microsoft / OMS-Agent-for-Linux

http://www.microsoft.com/oms

Weak sudoers rules #713

Closed rhowe closed 1 month ago

rhowe commented 6 years ago

Hi,

The sudo ruleset contained within the OMS agent is too permissive:

https://github.com/Microsoft/OMS-Agent-for-Linux/blob/master/installer/conf/sudoers

The rules here allow the 'omsagent' user to read all files on the system and send arbitrary signals to arbitrary processes.

All the issues effectively stem from the use of wildcards in command arguments, which allow appending arbitrary strings to the command.

Vulnerable rules:

omsagent ALL=(ALL) NOPASSWD: /usr/bin/tail *
omsagent ALL=(ALL) NOPASSWD: /bin/tail *
omsagent ALL=(ALL) NOPASSWD: /usr/bin/pkill -u nxautomation *

These allow the omsagent user to read any file on the machine with e.g.

sudo /usr/bin/tail -n 100000000 <path to file>

This rule allows arbitrary signals to be sent to arbitrary processes (at least a DoS vector), primarily due to pkill's '--inverse' option:

omsagent ALL=(ALL) NOPASSWD: /usr/bin/pkill -u nxautomation *

e.g. to kill all non-nxautomation processes:

sudo /usr/bin/pkill -u nxautomation --inverse

This rule allows the 'omsagent' user to test for existence and other attributes of files it would not otherwise be permitted to know about - note that 'test' allows construction of arbitrary expressions with the -a and -o options:

omsagent ALL=(ALL) NOPASSWD: /usr/bin/test -r*

e.g.

sudo /usr/bin/test -r /secret/path
sudo /usr/bin/test -r /secret/path -o -e /other/secret/path

Other rules with wildcards may also introduce vulnerabilities, but since they're running proprietary tools shipped as part of OMS and I'm not really familiar with the software, I'm not sure.
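The following is an added example and is not code from the OMS agent or from the issue reporter. It does two things: it audits a sudoers fragment for commands whose arguments the invoking user controls (an argument glob, or no arguments listed at all), and it reproduces sudo's own argument-matching rule so the three payloads above can be replayed against the weak patterns and against a hardened equivalent. The sudoers fragments are constructed for the example; the service_control path and the /var/log/example-agent.log path are hypothetical and stand in for whatever files the agent really needs.

```shell
#!/bin/sh
# Added example for the issue above; not code from the OMS agent or the reporter.
# Two pieces: an audit that flags sudoers commands whose arguments an attacker can
# choose, and a simulation of sudo's own argument matching to show why the
# "tail *", "pkill -u nxautomation *" and "test -r*" rules accept the payloads above.

# Constructed sample reproducing the rule shapes quoted in the issue, plus one
# fixed-argument rule.  The service_control path is hypothetical.
WEAK_SUDOERS='omsagent ALL=(ALL) NOPASSWD: /usr/bin/tail *
omsagent ALL=(ALL) NOPASSWD: /bin/tail *
omsagent ALL=(ALL) NOPASSWD: /usr/bin/pkill -u nxautomation *
omsagent ALL=(ALL) NOPASSWD: /usr/bin/test -r*
omsagent ALL=(ALL) NOPASSWD: /opt/example/bin/service_control restart'

# Constructed, hypothetical hardened equivalent: every argument is spelled out, so
# sudo requires an exact match and nothing can be appended.  The log path is made up;
# a real rule set would list the files the agent actually needs.
HARDENED_SUDOERS='omsagent ALL=(ALL) NOPASSWD: /usr/bin/tail -n 100 /var/log/example-agent.log
omsagent ALL=(ALL) NOPASSWD: /usr/bin/pkill -u nxautomation
omsagent ALL=(ALL) NOPASSWD: /usr/bin/test -r /var/log/example-agent.log
omsagent ALL=(ALL) NOPASSWD: /opt/example/bin/service_control restart'

# Print "REASON<TAB>command" for each command in a sudoers fragment whose arguments
# the invoking user controls: WILDCARD when the argument part contains a glob
# character, NOARGS when no arguments are listed (sudoers then permits any arguments).
# Simplified parser: one "user host=(runas) TAG: cmd, cmd" spec per line; aliases,
# #include lines and line continuations are not handled.
risky_rules() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*Defaults/ || NF == 0 { next }
        {
            line = $0
            # drop "user host=(runas) TAG:" so only the command list remains
            if (match(line, /^[^=]*=[ \t]*(\([^)]*\))?[ \t]*([A-Z_]+:[ \t]*)*/))
                line = substr(line, RLENGTH + 1)
            n = split(line, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                cmd = cmds[i]
                sp = index(cmd, " ")
                args = (sp > 0) ? substr(cmd, sp + 1) : ""
                if (args == "")            print "NOARGS\t" cmd
                else if (args ~ /[*?]|\[/) print "WILDCARD\t" cmd
            }
        }'
}

# sudo joins the user-supplied arguments with single spaces and matches the result
# against the rule's argument string with fnmatch(3).  A shell "case" pattern uses the
# same glob dialect, so this reproduces the decision.  $1 = rule argument pattern,
# $2 = the user's arguments joined with spaces.  Returns 0 when sudo would allow it.
rule_args_match() {
    if [ -z "$1" ]; then
        return 0                     # no arguments in the rule: anything goes
    fi
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# Demo: audit both fragments, then replay the payloads from the issue against the
# weak pattern and its hardened counterpart.
echo "== weak ==";     risky_rules "$WEAK_SUDOERS"
echo "== hardened =="; risky_rules "$HARDENED_SUDOERS"
for pair in \
    '*|-n 100000000 /etc/shadow' \
    '-n 100 /var/log/example-agent.log|-n 100000000 /etc/shadow' \
    '-u nxautomation *|-u nxautomation --inverse' \
    '-u nxautomation|-u nxautomation --inverse' \
    '-r*|-r /secret/path -o -e /other/secret/path' \
    '-r /var/log/example-agent.log|-r /secret/path -o -e /other/secret/path'
do
    pattern=${pair%%|*}; argv=${pair#*|}
    if rule_args_match "$pattern" "$argv"; then verdict=ALLOWED; else verdict=rejected; fi
    printf '%-42s %-48s %s\n' "rule args: $pattern" "user args: $argv" "$verdict"
done
```

Two caveats that the audit encodes and that matter when writing the replacement rules: a sudoers wildcard in the argument position matches any character, including '/' and the space that sudo inserts between arguments, so `tail *` is not "tail on one file" but "tail with any argument list"; and a command listed with no arguments at all (for example a bare `/usr/bin/pkill`) also permits any arguments, so a rule that must run a tool with none needs the sudoers empty-string marker `""` after the command rather than nothing.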

rhowe commented 6 years ago

I submitted this to secure@microsoft.com on 22 May 2018, but received a response advising me to raise an issue here.

mexmirror commented 6 years ago

Any updates on this?

shpimpal commented 6 years ago

Hi, thanks for reporting this. We'll look into this but this won't be addressed at least until a release after the upcoming one. We have improved on one aspect though by giving files/folders comparatively more restrictive access, that will be a part of upcoming release.

jimmielightner commented 4 years ago

Hi All, has there been any further progress on reviewing this? This is blocking our use, as it is flagged during security scans and we are unable to rationalize it to our security team.

mikedzikowski commented 4 years ago

Hi Team,

Is there any update here on this issue?

jimmielightner commented 4 years ago

Circling back on this as my customer is asking for an update.

twem commented 3 years ago

It took a couple of months, but we got an answer from Premier support: they are not going to change OMS. They have promised it will be supported in the next-generation agent, "Azure Monitor agent". They have updated the official docs to say CIS is not supported: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-linux#supported-linux-hardening

rhowe commented 3 years ago

> We have improved on one aspect though by giving files/folders comparatively more restrictive access, that will be a part of upcoming release.

I don't see how this protects anything from weak sudo rules which allow it to do dangerous things as root?

hestolz commented 1 month ago

Thank you for your submission. As previously announced, the Log Analytics agent has been deprecated and has no support as of August 31, 2024. If you use the Log Analytics agent to ingest data to Azure Monitor, migrate now to the new Azure Monitor agent. As part of repo archival, open issues and pull requests will be closed.