Thanks for the reply Val. I am wondering how this config got there without interaction. It came a bit out of the blue.

Indeed I see the user only on mgmt systems. 

Any idea how this config got pushed? And why does it need to run a task to monitor CPM?

Probably via autopudatercli as the last release of the Web Smart Console is dated from July 18th, and makes mention of the tool for offline updates. Interestingly, the web Smart Console is not listed in the components of the autoupdatercli SK.

I just discovered this new user on my management servers, to say I was surprised would be quite the understatement. Having an automated process that can randomly create new users on my management servers (no matter what permissions are set) is completely unacceptable and irresponsible on Check Point's part. We are heavily regulated and our management server configurations are audited.  We must have justification for each and every user account on our management servers, how am I to explain this to an auditor? Check Point decided, for no reason that is well documented, to create this user? What's to stop Check Point from creating a different user account with different permissions?

We have automatic updates enabled on our management servers for IPS downloads, AppCtrl, etc. It would have been inconceivable to me that this would enable Check Point to create user accounts on my devices. I'm at a loss as to why Check Point would think this is acceptable.

Dave

I couldn't agree more.

We're in the same situation like Dave, and having such user and cron job pushed by an auto-update process is unacceptable. It is still not clear to me from which update it came in; I first thought it was from JHF109 which we recently deployed, but 1st) I am not seeing it on our "offline" managers and 2nd) users were created before JHF109 deployment, so it must be any of cpuse, IPS, ... online update services.

This situation literally means we have lost control over granting access to our devices as the vendor can (and does!) push in any user required.
The explanation in the SK about what this user exactly does is vague ("used for internal processes"); also it does not list the exact permissions and "files read". According the SK it has "Non-root permission (groupid 100)", but when checking existing users for audits reports with "show users" command, it will show "Access to Expert features" on the Privilege tab, same as "admin".

Additionally, the SK was published three days _after_ users were pushed to our servers by "admin", so to me it looks as if Check Point had to quickly explain themselves.

For the cron job, it produces error messages when it runs (we get notified about failures on cron jobs); is there any QA on this before pushing out?
/opt/CPsuite-R81.10/fw1/webconsole/mwc.sh: line 153: service: command not found
/opt/CPsuite-R81.10/fw1/webconsole/mwc.sh: line 155: service: command not found
tail: cannot open '/opt/CPsuite-R81.10/fw1/log/wsc_cpm_monitoring.elg' for reading: No such file or directory

I'm quoting for truth:

---

@David_C1 wrote:

[..]We have automatic updates enabled on our management servers for IPS downloads, AppCtrl, etc. It would have been inconceivable to me that this would enable Check Point to create user accounts on my devices. I'm at a loss as to why Check Point would think this is acceptable.

Dave

---

adding:
"and even more concerned they are even doing it".

I am really disappointed!

Mario

I am guessing there is much more to this story than Check Point is telling us. This happened for a reason and the explanation is vague for a reason.

Dave

---

@Itai_Minuhin wrote:

Hello, 

I'd like to address several questions that have been raised in regars to cpsho_user.

What permissions and credentials cpsho_user has?

The password is randomly generated and it is 108 characters long, it is not stored anywhere, hence this user is never used to login. Gaia has the definition of the user, it has Non-root permission ( groupid 100 ).

Not exactly true - the password is obviously stored on the local management server. Can the password be changed without causing "impact on several Management features"?

When is cpsho_user created?

Installation of WebSmartConsole package will trigger the creation of the user. WebSmartConsole can be installed manually, by automatic update, and as part of the JHF.

This account showed up on my management servers on a Sunday. WebSmartConsole was not manually installed on this day, nor was a JHF installed. What "automatic update" would trigger this?

 

Why is cpsho_user created?

cpsho_user is being created for internal system purposes. Several dockers on the MGMT server are using this low privileged user in order to read input files and write to log files.  For example Infinity Services and WebSmartConsole. 

 

How were these "internal system purposes" handled prior to the creation of this account? Why suddenly the need for this new account to handle these processes which presumably were working before this account showed up?

Can cpsho_user be deleted?

Deleting this user is not recommended and might have impact on several Management features - Infinity Services, WebSmartConsole and SmartConsole (as some views and pages are of SmartConsole are based on WebSmartConsole as infrastructure)

 

Again, these features were working prior to this account showing up. Could you provide more details about this potential impact?

