topic Re: cpsho_user config pushed from Check Point? in General Topics

cpsho_user config pushed from Check Point?

Lesley — Mon, 24 Jul 2023 07:25:17 GMT

Hey everyone,

I noticed the following changes occurred the previous weekend. Some config changes got I assume pushed from Check Point.

I cannot find anything regarding this. I suspect there is a relation with HCP update from 19-7.

Anyone else has noticed this? Below the GAIA config, they are from 2 different customers.

add cron job wsc_cpm_monitoring command "sh /opt/CPsuite-R81.10/fw1/webconsole/wsc_cpm_monitoring.sh" recurrence daily time *:*
add user cpsho_user uid 1000 homedir /home/cpsho_user
set user cpsho_user gid 100 shell /etc/cli.sh
set user cpsho_user realname "Cpsho_user"
set user cpsho_user password-hash <HASH>

add cron job wsc_cpm_monitoring command "sh /opt/CPsuite-R81/fw1/webconsole/wsc_cpm_monitoring.sh" recurrence daily time *:*
add user cpsho_user uid 1000 homedir /home/cpsho_user
set user cpsho_user gid 100 shell /etc/cli.sh
set user cpsho_user realname "Cpsho_user"
set user cpsho_user password-hash <HASH>

Re: cpsho_user config pushed from Check Point?

_Val_ — Mon, 24 Jul 2023 08:11:14 GMT

This is a system user account related to the web console, and some other management features, with R81.10 and above. Should only appear on management servers.

Re: cpsho_user config pushed from Check Point?

Lesley — Mon, 24 Jul 2023 08:46:09 GMT

Thanks for the reply Val. I am wondering how this config got there without interaction. It came a bit out of the blue.

Indeed I see the user only on mgmt systems.

Any idea how this config got pushed? And why does it need to run a task to monitor CPM?

Re: cpsho_user config pushed from Check Point?

Alex- — Mon, 24 Jul 2023 10:06:03 GMT

Probably via autopudatercli as the last release of the Web Smart Console is dated from July 18th, and makes mention of the tool for offline updates. Interestingly, the web Smart Console is not listed in the components of the autoupdatercli SK.

Re: cpsho_user config pushed from Check Point?

Itai_Minuhin — Thu, 27 Jul 2023 10:50:00 GMT

Hello,

I'd like to address several questions that have been raised in regars to cpsho_user.

What permissions and credentials cpsho_user has?

The password is randomly generated and it is 108 characters long, it is not stored anywhere, hence this user is never used to login. Gaia has the definition of the user, it has Non-root permission ( groupid 100 ).

When is cpsho_user created?

Installation of WebSmartConsole package will trigger the creation of the user. WebSmartConsole can be installed manually, by automatic update, and as part of the JHF.

Why is cpsho_user created?

cpsho_user is being created for internal system purposes. Several dockers on the MGMT server are using this low privileged user in order to read input files and write to log files. For example Infinity Services and WebSmartConsole.

Can cpsho_user be deleted?

Deleting this user is not recommended and might have impact on several Management features - Infinity Services, WebSmartConsole and SmartConsole (as some views and pages are of SmartConsole are based on WebSmartConsole as infrastructure)

More information available at sk181305 .

Best Regards,

Itai

Re: cpsho_user config pushed from Check Point?

David_C1 — Tue, 01 Aug 2023 15:14:13 GMT

I just discovered this new user on my management servers, to say I was surprised would be quite the understatement. Having an automated process that can randomly create new users on my management servers (no matter what permissions are set) is completely unacceptable and irresponsible on Check Point's part. We are heavily regulated and our management server configurations are audited. We must have justification for each and every user account on our management servers, how am I to explain this to an auditor? Check Point decided, for no reason that is well documented, to create this user? What's to stop Check Point from creating a different user account with different permissions?

