- Red Hat Enterprise Linux (RHEL) 7
- tcpdump 4.5.1
- tcpdump 4.9.0
- tcpdump 4.9.2
During installation, the tcpdump package attempts to create the tcpdump user and group without first checking whether that group or user already exists. That behaviour raises alerts in
tcpdump-4.9.2-4.el7 released with Advisory RHBA-2019:2342 or newer.
The tcpdump package tries to create the tcpdump user and group unconditionally, without checking whether they already exist. This bug is fixed in tcpdump-4.9.2-4.el7 and newer.
To reproduce the issue, upgrade the tcpdump package from a previous version while auditing is enabled. Auditing is enabled in RHEL 7 by default.
To perform the upgrade, execute the following command:
# yum upgrade tcpdump
Actual results seen in
type=ADD_GROUP msg=audit(1547033150.379:79791): pid=6469 uid=0 auid=0 ses=3832 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group acct="tcpdump" exe="/usr/sbin/groupadd" hostname=host.example.com addr=? terminal=pts/0 res=failed'
type=ADD_USER msg=audit(1547033233.280:79798): pid=7841 uid=0 auid=0 ses=3832 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct="tcpdump" exe="/usr/sbin/useradd" hostname=host.example.com addr=? terminal=pts/0 res=failed'
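The following Python is an added example, not part of the Red Hat solution: it parses audit records like the ones above and separates failed add-user/add-group events that match this tcpdump pattern from other failed account creations that still need review. The sample records are constructed (the svc-backup ones are hypothetical), and the function names are this example's own.

```python
import re

# Constructed sample: the first two records mirror the ones above; the
# svc-backup records are hypothetical and included only for contrast.
SAMPLE = """\
type=ADD_GROUP msg=audit(1547033150.379:79791): pid=6469 uid=0 auid=0 ses=3832 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group acct="tcpdump" exe="/usr/sbin/groupadd" hostname=host.example.com addr=? terminal=pts/0 res=failed'
type=ADD_USER msg=audit(1547033233.280:79798): pid=7841 uid=0 auid=0 ses=3832 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct="tcpdump" exe="/usr/sbin/useradd" hostname=host.example.com addr=? terminal=pts/0 res=failed'
type=ADD_USER msg=audit(1547040000.000:80001): pid=9001 uid=0 auid=1000 ses=3900 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct="svc-backup" exe="/usr/sbin/useradd" hostname=host.example.com addr=? terminal=pts/1 res=success'
type=ADD_USER msg=audit(1547040060.000:80002): pid=9010 uid=0 auid=1000 ses=3900 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct="svc-backup" exe="/usr/sbin/useradd" hostname=host.example.com addr=? terminal=pts/1 res=failed'
"""

# Record header: type, then audit(<epoch>:<serial>):, then the key=value body.
RECORD = re.compile(r"^type=(ADD_GROUP|ADD_USER) msg=audit\(([\d.]+):(\d+)\):(.*)$")
# key=value pairs; values are either double-quoted or run to whitespace/quote.
FIELD = re.compile(r"(\w[\w-]*)=(\"[^\"]*\"|[^\s']+)")
# Binary expected for each record type in the pattern this page describes.
EXPECTED_EXE = {"ADD_GROUP": "/usr/sbin/groupadd", "ADD_USER": "/usr/sbin/useradd"}


def failed_account_adds(text):
    """Return one dict per ADD_USER/ADD_GROUP record whose res is 'failed'."""
    events = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # other record types and malformed lines are skipped
        rec_type, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if fields.get("res") != "failed":
            continue
        events.append({"type": rec_type, "time": float(ts), "serial": int(serial),
                       "acct": fields.get("acct"), "exe": fields.get("exe"),
                       "auid": fields.get("auid")})
    return events


def matches_tcpdump_upgrade(event):
    """True when the failed event has the account and binary shown on this page."""
    return event["acct"] == "tcpdump" and event["exe"] == EXPECTED_EXE[event["type"]]


if __name__ == "__main__":
    for ev in failed_account_adds(SAMPLE):
        label = "tcpdump package pattern" if matches_tcpdump_upgrade(ev) else "review"
        print(f'{ev["serial"]} {ev["type"]} acct={ev["acct"]} auid={ev["auid"]} -> {label}')
```

To run it against a real host, pass the contents of the audit log to `failed_account_adds` in place of `SAMPLE`.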