search

jtesta / ssh-audit

SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
MIT License
3.23k stars 165 forks source link

cannot create mount point for file /tmp/snap.rootfs_ #268

Open scott-mackenzie opened 1 month ago

scott-mackenzie commented 1 month ago

snap --version

snap 2.62+22.04 snapd 2.62+22.04 series 16 ubuntu 22.04 kernel 6.5.0-1020-aws

Attempting to start snap package: ~# ssh-audit version cannot create mount point for file "/tmp/snap.rootfs_ttB1w4/README.md": Permission denied

Contents of /tmp/

ls -l /tmp/

total 84 drwx------ 2 root root 4096 May 19 10:24 snap-private-tmp drwx------ 2 root root 4096 May 19 10:30 snap.rootfs_1P4Kmn drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_DiD5AX drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_Jjr3EU drwx------ 2 root root 4096 May 19 10:33 snap.rootfs_LEA0ic drwx------ 2 root root 4096 May 19 10:25 snap.rootfs_LqTJvt drwx------ 2 root root 4096 May 19 10:40 snap.rootfs_Pfd36j drwx------ 2 root root 4096 May 19 10:35 snap.rootfs_QGPUKe drwx------ 2 root root 4096 May 19 10:44 snap.rootfs_QZaClr drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_QZjfkv drwx------ 2 root root 4096 May 19 10:25 snap.rootfs_Qdv2Cj drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_UyxaGE drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_WcgzpB drwx------ 2 root root 4096 May 19 10:29 snap.rootfs_a6X4fm drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_cZVQlD drwx------ 2 root root 4096 May 19 10:32 snap.rootfs_o1qFYW drwx------ 2 root root 4096 May 19 11:46 snap.rootfs_ttB1w4 drwx------ 2 root root 4096 May 19 11:23 snap.rootfs_xoAXG6

~# sudo aa-status |grep snapd /snap/core/16928/usr/lib/snapd/snap-confine /snap/core/16928/usr/lib/snapd/snap-confine//mount-namespace-capture-helper /snap/snapd/21184/usr/lib/snapd/snap-confine /snap/snapd/21184/usr/lib/snapd/snap-confine//mount-namespace-capture-helper /snap/snapd/21465/usr/lib/snapd/snap-confine /snap/snapd/21465/usr/lib/snapd/snap-confine//mount-namespace-capture-helper /usr/lib/snapd/snap-confine /usr/lib/snapd/snap-confine//mount-namespace-capture-helper

dmesg | grep DENIED

Returns no data empty

snap debug confinement

strict

Other snap packages seem to be working but fresh install does not work for ssh-audit https://github.com/jtesta/ssh-audit

The server is hardened to CIS Level 2 standard.

Anyone come across this before?

jtesta commented 6 days ago

The server is hardened to CIS Level 2 standard.

I'd say this is the prime suspect for causing this issue. I just tried ssh-audit --version on Ubuntu 22.04 (without CIS hardening) and it worked.

The method used to build the snap package is pretty standard (see https://github.com/jtesta/ssh-audit/blob/master/snapcraft.yaml), so no workarounds come to mind. Have you had problems with other snap packages on that machine?