+++ This bug was initially created as a clone of Bug #1664648 +++

Description of problem:
The current version of tcpdump unconditionally creates a user and a group during upgrade, which triggers alerts in audit.

Version-Release number of selected component (if applicable):
tcpdump-4.9.2-3.el7.rpm

How reproducible:
Always

Steps to Reproduce:
1. Upgrade tcpdump from a previous installation while having auditing enabled

Actual results:
/var/log/audit/audit.log (and therefore a remote SIEM system) reports:

    type=ADD_GROUP msg=audit(1547033150.379:79791): pid=6469 uid=0 auid=0 ses=3832 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group acct="tcpdump" exe="/usr/sbin/groupadd" hostname=host.example.com addr=? terminal=pts/0 res=failed'
    type=ADD_USER msg=audit(1547033233.280:79798): pid=7841 uid=0 auid=0 ses=3832 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct="tcpdump" exe="/usr/sbin/useradd" hostname=host.example.com addr=? terminal=pts/0 res=failed'

Expected results:
No reports on already existing user and groups

Additional info:
The %post section of the RPM unconditionally creates user and group:

    # rpm -q --scripts tcpdump
    preinstall scriptlet (using /bin/sh):
    /usr/sbin/groupadd -g 72 tcpdump 2> /dev/null
    /usr/sbin/useradd -u 72 -g 72 -s /sbin/nologin -M -r \
            -d / tcpdump 2> /dev/null
    exit 0

Adding a "getent passwd tcpdump >/dev/null" or "getent group tcpdump >/dev/null" including a conditional || would prevent the creation of already existing users/groups.

    /usr/bin/getent group tcpdump >/dev/null || /usr/sbin/groupadd \
            -g 72 tcpdump 2> /dev/null
    /usr/bin/getent passwd tcpdump >/dev/null || /usr/sbin/useradd \
            -u 72 -g 72 -s /sbin/nologin -M -r \
            -d / tcpdump 2> /dev/null
    exit 0
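The check below is an added example, not part of the original report or the tcpdump package: it scans scriptlet text as printed by `rpm -q --scripts` and reports useradd/groupadd calls that lack the `getent ... ||` guard proposed above. The function names are hypothetical, the two samples are copied from the scriptlets quoted in the report, and only the single-line `getent ... ||` guard form is recognized (an `if`/`then` guard would be reported as unguarded).

```shell
#!/bin/sh
# Added example: find account-creation calls in RPM scriptlets that are not
# protected by a `getent passwd|group ... ||` guard on the same logical line.

find_unguarded() {
    # stdin: scriptlet text, e.g. the output of `rpm -q --scripts <pkg>`
    awk '
        { line = buf $0 }
        # Join backslash-continued lines into one logical line.
        /\\$/ { sub(/\\$/, "", line); buf = line; next }
        { buf = "" }
        line ~ /(^|[^a-z_])(useradd|groupadd)[ \t]/ &&
        line !~ /getent[ \t]+(passwd|group)[ \t].*[|][|].*(useradd|groupadd)/ {
            print line
        }
    '
}

count_unguarded() { find_unguarded | wc -l | tr -d ' '; }

# Sample input: the scriptlet shipped in tcpdump-4.9.2-3.el7, as quoted above.
sample_before() {
cat <<'EOF'
preinstall scriptlet (using /bin/sh):
/usr/sbin/groupadd -g 72 tcpdump 2> /dev/null
/usr/sbin/useradd -u 72 -g 72 -s /sbin/nologin -M -r \
        -d / tcpdump 2> /dev/null
exit 0
EOF
}

# Sample input: the guarded scriptlet proposed in the report.
sample_after() {
cat <<'EOF'
preinstall scriptlet (using /bin/sh):
/usr/bin/getent group tcpdump >/dev/null || /usr/sbin/groupadd \
        -g 72 tcpdump 2> /dev/null
/usr/bin/getent passwd tcpdump >/dev/null || /usr/sbin/useradd \
        -u 72 -g 72 -s /sbin/nologin -M -r \
        -d / tcpdump 2> /dev/null
exit 0
EOF
}

# Stand-alone run: print the unguarded calls found in the shipped scriptlet.
sample_before | find_unguarded
```

On an RPM-based host the same function can be fed real scriptlets with `rpm -q --scripts tcpdump | find_unguarded`.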
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle. Changing version to '31'.
FEDORA-2019-d64bb18a10 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d64bb18a10
tcpdump-4.9.2-8.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9e93330201
tcpdump-4.9.2-9.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d64bb18a10
*** Bug 1698005 has been marked as a duplicate of this bug. ***
tcpdump-4.9.2-9.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
tcpdump-4.9.2-8.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.