We have automatic updates enabled on our management servers for IPS downloads, AppCtrl, etc. It would have been inconceivable to me that this would enable Check Point to create user accounts on my devices. I'm at a loss as to why Check Point would think this is acceptable.

Dave

Re: cpsho_user config pushed from Check Point?

MStu — Wed, 02 Aug 2023 14:33:30 GMT

I couldn't agree more.

We're in the same situation like Dave, and having such user and cron job pushed by an auto-update process is unacceptable. It is still not clear to me from which update it came in; I first thought it was from JHF109 which we recently deployed, but 1st) I am not seeing it on our "offline" managers and 2nd) users were created before JHF109 deployment, so it must be any of cpuse, IPS, ... online update services.

This situation literally means we have lost control over granting access to our devices as the vendor can (and does!) push in any user required.
The explanation in the SK about what this user exactly does is vague ("used for internal processes"); also it does not list the exact permissions and "files read". According the SK it has "Non-root permission (groupid 100)", but when checking existing users for audits reports with "show users" command, it will show "Access to Expert features" on the Privilege tab, same as "admin".

Additionally, the SK was published three days _after_ users were pushed to our servers by "admin", so to me it looks as if Check Point had to quickly explain themselves.

For the cron job, it produces error messages when it runs (we get notified about failures on cron jobs); is there any QA on this before pushing out?
/opt/CPsuite-R81.10/fw1/webconsole/mwc.sh: line 153: service: command not found
/opt/CPsuite-R81.10/fw1/webconsole/mwc.sh: line 155: service: command not found
tail: cannot open '/opt/CPsuite-R81.10/fw1/log/wsc_cpm_monitoring.elg' for reading: No such file or directory

I'm quoting for truth:

@David_C1 wrote:
[..]We have automatic updates enabled on our management servers for IPS downloads, AppCtrl, etc. It would have been inconceivable to me that this would enable Check Point to create user accounts on my devices. I'm at a loss as to why Check Point would think this is acceptable.
Dave

adding:
"and even more concerned they are even doing it".

I am really disappointed!

Mario

Re: cpsho_user config pushed from Check Point?

David_C1 — Wed, 02 Aug 2023 22:28:23 GMT

I am guessing there is much more to this story than Check Point is telling us. This happened for a reason and the explanation is vague for a reason.

Dave

Re: cpsho_user config pushed from Check Point?

David_C1 — Thu, 03 Aug 2023 14:51:12 GMT

@Itai_Minuhin wrote:

Hello,

I'd like to address several questions that have been raised in regars to cpsho_user.

What permissions and credentials cpsho_user has?

The password is randomly generated and it is 108 characters long, it is not stored anywhere, hence this user is never used to login. Gaia has the definition of the user, it has Non-root permission ( groupid 100 ).

Not exactly true - the password is obviously stored on the local management server. Can the password be changed without causing "impact on several Management features"?

When is cpsho_user created?

Installation of WebSmartConsole package will trigger the creation of the user. WebSmartConsole can be installed manually, by automatic update, and as part of the JHF.

This account showed up on my management servers on a Sunday. WebSmartConsole was not manually installed on this day, nor was a JHF installed. What "automatic update" would trigger this?

Why is cpsho_user created?

cpsho_user is being created for internal system purposes. Several dockers on the MGMT server are using this low privileged user in order to read input files and write to log files. For example Infinity Services and WebSmartConsole.

How were these "internal system purposes" handled prior to the creation of this account? Why suddenly the need for this new account to handle these processes which presumably were working before this account showed up?

Can cpsho_user be deleted?

Deleting this user is not recommended and might have impact on several Management features - Infinity Services, WebSmartConsole and SmartConsole (as some views and pages are of SmartConsole are based on WebSmartConsole as infrastructure)

Again, these features were working prior to this account showing up. Could you provide more details about this potential impact?

More information available at sk181305 .

Best Regards,

Itai

Dave

Re: cpsho_user config pushed from Check Point?

