Bug 1664648
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | tcpdump %post creates user and groups unconditionally, raising alerts in corporate environment | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Andreas Bleischwitz <ableisch> |
| Component: | tcpdump | Assignee: | Michal Ruprich <mruprich> |
| Status: | CLOSED ERRATA | QA Contact: | Robin Hack <rhack> |
| Severity: | medium | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 7.7 | CC: | fkrska, mruprich, msekleta, ovasik, psklenar, rhack, thozza |
| Target Milestone: | rc | Keywords: | EasyFix |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | tcpdump-4.9.2-4.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1715420 (view as bug list) | Environment: | |
| Last Closed: | 2019-08-06 13:18:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2342
Description of problem:
The current version of tcpdump unconditionally creates a user and a group during upgrade, which triggers alerts in corporate SIEM environments.

Version-Release number of selected component (if applicable):
tcpdump-4.9.2-3.el7.rpm

How reproducible:
Always

Steps to Reproduce:
1. upgrade tcpdump from previous installation while having auditing enabled
2.
3.

Actual results:
/var/log/audit/audit.log (and therefore a remote SIEM system) reports:

```
type=ADD_GROUP msg=audit(1547033150.379:79791): pid=6469 uid=0 auid=0 ses=3832 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group acct="tcpdump" exe="/usr/sbin/groupadd" hostname=host.example.com addr=? terminal=pts/0 res=failed'
type=ADD_USER msg=audit(1547033233.280:79798): pid=7841 uid=0 auid=0 ses=3832 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct="tcpdump" exe="/usr/sbin/useradd" hostname=host.example.com addr=? terminal=pts/0 res=failed'
```

Expected results:
No reports on already existing user and groups

Additional info:
The %post section of the RPM unconditionally creates user and group:

```
# rpm -q --scripts tcpdump
preinstall scriptlet (using /bin/sh):
/usr/sbin/groupadd -g 72 tcpdump 2> /dev/null
/usr/sbin/useradd -u 72 -g 72 -s /sbin/nologin -M -r \
  -d / tcpdump 2> /dev/null
exit 0
```

Adding a "getent passwd tcpdump >/dev/null" or "getent group tcpdump >/dev/null" including a conditional || would prevent the creation of already existing users/groups.

```
/usr/bin/getent group tcpdump >/dev/null || /usr/sbin/groupadd \
  -g 72 tcpdump 2> /dev/null
/usr/bin/getent passwd tcpdump >/dev/null || /usr/sbin/useradd \
  -u 72 -g 72 -s /sbin/nologin -M -r \
  -d / tcpdump 2> /dev/null
exit 0
```
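For SIEM triage of the records quoted in the report, the following is an added example (not part of the bug report or of the tcpdump package) that parses the auditd key=value format, including the nested msg='...' field, and separates a failed useradd/groupadd run by a package scriptlet against an already existing account from an event that actually created one. The first two sample lines are the ones from the report; the third line and the account name newsvc are constructed for contrast.

```python
import re

# Constructed sample: the two res=failed records from the bug report plus one
# constructed successful ADD_USER so both verdicts are exercised.
SAMPLE_AUDIT_LOG = """\
type=ADD_GROUP msg=audit(1547033150.379:79791): pid=6469 uid=0 auid=0 ses=3832 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group acct="tcpdump" exe="/usr/sbin/groupadd" hostname=host.example.com addr=? terminal=pts/0 res=failed'
type=ADD_USER msg=audit(1547033233.280:79798): pid=7841 uid=0 auid=0 ses=3832 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct="tcpdump" exe="/usr/sbin/useradd" hostname=host.example.com addr=? terminal=pts/0 res=failed'
type=ADD_USER msg=audit(1547033300.000:79810): pid=8000 uid=0 auid=1000 ses=3840 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct="newsvc" exe="/usr/sbin/useradd" hostname=host.example.com addr=? terminal=pts/1 res=success'
"""

# "type=X msg=audit(epoch:serial): <key=value fields>"
HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
# key=value tokens; values may be single-quoted, double-quoted or bare
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")

ACCOUNT_EVENTS = {"ADD_USER", "ADD_GROUP"}


def parse_audit_record(line):
    """Parse one auditd line into a dict; None if it is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "timestamp": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    for key, val in KV_RE.findall(m.group("rest")):
        if key == "msg":
            # the nested msg='...' carries op/acct/exe/res; strip its quotes
            for k2, v2 in KV_RE.findall(val[1:-1]):
                rec[k2] = v2.strip('"')
        else:
            rec[key] = val
    return rec


def classify_account_events(log_text):
    """Return (acct, type, verdict) for each ADD_USER/ADD_GROUP record.

    verdict "no_change": res=failed, the account was not created (the case in
    this bug: a scriptlet calling useradd/groupadd for an existing account).
    verdict "created": the tool reported success, so a real account appeared
    and the event deserves analyst review."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if rec and rec["type"] in ACCOUNT_EVENTS:
            verdict = "no_change" if rec.get("res") == "failed" else "created"
            findings.append((rec.get("acct"), rec["type"], verdict))
    return findings
```

Run against a real /var/log/audit/audit.log the "created" verdicts are the ones worth alerting on; the "no_change" pairs with exe=/usr/sbin/useradd or groupadd during a package transaction are the noise this bug describes.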