Info: In 2.2.0p24, the agent plugins mk_oracle, mk_oracle.ps1 and mk_oracle_crs are vulnerable to privilege escalation to root by the oracle user. With Werk 16232 we introduced a change that prevents this privilege escalation. Affected binaries are: sqlplus, tnsping and crsctl. As a result:
...
Problem
All binaries called by the plugins are now checked to determine whether they need to be executed as a non-root user (non-administrator under Windows), which prevents the privilege escalation.
Affected binaries are:
- sqlplus
- tnsping
- crsctl
On Linux, this causes issues when using an Oracle wallet, as the unprivileged user might not be able to access the files defining the connection details and credentials, which are primarily
...
```
[root@linuxhost check_mk]# export MK_CONFDIR=/etc/check_mk/;export MK_VARDIR=/var/lib/check_mk_agent; /usr/lib/check_mk_agent/plugins/60/mk_oracle_fix15 --no-spool
<<<oracle_instance>>>
<<<oracle_performance>>>
<<<oracle_systemparameter>>>
<<<oracle_processes>>>
<<<oracle_sessions>>>
<<<oracle_longactivesessions>>>
<<<oracle_logswitches>>>
<<<oracle_undostat>>>
<<<oracle_recovery_area>>>
<<<oracle_recovery_status>>>
<<<oracle_dataguard_stats>>>
<<<oracle_locks>>>
<<<oracle_tablespaces>>>
<<<oracle_rman>>>
<<<oracle_jobs>>>
<<<oracle_resumable>>>
<<<oracle_instance>>>
<<<oracle_processes>>>
<<<oracle_asm_diskgroup>>>
<<<oracle_instance:sep(124)>>>
PRODDB|FAILURE|/etc/check_mk//sqlnet.ora can not be read by user "oracle"! Either use 'sqlnet.ora permission group' bakery rule, or directly modify permissions of the file.
```
...
Note: If you don't use the bakery, then you can run the following on the server where you have installed the agent:
Below, you will find an example output from mk_oracle -t:
```
[root@linuxhost check_mk]# export MK_CONFDIR=/etc/check_mk/;export MK_VARDIR=/var/lib/check_mk_agent; /usr/lib/check_mk_agent/plugins/60/mk_oracle_fix15 --no-spool -t
<<<oracle_instance>>>
<<<oracle_performance>>>
<<<oracle_systemparameter>>>
<<<oracle_processes>>>
<<<oracle_sessions>>>
<<<oracle_longactivesessions>>>
<<<oracle_logswitches>>>
<<<oracle_undostat>>>
<<<oracle_recovery_area>>>
<<<oracle_recovery_status>>>
<<<oracle_dataguard_stats>>>
<<<oracle_locks>>>
<<<oracle_tablespaces>>>
<<<oracle_rman>>>
<<<oracle_jobs>>>
<<<oracle_resumable>>>
<<<oracle_instance>>>
<<<oracle_processes>>>
<<<oracle_asm_diskgroup>>>
---checking permissions-------------------------------------------------
see https://checkmk.atlassian.net/wiki/spaces/KB/pages/70582273/Troubleshooting+mk+oracle+for+Windows+and+Linux
* sqlplus binary: /opt/oracle/product/19c/dbhome_1/bin/sqlplus
* sqlplus binary owner: oracle
* change user: true
* $TNS_ADMIN: /etc/check_mk/
* ERROR! user "oracle" can NOT read /etc/check_mk//sqlnet.ora
  -rw-r-----. 1 root root 373 10. Apr 11:51 /etc/check_mk//sqlnet.ora
  We suggest to change the group to oinstall and give read permission for the group:
  chgrp oinstall "/etc/check_mk//sqlnet.ora"
  chmod g+r "/etc/check_mk//sqlnet.ora"
  If you use the AGENT BAKERY you have to use the rule 'sqlnet.ora premission group' to make this change permanently, otherwise it will be overwritten by an agent update.
* user "oracle" can read /etc/check_mk//tnsnames.ora
* test-login does not work!
  Could not login. In case you are using a wallet to connect, there might be a permission error.
  Make sure that the wallet folder can be read and executed by user "oracle" and the files inside the wallet can be read by the user.
  Consult your ora files for hints where the wallet is located:
  /etc/check_mk//sqlnet.ora
  /etc/check_mk//tnsnames.ora
------------------------------------------------------------------------
---login----------------------------------------------------------------
Operating System: Linux
ORACLE_HOME (oratab): /opt/oracle/product/19c/dbhome_1
Logincheck to Instance: proddb
Version:
<<<oracle_instance:sep(124)>>>
PRODDB|FAILURE|/etc/check_mk//sqlnet.ora can not be read by user "oracle"! Either use 'sqlnet.ora permission group' bakery rule, or directly modify permissions of the file.
SYNC_SECTIONS: instance performance systemparameter processes sessions longactivesessions logswitches undostat recovery_area recovery_status dataguard_stats locks
ASYNC_SECTIONS: tablespaces rman jobs resumable
------------------------------------------------------------------------
[root@linuxhost check_mk]# chown :oinstall sqlnet.ora
[root@linuxhost check_mk]# export MK_CONFDIR=/etc/check_mk/;export MK_VARDIR=/var/lib/check_mk_agent; /usr/lib/check_mk_agent/plugins/60/mk_oracle_fix15 --no-spool -t
<<<oracle_instance>>>
<<<oracle_performance>>>
<<<oracle_systemparameter>>>
<<<oracle_processes>>>
<<<oracle_sessions>>>
<<<oracle_longactivesessions>>>
<<<oracle_logswitches>>>
<<<oracle_undostat>>>
<<<oracle_recovery_area>>>
<<<oracle_recovery_status>>>
<<<oracle_dataguard_stats>>>
<<<oracle_locks>>>
<<<oracle_tablespaces>>>
<<<oracle_rman>>>
<<<oracle_jobs>>>
<<<oracle_resumable>>>
<<<oracle_instance>>>
<<<oracle_processes>>>
<<<oracle_asm_diskgroup>>>
Logindetails: /@PRODDB
---checking permissions-------------------------------------------------
see https://checkmk.atlassian.net/wiki/spaces/KB/pages/70582273/Troubleshooting+mk+oracle+for+Windows+and+Linux
* sqlplus binary: /opt/oracle/product/19c/dbhome_1/bin/sqlplus
* sqlplus binary owner: oracle
* change user: true
* $TNS_ADMIN: /etc/check_mk/
* user "oracle" can read /etc/check_mk//sqlnet.ora
* user "oracle" can read /etc/check_mk//tnsnames.ora
* test-login does not work!
  ORA-12578 suggests, that there is an error reading the wallet.
  Detected sqlnet.ora as suggested in the documentation.
* ERROR! user "oracle" can NOT read /etc/check_mk/oracle_wallet
  drwxr-x---. 2 root root 90 9. Apr 12:16 /etc/check_mk/oracle_wallet
  We suggest to change the group to oinstall and give read permission for the group:
  chgrp oinstall "/etc/check_mk/oracle_wallet"
  chmod g+r "/etc/check_mk/oracle_wallet"
* ERROR! user "oracle" can NOT execute /etc/check_mk/oracle_wallet
  drwxr-x---. 2 root root 90 9. Apr 12:16 /etc/check_mk/oracle_wallet
  We suggest to change the group to oinstall and give execute permission for the group:
  chgrp oinstall "/etc/check_mk/oracle_wallet"
  chmod g+x "/etc/check_mk/oracle_wallet"
* ERROR! user "oracle" can NOT read /etc/check_mk/oracle_wallet/cwallet.sso
  -rw-r-----. 1 root root 949 9. Apr 12:20 /etc/check_mk/oracle_wallet/cwallet.sso
  We suggest to change the group to oinstall and give read permission for the group:
  chgrp oinstall "/etc/check_mk/oracle_wallet/cwallet.sso"
  chmod g+r "/etc/check_mk/oracle_wallet/cwallet.sso"
* ERROR! user "oracle" can NOT read /etc/check_mk/oracle_wallet/cwallet.sso.lck
  -rw-r-----. 1 root root 0 9. Apr 12:16 /etc/check_mk/oracle_wallet/cwallet.sso.lck
  We suggest to change the group to oinstall and give read permission for the group:
  chgrp oinstall "/etc/check_mk/oracle_wallet/cwallet.sso.lck"
  chmod g+r "/etc/check_mk/oracle_wallet/cwallet.sso.lck"
* ERROR! user "oracle" can NOT read /etc/check_mk/oracle_wallet/ewallet.p12
  -rw-r-----. 1 root root 904 9. Apr 12:20 /etc/check_mk/oracle_wallet/ewallet.p12
  We suggest to change the group to oinstall and give read permission for the group:
  chgrp oinstall "/etc/check_mk/oracle_wallet/ewallet.p12"
  chmod g+r "/etc/check_mk/oracle_wallet/ewallet.p12"
* ERROR! user "oracle" can NOT read /etc/check_mk/oracle_wallet/ewallet.p12.lck
  -rw-r-----. 1 root root 0 9. Apr 12:16 /etc/check_mk/oracle_wallet/ewallet.p12.lck
  We suggest to change the group to oinstall and give read permission for the group:
  chgrp oinstall "/etc/check_mk/oracle_wallet/ewallet.p12.lck"
  chmod g+r "/etc/check_mk/oracle_wallet/ewallet.p12.lck"
------------------------------------------------------------------------
---login----------------------------------------------------------------
Operating System: Linux
ORACLE_HOME (oratab): /opt/oracle/product/19c/dbhome_1
Logincheck to Instance: proddb
Version:
Error Message:
PRODDB|FAILURE|ERROR: ORA-12578: TNS:wallet open failed
SYNC_SECTIONS: instance performance systemparameter processes sessions longactivesessions logswitches undostat recovery_area recovery_status dataguard_stats locks
ASYNC_SECTIONS: tablespaces rman jobs resumable
------------------------------------------------------------------------
```
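As an added example (not the mk_oracle plugin's own code and not taken from this page), the Unix mode-bit logic behind the "can NOT read" / "can NOT execute" messages above, fed with stat data constructed to mirror the listings in the output: once the plugin drops from root to the binary owner, root's access no longer counts, so the wallet directory needs group r+x and each wallet file group r. The uid/gid numbers, the `oinstall` fix group and the function names are assumptions.

```python
import os
import stat
import pwd
import grp

R, X = 4, 1  # read and execute/traverse bits of one rwx triad


def allowed(mode, owner_uid, owner_gid, uid, gids, want):
    """Classic mode-bit check: owner triad, else group triad, else other.
    uid 0 is deliberately not special-cased: the plugin now runs the binary
    as its owner, so what root could read is irrelevant."""
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want


def audit(entries, uid, gids, fix_group="oinstall"):
    """entries: (path, st_mode, st_uid, st_gid). Directories need read and
    execute, files need read. Returns (problems, remediation commands)."""
    problems, fixes = [], []
    for path, mode, o_uid, o_gid in entries:
        checks = [(R, "read", "r")]
        if stat.S_ISDIR(mode):
            checks.append((X, "execute", "x"))
        for want, name, flag in checks:
            if not allowed(mode, o_uid, o_gid, uid, gids, want):
                problems.append((path, name))
                fixes.append(f'chgrp {fix_group} "{path}"')
                fixes.append(f'chmod g+{flag} "{path}"')
    return problems, fixes


def audit_live(paths, username, fix_group="oinstall"):
    """Same check against the real filesystem for a named account."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    entries = []
    for p in paths:
        st = os.stat(p)
        entries.append((p, st.st_mode, st.st_uid, st.st_gid))
    return audit(entries, pw.pw_uid, gids, fix_group)


ORACLE_UID, OINSTALL_GID = 1001, 1001  # constructed ids for oracle / oinstall
SAMPLE_ENTRIES = [  # constructed from the ls output shown above
    ("/etc/check_mk/sqlnet.ora", stat.S_IFREG | 0o640, 0, OINSTALL_GID),  # after chown :oinstall
    ("/etc/check_mk/oracle_wallet", stat.S_IFDIR | 0o750, 0, 0),          # drwxr-x--- root root
    ("/etc/check_mk/oracle_wallet/cwallet.sso", stat.S_IFREG | 0o640, 0, 0),
]
```

Running `audit(SAMPLE_ENTRIES, ORACLE_UID, {OINSTALL_GID})` reports the wallet directory as unreadable and untraversable and cwallet.sso as unreadable, with the same chgrp/chmod pairs the plugin prints; `audit_live` applies the check to real paths for a real account.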
...