Paul_Hagyard — Thu, 10 Aug 2023 03:40:54 GMT

It appears that the only thing currently preventing a remote login (SSH/web UI) is the lack of an assigned role. If you change the password and try to login via SSH you get the following in /var/log/messages:

Aug 10 15:33:34 2023 fwmgr clish[23032]: User not logged in. He has no configured role.
Aug 10 15:33:34 2023 fwmgr clish[23032]: User cpsho_user logged out due to an error from CLI shell

Web UI gives "Permission denied"

If you assign an rba role it will happily log you in.

Either way, a vendor known static password (however long) deployed on a customer system without their consent is called a backdoor and is a security accident waiting to happen. Not what you expect from a security company.

Re: cpsho_user config pushed from Check Point?

Paul_Hagyard — Thu, 10 Aug 2023 04:30:31 GMT

Re-reading this:

"The password is randomly generated and it is 108 characters long, it is not stored anywhere, hence this user is never used to login."

Randomly generate per-install, or once by Check Point? If it is not stored anywhere how can it be used, and why is a password needed at all?

Re: cpsho_user config pushed from Check Point?

Tomer_Noy — Thu, 10 Aug 2023 06:01:16 GMT

Hi,

The password is randomly generated per machine, it is very long and not kept after it is generated.
Therefore it is not a static password that anyone can use to log in.

Essentially, we defined this user in a way that no one will be able to use it to log in, under any circumstances. The random password is generated simply because that is needed to create the user.
It was created as a security precaution since it has lower privileges and it allows us to run some processes without full system permissions.

It retrospect, we understand that this was not clear to the field and we need to better communicate such underlying changes. We appreciate the feedback and will try to document this much better.

I want to emphasize though, that this does not introduce security concerns, to the contrary, it was done to tighten security.

Re: cpsho_user config pushed from Check Point?

David_C1 — Thu, 10 Aug 2023 13:03:17 GMT

@Tomer_Noy wrote:

Hi,

The password is randomly generated per machine, it is very long and not kept after it is generated.
Therefore it is not a static password that anyone can use to log in.

True, but if this is the case, why was the user created with Web and Clish Access enabled?

Essentially, we defined this user in a way that no one will be able to use it to log in, under any circumstances. The random password is generated simply because that is needed to create the user.
It was created as a security precaution since it has lower privileges and it allows us to run some processes without full system permissions.

Details, please. What was previously running with full system permissions that had to be fixed with a named user? UID 1000 already existed, why the need for a named user? What bug was found (and not disclosed)?

It retrospect, we understand that this was not clear to the field and we need to better communicate such underlying changes. We appreciate the feedback and will try to document this much better.

Umm...yeah. Would this had ever been brought to light if a few of us didn't notice this additional user?

I want to emphasize though, that this does not introduce security concerns, to the contrary, it was done to tighten security.

Again, details would help restore some trust.

Also, an explanation between this discrepancy:

Dave

Re: cpsho_user config pushed from Check Point?

Georgios_Sagos — Mon, 06 Nov 2023 21:27:00 GMT

Hi,

I have now seen 3 times at 3 different customers after upgrading from R81.10 to R81.20 we get Segmentation fault in clish when trying to back up, or after show configuration.
After some debug I pinpointed the problem. During the the upgrade process the user "Cpsho_user" is automatically created, but this user is created without a home dir:

[Expert@s-manage03:0]# grep "passwd:cpsho_user" /config/active
passwd:cpsho_user t
passwd:cpsho_user:realname Cpsho_user
passwd:cpsho_user:gid 100
passwd:cpsho_user:uid 1000
passwd:cpsho_user:lastchg 1694536445
passwd:cpsho_user:shell /sbin/nologin
passwd:cpsho_user:passwd *

In one installation I exported the configuration, reinstalled on R81.20 and imported config and the Cpsho_user was gone, and everything worked

On the other I deleted Cpsho_user, and everything worked

And on the 3rd I added the homedir: set user cpsho_user homedir /home/cpsho_user

why is Cpsho_user not created on a fresh installed R81.20?

