Running maldet -d from the command line, or having autoupdate_version enabled in the config (using maldet 1.6.5), will stop the maldet service, putting it into a failed state that needs a restart (if maldet is updated).
Before running the update:
systemctl status maldet
● maldet.service - Linux Malware Detect monitoring - maldet
Loaded: loaded (/usr/lib/systemd/system/maldet.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2023-03-31 04:16:08 MDT; 22h ago
Main PID: 18667 (inotifywait)
CGroup: /system.slice/maldet.service
├─18667 /usr/bin/inotifywait -r --fromfile /usr/local/maldetect/sess/inotify.paths.16462 --exclude (^/var/tmp/mysql.sock$|^/tmp/mysql.sock$|^/var/cache/buagent/md0.cache.data$|^/var/tmp/#sql-.*$|^/tmp/#sql-.*$|^/tmp/systemd-private-*|^/tmp/cl...
├─18683 bash /usr/local/maldetect/maldet --monitor users
└─19142 sleep 30
Mar 31 04:16:03 server.example.com maldet[16462]: (C) 2002-2023, R-fx Networks <proj@rfxn.com>
Mar 31 04:16:03 server.example.com maldet[16462]: (C) 2023, Ryan MacDonald <ryan@rfxn.com>
Mar 31 04:16:03 server.example.com maldet[16462]: This program may be freely redistributed under the terms of the GNU GPL v2
Mar 31 04:16:05 server.example.com maldet[16462]: maldet(16462): {mon} added /dev/shm to inotify monitoring array
Mar 31 04:16:05 server.example.com maldet[16462]: maldet(16462): {mon} added /var/tmp to inotify monitoring array
Mar 31 04:16:05 server.example.com maldet[16462]: maldet(16462): {mon} added /tmp to inotify monitoring array
Mar 31 04:16:05 server.example.com maldet[16462]: maldet(16462): {mon} starting inotify process on 3 paths, this might take awhile...
Mar 31 04:16:08 server.example.com maldet[16462]: maldet(16462): {mon} inotify startup successful (pid: 18667)
Mar 31 04:16:08 server.example.com maldet[16462]: maldet(16462): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log
Mar 31 04:16:08 server.example.com systemd[1]: Started Linux Malware Detect monitoring - maldet.
Running the update:
# maldet -d
Linux Malware Detect v1.6.5
(C) 2002-2023, R-fx Networks <proj@rfxn.com>
(C) 2023, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(19177): {update} checking for available updates...
maldet(19177): {update} hashing install files and checking against server...
maldet(19177): {update} version check shows latest but hash check failed, forcing update...
maldet(19177): {update} verified md5sum of maldetect-current.tar.gz
maldet(19177): {update} completed update v1.6.5 cd06ce => v1.6.5 6b340a, running signature updates...
maldet(19908): {sigup} performing signature update check...
maldet(19908): {sigup} local signature set is version 202304011147602
maldet(19908): {sigup} latest signature set already installed
maldet(19177): {update} update and config import completed
After running the update:
# systemctl status maldet
● maldet.service - Linux Malware Detect monitoring - maldet
Loaded: loaded (/usr/lib/systemd/system/maldet.service; enabled; vendor preset: disabled)
Active: failed (Result: signal) since Sat 2023-04-01 02:54:05 MDT; 13s ago
Main PID: 18667 (code=killed, signal=KILL)
Mar 31 04:16:05 server.example.com maldet[16462]: maldet(16462): {mon} added /dev/shm to inotify monitoring array
Mar 31 04:16:05 server.example.com maldet[16462]: maldet(16462): {mon} added /var/tmp to inotify monitoring array
Mar 31 04:16:05 server.example.com maldet[16462]: maldet(16462): {mon} added /tmp to inotify monitoring array
Mar 31 04:16:05 server.example.com maldet[16462]: maldet(16462): {mon} starting inotify process on 3 paths, this might take awhile...
Mar 31 04:16:08 server.example.com maldet[16462]: maldet(16462): {mon} inotify startup successful (pid: 18667)
Mar 31 04:16:08 server.example.com maldet[16462]: maldet(16462): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log
Mar 31 04:16:08 server.example.com systemd[1]: Started Linux Malware Detect monitoring - maldet.
Apr 01 02:54:05 server.example.com systemd[1]: maldet.service: main process exited, code=killed, status=9/KILL
Apr 01 02:54:05 server.example.com systemd[1]: Unit maldet.service entered failed state.
Apr 01 02:54:05 server.example.com systemd[1]: maldet.service failed.
The auto updater should check if the maldet service was enabled and running before the update, then restart it again after the upgrade.
P.S. You should also note that after the upgrade from 1.6.4 to 1.6.5, autoupdate_version is enabled in the config even if it was turned off before the upgrade.
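Until the updater handles this itself, the check-and-restart behaviour requested above can be wrapped around `maldet -d`. The script below is an added example, not code from the report or from the maldet project; the function names, the `SYSTEMCTL`/`MALDET`/`MALDET_CONF`/`UNIT` override variables, the config path `/usr/local/maldetect/conf.maldet` and the `key="value"` config format are assumptions.

```shell
#!/usr/bin/env bash
# Added example: keep real-time monitoring alive across `maldet -d` and
# flag a silent change of autoupdate_version. Names and paths are assumptions.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
MALDET="${MALDET:-maldet}"
MALDET_CONF="${MALDET_CONF:-/usr/local/maldetect/conf.maldet}"  # assumed default path
UNIT="${UNIT:-maldet.service}"

# Print the current autoupdate_version value (empty if the key is absent).
get_autoupdate_version() {
    sed -n 's/^autoupdate_version=//p' "$MALDET_CONF" 2>/dev/null \
        | tr -d '"' | tail -n 1
}

# Run the update; restart the unit only if it was active before and is not
# active afterwards. Returns maldet's exit code, or 2 if the restart failed.
safe_maldet_update() {
    local was_active=0 av_before av_after rc=0

    "$SYSTEMCTL" is-active --quiet "$UNIT" && was_active=1
    av_before="$(get_autoupdate_version)"

    "$MALDET" -d || rc=$?

    # The report notes this setting was re-enabled by the 1.6.4 -> 1.6.5 upgrade.
    av_after="$(get_autoupdate_version)"
    if [ "$av_before" != "$av_after" ]; then
        echo "WARN: autoupdate_version changed from '$av_before' to '$av_after'" >&2
    fi

    # The monitor (inotifywait main PID) is killed during the update, which
    # leaves the unit in the failed state shown in the status output above.
    if [ "$was_active" -eq 1 ] && ! "$SYSTEMCTL" is-active --quiet "$UNIT"; then
        echo "INFO: $UNIT was active before the update; restarting" >&2
        "$SYSTEMCTL" restart "$UNIT" || return 2
        "$SYSTEMCTL" is-active --quiet "$UNIT" || return 2
    fi
    return "$rc"
}
```

Call `safe_maldet_update` from a root cron job or maintenance script in place of a bare `maldet -d`; a return value of 2 means monitoring is down and needs attention.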