IBM QRadar

  • 1.  Custom Action account customactionuser

    Posted Wed September 27, 2023 02:58 PM

    Hi,

    Do custom actions run under customactionuser?  I have a custom action that reads a text file in /home/customactionuser/customActions.txt.  However, when I test the custom action execution from the Admin Console, I get this output (IOError: [Errno 2] No such file or directory: '/home/customactionuser/customActions.txt'):

    Hello, QRadar.
    Traceback (most recent call last):
      File "/custom_action_scripts/customaction_2.script", line 11, in <module>
        customActionScriptName = functions.readCustomActionDictionary()
      File "/custom_action_scripts/functions.py", line 7, in readCustomActionDictionary
        with open(name=path, mode="r") as d:
    IOError: [Errno 2] No such file or directory: '/home/customactionuser/customActions.txt'
    
    -----------------------------------

     Thought it was a permissions error, but I think that account can read the file:

    -rw-r--r-- 1 customactionuser root 114 Sep 27 11:21 customActions.txt
    -rw-r--r-- 1 customactionuser root 516 Sep 27 11:21 customactionlog.log

    No errors when I run it from the CLI:

    [root@qradar01 custom_action_scripts]# python customaction_2.script QRadar
    Hello, QRadar.

    Thanks!



    ------------------------------
    Tom L
    ------------------------------


  • 2.  RE: Custom Action account customactionuser

    Posted Wed September 27, 2023 04:14 PM

    Confirmed that custom actions run under customactionuser.

    Hello, QRadar, I am customactionuser.
    Traceback (most recent call last):
      File "/custom_action_scripts/customaction_2.script", line 10, in <module>
        customActionScriptName = functions.readCustomActionDictionary()
      File "/custom_action_scripts/functions.py", line 7, in readCustomActionDictionary
        with open(name=path, mode="r") as d:
    IOError: [Errno 2] No such file or directory: '/home/customactionuser/customActions.txt'
    
    -----------------------------------

    Still confused on why it cannot find that file...



    ------------------------------
    Tom L
    ------------------------------



  • 3.  RE: Custom Action account customactionuser

    Posted Wed September 27, 2023 05:20 PM

    It cannot find the file because a Custom Action runs in a chroot() environment.

    /opt/qradar/bin/ca_jail becomes the root of the environment, so the /home/customactionuser directory inside the environment is /opt/qradar/bin/ca_jail/home/customactionuser from the QRadar CLI as root.

    Paul



    ------------------------------
    Paul Ford-Hutchinson
    ------------------------------



  • 4.  RE: Custom Action account customactionuser

    Posted Wed September 27, 2023 06:45 PM

    Thanks Paul.  It still throws the IOError: [Errno 2] No such file or directory error:

    Hello, QRadar, I am customactionuser.
    
      File "/custom_action_scripts/customaction_2.script", line 10, in <module>
        customActionScriptName = readCustomActionDictionary()
      File "/custom_action_scripts/functions.py", line 9, in readCustomActionDictionary
        with open(name=path, mode="r") as d:
    IOError: [Errno 2] No such file or directory: '/opt/qradar/bin/ca_jail/home/customactionuser/customActions.txt'
    
    -----------------------------------

    [customactionuser@qradar01 custom_action_scripts]$ cat functions.py | head -n6
    #!/usr/bin/python
    import sys
    import ast
    from datetime import datetime
    
    def readCustomActionDictionary(path="/opt/qradar/bin/ca_jail/home/customactionuser/customActions.txt", key = sys.argv[0]): 
    [customactionuser@qradar01 custom_action_scripts]$ head -n2 /home/customactionuser/customActions.txt
    {
    "customaction_2.script" : "Hello, QRadar Python",
    [customactionuser@qradar01 custom_action_scripts]$

    Strange that you can apparently write to that directory but can read from it (QRadar Custom Action Script: Testing Scripts (ibm.com)).



    ------------------------------
    Tom L
    ------------------------------



  • 5.  RE: Custom Action account customactionuser
    Best Answer

    Posted Thu September 28, 2023 04:42 AM

    The Linux chroot mechanism creates a whole sandboxed environment - perhaps this example will help...

    First, in the QRadar environment - set up some files:

    [root@tqhost ~]# echo "created by root in QRadar CLI" > /opt/qradar/bin/ca_jail/home/customactionuser/file001.txt
    [root@tqhost ~]# chown customactionuser:customactionuser /opt/qradar/bin/ca_jail/home/customactionuser/file001.txt
    [root@tqhost ~]# echo "created by root in QRadar CLI" > /home/customactionuser/file002.txt
    [root@tqhost ~]# chown customactionuser:customactionuser /home/customactionuser/file002.txt

    Now, let's move into customactionuser's chroot() environment (this is how a Custom Action Script will see the system):

    [root@tqhost ~]# chroot --userspec=customactionuser /opt/qradar/bin/ca_jail/
    [customactionuser@tqhost /]$ echo "created by customactionuser in chroot() CLI" > /home/customactionuser/file003.txt
    [customactionuser@tqhost /]$ exit
    exit

    Back in the QRadar environment, let's see where our files are:

    [root@tqhost ~]# ls -l /opt/qradar/bin/ca_jail/home/customactionuser/*.txt
    -rw-r--r-- 1 customactionuser customactionuser 30 Sep 28 08:23 /opt/qradar/bin/ca_jail/home/customactionuser/file001.txt
    -rw-r--r-- 1 customactionuser root             44 Sep 28 08:23 /opt/qradar/bin/ca_jail/home/customactionuser/file003.txt
    [root@tqhost ~]# ls -l /home/customactionuser/*.txt
    -rw-r--r-- 1 customactionuser customactionuser 30 Sep 28 08:23 /home/customactionuser/file002.txt

    Return to customactionuser's chroot() environment and see what we can see:

    [root@tqhost ~]# chroot --userspec=customactionuser /opt/qradar/bin/ca_jail/
    [customactionuser@tqhost /]$ ls -l /opt/qradar/bin/ca_jail/home/customactionuser/*.txt
    ls: cannot access /opt/qradar/bin/ca_jail/home/customactionuser/*.txt: No such file or directory
    [customactionuser@tqhost /]$ ls -l /home/customactionuser/*.txt
    -rw-r--r-- 1 customactionuser 983 30 Sep 28 08:23 /home/customactionuser/file001.txt
    -rw-r--r-- 1 customactionuser   0 44 Sep 28 08:23 /home/customactionuser/file003.txt
    [customactionuser@tqhost /]$ exit
    exit

    You can see that file002 cannot be seen inside the chroot() environment. (Also note that the group names inside the chroot() environment cannot be resolved - this is due to the /etc/group file inside the chroot() environment being missing)

    There are many resources on the Internet which will describe what a chroot() environment is and, hopefully, why the observed behaviour is expected.

    Paul



    ------------------------------
    Paul Ford-Hutchinson
    ------------------------------
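
An added example, not from this thread and not IBM's code, that models the path mapping Paul describes in posts 3 and 5 and reproduces the mistake in post 4 (baking the host-side /opt/qradar/bin/ca_jail prefix into a path that the script then opens from inside the chroot). It is Python 3; the function names, the dictionary reader, and the temporary directory that stands in for the jail root in demo() are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): map paths between the QRadar host and the
custom-action chroot, and reproduce the post 4 failure. Function names, the temp-dir
jail layout in demo() and the sample dictionary file are assumptions for illustration."""
import ast
import os
import tempfile

# From the thread: the chroot root that custom actions run under.
JAIL_ROOT = "/opt/qradar/bin/ca_jail"


def host_path_for(jail_path, jail_root=JAIL_ROOT):
    """Where a path, as seen from inside the jail, lives on the host filesystem."""
    if not os.path.isabs(jail_path):
        raise ValueError("paths inside the jail must be absolute: %r" % jail_path)
    # normpath collapses any '..' first, so the result cannot escape the jail root
    rel = os.path.normpath(jail_path).lstrip(os.sep)
    return os.path.join(jail_root, rel)


def jail_path_for(host_path, jail_root=JAIL_ROOT):
    """Inverse mapping: the in-jail view of a host path, or None if the jail cannot see it."""
    host_norm = os.path.normpath(host_path)
    root_norm = os.path.normpath(jail_root)
    if host_norm == root_norm:
        return os.sep
    if not host_norm.startswith(root_norm + os.sep):
        return None          # e.g. /home/customactionuser/file002.txt: outside the jail
    return host_norm[len(root_norm):]


def read_custom_action_dictionary(key, path="/home/customactionuser/customActions.txt",
                                  jail_root=None):
    """Look up `key` in the dictionary file. `path` is always the path the script uses
    inside the chroot; pass jail_root only when exercising it from the host CLI as root."""
    real_path = host_path_for(path, jail_root) if jail_root else path
    with open(real_path) as fh:
        data = ast.literal_eval(fh.read())   # the file holds a Python dict literal
    if not isinstance(data, dict):
        raise ValueError("%s does not contain a dict literal" % real_path)
    return data.get(key)


def demo():
    """Constructed scenario: a temporary directory stands in for /opt/qradar/bin/ca_jail."""
    with tempfile.TemporaryDirectory() as tmp:
        jail = os.path.join(tmp, "ca_jail")
        home = os.path.join(jail, "home", "customactionuser")
        os.makedirs(home)
        with open(os.path.join(home, "customActions.txt"), "w") as fh:
            fh.write('{"customaction_2.script": "Hello, QRadar Python"}\n')

        # Correct: the script keeps the in-jail path; only the host-side test adds the prefix.
        correct = read_custom_action_dictionary("customaction_2.script", jail_root=jail)

        # Post 4's mistake: the host-side prefix baked into the script's path. Inside the
        # chroot that resolves to <jail>/<jail>/home/..., which does not exist.
        prefixed = os.path.join(home, "customActions.txt")
        try:
            read_custom_action_dictionary("customaction_2.script", path=prefixed, jail_root=jail)
            prefixed_result = "found"
        except (IOError, OSError):
            prefixed_result = "missing"

        return {"correct": correct, "host_prefixed": prefixed_result}


if __name__ == "__main__":
    print(host_path_for("/home/customactionuser/customActions.txt"))
    print(jail_path_for("/home/customactionuser/file002.txt"))
    print(demo())
```

The rule the example encodes: a custom action script should only ever use paths as they appear inside the chroot (so /home/customactionuser/customActions.txt), and the file itself is created from the host under /opt/qradar/bin/ca_jail/home/customactionuser/. The jail_root argument exists purely for running the same script from the root CLI outside the chroot; it is never set when QRadar runs the action.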