezjail setup, I use this in /etc/devfs.rules:
Code:
[devfsrules_jail_dhcp=5]
add include $devfsrules_jail
add path 'bpf*' unhide

Then it is set in the individual jail configuration with
Code:
export jail_dns1_devfs_ruleset="5"
 
Hi,

On my machine all my individual jail config files are in /usr/local/etc/ezjail/. You need to edit your webjail config file, for example, and add the line:
Code:
## Allow tcpdump inside ezjail
export jail_JAILNAME_devfs_ruleset="5"

Hope this helps
 
Thanks for the response, Robert. Unfortunately that is not much help to me as I know nothing about the ezjail mechanism. Without ezjail I neither have the /usr/local/etc/ezjail nor the webjail files.
I hope that your reference to devfs.rules is the right way, though. I promise to post a solution if I find one for a jail that is not 'ez'.

Kind regards

birnbacs
 
I am a bit confused, maybe you can help me out.

On the host system, I found /etc/devfs.conf, which is boilerplate, i.e. anything meaningful is commented out.

I created /etc/devfs.rules:
Code:
[ruleset=5]
#add include $devfsrules_jail
add path 'bge*' unhide
add path 'bpf*' unhide

I also created file /etc/jail.conf:
Code:
mount.devfs;
max {
  host.hostname = "max";
  devfs_ruleset = 5;
}

For starting and stopping, I normally use the /etc/rc.d/jail command, not /usr/sbin/jail. That is, I don't know if my configuration files go into /etc or /usr/local/etc. To be on the safe side, I added symlinks from the latter to the former.

Now, I have no way of telling if the jails.conf file gets evaluated when I start jail "max". From the symptoms nothing works:

Code:
[develop@max ~]$ sudo tcpdump -i bge0
Password:
tcpdump: (cannot open device) /dev/bpf: No such file or directory

Any clues?
 
OK, I am a step further.

jails.conf now reads:
Code:
max {
  path = "/mnt/moonpool/jail/max";
  persist;
  host.hostname = "max";
  ip4.addr = 192.168.0.181;
  devfs_ruleset = 5;
}

To start max I do
Code:
jail -c max
As yet I have no devices in /dev and the jail's services don't get started.

Code:
[develop@max ~]$ sudo apachectl start
sudo: no tty present and no askpass program specified

Kind regards

birnbacs
 
See the example at the end of jail.conf(5). You need to set up your jail to start /etc/rc (the exec.* options). You are also now missing the mount.devfs option. Create your jail with jail -v -c max to get more information about what it starts and mounts.

The rc script uses jail(8) under the hood. So you could also start your jail with service jail start max.
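The following is an added example, not from anyone in this thread: a small sh script that lists which jails in a jail.conf are given a devfs ruleset that unhides bpf, i.e. which jails could run tcpdump. The jail.conf and devfs.rules contents are constructed inline (the jail "max" carries the options named above: mount.devfs, exec.*, devfs_ruleset; "web" and ruleset names other than those in the thread are made up); on a real host you would feed it /etc/jail.conf and /etc/devfs.rules instead.

```shell
# Added example, not from the thread: audit which jails can open /dev/bpf.
# Both configs are constructed inline so the script runs offline; on a real
# host read /etc/jail.conf and /etc/devfs.rules instead.
# "max" has mount.devfs, exec.start/exec.stop and devfs_ruleset = 5;
# "web" keeps the stock jail ruleset and never sees /dev/bpf.
JAIL_CONF=$(cat <<'EOF'
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
mount.devfs;
max {
  path = "/mnt/moonpool/jail/max";
  host.hostname = "max";
  devfs_ruleset = 5;
}
web {
  path = "/mnt/moonpool/jail/web";
  devfs_ruleset = 4;
}
EOF
)
# Ruleset 5 extends the stock jail set (4) by unhiding bpf, as in the thread.
DEVFS_RULES=$(cat <<'EOF'
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
[devfsrules_jail_tcpdump=5]
add include $devfsrules_jail
add path 'bpf*' unhide
EOF
)
# Numbers of the rulesets whose section contains an unhide rule for bpf.
bpf_rulesets() {
  printf '%s\n' "$1" | awk '/^\[/ { sub(/^\[[^=]*=/, ""); sub(/\].*/, ""); n = $0 }
                            /bpf/ && /unhide/ { print n }'
}
# "jail ruleset" pairs for every jail block that sets devfs_ruleset.
jail_rulesets() {
  printf '%s\n' "$1" | awk '/^[A-Za-z0-9_]+[ \t]*\{/ { j = $1 }
                            /devfs_ruleset/ && j != "" { r = $0; gsub(/[^0-9]/, "", r); print j, r }
                            /^\}/ { j = "" }'
}
# Names of jails whose ruleset exposes bpf (one per line).
jails_with_bpf() {
  sets=$(bpf_rulesets "$2")
  jail_rulesets "$1" | while read -r name num; do
    for s in $sets; do if [ "$s" = "$num" ]; then echo "$name"; fi; done
  done
}
jails_with_bpf "$JAIL_CONF" "$DEVFS_RULES"   # prints: max
```

Only jails listed by the script should have a reason to sniff traffic; for the others, the default ruleset already keeps bpf hidden.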
 
@kristof-provost
It does have security implications. Try it out to see what happens. With bpf the jail can sniff packets on any interface.
Does this apply to vnet jails as well? If yes, what command should I use to sniff packets on network interface e.g., re0 on the host from inside the jail where re0 is not visible?

The bpf(4) man page says:

Code:
The packet filter appears as a character special device, /dev/bpf. After
opening the device, the file descriptor must be bound to a specific net-
work interface with the BIOCSETIF ioctl.

Does this mean that as long as the name of the interface is not visible in the vnet jail, the jail cannot sniff on the packets intended for the host?
 