CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

LFD (CSF) daemon not running #588

Status: Closed (bitfactory-henk-batelaan closed this 5 years ago)

bitfactory-henk-batelaan commented 5 years ago

Describe the bug

This is from the output of a full system audit:

From the log:

2018-10-04 11:01:55 IsRunning: process 'lfd ' not found.

systemctl status lfd

● lfd.service - ConfigServer Firewall & Security - lfd
   Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-10-04 10:47:48 CEST; 19min ago

TIME-3124

Version

Debian 9.5, Lynis 2.6.9

Expected behavior

Since LFD (and CSF) is running, I would expect an [ OK ] status here.

mboelen commented 5 years ago

Hi Henk, thanks for reporting. Can you show your process listing filtered with lfd/csf (ps -ef | grep -E "lfd|csf")?

bitfactory-henk-batelaan commented 5 years ago

Thanks for the reply! lfd is apparently sleeping?

ps -ef | grep -E "lfd|csf"
root     18340     1  0 13:17 ?        00:00:00 lfd - sleeping
root     32396  1360  0 13:23 pts/0    00:00:00 grep -E lfd|csf

mboelen commented 5 years ago

We want to simulate this in our lab. How did you install CSF (and in particular the systemd service file)?

bitfactory-henk-batelaan commented 5 years ago

I believe they don't have a repo? I've installed it manually like so:

# cd /tmp/
# wget https://download.configserver.com/csf.tgz
# tar xzf csf.tgz 
# cd csf/
# ./csftest.pl

Everything was OK, so finally:

# ./install.sh

mboelen commented 5 years ago

Performed installation on Ubuntu 18.04 and a Fedora 29 system. Both end with:

root@ubuntu1804:/etc/csf# systemctl start lfd.service
Job for lfd.service failed because a fatal signal was delivered to the control process.
See "systemctl status lfd.service" and "journalctl -xe" for details.

Running lfd manually shows only 'Killed'.

Did you configure something regarding LFD in particular?

bitfactory-henk-batelaan commented 5 years ago

So at your end it doesn't work at all? What does the log say?

I did some editing of course in the config file, but nothing crazy. Also, it just works after installation.

The # ./csftest.pl didn't bring anything up either?

bitfactory-henk-batelaan commented 5 years ago

I believe these are all changed and / or relevant settings:

TESTING = "0"
RESTRICT_SYSLOG = "3"
RESTRICT_SYSLOG_GROUP = "mysyslog"
RESTRICT_UI = "2"
AUTO_UPDATES = "1"
# Allow incoming TCP ports
TCP_IN = "80,443"
# Allow outgoing TCP ports
TCP_OUT = "25,80,443,587"
# Allow incoming UDP ports
UDP_IN = ""
# Allow outgoing UDP ports
UDP_OUT = "53,67,123"
SYSLOG_CHECK = "300"
URLGET = "1"
CC_OLDGEOLITE = "0"
LF_DIRWATCH = "0"
LF_DIRWATCH_DISABLE = "0"
LF_DIRWATCH_FILE = "0"
LF_INTEGRITY = "0"
PT_LIMIT = "0"
PT_USERMEM = "0"
PT_USERTIME = "0"
UI = "0"
LOGSCANNER = "0"

Fire it up:

# csf -r
# systemctl start csf lfd
# systemctl enable csf lfd

iohenkies commented 5 years ago

Hi, I just realised with a manual scan that this one is still open. The problem persists on all our CSF/LFD equipped Debian servers.

Services are running:

● csf.service - ConfigServer Firewall & Security - csf
   Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: enabled)
   Active: active (exited) since Mon 2019-03-11 08:30:43 CET; 1h 50min ago
  Process: 3881 ExecStop=/usr/sbin/csf --stop (code=exited, status=0/SUCCESS)
  Process: 3864 ExecStop=/usr/sbin/csf --initdown (code=exited, status=0/SUCCESS)
  Process: 3919 ExecStart=/usr/sbin/csf --initup (code=exited, status=0/SUCCESS)
 Main PID: 3919 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/csf.service

● lfd.service - ConfigServer Firewall & Security - lfd
   Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-03-11 08:30:44 CET; 1h 50min ago
  Process: 3983 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
 Main PID: 3996 (lfd - sleeping)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/lfd.service
           └─3996 lfd - sleeping

But lfd is sleeping? Maybe this is something?

mboelen commented 5 years ago

Found the underlying reason. The process needs to be matched exactly, in this case 'lfd - sleeping'.

Fixed with commit https://github.com/CISOfy/lynis/commit/fa064a824b6ba5519296dfd87e4604c2f15be897
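The root cause above is a process-name check that did not account for a daemon rewriting its own title (lfd shows up as 'lfd - sleeping', not 'lfd'). The following is an added example, not Lynis's IsRunning function or code from the commit linked above: it contrasts three ways of answering "is this daemon running?" against a constructed process listing modelled on the ps and systemctl output in this thread. The function names (is_running_exact, is_running_substr, is_running_name) and the sample listings are hypothetical; on a live system the listing would come from something like `ps -eo args=`.

```shell
#!/bin/sh
# Added example (not Lynis code). Constructed process listing, one command
# line per entry, modelled on the ps output posted in the issue.
SAMPLE_PS='/usr/sbin/csf --initup
lfd - sleeping
grep -E lfd|csf
/usr/bin/perl /usr/sbin/lfdhelper'

# Second constructed listing: lfd is NOT running, only the grep that
# looked for it (the classic self-match in "ps | grep name").
SAMPLE_NO_LFD='/usr/sbin/csf --initup
grep -E lfd|csf'

# 1. Strict check: an entry must equal the name exactly.
#    Misses 'lfd - sleeping' (the bug described in this issue).
is_running_exact() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# 2. Substring check: any entry containing the name counts.
#    Finds 'lfd - sleeping', but also matches 'grep -E lfd|csf' and
#    '/usr/sbin/lfdhelper', so it reports false positives.
is_running_substr() {
    printf '%s\n' "$2" | grep -q -- "$1"
}

# 3. Name check: the basename of the first word of the command line must
#    equal the name. Tolerates a rewritten title ('lfd - sleeping'),
#    a full path ('/usr/sbin/csf --initup'), and ignores the grep line.
is_running_name() {
    printf '%s\n' "$2" | awk -v name="$1" '
        { cmd = $1; sub(/.*\//, "", cmd); if (cmd == name) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Small demo of the three checks on the sample listings.
for fn in is_running_exact is_running_substr is_running_name; do
    for listing in SAMPLE_PS SAMPLE_NO_LFD; do
        eval "data=\$$listing"
        if "$fn" lfd "$data"; then r=running; else r=not-running; fi
        printf '%-18s %-14s lfd: %s\n' "$fn" "$listing" "$r"
    done
done
```

Only the third check gives the right answer on both listings: running when 'lfd - sleeping' is present, not running when only the grep is. The first-word/basename rule is what makes the difference; matching the whole line, as the bug did, breaks as soon as a daemon sets its own process title.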