ssh-audit
cannot create mount point for file /tmp/snap.rootfs_
snap --version
snap    2.62+22.04
snapd   2.62+22.04
series  16
ubuntu  22.04
kernel  6.5.0-1020-aws
Attempting to start snap package:
~# ssh-audit version
cannot create mount point for file "/tmp/snap.rootfs_ttB1w4/README.md": Permission denied
Contents of /tmp/
ls -l /tmp/
total 84
drwx------ 2 root root 4096 May 19 10:24 snap-private-tmp
drwx------ 2 root root 4096 May 19 10:30 snap.rootfs_1P4Kmn
drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_DiD5AX
drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_Jjr3EU
drwx------ 2 root root 4096 May 19 10:33 snap.rootfs_LEA0ic
drwx------ 2 root root 4096 May 19 10:25 snap.rootfs_LqTJvt
drwx------ 2 root root 4096 May 19 10:40 snap.rootfs_Pfd36j
drwx------ 2 root root 4096 May 19 10:35 snap.rootfs_QGPUKe
drwx------ 2 root root 4096 May 19 10:44 snap.rootfs_QZaClr
drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_QZjfkv
drwx------ 2 root root 4096 May 19 10:25 snap.rootfs_Qdv2Cj
drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_UyxaGE
drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_WcgzpB
drwx------ 2 root root 4096 May 19 10:29 snap.rootfs_a6X4fm
drwx------ 2 root root 4096 May 19 10:24 snap.rootfs_cZVQlD
drwx------ 2 root root 4096 May 19 10:32 snap.rootfs_o1qFYW
drwx------ 2 root root 4096 May 19 11:46 snap.rootfs_ttB1w4
drwx------ 2 root root 4096 May 19 11:23 snap.rootfs_xoAXG6
~# sudo aa-status |grep snapd
/snap/core/16928/usr/lib/snapd/snap-confine
/snap/core/16928/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/snap/snapd/21184/usr/lib/snapd/snap-confine
/snap/snapd/21184/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/snap/snapd/21465/usr/lib/snapd/snap-confine
/snap/snapd/21465/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
dmesg | grep DENIED
Returns no data (empty).
snap debug confinement
strict
Other snap packages seem to be working, but a fresh install does not work for ssh-audit (https://github.com/jtesta/ssh-audit).
The server is hardened to CIS Level 2 standard.
Anyone come across this before?
> The server is hardened to CIS Level 2 standard.
I'd say this is the prime suspect for causing this issue. I just tried ssh-audit --version on Ubuntu 22.04 (without CIS hardening) and it worked.
The method used to build the snap package is pretty standard (see https://github.com/jtesta/ssh-audit/blob/master/snapcraft.yaml), so no workarounds come to mind. Have you had problems with other snap packages on that machine?
Since I cannot reproduce this on a non-CIS hardened server, and because the snapcraft.yaml file doesn't have anything that would suggest a problem with our packaging, I'm forced to conclude this is a general problem between CIS hardening and the snap service.
@scott-mackenzie: you may want to bring this issue up to CIS directly, since others likely have the same problem. In fact, linking them to this thread would be helpful as well. Thanks!