Open scott-mackenzie opened 1 month ago
The server is hardened to CIS Level 2 standard.
I'd say this is the prime suspect for causing this issue. I just tried ssh-audit --version
on Ubuntu 22.04 (without CIS hardening) and it worked.
The method used to build the snap package is pretty standard (see https://github.com/jtesta/ssh-audit/blob/master/snapcraft.yaml), so no workarounds come to mind. Have you had problems with other snap packages on that machine?
snap --version
snap 2.62+22.04 snapd 2.62+22.04 series 16 ubuntu 22.04 kernel 6.5.0-1020-aws
Attempting to start snap package: ~# ssh-audit version cannot create mount point for file "/tmp/snap.rootfs_ttB1w4/README.md": Permission denied
Contents of /tmp/
ls -l /tmp/
total 84 drwx------ 2 root root 4096 May 19 10:24 snap-private-tmp drwx------ 2 root root 4096 May 19 10:30 snap.rootfs_1P4Kmn drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_DiD5AX drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_Jjr3EU drwx------ 2 root root 4096 May 19 10:33 snap.rootfs_LEA0ic drwx------ 2 root root 4096 May 19 10:25 snap.rootfs_LqTJvt drwx------ 2 root root 4096 May 19 10:40 snap.rootfs_Pfd36j drwx------ 2 root root 4096 May 19 10:35 snap.rootfs_QGPUKe drwx------ 2 root root 4096 May 19 10:44 snap.rootfs_QZaClr drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_QZjfkv drwx------ 2 root root 4096 May 19 10:25 snap.rootfs_Qdv2Cj drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_UyxaGE drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_WcgzpB drwx------ 2 root root 4096 May 19 10:29 snap.rootfs_a6X4fm drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_cZVQlD drwx------ 2 root root 4096 May 19 10:32 snap.rootfs_o1qFYW drwx------ 2 root root 4096 May 19 11:46 snap.rootfs_ttB1w4 drwx------ 2 root root 4096 May 19 11:23 snap.rootfs_xoAXG6
~# sudo aa-status |grep snapd /snap/core/16928/usr/lib/snapd/snap-confine /snap/core/16928/usr/lib/snapd/snap-confine//mount-namespace-capture-helper /snap/snapd/21184/usr/lib/snapd/snap-confine /snap/snapd/21184/usr/lib/snapd/snap-confine//mount-namespace-capture-helper /snap/snapd/21465/usr/lib/snapd/snap-confine /snap/snapd/21465/usr/lib/snapd/snap-confine//mount-namespace-capture-helper /usr/lib/snapd/snap-confine /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
dmesg | grep DENIED
Returns no data empty
snap debug confinement
strict
Other snap packages seem to be working but fresh install does not work for ssh-audit https://github.com/jtesta/ssh-audit
The server is hardened to CIS Level 2 standard.
Anyone come across this before?