EDR: Alerts not being generated on a new installation

Environment

  • EDR Server: 6.0.1 and Higher

Symptoms

  • Alerts are not generated.
  • Watchlists are not running.
  • Cron jobs owned by user "cb" are not executing.
  • No cron log entries appear in /var/log/cb/job-runner/job-runner.log
  • /var/log/cron shows PAM errors for the "cb" user:
Feb 19 14:32:01 cbr01 crond[15462]: (cb) PAM ERROR (Permission denied)
Feb 19 14:32:01 cbr01 crond[15462]: (cb) FAILED to authorize user with PAM (Permission denied)
  • tail -10 /var/log/audit/audit.log shows the PAM and audit entries recorded around the cron job that runs watchlists:
type=LOGIN msg=audit(1548232981.265:413306): pid=13522 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=49464 res=1 
type=USER_START msg=audit(1548232981.278:413307): pid=13522 uid=0 auid=0 ses=49464 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' 
type=CRED_REFR msg=audit(1548232981.279:413308): pid=13522 uid=0 auid=0 ses=49464 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' 
type=CRED_DISP msg=audit(1548232983.761:413309): pid=13522 uid=0 auid=0 ses=49464 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' 
type=USER_END msg=audit(1548232983.764:413310): pid=13522 uid=0 auid=0 ses=49464 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' 
type=AVC msg=audit(1548232991.028:413311): avc: denied { search } for pid=13576 comm="df" name="/" dev="0:39" ino=96 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir 
type=AVC msg=audit(1548232991.028:413311): avc: denied { read } for pid=13576 comm="df" name="rabbit@CB-SERVER-CLUSTER-HEAD-NODE" dev="0:39" ino=21299 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir 
type=AVC msg=audit(1548232991.028:413311): avc: denied { open } for pid=13576 comm="df" path="/var/cb_data/data/rabbitmq/mnesia/rabbit@CB-SERVER-CLUSTER-HEAD-NODE" dev="0:39" ino=21299 scontext=system_u:system_r:rabbitmq_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir 
type=SYSCALL msg=audit(1548232991.028:413311): arch=c000003e syscall=2 success=yes exit=3 a0=7ffdf8f1b90f a1=100 a2=2283380 a3=7ffdf8f195a0 items=0 ppid=13575 pid=13576 auid=4294967295 uid=994 gid=990 euid=994 suid=994 fsuid=994 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="df" exe="/usr/bin/df" subj=system_u:system_r:rabbitmq_t:s0 key=(null)

Cause

The Linux OS is configured to force all users through PAM authentication. crond therefore consults /etc/security/access.conf before running a user's jobs, and that file does not grant the "cb" user access to the cron/crond service, so its jobs (watchlists and alert generation) never start.

Resolution

  1. Modify the /etc/security/access.conf file to allow the "cb" user access to the crond service.
  2. Place this line immediately below the line that references "root" for organizational reasons:
+ : cb : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
  3. Restart the crond service:
sudo service crond restart
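The fix works because pam_access evaluates access.conf top to bottom and the first line whose user field and origin field both match decides the outcome. The script below is an added example, not part of the original KB article or of the EDR product, that models that first-match evaluation on two constructed rulesets (one before the fix, one with the "cb" line added) and extracts the users that crond refused from constructed /var/log/cron lines. The access.conf samples and the third log line are constructed; the helper names access_decision and pam_denied_users are this example's own. It handles only the syntax the KB line uses (literal user names, ALL, literal origins such as service names, ttys and the ":0" display) and not groups, netgroups, EXCEPT or network addresses.

```shell
#!/usr/bin/env bash
# Added example (not from the KB article): model pam_access first-match
# evaluation of /etc/security/access.conf and pull PAM refusals out of
# /var/log/cron. All file contents below are constructed samples.

# Constructed access.conf before the fix: only root may use cron/crond,
# everyone else is denied by the catch-all last line.
ACCESS_CONF_BEFORE='# constructed sample: state before the fix
+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
- : ALL : ALL
'

# Constructed access.conf after the fix: the "cb" line from the KB article
# sits directly below the root line.
ACCESS_CONF_AFTER='# constructed sample: state after the fix
+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+ : cb : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
- : ALL : ALL
'

# access_decision USER ORIGIN [CONF_TEXT]
# Prints "allow" or "deny" for USER arriving via ORIGIN (a PAM service such
# as crond, a tty, or the X display ":0"), using first-match semantics.
# CONF_TEXT defaults to ACCESS_CONF_AFTER.
access_decision() {
  local user="$1" origin="$2" conf="${3:-$ACCESS_CONF_AFTER}"
  printf '%s\n' "$conf" | awk -F':' -v user="$user" -v origin="$origin" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    NF < 3 { next }                        # need permission : users : origins
    {
      perm = $1; gsub(/[ \t]/, "", perm)
      # The origins field may itself contain ":" (the X display ":0"),
      # so rejoin everything after the second separator.
      orig = $3
      for (k = 4; k <= NF; k++) orig = orig ":" $k
      umatch = 0; n = split($2, users, /[ \t]+/)
      for (i = 1; i <= n; i++)
        if (users[i] != "" && (users[i] == user || users[i] == "ALL")) umatch = 1
      omatch = 0; m = split(orig, origins, /[ \t]+/)
      for (j = 1; j <= m; j++)
        if (origins[j] != "" && (origins[j] == origin || origins[j] == "ALL")) omatch = 1
      if (umatch && omatch) {
        found = 1
        if (perm == "+") print "allow"; else print "deny"
        exit                               # first matching line wins
      }
    }
    END { if (!found) print "allow" }      # pam_access grants access when no line matches
  '
}

# Constructed /var/log/cron excerpt: first two lines are the ones quoted in
# the KB article, the third is a constructed successful root job.
SAMPLE_CRON_LOG='Feb 19 14:32:01 cbr01 crond[15462]: (cb) PAM ERROR (Permission denied)
Feb 19 14:32:01 cbr01 crond[15462]: (cb) FAILED to authorize user with PAM (Permission denied)
Feb 19 14:33:01 cbr01 crond[15470]: (root) CMD (run-parts /etc/cron.hourly)'

# pam_denied_users [LOG_TEXT]
# Prints, one per line and deduplicated, every user that crond failed to
# authorize through PAM. On a live host: pam_denied_users "$(cat /var/log/cron)".
pam_denied_users() {
  local log="${1:-$SAMPLE_CRON_LOG}"
  printf '%s\n' "$log" \
    | sed -n 's/.*crond\[[0-9]*\]: (\([^)]*\)) FAILED to authorize user with PAM.*/\1/p' \
    | sort -u
}

# Stand-alone demonstration: the symptom, then the effect of the fix.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  echo "users refused by PAM in cron log: $(pam_denied_users | tr '\n' ' ')"
  echo "cb via crond before fix: $(access_decision cb crond "$ACCESS_CONF_BEFORE")"
  echo "cb via crond after fix:  $(access_decision cb crond "$ACCESS_CONF_AFTER")"
fi
```

Running it against the "before" ruleset reproduces the symptom (the catch-all "- : ALL : ALL" denies "cb"), and the "after" ruleset shows why inserting the line directly below root changes the decision to allow without widening access for any other user or service.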

Additional Notes

  • If restarting crond does not resolve the issue, restart the entire OS.

Article Information

Creation Date: 09-09-2020