Tcpdump tries to creates "tcpdump" user and "tcpdump" group without checking whether they exist beforehand

Solution Verified - Updated -


  • Red Hat Enterprise Linux (RHEL) 7
  • tcpdump 4.5.1
  • tcpdump 4.9.0
  • tcpdump 4.9.2


During an installation of tcpdump, it attempts to create tcpdump user and group without previously checking if that group/user already exist. That behaviour raises alerts in /var/log/audit/audit.log.


Update to tcpdump-4.9.2-4.el7 released with Advisory RHBA-2019:2342 or newer.

Root Cause

The tcpdump package tries to create tcpdump user and group unconditionally, without checking whether they already exist. This bug is fixed in tcpdump-4.9.2-4.el7 and newer.

Diagnostic Steps

To reproduce the issue upgrade thetpcdump package from a previous version while having auditing enabled. Auditing is enabled in RHEL 7 by default.

  • To perform the upgrade execute the following command:

    # yum upgrade tcpdump
  • Actual results seen in /var/log/audit/audit.log:

    type=ADD_GROUP msg=audit(1547033150.379:79791): pid=6469 uid=0 auid=0 ses=3832 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group acct="tcpdump" exe="/usr/sbin/groupadd" addr=? terminal=pts/0 res=failed'
    type=ADD_USER msg=audit(1547033233.280:79798): pid=7841 uid=0 auid=0 ses=3832 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct="tcpdump" exe="/usr/sbin/useradd" addr=? terminal=pts/0 res=failed'
  • Component
  • rpm

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.