
Info

In 2.2.0p24, the agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs are vulnerable to privilege escalation to root by the oracle user. With Werk 16232 we introduced a change that prevents this privilege escalation to root.

Affected binaries are: sqlplus, tnsping and crsctl.

As a result:

  • Windows
    mk_oracle.ps1 - we now check whether any non-admin user has Write, Modify or Full Control permissions on the affected binaries. If such a user is found, execution of the agent plugin is blocked and you will be notified about the non-admin user who owns the binary.
  • Linux
    mk_oracle - If you use Oracle Wallet to connect to your database and followed the instructions in our official documentation to set up your configuration, then you are also affected by this change. We have added new functionality to mk_oracle's "Just check the connection" mode (-t): it now also checks the permissions of the files and suggests the permissions required on the ora files and the Oracle Wallet files.
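An added example, not Checkmk's own mk_oracle code, of how the Linux check described above can be reproduced in POSIX shell: it audits the ora files under TNS_ADMIN, the wallet directory and every wallet file for the unprivileged DB user and prints the same kind of chgrp/chmod hint. It decides access from owner/group/mode metadata (GNU stat) instead of switching to the user, so the user name and its group list are passed as arguments and the script runs offline; the oinstall group and the "DIRECTORY = <path>" parsing of sqlnet.ora follow the documented wallet setup and are assumptions.

```shell
#!/bin/sh
# Added example (not Checkmk's mk_oracle): offline re-creation of the "-t" permission audit.
# Access is derived from owner/group/mode (GNU stat), so USER and its group list are arguments.

# has_perm FILE USER "GROUP LIST" r|w|x : 0 if USER holds that right on FILE
has_perm() {
    hp_user=$2 hp_groups=$3 hp_want=$4
    [ "$hp_user" = root ] && return 0                   # root bypasses mode bits
    hp_info=$(stat -c '%U %G %a' "$1" 2>/dev/null) || return 1
    set -- $hp_info                                     # -> owner group mode
    hp_mode=$3; hp_mode=${hp_mode#"${hp_mode%???}"}     # keep the rwx digits only
    if [ "$1" = "$hp_user" ]; then hp_d=${hp_mode%??}   # owner digit
    else case " $hp_groups " in
        *" $2 "*) hp_d=${hp_mode%?}; hp_d=${hp_d#?} ;;  # group digit
        *)        hp_d=${hp_mode#??} ;;                 # "other" digit
    esac; fi
    case $hp_want in r) hp_mask=4 ;; w) hp_mask=2 ;; *) hp_mask=1 ;; esac
    [ $(( hp_d & hp_mask )) -ne 0 ]
}

# check_access FILE USER "GROUP LIST" r|x : verdict line; fix hint (oinstall assumed) and 1 on failure
check_access() {
    ca_verb=read ca_bit=r
    [ "$4" = x ] && ca_verb=execute && ca_bit=x
    has_perm "$1" "$2" "$3" "$ca_bit" && { echo "* user \"$2\" can $ca_verb $1"; return 0; }
    echo "* ERROR! user \"$2\" can NOT $ca_verb $1"; ls -ld "$1" | sed 's/^/  /'
    echo "  We suggest to change the group to oinstall and give $ca_verb permission for the group:"
    echo "  chgrp oinstall \"$1\""; echo "  chmod g+$ca_bit \"$1\""
    return 1
}

# audit_oracle_access USER "GROUP LIST" TNS_ADMIN : exit status = number of problems found
audit_oracle_access() {
    ao_user=$1 ao_groups=$2 ao_tns=${3%/} ao_n=0
    for ao_f in "$ao_tns/sqlnet.ora" "$ao_tns/tnsnames.ora"; do
        [ -f "$ao_f" ] && { check_access "$ao_f" "$ao_user" "$ao_groups" r || ao_n=$((ao_n + 1)); }
    done
    # wallet path from the documented "(DIRECTORY = /path)" entry of sqlnet.ora
    ao_wallet=$(sed -n 's/.*DIRECTORY[[:space:]]*=[[:space:]]*\([^)[:space:]]*\).*/\1/p' "$ao_tns/sqlnet.ora" 2>/dev/null | head -n 1)
    if [ -d "$ao_wallet" ]; then   # the user needs r+x on the directory and r on each wallet file
        check_access "$ao_wallet" "$ao_user" "$ao_groups" r || ao_n=$((ao_n + 1))
        check_access "$ao_wallet" "$ao_user" "$ao_groups" x || ao_n=$((ao_n + 1))
        for ao_f in "$ao_wallet"/*; do
            [ -f "$ao_f" ] && { check_access "$ao_f" "$ao_user" "$ao_groups" r || ao_n=$((ao_n + 1)); }
        done
    fi
    return $ao_n
}
if [ "$#" -eq 3 ]; then audit_oracle_access "$@"; fi   # e.g. sh audit.sh oracle "oinstall dba" /etc/check_mk
```

Run it as root on the agent host with the DB user's name and `id -nG oracle` output to get the same verdict list as mk_oracle -t before touching any permissions.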

...


Problem

All binaries called by the plugins are now checked to determine whether they need to be executed as a non-root (non-administrator under Windows) user, preventing the privilege escalation.


Affected binaries are: 

  • sqlplus
  • tnsping
  • crsctl


On Linux, this causes issues when using an oracle wallet as the unprivileged user might not be able to access the files defining the connection details and credentials which are primarily

...

Code Block
[root@linuxhost check_mk]# export MK_CONFDIR=/etc/check_mk/;export MK_VARDIR=/var/lib/check_mk_agent;  /usr/lib/check_mk_agent/plugins/60/mk_oracle_fix15 --no-spool 
<<<oracle_instance>>>
<<<oracle_performance>>>
<<<oracle_systemparameter>>>
<<<oracle_processes>>>
<<<oracle_sessions>>>
<<<oracle_longactivesessions>>>
<<<oracle_logswitches>>>
<<<oracle_undostat>>>
<<<oracle_recovery_area>>>
<<<oracle_recovery_status>>>
<<<oracle_dataguard_stats>>>
<<<oracle_locks>>>
<<<oracle_tablespaces>>>
<<<oracle_rman>>>
<<<oracle_jobs>>>
<<<oracle_resumable>>>
<<<oracle_instance>>>
<<<oracle_processes>>>
<<<oracle_asm_diskgroup>>>
<<<oracle_instance:sep(124)>>>
PRODDB|FAILURE|/etc/check_mk//sqlnet.ora can not be read by user "oracle"! Either use 'sqlnet.ora permission group' bakery rule, or directly modify permissions of the file.

...

Note

If you don't use the bakery, then you can run the following on the server where you have installed the agent:

Code Block
  [root@linuxhost check_mk]# chgrp oinstall "/etc/check_mk//sqlnet.ora"
  [root@linuxhost check_mk]# chmod g+r "/etc/check_mk//sqlnet.ora"

Below, you will find an example output from mk_oracle -t:

Code Block
[root@linuxhost check_mk]# export MK_CONFDIR=/etc/check_mk/;export MK_VARDIR=/var/lib/check_mk_agent;  /usr/lib/check_mk_agent/plugins/60/mk_oracle_fix15 --no-spool -t
<<<oracle_instance>>>
<<<oracle_performance>>>
<<<oracle_systemparameter>>>
<<<oracle_processes>>>
<<<oracle_sessions>>>
<<<oracle_longactivesessions>>>
<<<oracle_logswitches>>>
<<<oracle_undostat>>>
<<<oracle_recovery_area>>>
<<<oracle_recovery_status>>>
<<<oracle_dataguard_stats>>>
<<<oracle_locks>>>
<<<oracle_tablespaces>>>
<<<oracle_rman>>>
<<<oracle_jobs>>>
<<<oracle_resumable>>>
<<<oracle_instance>>>
<<<oracle_processes>>>
<<<oracle_asm_diskgroup>>>

---checking permissions-------------------------------------------------
see https://checkmk.atlassian.net/wiki/spaces/KB/pages/70582273/Troubleshooting+mk+oracle+for+Windows+and+Linux

* sqlplus binary: /opt/oracle/product/19c/dbhome_1/bin/sqlplus
* sqlplus binary owner: oracle
* change user: true
* $TNS_ADMIN: /etc/check_mk/
* ERROR! user "oracle" can NOT read /etc/check_mk//sqlnet.ora
  -rw-r-----. 1 root root 373 10. Apr 11:51 /etc/check_mk//sqlnet.ora
  We suggest to change the group to oinstall and give read permission for the group:
  chgrp oinstall "/etc/check_mk//sqlnet.ora"
  chmod g+r "/etc/check_mk//sqlnet.ora"

  If you use the AGENT BAKERY you have to use the rule 'sqlnet.ora premission group' to make this change permanently, otherwise it will be overwritten by an agent update.
* user "oracle" can read /etc/check_mk//tnsnames.ora

* test-login does not work!

  Could not login. In case you are using a wallet to connect, there might be a permission error.
  Make sure that the wallet folder can be read and executed by user "oracle" and
  the files inside the wallet can be read by the user.
  Consult your ora files for hints where the wallet is located:
  /etc/check_mk//sqlnet.ora
  /etc/check_mk//tnsnames.ora

------------------------------------------------------------------------

---login----------------------------------------------------------------
    Operating System:       Linux
    ORACLE_HOME (oratab):   /opt/oracle/product/19c/dbhome_1
    Logincheck to Instance: proddb
    Version:                
<<<oracle_instance:sep(124)>>>
PRODDB|FAILURE|/etc/check_mk//sqlnet.ora can not be read by user "oracle"! Either use 'sqlnet.ora permission group' bakery rule, or directly modify permissions of the file.
    SYNC_SECTIONS:          instance performance systemparameter processes sessions longactivesessions logswitches undostat recovery_area recovery_status dataguard_stats locks
    ASYNC_SECTIONS:         tablespaces rman jobs resumable
------------------------------------------------------------------------

[root@linuxhost check_mk]# chown :oinstall sqlnet.ora

[root@linuxhost check_mk]# export MK_CONFDIR=/etc/check_mk/;export MK_VARDIR=/var/lib/check_mk_agent;  /usr/lib/check_mk_agent/plugins/60/mk_oracle_fix15 --no-spool -t
<<<oracle_instance>>>
<<<oracle_performance>>>
<<<oracle_systemparameter>>>
<<<oracle_processes>>>
<<<oracle_sessions>>>
<<<oracle_longactivesessions>>>
<<<oracle_logswitches>>>
<<<oracle_undostat>>>
<<<oracle_recovery_area>>>
<<<oracle_recovery_status>>>
<<<oracle_dataguard_stats>>>
<<<oracle_locks>>>
<<<oracle_tablespaces>>>
<<<oracle_rman>>>
<<<oracle_jobs>>>
<<<oracle_resumable>>>
<<<oracle_instance>>>
<<<oracle_processes>>>
<<<oracle_asm_diskgroup>>>
    Logindetails:           /@PRODDB

---checking permissions-------------------------------------------------
see https://checkmk.atlassian.net/wiki/spaces/KB/pages/70582273/Troubleshooting+mk+oracle+for+Windows+and+Linux

* sqlplus binary: /opt/oracle/product/19c/dbhome_1/bin/sqlplus
* sqlplus binary owner: oracle
* change user: true
* $TNS_ADMIN: /etc/check_mk/
* user "oracle" can read /etc/check_mk//sqlnet.ora
* user "oracle" can read /etc/check_mk//tnsnames.ora

* test-login does not work!
  ORA-12578 suggests, that there is an error reading the wallet.
  Detected sqlnet.ora as suggested in the documentation.

* ERROR! user "oracle" can NOT read /etc/check_mk/oracle_wallet
  drwxr-x---. 2 root root 90  9. Apr 12:16 /etc/check_mk/oracle_wallet
  We suggest to change the group to oinstall and give read permission for the group:
  chgrp oinstall "/etc/check_mk/oracle_wallet"
  chmod g+r "/etc/check_mk/oracle_wallet"

* ERROR! user "oracle" can NOT execute /etc/check_mk/oracle_wallet
  drwxr-x---. 2 root root 90  9. Apr 12:16 /etc/check_mk/oracle_wallet
  We suggest to change the group to oinstall and give execute permission for the group:
  chgrp oinstall "/etc/check_mk/oracle_wallet"
  chmod g+x "/etc/check_mk/oracle_wallet"

* ERROR! user "oracle" can NOT read /etc/check_mk/oracle_wallet/cwallet.sso
  -rw-r-----. 1 root root 949  9. Apr 12:20 /etc/check_mk/oracle_wallet/cwallet.sso
  We suggest to change the group to oinstall and give read permission for the group:
  chgrp oinstall "/etc/check_mk/oracle_wallet/cwallet.sso"
  chmod g+r "/etc/check_mk/oracle_wallet/cwallet.sso"

* ERROR! user "oracle" can NOT read /etc/check_mk/oracle_wallet/cwallet.sso.lck
  -rw-r-----. 1 root root 0  9. Apr 12:16 /etc/check_mk/oracle_wallet/cwallet.sso.lck
  We suggest to change the group to oinstall and give read permission for the group:
  chgrp oinstall "/etc/check_mk/oracle_wallet/cwallet.sso.lck"
  chmod g+r "/etc/check_mk/oracle_wallet/cwallet.sso.lck"

* ERROR! user "oracle" can NOT read /etc/check_mk/oracle_wallet/ewallet.p12
  -rw-r-----. 1 root root 904  9. Apr 12:20 /etc/check_mk/oracle_wallet/ewallet.p12
  We suggest to change the group to oinstall and give read permission for the group:
  chgrp oinstall "/etc/check_mk/oracle_wallet/ewallet.p12"
  chmod g+r "/etc/check_mk/oracle_wallet/ewallet.p12"

* ERROR! user "oracle" can NOT read /etc/check_mk/oracle_wallet/ewallet.p12.lck
  -rw-r-----. 1 root root 0  9. Apr 12:16 /etc/check_mk/oracle_wallet/ewallet.p12.lck
  We suggest to change the group to oinstall and give read permission for the group:
  chgrp oinstall "/etc/check_mk/oracle_wallet/ewallet.p12.lck"
  chmod g+r "/etc/check_mk/oracle_wallet/ewallet.p12.lck"

------------------------------------------------------------------------

---login----------------------------------------------------------------
    Operating System:       Linux
    ORACLE_HOME (oratab):   /opt/oracle/product/19c/dbhome_1
    Logincheck to Instance: proddb
    Version:                
    Error Message:          PRODDB|FAILURE|ERROR: ORA-12578: TNS:wallet open failed 
    SYNC_SECTIONS:          instance performance systemparameter processes sessions longactivesessions logswitches undostat recovery_area recovery_status dataguard_stats locks
    ASYNC_SECTIONS:         tablespaces rman jobs resumable
------------------------------------------------------------------------

...