ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

ossec-hids-authd not starting #1368

Open shivam99aa opened 6 years ago

shivam99aa commented 6 years ago

I am trying to start ossec-hids-authd using systemctl but it is not starting. It just hangs when I try to run

```
sudo /etc/init.d/ossec-hids-authd start
Starting ossec-hids-authd (via systemctl):
```

When I try to show status after killing the above command it shows this

```
sudo /etc/init.d/ossec-hids-authd status
● ossec-hids-authd.service - LSB: Authentication Daemon for OSSEC-HIDS.
   Loaded: loaded (/etc/rc.d/init.d/ossec-hids-authd; bad; vendor preset: disabled)
   Active: activating (start) since Wed 2018-02-21 14:57:38 UTC; 4min 53s ago
     Docs: man:systemd-sysv-generator(8)
   CGroup: /system.slice/ossec-hids-authd.service
           └─7966 /var/ossec/bin/ossec-authd -p 1515

Feb 21 14:57:38 ip-10-0-196-113.ec2.internal systemd[1]: Starting LSB: Authentication Daemon for OSSEC-HIDS....
Feb 21 14:57:38 ip-10-0-196-113.ec2.internal ossec-hids-authd[7960]: [39B blob data]
Feb 21 14:57:38 ip-10-0-196-113.ec2.internal systemd[1]: PID file /var/run/ossec-authd.pid not readable (yet?) after start.
Feb 21 14:57:38 ip-10-0-196-113.ec2.internal ossec-hids-authd[7960]: 2018/02/21 14:57:38 ossec-authd: INFO: Started (pid: 7966).
```

ddpbsd commented 6 years ago

And it's not running after that? Nothing listening on port 1515? Which version of OSSEC?

shivam99aa commented 6 years ago

ossec 2.9.3. When I do `ps -ef|grep ossec` then I can see ossec running, but systemctl keeps on failing, which is an issue. So my ansible scripts are dying due to this.

ddpbsd commented 6 years ago

I'll have to try and figure out how systemctl is trying to run authd. It's not really built to be a long-running daemon or anything.

shivam99aa commented 6 years ago

But if I want to register agents automatically without user involvement then I suppose authd is the solution.

shivam99aa commented 6 years ago

So if I understand correctly ossec-authd is getting started correctly but it is not generating any pid file due to which systemd is failing as it cannot find any pid file.

shivam99aa commented 6 years ago

From more debugging I understand that ossec-authd is creating the pid file in /var/ossec/var/run/ while systemctl is searching for it in /var/run, thus failing.

shivam99aa commented 6 years ago

@ddpbsd This line present in the init script for ossec-hids-authd is causing the issue:

```
# pidfile: /var/run/ossec-authd.pid
```

This makes systemd think that the pid file is present here; please remove this in your next release. After removing this line I was able to run ossec-hids-authd perfectly from the init script.

the6thBook commented 5 years ago

I had to add:

```
PIDFILE=ossec-authd.pid
```

to get it to work.

steowens commented 3 years ago

None of these solutions works for me. How hard is it to write a SystemD service file anyhow?

steowens commented 3 years ago

Solved. Edit the init.d script as follows:

Change:

```
# pidfile: /var/ossec/var/run/ossec-authd.pid
```

To:

```
#### pidfile: /var/ossec/var/run/ossec-authd.pid
```

Add:

```
PIDFILE=/var/ossec/var/run/ossec-authd.pid
```

below:

```
PIDDIR=/var/ossec/var/run
```
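The mismatch diagnosed in this thread can be checked before a deployment hangs on it. The script below is an added example, not part of the issue or of OSSEC: it reads the `# pidfile:` header from an init script and reports whether that file exists and holds a live PID. The function names and the temporary paths used in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OSSEC code): compare the PID file an init script
# advertises in its "# pidfile:" header with what is actually on disk.

# Print the path from the first "# pidfile:" header line. Only a single
# leading "#" counts, so "#### pidfile:" is reported as not declared.
declared_pidfile() {
    sed -n 's/^[[:space:]]*#[[:space:]]*pidfile:[[:space:]]*//p' "$1" | head -n 1
}

# Print "none", "missing PATH", "stale PATH" or "ok PATH".
# Returns 0 for "none" and "ok", 1 otherwise. Run as root (or as the
# daemon's user) so that kill -0 can probe the process.
check_pidfile() {
    path=$(declared_pidfile "$1")
    if [ -z "$path" ]; then echo "none"; return 0; fi
    if [ ! -r "$path" ]; then echo "missing $path"; return 1; fi
    pid=$(tr -cd '0-9' < "$path")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo "ok $path"; return 0
    fi
    echo "stale $path"; return 1
}

# Constructed demo: the header points at var/run while the daemon writes
# under var/ossec/var/run, mirroring the report in this thread.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/var/run" "$d/var/ossec/var/run"
    printf '#!/bin/sh\n# pidfile: %s/var/run/ossec-authd.pid\n' "$d" > "$d/init"
    echo $$ > "$d/var/ossec/var/run/ossec-authd.pid"
    check_pidfile "$d/init"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo || true
```

On a real host, pass the init script path (for example `check_pidfile /etc/init.d/ossec-hids-authd`) after starting the daemon by hand; a `missing` result means the header and the daemon disagree about the location.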