More information available at sk181305 .

 

Best Regards,

Itai

---

 

Dave

It appears that the only thing currently preventing a remote login (SSH/web UI) is the lack of an assigned role. If you change the password and try to login via SSH you get the following in /var/log/messages:

Aug 10 15:33:34 2023 fwmgr clish[23032]: User not logged in. He has no configured role.
Aug 10 15:33:34 2023 fwmgr clish[23032]: User cpsho_user logged out due to an error from CLI shell

Web UI gives "Permission denied"

If you assign an rba role it will happily log you in.

Either way, a vendor known static password (however long) deployed on a customer system without their consent is called a backdoor and is a security accident waiting to happen. Not what you expect from a security company.

Re-reading this:

"The password is randomly generated and it is 108 characters long, it is not stored anywhere, hence this user is never used to login."

Randomly generate per-install, or once by Check Point? If it is not stored anywhere how can it be used, and why is a password needed at all?

---

@Tomer_Noy wrote:

Hi,

The password is randomly generated per machine, it is very long and not kept after it is generated.
Therefore it is not a static password that anyone can use to log in.

True, but if this is the case, why was the user created with Web and Clish Access enabled?

Essentially, we defined this user in a way that no one will be able to use it to log in, under any circumstances. The random password is generated simply because that is needed to create the user.
It was created as a security precaution since it has lower privileges and it allows us to run some processes without full system permissions.

Details, please. What was previously running with full system permissions that had to be fixed with a named user? UID 1000 already existed, why the need for a named user? What bug was found (and not disclosed)?

It retrospect, we understand that this was not clear to the field and we need to better communicate such underlying changes. We appreciate the feedback and will try to document this much better.

Umm...yeah. Would this had ever been brought to light if a few of us didn't notice this additional user?

I want to emphasize though, that this does not introduce security concerns, to the contrary, it was done to tighten security.

Again, details would help restore some trust.

Also, an explanation between this discrepancy:

Dave

Hi,

I have now seen 3 times at 3 different customers after upgrading from R81.10 to R81.20 we get Segmentation fault in clish when trying to back up, or after show configuration. 
After some debug I pinpointed the problem. During the the upgrade process the user "Cpsho_user" is automatically created, but this user is created without a home dir:

[Expert@s-manage03:0]# grep "passwd:cpsho_user" /config/active
passwd:cpsho_user t
passwd:cpsho_user:realname Cpsho_user
passwd:cpsho_user:gid 100
passwd:cpsho_user:uid 1000
passwd:cpsho_user:lastchg 1694536445
passwd:cpsho_user:shell /sbin/nologin
passwd:cpsho_user:passwd *

In one installation I exported the configuration, reinstalled on R81.20 and imported config and the Cpsho_user was gone, and everything worked

On the other I deleted Cpsho_user, and everything worked

And on the 3rd I added the homedir: set user cpsho_user homedir /home/cpsho_user

why is Cpsho_user not created on a fresh installed R81.20?

/gsa

Anyone else that hits this thread:

In our instance:

Message logs filled with:
kernel:clish[xxxxx]: segfault at 0 ip 00000000f5078a5f sp 00000000ffeeb3b0 error 4 in libcli_passwd.so

cpsho_user was missing both homedir & realname

Gaia administrator "cpsho_user" is added on Management Servers
https://support.checkpoint.com/results/sk/sk181305

"show configuration user" command fails with "Segmentation fault" on the Security Management Server
https://support.checkpoint.com/results/sk/sk181626

---

@StackCap43382 wrote:

Anyone else that hits this thread:

In our instance:

Message logs filled with:
kernel:clish[xxxxx]: segfault at 0 ip 00000000f5078a5f sp 00000000ffeeb3b0 error 4 in libcli_passwd.so

cpsho_user was missing both homedir & realname

Gaia administrator "cpsho_user" is added on Management Servers
https://support.checkpoint.com/results/sk/sk181305

"show configuration user" command fails with "Segmentation fault" on the Security Management Server
https://support.checkpoint.com/results/sk/sk181626

---

Yes, we had the same issue exactly. It appeared on R81.10 after installing JHF130 over JHF95.  Adding home directory helped.