/gsa

Re: cpsho_user config pushed from Check Point?

StackCap43382 — Thu, 30 Nov 2023 11:41:28 GMT

Anyone else that hits this thread:

In our instance:

Message logs filled with:
kernel:clish[xxxxx]: segfault at 0 ip 00000000f5078a5f sp 00000000ffeeb3b0 error 4 in libcli_passwd.so

cpsho_user was missing both homedir & realname

Gaia administrator "cpsho_user" is added on Management Servers
https://support.checkpoint.com/results/sk/sk181305

"show configuration user" command fails with "Segmentation fault" on the Security Management Server
https://support.checkpoint.com/results/sk/sk181626

Re: cpsho_user config pushed from Check Point?

AlekzNet — Mon, 29 Jan 2024 12:44:48 GMT

@StackCap43382 wrote:
Anyone else that hits this thread:
In our instance:
Message logs filled with:
kernel:clish[xxxxx]: segfault at 0 ip 00000000f5078a5f sp 00000000ffeeb3b0 error 4 in libcli_passwd.so
cpsho_user was missing both homedir & realname
Gaia administrator "cpsho_user" is added on Management Servers
https://support.checkpoint.com/results/sk/sk181305
"show configuration user" command fails with "Segmentation fault" on the Security Management Server
https://support.checkpoint.com/results/sk/sk181626

Yes, we had the same issue exactly. It appeared on R81.10 after installing JHF130 over JHF95. Adding home directory helped.

Re: cpsho_user config pushed from Check Point?

Johan_T — Thu, 13 Feb 2025 09:24:21 GMT

Upgraded to R82 JHFA10.

HealthCheck Point (HCP) now send WARNING!

Test name Status Runtime (sec) ========================================================================== Users in Gaia Database............................[WARNING] 0.00108 +------------------------------------------------------------------------------------------------------------------------------------+ | Results | +====================================================================================================================================+ | Gaia OS/General/Users in Gaia Database | +------------------------------------------------------------------------------------------------------------------------------------+ | Result: WARNING | | | | Description: This test checks if all users in the Gaia Database have the required settings (bindings) | | | | Summary:1 user is missing the required bindings: | | User 'cpsho_user' is missing these required bindings: homedir | | | | Finding: | | User 'cpsho_user' is missing these required bindings: homedir | | | | Finding: | | Suggested steps in Gaia Clish for each user with missing bindings: | | (1) Delete the problematic user: | | delete user <Username> | | (2) Save the changes in the Gaia Database: | | save config | | (3) Create the required user: | | add user <Username> uid <UID> homedir <Path> | | (4) Configure the new user: | | set user <Username> <Parameters> | | (5) Save the changes in the Gaia Database: | | save config

We prefer it should not trigger security WARNING in included health check system to suggest to remove or recreate the user.

How should the homedir issue be fixed? Do I need to create it or will it be fixed in coming JHFA or in the HCP check?

/Johan

Re: cpsho_user config pushed from Check Point?

Lesley — Thu, 13 Feb 2025 17:32:38 GMT

Correct homedir = add user cpsho_user uid 1000 homedir /home/cpsho_user

I would try this to see if the error is then gone.

Re: cpsho_user config pushed from Check Point?

Johan_T — Wed, 26 Mar 2025 12:44:21 GMT

Hi, It look like you want to add cpsho_user homedir with normal clish configuration, that does not look correct for me since I do not have anything else in clish for the cpsho_user. Different compared to some other user earlier in this thread that look like they do have it in clish. I will add it directly in the db to update passwd file instead.

That look like this if anyone else want to do the same and also do not see the cpsho_user when running in clish show configuration

dbset passwd:cpsho_user:homedir /home/cpsho_user
dbset :save

/Johan