Bug 1150534 - AUDIT-1: cacti: review of cron job file(s): /etc/cron.d/cacti
AUDIT-1: cacti: review of cron job file(s): /etc/cron.d/cacti
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Current
Other Other
: P5 - None : Normal (vote)
: ---
Assigned To: Matthias Gerstner
E-mail List
:
Depends on:
Blocks: 1150175
  Show dependency treegraph
 
Reported: 2019-09-12 11:28 UTC by Matthias Gerstner
Modified: 2020-02-28 12:07 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Gerstner 2019-09-12 11:28:16 UTC
+++ This bug was initially created as a clone of Bug #1150175
As discussed in the proactive security team we want to restrict the
installation of cron job files in the future. To achieve this we first need to
cover the currently existing packages that do this.

cacti installs a cron file in /etc/cron.d/cacti. It should be reviewed and
subsequently whitelisted if all is well.
Comment 1 Matthias Gerstner 2019-11-05 11:08:44 UTC
The cacti cron job runs /srv/www/cacti/poller.php as the 'wwwrun' user every
five minutes. This PHP program is large and complex and thus a high risk
candidate. It's difficult to complete review it.

The plus side is that is only runs as the 'wwwrun' user but still there might
linger things like symlink attacks or local code execution in some way. The
program works a lot with a local sqlite database but also spawns shell
commands to some extent.
Comment 2 Johannes Segitz 2020-01-10 14:43:41 UTC
So I had a look today and yes, it's difficult to review. I have two concerns:
- A lot of data is taken from the cacti installation and used to influence how the jobs run. I couldn't find a direct way to exploit it in the time I spent on this, but most of the time was just me getting to grips with the codebase. 
I think this is kind of unavoidable with a program like this. When starting from scratch one could chose a design that has some well defined entry points that could be audited, but it is what it is.
- In poller.ph
  575                 $extra_args = api_plugin_hook_function('poller_command_args', $extra_args);
allows plugins to add arguments to the commands being executed. These arguments are not escaped, so it's left to the plugins to do this. I checked the default plugins and none of them are problematic. I'll talk to upstream if this is something that could be hardened without breaking existing plugins.

So with that I think we should whitelist the cron job since it's essential for cacti.
Comment 3 Matthias Gerstner 2020-01-30 10:27:59 UTC
Thank you Johannes for double-checking this package. I'll submit a
whitelisting for the cron job.

@aj@ajaissle.de: please care for bug 1160867.
Comment 4 Matthias Gerstner 2020-02-28 12:07:04 UTC
the whitelisting will soon be submitted. I decoupled this audit bug from the
hardening requested in bug 1160867. Therefore closing this bug here.