maldet upgrade kills maldet monitoring #414

Open
Gazoo opened this issue Apr 1, 2023 · 0 comments

Gazoo commented Apr 1, 2023

Running maldet -d from the command line, or having autoupdate_version enabled in the config (using maldet 1.6.5), will stop the maldet service from running, putting it into a failed state that needs to be restarted (if maldet is updated).

Before running the update:

systemctl status maldet
● maldet.service - Linux Malware Detect monitoring - maldet
   Loaded: loaded (/usr/lib/systemd/system/maldet.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2023-03-31 04:16:08 MDT; 22h ago
 Main PID: 18667 (inotifywait)
   CGroup: /system.slice/maldet.service
           ├─18667 /usr/bin/inotifywait -r --fromfile /usr/local/maldetect/sess/inotify.paths.16462 --exclude (^/var/tmp/mysql.sock$|^/tmp/mysql.sock$|^/var/cache/buagent/md0.cache.data$|^/var/tmp/#sql-.*$|^/tmp/#sql-.*$|^/tmp/systemd-private-*|^/tmp/cl...
           ├─18683 bash /usr/local/maldetect/maldet --monitor users
           └─19142 sleep 30

Mar 31 04:16:03 server.example.com maldet[16462]: (C) 2002-2023, R-fx Networks <[email protected]>
Mar 31 04:16:03 server.example.com maldet[16462]: (C) 2023, Ryan MacDonald <[email protected]>
Mar 31 04:16:03 server.example.com maldet[16462]: This program may be freely redistributed under the terms of the GNU GPL v2
Mar 31 04:16:05 server.example.com maldet[16462]: maldet(16462): {mon} added /dev/shm to inotify monitoring array
Mar 31 04:16:05 server.example.com maldet[16462]: maldet(16462): {mon} added /var/tmp to inotify monitoring array
Mar 31 04:16:05 server.example.com maldet[16462]: maldet(16462): {mon} added /tmp to inotify monitoring array
Mar 31 04:16:05 server.example.com maldet[16462]: maldet(16462): {mon} starting inotify process on 3 paths, this might take awhile...
Mar 31 04:16:08 server.example.com maldet[16462]: maldet(16462): {mon} inotify startup successful (pid: 18667)
Mar 31 04:16:08 server.example.com maldet[16462]: maldet(16462): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log
Mar 31 04:16:08 server.example.com systemd[1]: Started Linux Malware Detect monitoring - maldet.

Running the update:

# maldet -d
Linux Malware Detect v1.6.5
            (C) 2002-2023, R-fx Networks <[email protected]>
            (C) 2023, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(19177): {update} checking for available updates...
maldet(19177): {update} hashing install files and checking against server...
maldet(19177): {update} version check shows latest but hash check failed, forcing update...
maldet(19177): {update} verified md5sum of maldetect-current.tar.gz
maldet(19177): {update} completed update v1.6.5 cd06ce => v1.6.5 6b340a, running signature updates...
maldet(19908): {sigup} performing signature update check...
maldet(19908): {sigup} local signature set is version 202304011147602
maldet(19908): {sigup} latest signature set already installed
maldet(19177): {update} update and config import completed

After running the update:

# systemctl status maldet
● maldet.service - Linux Malware Detect monitoring - maldet
   Loaded: loaded (/usr/lib/systemd/system/maldet.service; enabled; vendor preset: disabled)
   Active: failed (Result: signal) since Sat 2023-04-01 02:54:05 MDT; 13s ago
 Main PID: 18667 (code=killed, signal=KILL)

Mar 31 04:16:05 server.example.com maldet[16462]: maldet(16462): {mon} added /dev/shm to inotify monitoring array
Mar 31 04:16:05 server.example.com maldet[16462]: maldet(16462): {mon} added /var/tmp to inotify monitoring array
Mar 31 04:16:05 server.example.com maldet[16462]: maldet(16462): {mon} added /tmp to inotify monitoring array
Mar 31 04:16:05 server.example.com maldet[16462]: maldet(16462): {mon} starting inotify process on 3 paths, this might take awhile...
Mar 31 04:16:08 server.example.com maldet[16462]: maldet(16462): {mon} inotify startup successful (pid: 18667)
Mar 31 04:16:08 server.example.com maldet[16462]: maldet(16462): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log
Mar 31 04:16:08 server.example.com systemd[1]: Started Linux Malware Detect monitoring - maldet.
Apr 01 02:54:05 server.example.com systemd[1]: maldet.service: main process exited, code=killed, status=9/KILL
Apr 01 02:54:05 server.example.com systemd[1]: Unit maldet.service entered failed state.
Apr 01 02:54:05 server.example.com systemd[1]: maldet.service failed.

The auto updater should check if the maldet service was enabled and running before the update then restart it again after the upgrade.

P.S. You should also note that after the upgrade from 1.6.4 to 1.6.5, autoupdate_version is enabled in the config even if it was turned off before the upgrade.
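As an added illustration of the behaviour the report asks for (this is example code, not part of the maldet project or this issue), a POSIX sh wrapper around maldet -d that records the unit's state before the update and restarts it if the update killed it. It assumes systemd and the unit name maldet.service shown in the status output above; the decision logic and the status parser are plain functions so they can be checked without systemd present.

```shell
#!/bin/sh
# Wrapper for `maldet -d` that restores the monitoring unit after an update.
# Assumption: systemd is in use and the unit is maldet.service (as in the issue).
set -u

UNIT="${MALDET_UNIT:-maldet.service}"

# Constructed sample, copied from the "after" status output in the issue,
# used only to exercise state_from_status.
SAMPLE_STATUS='● maldet.service - Linux Malware Detect monitoring - maldet
   Active: failed (Result: signal) since Sat 2023-04-01 02:54:05 MDT; 13s ago
 Main PID: 18667 (code=killed, signal=KILL)'

# Decide what to do after the update, given the unit state before and after
# (values as printed by `systemctl is-active`: active, inactive, failed, ...).
# Prints the systemctl verb to run, or "none".
post_update_action() {
    before="$1"; after="$2"
    case "$before:$after" in
        active:active) echo none ;;     # monitor survived the update
        active:*)      echo restart ;;  # it was running and the update killed it
        *)             echo none ;;     # it was not running before; leave it alone
    esac
}

# Extract the ActiveState word from `systemctl status` output read on stdin.
state_from_status() {
    sed -n 's/^ *Active: \([a-z]*\).*/\1/p' | head -n 1
}

# Record state, run the updater, then restore the unit if it was killed.
safe_maldet_update() {
    before=$(systemctl is-active "$UNIT" 2>/dev/null || true)
    maldet -d
    rc=$?
    after=$(systemctl is-active "$UNIT" 2>/dev/null || true)
    if [ "$(post_update_action "$before" "$after")" = "restart" ]; then
        systemctl restart "$UNIT"
    fi
    # Confirm the inotify monitor is really back rather than trusting the restart.
    systemctl is-active --quiet "$UNIT" || echo "warning: $UNIT not active after update" >&2
    return $rc
}

if [ "${1:-}" = "run" ]; then
    safe_maldet_update
fi
```

Invoke as `sh wrapper.sh run` from cron instead of relying on autoupdate_version; the warning on stderr is what a monitoring job should alert on.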
