Root user doesn't have permission to setgid when command executed by auditd event handler


I'm investigating an issue running an auditd plugin on RHEL 8, whereby it fails to setgid & setuid even though the plugin is running as root.

As a side note, I decided to use strace to help pinpoint why it's failing, and surprisingly or perhaps not surprisingly, strace failed with error:

strace: test_ptrace_get_syscall_info: PTRACE_TRACEME: Permission denied
strace: ptrace(PTRACE_TRACEME, ...): Permission denied

Elsewhere it was suggested to check the boolean value deny_ptrace, but that is turned off, in addition to: kernel.yama.ptrace_scope:

# /sbin/getsebool deny_ptrace
deny_ptrace --> off

# sysctl kernel.yama.ptrace_scope
kernel.yama.ptrace_scope = 0

The script works fine when running manually as root. It's just that when it's executed through the auditd event handler, the root user somehow doesn't have the relevant permissions.

Any idea what else to check, or what other tools to use to troubleshoot this further?

Update:

I've also tried to override the config settings of the service in systemd to no avail:

# cat /etc/systemd/system/auditd.service.d/override.conf
RestrictSUIDSGID=false
MemoryDenyWriteExecute=false
LockPersonality=false
ProtectControlGroups=false
ProtectKernelModules=false
RestrictRealtime=false

Below is the test setup:

Plugin conf

# cat /etc/audit/plugins.d/strace.conf
active = yes
direction = out
path = /usr/bin/bash
type = always
args = /tmp/strace.sh
format = string

/tmp/strace.sh:

/sbin/getsebool deny_ptrace > /tmp/test.txt 2>&1
/sbin/sysctl kernel.yama.ptrace_scope >> /tmp/test.txt 2>&1

whoami >> /tmp/test.txt 2>&1

#strace -o /tmp/trace.root.log /usr/bin/python3 /tmp/listener.py >> /tmp/test.txt 2>&1
/usr/bin/python3 /tmp/listener.py >> /tmp/test.txt 2>&1

And a simple test python listener to illustrate the issue:

import os, sys

print("Starting Python listener")

os.setgid(500)

Output when run through the auditd event handler:

# cat test.txt
deny_ptrace --> off
kernel.yama.ptrace_scope = 0
root
Starting Python listener
Traceback (most recent call last):
  File "/tmp/listener.py", line 6, in <module>
    os.setgid(500)
PermissionError: [Errno 1] Operation not permitted

But when run manually as root:

# /usr/bin/bash /tmp/strace.sh

# cat test.txt
deny_ptrace --> off
kernel.yama.ptrace_scope = 0
root
Starting Python listener
1

There is 1 answer

0
Maikol On

Turns out the issue was that SELinux was enabled.

Checked status with:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing

And set to permissive state with:

# setenforce permissive
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
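An added diagnostic (not part of the question or the answer) that separates the two reasons a root process can get EPERM from setgid(): CAP_SETGID missing from the effective capability set (a systemd hardening or bounding-set effect), versus the capability being present but a mandatory access control decision (SELinux enforcing) denying the call. It reads /proc/self/status, /sys/fs/selinux/enforce and /proc/self/attr/current; the function names are my own, and the sample status text in the comments is constructed.

```python
import os
import re

# Capability bit numbers from <linux/capability.h>
CAP_SETGID = 6
CAP_SETUID = 7


def caps_from_status(status_text):
    """Parse the effective capability mask from /proc/<pid>/status text,
    e.g. a line "CapEff:\\t000001ffffffffff" (constructed sample)."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("CapEff line not found")
    return int(m.group(1), 16)


def has_cap(cap_eff, cap):
    return bool((cap_eff >> cap) & 1)


def diagnose_setgid_failure(cap_eff, selinux_mode, context):
    """Classify an EPERM from setgid(). selinux_mode is the content of
    /sys/fs/selinux/enforce ("1" enforcing, "0" permissive), or None."""
    if not has_cap(cap_eff, CAP_SETGID):
        return ("missing CAP_SETGID: check systemd unit hardening "
                "(CapabilityBoundingSet, RestrictSUIDSGID) or a dropped bounding set")
    if selinux_mode == "1":
        return (f"CAP_SETGID present but SELinux is enforcing in context {context}: "
                "look for an AVC denial with: ausearch -m AVC -ts recent")
    return "CAP_SETGID present and SELinux not enforcing: check another LSM or seccomp filter"


def diagnose_live(gid=500):
    """Attempt setgid(gid) in the current process and explain a failure (Linux only)."""
    with open("/proc/self/status") as f:
        cap_eff = caps_from_status(f.read())
    try:
        with open("/sys/fs/selinux/enforce") as f:
            mode = f.read().strip()
    except OSError:
        mode = None  # SELinux not mounted on this host
    try:
        with open("/proc/self/attr/current") as f:
            ctx = f.read().strip("\x00\n")
    except OSError:
        ctx = "unknown"
    try:
        os.setgid(gid)
        return "setgid succeeded"
    except PermissionError:
        return diagnose_setgid_failure(cap_eff, mode, ctx)
```

Run diagnose_live() from the plugin script in place of the bare os.setgid(500) to see which branch the auditd-spawned process hits; a hit on the SELinux branch means the AVC record in the audit log, not a missing capability, is what to chase.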