Bug 1146687

Summary: AUDIT-FIND: resource-agents: Static default credentials
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Peter Varkoly <varkoly>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: nwang, varkoly, ygao
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1021689

Description Johannes Segitz 2019-08-21 14:37:44 UTC
In resource-agents-4.3.018.a7fb5035/heartbeat/oracle
 64 OCF_RESKEY_monpassword_default="OCFMON"

The original reason for the audit, still unfixed. Please either generate the credentials randomly and present them to the user or ask him for a password.
Comment 1 nick wang 2020-03-26 13:37:04 UTC
This issue is duplicate to https://bugzilla.suse.com/show_bug.cgi?id=1021689
Comment 2 Johannes Segitz 2020-03-26 15:32:16 UTC
1021689 is the tracker bug for all the findings. Please discuss the static credentials here and use 1021689 for the meta discussion

As for the upstream discussion:
https://github.com/ClusterLabs/resource-agents/issues/1030
Disabling automatic creation of the user would be fine
Comment 3 nick wang 2020-03-27 06:37:20 UTC
(In reply to Johannes Segitz from comment #2)
> As for the upstream discussion:
> https://github.com/ClusterLabs/resource-agents/issues/1030
> Disabling automatic creation of the user would be fine

I think the upstream maintainer suggested that the best solution is to stay unchanged, since the created monitor user is restricted to select only on the system table.

One drawback of disabling automatic creation without a changed password is that it will fail the resource (behaving like "mandatory/must") when there is no password. However, the password still needs to be marked as "optional" so that the monitor action works as expected after upgrading.

Sorry for the question, because I still need to persuade the maintainer if I send a request that conflicts with his "best guess".
Comment 5 Johannes Segitz 2020-04-03 11:01:00 UTC
I chimed in upstream
https://github.com/ClusterLabs/resource-agents/issues/1030
I think a random pw should be generated on new setups while trying the old credentials to keep backwards compatibility.
Comment 6 nick wang 2020-04-03 12:49:11 UTC
(In reply to Johannes Segitz from comment #5)
> I chimed in upstream
> https://github.com/ClusterLabs/resource-agents/issues/1030
> I think a random pw should be generated on new setups while trying the old
> credentials to keep backwards compatibility.

Great thanks for the method.

After the previous discussion in rocket chat, I asked upstream with your first suggestion of disabling automatic creation of the user. I even used the example you mentioned of "a local user login and do bad things in case of a (future) bug".
With the help of Yan, upstream accepted and merged the code of [1].

Hi Peter,
Need your help on backporting the resource-agents package with the others.

[1] https://github.com/ClusterLabs/resource-agents/pull/1472

Johannes, Yan, Peter,
Thanks for the help!
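Added example, not code from resource-agents or from any participant in this bug: a small POSIX shell script showing the two remedies discussed in comments 2 through 6 for a static default monitor password (fail closed when no password is configured, which is what upstream merged, or generate a random one on new setups as suggested in comment 5), plus an audit check for the pattern from the description. The function names and the sample agent fragment are hypothetical; only the variable name OCF_RESKEY_monpassword and the literal "OCFMON" come from the bug.

```shell
#!/bin/sh
# Added example, not code from the resource-agents project. It shows the two
# remedies discussed in this bug for a static default monitor password:
#   1. fail closed: refuse to create the monitor user when no password is set
#      (the approach upstream merged);
#   2. generate a random password on new setups (comment 5's suggestion).
# It also contains an audit check for the pattern that triggered the finding.
# All function names here are hypothetical helpers, not real agent functions.

# Return the monitor password to use. $1 is the operator-supplied value
# (OCF_RESKEY_monpassword in the real agent; may be empty), $2 is the policy:
# "generate" to create a random one, anything else to fail closed.
resolve_monpassword() {
    pw="$1"
    policy="${2:-fail}"
    if [ -n "$pw" ]; then
        printf '%s\n' "$pw"
        return 0
    fi
    case "$policy" in
        generate)
            # 48 bytes from the kernel CSPRNG, base64, stripped of characters a
            # database password rule may reject, truncated to 24 characters.
            head -c 48 /dev/urandom | base64 | tr -d '/+=\n' | cut -c 1-24
            ;;
        *)
            echo "monpassword is not set; refusing to create a monitor user with a static default" >&2
            return 1
            ;;
    esac
}

# Audit check: list OCF_RESKEY_*pass*_default assignments with a non-empty
# literal value in a directory of agents (the pattern from the description).
find_static_password_defaults() {
    grep -rnE '^[[:space:]]*OCF_RESKEY_[A-Za-z_]*pass[A-Za-z_]*_default="[^"]+"' "$1" 2>/dev/null
}

# Number of findings in a directory, as a bare integer.
count_static_password_defaults() {
    find_static_password_defaults "$1" | wc -l | tr -d ' '
}

# Constructed sample agent fragment (not the real oracle agent) for the demo.
# Prints the temporary directory it was written to.
write_sample_agent() {
    dir=$(mktemp -d)
    cat > "$dir/oracle" <<'EOF'
OCF_RESKEY_monuser_default="OCFMON"
OCF_RESKEY_monpassword_default="OCFMON"
OCF_RESKEY_sid_default=""
EOF
    printf '%s\n' "$dir"
}

demo() {
    d=$(write_sample_agent)
    echo "audit findings in $d:"
    find_static_password_defaults "$d"
    echo "fail-closed policy with no password:"
    resolve_monpassword "" fail || echo "  -> agent would abort here"
    echo "generated password: $(resolve_monpassword "" generate)"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh script.sh demo`. The audit grep reports only the `monpassword` line, not the empty `sid` default or the `monuser` name, which is the distinction that matters: a default user name is harmless, a default password is a credential. On an installed system point `find_static_password_defaults` at /usr/lib/ocf/resource.d to confirm the backport removed the literal.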
Comment 10 Swamp Workflow Management 2020-04-23 19:32:11 UTC
SUSE-SU-2020:1090-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146692,1146766,1146776,1146784,1146785,1146787
CVE References: 
Sources used:
SUSE Linux Enterprise High Availability 15 (src):    resource-agents-4.3.0184.6ee15eb2-3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-04-23 19:34:42 UTC
SUSE-SU-2020:1089-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146692,1146766,1146776,1146784,1146785,1146787
CVE References: 
Sources used:
SUSE Linux Enterprise High Availability 15-SP1 (src):    resource-agents-4.3.0184.6ee15eb2-4.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2020-04-23 19:36:17 UTC
SUSE-SU-2020:1092-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146776,1146784,1146785,1146787,1146789,1161898
CVE References: 
Sources used:
SUSE Linux Enterprise High Availability 12-SP3 (src):    resource-agents-4.0.1+git.1495055229.643177f1-2.45.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2020-04-23 19:37:56 UTC
SUSE-SU-2020:1091-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146692,1146766,1146776,1146784,1146785,1146787,1146789
CVE References: 
Sources used:
SUSE Linux Enterprise High Availability 12-SP5 (src):    resource-agents-4.3.018.a7fb5035-3.42.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    resource-agents-4.3.018.a7fb5035-3.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2020-04-24 19:19:05 UTC
SUSE-SU-2020:14348-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146784,1146785,1146787
CVE References: 
Sources used:
SUSE Linux Enterprise High Availability Extension 11-SP4 (src):    resource-agents-3.9.5-50.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2020-05-01 22:37:36 UTC
openSUSE-SU-2020:0585-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146692,1146766,1146776,1146784,1146785,1146787
CVE References: 
Sources used:
openSUSE Leap 15.1 (src):    resource-agents-4.3.0184.6ee15eb2-lp151.3.18.1
Comment 16 Johannes Segitz 2021-07-09 07:18:13 UTC
thank you for the fix
Comment 20 Swamp Workflow Management 2022-07-08 13:16:58 UTC
SUSE-SU-2022:2337-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1021689,1146687,1146690,1146691,1146692,1146766,1146776,1146784,1146785,1146787,1196164,1197956,1199766
CVE References: 
JIRA References: 
Sources used:
SUSE Linux Enterprise High Availability 15-SP2 (src):    resource-agents-4.4.0+git57.70549516-150200.3.53.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.