
sftpagent stops working after upgrade to RSA NetWitness

Issue

After upgrading to a newer version, log collection (File) via sftp agent stops working.

Launching the sftp agent script from the command line returns the following error:

**** Error detected during transfer:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Couldn't read packet: Connection reset by peer

**** Transfer Errors processing /path/to/filename
**** Exiting Script


Please make sure that the sftp agent is configured correctly, with particular regards to keys, user and permissions.

Try to connect from one of the affected event sources using sftp:

sftp -v -o IdentityFile=/path-to-user-home/.ssh/id_rsa sftp@<LD/LC IP address>


In the command above, replace:
path-to-user-home with the correct path to the home directory of the user configured for log collection on the event source
<LD/LC IP address> with the Log Decoder/Log Collector IP address

Check if the following error is returned:

debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Couldn't read packet: Connection reset by peer


On the Log Decoder/Log Collector, the following errors can be seen in /var/log/secure:

Jan 18 16:44:20 logdecoder sshd[3253]: Received disconnect from <EVENT SOURCE IP ADDRESS>: 14: No supported authentication methods available


Running the following command on the Log Decoder/Log Collector will show that the SELinux mode is "Enforcing":

# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted




Cause

On the Log Decoder/Log Collector, SELinux in enforcing mode causes the sftp agent to fail to connect.


Workaround

  1. Open the /etc/selinux/config file in a text editor of your choice, for example:

    # vi /etc/selinux/config
     
     
  2. Configure the SELINUX=permissive option:

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcing - SELinux security policy is enforced.
    # permissive - SELinux prints warnings instead of enforcing.
    # disabled - No SELinux policy is loaded.
    SELINUX=permissive
    # SELINUXTYPE= can take one of these two values:
    # targeted - Targeted processes are protected,
    # mls - Multi Level Security protection.
    SELINUXTYPE=targeted
     
     
  3. Restart the system:

    # reboot

Reference: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux#changing-to-permissive-mode_changing-selinux-states-and-modes 
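As an added example (not part of this article), the shell functions below check for the two symptoms shown above (sestatus reporting enforcing mode and the sshd disconnect in /var/log/secure) and apply the SELINUX=permissive edit to a config file with a backup; the sestatus output, log lines, hostname, PID and IP addresses are constructed placeholders, and the config path is a parameter so it can be tested on a copy rather than on /etc/selinux/config.

```shell
#!/bin/sh
# Added example, not from the NetWitness article. Inputs are passed as
# arguments so the checks run against the constructed samples below
# instead of a live Log Decoder/Log Collector.

# Return 0 when sestatus output reports "Current mode: enforcing".
selinux_is_enforcing() {
    printf '%s\n' "$1" | grep -iq '^Current mode:[[:space:]]*enforcing'
}

# Count sshd disconnects carrying "No supported authentication methods
# available", the /var/log/secure symptom shown in the article.
count_pubkey_disconnects() {
    printf '%s\n' "$1" | grep -c 'sshd\[[0-9]*\]: Received disconnect from .*No supported authentication methods available' || true
}

# Set SELINUX=<mode> in the given config file, keeping a .bak copy.
# On a real system the file is /etc/selinux/config; the edit takes effect
# after a reboot (setenforce 0 changes the running mode without one).
set_selinux_config_mode() {
    cfg="$1"; mode="$2"
    case "$mode" in enforcing|permissive|disabled) ;; *) return 2 ;; esac
    cp "$cfg" "$cfg.bak" || return 1
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg.bak" > "$cfg"
}

# Print the SELINUX= value from a config file.
selinux_config_mode() {
    sed -n 's/^SELINUX=//p' "$1"
}

# Constructed samples (hostname, PID and IP addresses are placeholders).
SAMPLE_SESTATUS='SELinux status: enabled
Current mode: enforcing
Mode from config file: enforcing'
SAMPLE_SECURE='Jan 18 16:44:20 logdecoder sshd[3253]: Received disconnect from 192.0.2.10: 14: No supported authentication methods available
Jan 18 16:44:25 logdecoder sshd[3260]: Accepted publickey for sftp from 192.0.2.11 port 50122 ssh2'

if selinux_is_enforcing "$SAMPLE_SESTATUS" && [ "$(count_pubkey_disconnects "$SAMPLE_SECURE")" -gt 0 ]; then
    echo "SELinux is enforcing and sshd rejected public-key logins: matches the symptom in this article"
fi
```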


Resolution

Set the selinux mode to "Permissive" on the Log Decoder/Log Collector.


Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Log Collector
NetWitness Version/Condition: 12.x
Platform: CentOS/Alma Linux

