Bug 1664648 - tcpdump %post creates user and groups unconditionally, raising alerts in corporate environment
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: tcpdump
Version: 7.7
Hardware: x86_64
OS: Linux
urgent
medium
Target Milestone: rc
: ---
Assignee: Michal Ruprich
QA Contact: Robin Hack
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-01-09 11:39 UTC by Andreas Bleischwitz
Modified: 2019-08-06 13:18 UTC

Fixed In Version: tcpdump-4.9.2-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1715420
Environment:
Last Closed: 2019-08-06 13:18:54 UTC
Target Upstream Version:
Embargoed:


Links
Red Hat Product Errata RHBA-2019:2342 (last updated 2019-08-06 13:18:55 UTC)

Description Andreas Bleischwitz 2019-01-09 11:39:09 UTC
Description of problem:
The current version of tcpdump unconditionally creates a user and a group during upgrade, which triggers alerts in corporate SIEM environments.

Version-Release number of selected component (if applicable):
tcpdump-4.9.2-3.el7.rpm

How reproducible:
Always

Steps to Reproduce:
1. upgrade tcpdump from a previous installation while having auditing enabled

Actual results:
/var/log/audit/audit.log (and therefore a remote SIEM system) reports:
type=ADD_GROUP msg=audit(1547033150.379:79791): pid=6469 uid=0 auid=0 ses=3832 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group acct="tcpdump" exe="/usr/sbin/groupadd" hostname=host.example.com addr=? terminal=pts/0 res=failed'
type=ADD_USER msg=audit(1547033233.280:79798): pid=7841 uid=0 auid=0 ses=3832 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct="tcpdump" exe="/usr/sbin/useradd" hostname=host.example.com addr=? terminal=pts/0 res=failed'


Expected results:
No reports on already existing user and groups

Additional info:
The %post section of the RPM unconditionally creates user and group:

# rpm -q --scripts tcpdump
preinstall scriptlet (using /bin/sh):
/usr/sbin/groupadd -g 72 tcpdump 2> /dev/null
/usr/sbin/useradd -u 72 -g 72 -s /sbin/nologin -M -r \
	-d / tcpdump 2> /dev/null
exit 0

Adding a "getent passwd tcpdump >/dev/null" or "getent group tcpdump >/dev/null" including a conditional || would prevent the creation of already existing users/groups.

/usr/bin/getent group tcpdump >/dev/null || /usr/sbin/groupadd \
        -g 72 tcpdump 2> /dev/null
/usr/bin/getent passwd tcpdump >/dev/null || /usr/sbin/useradd \
        -u 72 -g 72 -s /sbin/nologin -M -r \
	-d / tcpdump 2> /dev/null
exit 0
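
The conditional the reporter proposes, written out as a complete scriptlet-style script. This is an added example, not the tcpdump package's scriptlet and not code from the report: the GETENT/GROUPADD/USERADD variables, the "run" argument and the exists/created output are conventions of this example only, chosen so the logic can be exercised without root by substituting fake tools. Each lookup goes through getent, so an account served by NSS (sssd, LDAP) counts as existing, and groupadd/useradd are only invoked, and therefore only produce an ADD_GROUP/ADD_USER audit record, when the account is genuinely absent.

```sh
#!/bin/sh
# Idempotent account creation for an RPM scriptlet (added example, not the
# tcpdump package's own %pre). Tool paths are overridable through environment
# variables purely so the functions can be tested without root; this is an
# assumption of the example, not something the package does.
GETENT=${GETENT:-/usr/bin/getent}
GROUPADD=${GROUPADD:-/usr/sbin/groupadd}
USERADD=${USERADD:-/usr/sbin/useradd}

# ensure_group NAME GID
# Prints "exists" and does nothing when the group is already known to NSS,
# otherwise creates it with the fixed GID and prints "created".
# Returns 1 only if groupadd itself failed.
ensure_group() {
    name=$1; gid=$2
    if "$GETENT" group "$name" >/dev/null 2>&1; then
        echo exists
        return 0
    fi
    "$GROUPADD" -g "$gid" "$name" || return 1
    echo created
}

# ensure_user NAME UID GID
# Same pattern for the user: a system account (-r), no home directory (-M),
# no login shell, home set to / as in the package's scriptlet.
ensure_user() {
    name=$1; uid=$2; gid=$3
    if "$GETENT" passwd "$name" >/dev/null 2>&1; then
        echo exists
        return 0
    fi
    "$USERADD" -u "$uid" -g "$gid" -s /sbin/nologin -M -r -d / "$name" || return 1
    echo created
}

# Scriptlet body (only executed when invoked as "sh this.sh run", as root):
# uid/gid 72 as in the report. The scriptlet still exits 0 regardless of
# the outcome so that an account problem never aborts the package
# transaction, matching the original "exit 0".
case "${1:-}" in
    run)
        ensure_group tcpdump 72
        ensure_user tcpdump 72 72
        exit 0
        ;;
esac
```

After an upgrade, `getent group tcpdump` and `getent passwd tcpdump` should both succeed and, with auditing enabled, no new ADD_GROUP/ADD_USER record for acct="tcpdump" should appear, because neither tool was executed.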

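On the SIEM side, the records shown under Actual results are simple to normalise so that a rule can tell a scriptlet's failed re-creation of an existing account (res=failed from useradd/groupadd) apart from a genuinely new account (res=success). The awk-based triage below is an added example and not part of the report or of any Red Hat tooling; the sample records are constructed (the two from the report plus one invented successful ADD_USER for an account called svc-report) and the "TYPE acct exe res" output format is this example's own.

```sh
#!/bin/sh
# Added example (not from the bug report): normalise ADD_USER/ADD_GROUP audit
# records and split them into real account creations and scriptlet noise.

# Constructed sample: the two records quoted in the report plus one invented
# success record for an account "svc-report".
sample_audit_lines() {
    cat <<'EOF'
type=ADD_GROUP msg=audit(1547033150.379:79791): pid=6469 uid=0 auid=0 ses=3832 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group acct="tcpdump" exe="/usr/sbin/groupadd" hostname=host.example.com addr=? terminal=pts/0 res=failed'
type=ADD_USER msg=audit(1547033233.280:79798): pid=7841 uid=0 auid=0 ses=3832 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct="tcpdump" exe="/usr/sbin/useradd" hostname=host.example.com addr=? terminal=pts/0 res=failed'
type=ADD_USER msg=audit(1547033900.100:79810): pid=8123 uid=0 auid=1000 ses=3840 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct="svc-report" exe="/usr/sbin/useradd" hostname=host.example.com addr=? terminal=pts/1 res=success'
EOF
}

# audit_account_events: reads audit.log records on stdin and prints one line
# per ADD_USER/ADD_GROUP record as "TYPE acct exe res"; other record types
# are dropped. Values are split on the first "=" of each field and the
# surrounding double quotes and the quote that opens/closes msg='...' are
# stripped.
audit_account_events() {
    awk -v q="'" '
        /^type=(ADD_USER|ADD_GROUP) / {
            acct = "?"; exe = "?"; res = "?"
            for (i = 2; i <= NF; i++) {
                eq = index($i, "=")
                if (eq == 0) continue
                k = substr($i, 1, eq - 1)
                v = substr($i, eq + 1)
                gsub("[\"" q "]", "", v)
                if (k == "acct") acct = v
                else if (k == "exe") exe = v
                else if (k == "res") res = v
            }
            print substr($1, 6), acct, exe, res
        }'
}

# new_accounts: records where the tool really created something. These must
# always alert; a package scriptlet never produces them for an account that
# already exists.
new_accounts() {
    audit_account_events | awk '$4 == "success"'
}

# scriptlet_noise: failed creations by the shadow-utils tools, the shape of
# the records in this report. Treat these as noise only after confirming the
# account exists on the host (getent), since a failed useradd can also be a
# blocked attempt rather than a no-op.
scriptlet_noise() {
    audit_account_events | awk '$4 == "failed" && $3 ~ /\/(useradd|groupadd)$/'
}

if [ "${1:-}" = demo ]; then
    echo "== new accounts =="
    sample_audit_lines | new_accounts
    echo "== scriptlet noise =="
    sample_audit_lines | scriptlet_noise
fi
```

Run `sh triage.sh demo` to see the split on the sample, or feed a real log with `new_accounts < /var/log/audit/audit.log`. The point of keeping exe in the output is that a res=failed record from a tool other than useradd/groupadd, or a res=success record for an unexpected account, does not get swallowed by a blanket "ignore failed ADD_USER" suppression.
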
Comment 17 errata-xmlrpc 2019-08-06 13:18:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2342

