hw-health not working on CIS hardened system

Bug #1904045 reported by Michał Ajduk
Affects: hw-health-charm | Status: Fix Released | Importance: High | Assigned to: Alvaro Uria | Milestone: (none listed)

Bug Description

The hw-health charm does not work on a CIS hardened system. The reason is that the hardening changes the umask, and /var/lib/nagios/ipmi_sensors.out is not readable.

On non-hardened system:
root@sto1az3cz203206xd:~# ls -la /var/lib/nagios/ipmi_sensors.out
-rw-r--r-- 1 root root 1387 Nov 12 18:50 /var/lib/nagios/ipmi_sensors.out

On hardened system:
root@cmp2az1cz20300kvj:~# ls -la /var/lib/nagios/ipmi_sensors.out
-rw-r----- 1 root root 1414 Nov 12 18:55 /var/lib/nagios/ipmi_sensors.out

The file is read by the nagios user, so it should be (due to security concerns) chowned to that user after creation and not world readable; CIS hardening prevents this.


Alvaro Uria (aluria)
Changed in charm-hw-health:
importance: Undecided → High
assignee: nobody → Alvaro Uria (aluria)
Alvaro Uria (aluria)
Changed in charm-hw-health:
status: New → In Progress
Revision history for this message
Alvaro Uria (aluria) wrote :

class Ipmi(Tool) has a couple of methods that call _install_cron_job in a different way:
"""
    def configure_nrpe_check(self, nrpe_setup):
        # extra options for check_ipmi_sensors Perl script are configured in
        # the cronjob
        self._install_cronjob()
        super().configure_nrpe_check(nrpe_setup)

    def install(self):
        # Install the sudoer file
        self._install_sudoer()
        # Install Perl script called by the (Python) cronjob
        self._install_nrpe_helper_plugin()
        self._install_cronjob(cron_user="nagios")

        # Install the Python script called by check_nrpe
        super().install()
"""

The cronjob is set up to run as nagios user and it is later overwritten to run as nagios user.

Testing on the affected environment (CIS hardened) and a patch are on the way. The call to self._install_cronjob() needs to specify: cron_user="nagios"

Alvaro Uria (aluria) wrote :

Fix released at cs:~llama-charmers-next/hw-health-13

Changed in charm-hw-health:
status: In Progress → Fix Committed
milestone: none → 21.02
Michael Skalka (mskalka) wrote :

Dropping the crit subscription as a fix has been made available.

Michał Ajduk (majduk) wrote :

Marking as new as the fix does not fix the issue.

charm: cs:~llama-charmers-next/hw-health-13

Tested the fix in the environment:
ubuntu@con1az1cz202904rw:~$ ls -la /var/lib/nagios/ipmi_sensors.out
-rw-r--r-- 1 root root 1388 Nov 23 05:16 /var/lib/nagios/ipmi_sensors.out

cronjob:
root@con1az1cz202904rw:~# cat /etc/cron.d/hwhealth_ipmi
0,5,10,15,20,25,30,35,40,45,50,55 * * * * nagios /usr/local/lib/nagios/plugins/cron_ipmi_sensors.py

The file is created as user root and the cronjob is running as user nagios, so it is not able to update the file:
root@con1az1cz202904rw:~# sudo -u nagios /usr/local/lib/nagios/plugins/cron_ipmi_sensors.py
Cannot write output file /var/lib/nagios/ipmi_sensors.out.tmp, error [Errno 13] Permission denied: '/var/lib/nagios/ipmi_sensors.out.tmp'

Changed in charm-hw-health:
status: Fix Committed → New
Changed in charm-hw-health:
status: New → Fix Committed
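The permission-denied output above comes down to two things: the mode a freshly written file gets depends on the umask the cron job inherits (027 under CIS, 022 otherwise), and a file created by one uid is not readable by an unrelated uid once the "other" read bit is gone. The following is an added example, not charm code: a writer that uses the same .tmp-then-rename step and pins the file mode with fchmod so the result is identical under both umasks, plus the read-bit check that reproduces why a root-created 0640 file is unreadable to nagios. The "foreign" uid/gid in demo() are constructed stand-ins, not the real nagios account.

```python
import os
import stat
import tempfile

def write_sensor_output(path, data, mode=0o640):
    """Write via path.tmp and rename; fchmod pins the mode regardless of umask."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
        os.fchmod(fh.fileno(), mode)  # os.open alone still honours the umask
    os.replace(tmp, path)  # atomic swap over the previous output file
    return stat.S_IMODE(os.stat(path).st_mode)

def write_plain(path, data):
    """Plain open() for comparison: the mode ends up as 0o666 & ~umask."""
    with open(path, "w") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)

def readable_by(path, uid, gid):
    """Owner/group/other read-bit check: what nagios hits on a root-owned 0640."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def demo(umask):
    """Write both ways under `umask`; 'foreign' is a constructed stand-in uid/gid
    for the nagios user reading a file that root created."""
    me = (os.getuid(), os.getgid())
    foreign = (me[0] + 1, me[1] + 1)
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            plain = os.path.join(d, "plain.out")
            pinned = os.path.join(d, "pinned.out")
            return {
                "plain_mode": write_plain(plain, "sensor data\n"),
                "plain_foreign_reads": readable_by(plain, *foreign),
                "pinned_mode": write_sensor_output(pinned, "sensor data\n"),
                "pinned_owner_reads": readable_by(pinned, *me),
                "pinned_foreign_reads": readable_by(pinned, *foreign),
            }
    finally:
        os.umask(old)
```

Pinning the mode only settles readability; ownership still has to match the reader, which is why the cron job itself has to run as nagios rather than root.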
Xav Paice (xavpaice) wrote :

See LP:#1906991

Joe Guo (guoqiao) wrote :

This bug is similar to #1906991, a new patch created:

https://code.launchpad.net/~guoqiao/charm-hw-health/+git/charm-hw-health/+merge/397397

Review & suggestion appreciated.

Changed in charm-hw-health:
status: Fix Committed → In Progress
Peter Sabaini (peter-sabaini) wrote :

I've left a comment on MR#397397 above wrt this -- I'm a bit wary of chowning directories we do not own. The /var/lib/nagios directory is created by the nagios-nrpe-server package at install time and I'm not sure of the security impact there if this suddenly becomes writable by the nagios user.

Wondering if it wouldn't be a cleaner pattern overall to use a dir the charm owns for these files and not mess around with another package's homedir.

Alvaro Uria (aluria)
Changed in charm-hw-health:
status: In Progress → Fix Released