socore unable to use crontab

[rpopp-fni-stl-com]

Version

2.4.0

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Standalone

Location

cloud

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

16Gb

Storage for /

300Gb

Storage for /nsm

300Gb

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

No, one or more services are failed (please provide detail below)

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Greetings all,

I'm running into an issue with installing security onion 2.4 on a clean ubuntu 22.04 install running on Google Compute Engine. I have attempted both as a network install, and via mounting the iso image and manually invoking the so-network-install.

The primary reason I see failures at revolve around (or seem to) the inability for socore to use crontab. There is a few places during the install where this occurs, so it seems like a general permission oversight. I did not see anything outright in the install documentation that says to add that user to cron.allow or anything, unless it's buried somewhere.

What am I missing? More logs available on request, if needed.

[INFO    ] Running state [/opt/so/conf/strelka/repos.txt] at time 21:01:47.084086
[INFO    ] Executing state file.managed for [/opt/so/conf/strelka/repos.txt]
[INFO    ] File /opt/so/conf/strelka/repos.txt is in the correct state
[INFO    ] Completed state [/opt/so/conf/strelka/repos.txt] at time 21:01:47.132703 (duration_in_ms=48.616)
[INFO    ] Running state [/usr/sbin/so-yara-update >> /opt/so/log/yarasync/yara-update.log 2>&1] at time 21:01:47.133125
[INFO    ] Executing state cron.present for [/usr/sbin/so-yara-update >> /opt/so/log/yarasync/yara-update.log 2>&1]
[INFO    ] Executing command 'crontab' in directory '/root'
[INFO    ] Executing command 'crontab' in directory '/root'
[ERROR   ] Command 'crontab' failed with return code: 1
[ERROR   ] stderr: The user socore cannot use this program (crontab)

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[rpopp-fni-stl-com]

Digging some more, I also see this prior to those errors:

 so-dockerregistry
 so-kratos
+so-influxdb
[INFO    ] Completed state [/opt/so/conf/so-status/so-status.conf] at time 21:39:12.569726 (duration_in_ms=1511.674)
[INFO    ] Running state [so-influxdb] at time 21:39:12.571681
[INFO    ] Executing state docker_container.running for [so-influxdb]
[INFO    ] {'container': {'Networks': {'bridge': {'IPConfiguration': {'old': 'automatic', 'new': 'not connected'}}, 'sobridge': {'Aliases': {'old': None, 'new': ['09f82bdd2588']}, 'IPAMConfig': {'old': None, 'new': {'IPv4Address': '172.17.1.26'}}}}}, 'container_id': {'added': '09f82bdd25885f13e0681c558a6204c29f675eb429763ccc4fecce346995d321'}, 'state': {'old': None, 'new': 'running'}}
[INFO    ] Completed state [so-influxdb] at time 21:39:14.188090 (duration_in_ms=1616.409)
[INFO    ] Running state [/opt/so/conf/so-status/so-status.conf] at time 21:39:14.188415
[INFO    ] Executing state file.uncomment for [/opt/so/conf/so-status/so-status.conf]
[INFO    ] Pattern already uncommented
[INFO    ] Completed state [/opt/so/conf/so-status/so-status.conf] at time 21:39:14.191507 (duration_in_ms=3.092)
[INFO    ] Running state [/usr/sbin/so-influxdb-manage setup &>> /opt/so/log/influxdb/setup.log] at time 21:39:14.193598
[INFO    ] Executing state cmd.run for [/usr/sbin/so-influxdb-manage setup &>> /opt/so/log/influxdb/setup.log]
[INFO    ] Executing command '/usr/sbin/so-influxdb-manage' in directory '/root'
[ERROR   ] Command '/usr/sbin/so-influxdb-manage' failed with return code: 1
[ERROR   ] retcode: 1

Likewise, /opt/so/log/influxdb/setup.log contains numerous entries, all the same:

Mon Jan 15 21:43:15 UTC 2024 | so-influxdb-manage | Server does not appear to be running or fully initialized - will try again in 10 seconds (25 / 30)
Mon Jan 15 21:43:25 UTC 2024 | so-influxdb-manage | Server does not appear to be running or fully initialized - will try again in 10 seconds (26 / 30)
Mon Jan 15 21:43:35 UTC 2024 | so-influxdb-manage | Server does not appear to be running or fully initialized - will try again in 10 seconds (27 / 30)
Mon Jan 15 21:43:45 UTC 2024 | so-influxdb-manage | Server does not appear to be running or fully initialized - will try again in 10 seconds (28 / 30)
Mon Jan 15 21:43:55 UTC 2024 | so-influxdb-manage | Server does not appear to be running or fully initialized - will try again in 10 seconds (29 / 30)
Mon Jan 15 21:44:05 UTC 2024 | so-influxdb-manage | Server does not appear to be running or fully initialized - will try again in 10 seconds (30 / 30)
Mon Jan 15 21:44:15 UTC 2024 | so-influxdb-manage | Server has not started after 30 attempts - aborting

[cm-ops]

It does sound like permissions, have you attempted to use the supported AMI for GCP? - https://docs.securityonion.net/en/latest/cloud-google.html

[rpopp-fni-stl-com]

I did not, however, I did get it working.

There was actually two issues here. One was caused by running the install under a very restrictive umask (077). Once I removed all newly created directories and installed under a more "standard" umask of 022 then everything was happy.

The second issue was the original issue logged here: that socore, and suricata users couldn't use the crontab command. On adding the two to /etc/cron.allow, the issue was resolved.