
Opsware accessing AIX as root user without password

Status
Not open for further replies.

KPKIND

Technical User
Sep 8, 2003
130
IN
Dear All,

Not sure how many of you out there are using Opsware but this is the first time I am seeing this product.
Of late the place where I am working is evaluating HP Opsware product for file distribution etc. This piece of sw seems to work like master & agent. During the evaluation we have found that once the agent is installed on the AIX server, people who are logged on to opsware master console, can gain access to the system as root and do whatever they want.. The way the agent was installed was, by adding the AIX server in question as an object and pushing the agent to the AIX server. A non-root user having full sudo access has been given while pushing the agent, so the agent installation can happen. When we have asked the Team working from Opsware about this, they said they will have a workaround and limit the access to people who are going to work on the console. My questions are

1. So there is a superuser in Opsware console which can restrict access, but this superuser can logon to any AIX server without a password or any sort of authentication. Worst is the login from opsware console does not leave any audit trail in the OS logs. I have verified the ssh logs and wtmp to see if they report root user being connected, but could not see any info.

2. Since the agent is installed by Opsware which had the legitimate access, does it mean for all the rest of the time that piece of sw can logon without any authentication. Is this right???

3. If we escalate this to IBM, shouldn't IBM be obliged to fix this by not allowing third party applications to do this kind of stuff on their OS. Say if there was a vulnerability for sendmail, doesn't IBM come out with a fix or not...

Any light on this is very much appreciated.

Regards
KPKIND
 
i've never used opsware but I'm curious how you know that opsware is logging in without any authentication?

opsware has an agent on the server? the agent runs as root or the non-root user with full sudo? is opsware connecting to the agent and inheriting whatever access the agent has? if so then how can this be aix's issue?

i'd assume at the very least the communication between opsware and its agent is authenticated using ssl/keys of some sort?

I am curious though because there has been talk of reviewing opsware for server management here.
 
exsnafu,

Going through each of the points you have mentioned

"i've never used opsware but I'm curious how you know that opsware is logging in without any authentication?"

--> How do I know that is, it does not ask for a password nor is there any key pair that has been generated or uploaded for the authentication to be successful. Moreover when you right click on the agent from Opsware GUI and click on connect to remote machine, it just gives you a root shell and you could do whatever you want.

"opsware has an agent on the server? the agent runs as root or the non-root user with full sudo? is opsware connecting to the agent and inheriting whatever access the agent has? if so then how can this be aix's issue?"

--> The agent seems to be running as root user. When the agent was installed initially, we have given a non-root account that had full sudo access. Probably you are right saying Opsware is connecting to its agent running on the server and inheriting the access what the agent has, but is it not a kind of backdoor which will give someone root access, most worrying is nobody would even know who has logged in and what has he done as this login doesn't seem to be captured by ssh logs/wtmp...etc. I am not sure if this is an AIX issue or not, say if someone can write a clever bit of code and put that code on the box somehow as root user, does it mean from next time onwards he can access the box whenever he wants as root and nobody will be able to see this.. on these grounds I was thinking IBM can do something to stop exploiting the code related to authentication.

I am sure there are no keys setup that has been done between opsware master and the agent server.

Regards
KPKIND
 
Before saying it is an AIX issue, check and make sure there are no Opsware tasks running as root, if there is then it is a user / Opsware issue. If you allow a task to run as root, you are giving them root access, Not Aix.

Tony ... aka chgwhat

When in doubt,,, Power out...
 
KPKIND,

no doubt if opsware allows root login from their centralized management server without even an option to require a password that is bad but this isn't something AIX is responsible for locking down. you're running something as root which exposes the server (or so it appears).

i'd be very surprised and saddened though if opsware isn't at least exchanging keys/authenticating between the client and the server.. you may not see it but it'd be completely unacceptable if they actually designed it like this.
 
Thanks for all the responses

I am not saying it is for AIX to fix this, but I was asking a question, will this be something for IBM to fix or for Opsware.

exsnafu -- I can definitely say it is not exchanging any keys of any user to get this access, but probably since the agent is running as root, probably it is using that agent as source for logging in as root.


Thanks for your opinions

Regards
KPKIND
 
If you give some third party application root access to your system then you get what you asked for.
This is not an OS / AIX problem but an application vendor problem and having seen what you describe I wouldn't use that application.
Don't expect IBM to fix this application opening root access to your system by this method.
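
Added example, not part of the thread and not Opsware or IBM code: a shell spawned by a root-running agent does not pass through sshd or login, the programs that write the ssh log and wtmp entries KPKIND checked, but it still appears in the process table, so walking each root shell's ancestry shows which ones did not come from an audited entry point. The process name `example_agent`, the sample `ps` listing and the list of audited entry points are constructed assumptions to adjust for the real system.

```shell
#!/bin/sh
# Flag root shells whose parent chain contains no audited login path.
# Live input (AIX or Linux): ps -eo pid,ppid,user,tty,comm | find_unaudited_root_shells

# Constructed sample listing; "example_agent" is a hypothetical agent process name.
sample_ps() {
  cat <<'EOF'
PID PPID USER TTY COMMAND
1 0 root - init
2100 1 root - sshd
2200 2100 root - sshd
2201 2200 root pts/0 ksh
3000 1 root - example_agent
3050 3000 root pts/1 ksh
3051 3050 root pts/1 vi
4000 1 root - cron
4010 4000 appuser - sh
EOF
}

# Prints "PID SHELL ANCESTRY" for every root shell not descended from an
# audited entry point (assumed list: sshd, login, telnetd, rlogind, getty, su, sudo).
find_unaudited_root_shells() {
  awk '
    NR == 1 && $1 == "PID" { next }                  # skip the ps header line
    { ppid[$1] = $2; user[$1] = $3; comm[$1] = $5 }  # index the process table
    END {
      for (p in comm) {
        if (user[p] != "root") continue
        if (comm[p] !~ /^-?(sh|ksh|ksh93|bash|csh|tcsh)$/) continue
        cur = ppid[p]; audited = 0; chain = ""; hops = 0
        # Walk towards init, recording the ancestry; stop at an audited parent.
        while ((cur in comm) && cur != 1 && hops++ < 64) {
          chain = chain (chain == "" ? "" : " <- ") comm[cur]
          if (comm[cur] ~ /^(sshd|login|telnetd|rlogind|getty|su|sudo)$/) { audited = 1; break }
          cur = ppid[cur]
        }
        if (!audited) print p, comm[p], chain
      }
    }
  ' | sort -n
}

sample_ps | find_unaudited_root_shells
```

Root shells started by cron or other local daemons are reported too, so the output is a list to review against known jobs rather than proof of remote access.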
 