manage_agents unable to access /dev/random due to chroot #425

Closed
bitcomsecdev opened this issue Oct 31, 2014 · 11 comments

@bitcomsecdev

Hi,

OS: 14.10 (Utopic Unicorn)
Kernel: Linux 3.16.0-23-generic
OSSEC Version: snapshot from github an hour ago.

I installed OSSEC for the first time and was excited to get going. Once installed I tried to add an agent via manage_agents bin and got:

2014/10/31 09:34:55 manage_agents: ERROR: randombytes failed for all possible methods for accessing random data

Strace output:
[ output omitted for readability ]
setgroups(1, [1001]) = 0
setresgid(-1, 1001, -1) = 0
setgid(1001) = 0
chdir("/var/ossec") = 0
chroot("/var/ossec") = 0
chdir("/") = 0

[ .. more omissions .. ]

open("/dev/urandom", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/dev/random", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "2014/10/31 09:38:16 ", 202014/10/31 09:38:16 ) = 20
write(2, "manage_agents: ERROR: randombyte"..., 91manage_agents: ERROR: randombytes failed for all possible methods for accessing random data) = 91
write(2, "\n", 1
) = 1
exit_group(1) = ?
+++ exited with 1 +++

From what I gather manage_agents chroots itself, but doesn't take into account that it actually needs entropy from /dev/urandom and /dev/random.

If you need the entire strace log by all means just let me know.

@bitcomsecdev
Author

For those dealing with this issue a quick temporary fix was to execute:

cd /var/ossec/
mkdir dev
mount -o bind /dev dev/

And you'll be able to add new agents to /var/ossec/etc/client.keys

Cheers.

@jrossi
Member

jrossi commented Oct 31, 2014

This is due to the new way we grab random data from /dev/random. But it must be done before chroot-ing. I am on mobile but should be easy to fix when I get to a computer. The fix is easy: move srandom_init() before chroot.
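
The ordering fix described in the comment above, as an added example that is not part of the original thread or OSSEC's code: open the random device while the real /dev is still reachable, then chroot, then read from the held descriptor. The names rng_open_early, rng_bytes and confine are hypothetical; the jail path defaults to the /var/ossec seen in the strace.

```c
#define _DEFAULT_SOURCE          /* expose chroot() under strict -std= modes */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

static int rng_fd = -1;          /* hypothetical names throughout; not OSSEC's code */

/* Call while the real /dev is still visible, i.e. before chroot(). */
int rng_open_early(void)
{
    rng_fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    return rng_fd >= 0 ? 0 : -1;
}

/* Works after chroot(): an open descriptor does not depend on path lookup. */
int rng_bytes(unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(rng_fd, buf + got, len - got);
        if (n > 0) got += (size_t)n;
        else if (n < 0 && errno == EINTR) continue;
        else return -1;          /* no fd, EOF or hard error: fail closed */
    }
    return 0;
}

/* Same sequence as the strace in the report: chdir, chroot, chdir("/"). */
int confine(const char *jail)
{
    if (chdir(jail) != 0 || chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/var/ossec";
    unsigned char key[16];

    if (rng_open_early() != 0) { perror("open /dev/urandom"); return 1; }
    if (confine(jail) != 0) perror("chroot (needs root; continuing unconfined)");
    if (rng_bytes(key, sizeof key) != 0) { fputs("no random data\n", stderr); return 1; }
    for (size_t i = 0; i < sizeof key; i++) printf("%02x", key[i]);
    putchar('\n');
    return 0;
}
```

Holding the descriptor keeps the jail free of device nodes, unlike bind-mounting the whole of /dev into it.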

@jrossi
Member

jrossi commented Oct 31, 2014

I have opened a Pull request to fix this, but I cannot test as I am still mobile.

@pjmorr

pjmorr commented Jan 27, 2016

This issue 'seems' to be causing system-wide effects?? I have a new server which is now no longer able to git clone or wget after doing the mount -o bind /dev dev/ from /var/ossec as root.
The error:

~# wget https://github.com/ossec/ossec-hids/archive/master.zip
Error in GnuTLS initialization: Failed to acquire random data.
ERROR: Failed to open cert /etc/ssl/certs/d7746a63.0: (-402).
ERROR: Failed to open cert /etc/ssl/certs/11f154d6.0: (-402).
ERROR: Failed to open cert /etc/ssl/certs/6e8bf996.0: (-402).
ERROR: Failed to open cert /etc/ssl/certs/9d6523ce.0: (-402).
ERROR: Failed to open cert /etc/ssl/certs/Global_Chambersign_Root_-_2008.pem: (-402).
ERROR: Failed to open cert /etc/ssl/certs/124bbd54.0: (-402).
ERROR: Failed to open cert /etc/ssl/certs/StartCom_Certification_Authority_2.pem: (-402).
ERROR: Failed to open cert /etc/ssl/certs/Certigna.pem: (-402).
ERROR: Failed to open cert /etc/ssl/certs/56b8a0b6.0: (-402).
ERROR: Failed to open cert /etc/ssl/certs/81b9768f.0: (-402).
ERROR: Failed to open cert /etc/ssl/certs/Comodo_Secure_Services_root.pem: (-402).
ERROR: Failed to open cert /etc/ssl/certs/Starfield_Services_Root_Certificate_Authority_-_G2.pem: (-402).
ERROR: Failed to open cert /etc/ssl/certs/75680d2e.0: (-402).
ERROR: Failed to open cert /etc/ssl/certs/4a6481c9.0: (-402).
ERROR: Failed to open cert /etc/ssl/certs/9007ae68.0: (-402).
ERROR: Failed to open cert /etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem: (-402).
ERROR: Failed to open cert /etc/ssl/certs/Certinomis_-_Autorité_Racine.pem: (-402).
ERROR: Failed to open cert /etc/ssl/certs/00673b5b.0: (-402).
...<removing pages of cert failures>
Resolving github.com (github.com)... 192.30.252.131
Connecting to github.com (github.com)|192.30.252.131|:443... connected.
Segmentation fault

git clone has the same issue.
I have not tried rebooting the server yet.

@pnill
Contributor

pnill commented Sep 1, 2016

This issue still affects the latest release candidate; I had to do the mount workaround to get mass creation of agents working...

It was also confusing, not knowing it ran in the chroot, trying to specify the file it was looking for, as it's chrooted into /var/ossec and not the current dir of the bin.

So when I placed the text file containing my agent names and IPs and attempted to do ./agent_list.txt, it was a bit odd.

@ddpbsd
Member

ddpbsd commented Sep 2, 2016

How are people triggering this? I don't see this behavior on OpenBSD or Ubuntu. I just tried a bulk add as well without issue.

@pnill
Contributor

pnill commented Sep 2, 2016

Is this with the latest Release RC 2.9.0 that you're not getting it, @ddpbsd, or is it the latest source?

@ddpbsd
Member

ddpbsd commented Sep 2, 2016

The latest source. I haven't tried RC3 yet, but I'll try to give it a shot this weekend.

@pnill
Contributor

pnill commented Sep 2, 2016

The issue I encountered was on the latest RC on an Ubuntu system. I didn't compile from source off git and try that yet, but this is also a production system I'm working to upgrade/migrate due to other unexpected/unexplained issues.

@ddpbsd
Member

ddpbsd commented Sep 2, 2016

Ok, I'll give that a shot. How were you running manage_agents?

@ddpbsd
Member

ddpbsd commented Sep 2, 2016

Ok, got it:

root@earth:/var/ossec# cat TEST
192.168.18.99,test1
192.168.18.100,test2
root@earth:/var/ossec# bin/manage_agents -f TEST
Bulk load file: TEST
Opening: [TEST]
2016/09/02 13:03:55 manage_agents: ERROR: randombytes failed for all possible methods for accessing random data
