Cuckoo Network Analysis Failure

Basic Info:

  • Error Message: CuckooOperationalError: Error running tcpdump to sniff the network traffic during the analysis
  • OS: Ubuntu 16.04 LTS
  • Cuckoo: 2.0.5
  • Python Version: 2.7

Failure Description

  • The Network Analysis page in the Cuckoo Web UI shows no analysis results
  • AppArmor's confinement of tcpdump had already been disabled with the following command

    $ sudo aa-disable /usr/sbin/tcpdump
  • Checking AppArmor's status for tcpdump with the following command shows that tcpdump is not in the disabled list

    $ sudo aa-status --verbose
    apparmor module is loaded.
    20 profiles are loaded.
    20 profiles are in enforce mode.
    /sbin/dhclient
    /usr/bin/evince
    /usr/bin/evince-previewer
    /usr/bin/evince-previewer//sanitized_helper
    /usr/bin/evince-thumbnailer
    /usr/bin/evince-thumbnailer//sanitized_helper
    /usr/bin/evince//sanitized_helper
    /usr/bin/ubuntu-core-launcher
    /usr/lib/NetworkManager/nm-dhcp-client.action
    /usr/lib/NetworkManager/nm-dhcp-helper
    /usr/lib/connman/scripts/dhclient-script
    /usr/lib/cups/backend/cups-pdf
    /usr/lib/lightdm/lightdm-guest-session
    /usr/lib/lightdm/lightdm-guest-session//chromium
    /usr/sbin/cups-browsed
    /usr/sbin/cupsd
    /usr/sbin/cupsd//third_party
    /usr/sbin/ippusbxd
    webbrowser-app
    webbrowser-app//oxide_helper
    0 profiles are in complain mode.
    3 processes have profiles defined.
    3 processes are in enforce mode.
    /usr/bin/evince (5165)
    /usr/bin/evince (31898)
    /usr/sbin/cups-browsed (844)
    0 processes are in complain mode.
    0 processes are unconfined but have a profile defined.
  • Yet cuckoo.log still shows the error message

    ~/.cuckoo/log$ tail -F cuckoo.log
    # ...
    CuckooOperationalError: Error running tcpdump to sniff the network traffic during the analysis;
    stdout = '' and stderr = 'tcpdump: ~/.cuckoo/storage/analyses/14/dump.pcap: Permission denied\n'.
    Did you enable the extra capabilities to allow running tcpdump as non-root user and disable
    AppArmor properly (the latter only applies to Ubuntu-based distributions with AppArmor,
    see also https://cuckoo.sh/docs/faq/index.html#permission-denied-for-tcpdump)?
    # ...

Solution

  • Switch tcpdump's AppArmor profile from enforce mode to complain mode

    $ sudo aa-complain /usr/sbin/tcpdump
    Setting /usr/sbin/tcpdump to complain mode.
    # confirm tcpdump's profile mode
    $ sudo grep tcpdump /sys/kernel/security/apparmor/profiles
    /usr/sbin/tcpdump (complain)
  • The Network Analysis results then appear on the corresponding page
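The error message asks two questions: does the tcpdump binary carry the extra capabilities, and is an AppArmor profile still confining it? The following script answers both from the host's own state and is an added example, not code from Cuckoo or from this page. It assumes tcpdump lives at /usr/sbin/tcpdump (the path used above); the function names are hypothetical, and the aa-status-style and getcap-style sample outputs in the demo section are constructed. Note that the aa-status output above lists no tcpdump profile at all and tcpdump still failed, so a pass from this check is necessary, not proof; the last word is always a real capture written into the Cuckoo storage tree.

```sh
#!/bin/sh
# Added diagnostic for the "tcpdump: ... Permission denied" Cuckoo failure.
# Not Cuckoo's own code. Assumptions: tcpdump is /usr/sbin/tcpdump (the path on
# the page); function names are hypothetical; the sample outputs used in the
# demo section below are constructed.

TCPDUMP="${TCPDUMP:-/usr/sbin/tcpdump}"

# aa_profile_mode PROFILES_TEXT BINARY
# PROFILES_TEXT is the content of /sys/kernel/security/apparmor/profiles, one
# "name (mode)" line per loaded profile. Prints enforce, complain, or "unloaded"
# when no profile for BINARY is loaded (the state aa-disable should leave).
aa_profile_mode() {
  printf '%s\n' "$1" | awk -v bin="$2" '
    $1 == bin { gsub(/[()]/, "", $2); print $2; found = 1; exit }
    END { if (!found) print "unloaded" }'
}

# caps_allow_capture GETCAP_LINE
# Accepts both getcap output styles:
#   /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip   (libcap before 2.41)
#   /usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip     (libcap 2.41 and later)
# Succeeds only when cap_net_raw and cap_net_admin are both present and both
# effective (e) and permitted (p), which is what the Cuckoo FAQ's setcap grants.
caps_allow_capture() {
  printf '%s\n' "$1" | awk '
    {
      n = split($NF, parts, /[+=]/)   # parts[1] = cap list, parts[2] = flags
      if (n < 2) exit 1
      ok = (parts[1] ~ /cap_net_raw/) && (parts[1] ~ /cap_net_admin/) &&
           (parts[2] ~ /e/) && (parts[2] ~ /p/)
      exit (ok ? 0 : 1)
    }'
}

# diagnose BINARY PROFILES_TEXT GETCAP_LINE
# Answers the two questions in Cuckoo's error message and prints a verdict.
# Succeeds when tcpdump has the capabilities and is not under an enforcing
# profile. A failure explains the error; a pass is necessary but not proof.
diagnose() {
  mode=$(aa_profile_mode "$2" "$1")
  if caps_allow_capture "$3"; then caps=ok; else caps=missing; fi
  echo "tcpdump=$1 apparmor=$mode capabilities=$caps"
  [ "$caps" = ok ] && [ "$mode" != enforce ]
}

# Demo on constructed data mirroring the state after aa-complain on this page.
DEMO_PROFILES='/sbin/dhclient (enforce)
/usr/sbin/cupsd (enforce)
/usr/sbin/tcpdump (complain)'
DEMO_CAPS='/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip'
diagnose "$TCPDUMP" "$DEMO_PROFILES" "$DEMO_CAPS"   # constructed sample input

# Live check of this host, skipped when AppArmor or the libcap tools are absent.
if [ -r /sys/kernel/security/apparmor/profiles ] && command -v getcap >/dev/null 2>&1; then
  diagnose "$TCPDUMP" "$(cat /sys/kernel/security/apparmor/profiles)" \
           "$(getcap "$TCPDUMP" 2>/dev/null)" || cat <<EOF
Remediation as documented in the Cuckoo FAQ (run as root):
  setcap cap_net_raw,cap_net_admin=eip $TCPDUMP
  aa-disable $TCPDUMP        # or aa-complain $TCPDUMP, as on this page
EOF
fi
```

Why the profile bites here: the profile shipped with Ubuntu's tcpdump package contains `audit deny @{HOME}/.*/** mrwkl`, i.e. it refuses to read or write anything under a dot-directory in the user's home, which is exactly where Cuckoo's default working directory (`~/.cuckoo`) puts `dump.pcap`. Complain mode turns that deny into an audit record (`apparmor="ALLOWED"` in syslog or audit.log), which is a convenient way to confirm which rule fired; aa-disable removes the profile entirely and is the form the Cuckoo FAQ documents, so after running it, `grep tcpdump /sys/kernel/security/apparmor/profiles` should print nothing. The capability grant makes packet capture available to every local user who can execute the binary; the Cuckoo install docs' step of giving tcpdump a dedicated group (`groupadd pcap`, `chgrp pcap /usr/sbin/tcpdump`) only narrows that if the binary is also made non-executable for others (for example `chmod 750`).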