
ossec-hids-authd not starting

Open shivam99aa opened this issue 7 years ago • 10 comments

I am trying to start ossec-hids-authd using systemctl but it is not starting. It just hangs when I try to run

sudo /etc/init.d/ossec-hids-authd start
Starting ossec-hids-authd (via systemctl):

When I try to show the status after killing the above command, it shows this:

sudo /etc/init.d/ossec-hids-authd status
● ossec-hids-authd.service - LSB: Authentication Daemon for OSSEC-HIDS.
   Loaded: loaded (/etc/rc.d/init.d/ossec-hids-authd; bad; vendor preset: disabled)
   Active: activating (start) since Wed 2018-02-21 14:57:38 UTC; 4min 53s ago
     Docs: man:systemd-sysv-generator(8)
   CGroup: /system.slice/ossec-hids-authd.service
           └─7966 /var/ossec/bin/ossec-authd -p 1515

Feb 21 14:57:38 ip-10-0-196-113.ec2.internal systemd[1]: Starting LSB: Authentication Daemon for OSSEC-HIDS....
Feb 21 14:57:38 ip-10-0-196-113.ec2.internal ossec-hids-authd[7960]: [39B blob data]
Feb 21 14:57:38 ip-10-0-196-113.ec2.internal systemd[1]: PID file /var/run/ossec-authd.pid not readable (yet?) after start.
Feb 21 14:57:38 ip-10-0-196-113.ec2.internal ossec-hids-authd[7960]: 2018/02/21 14:57:38 ossec-authd: INFO: Started (pid: 7966).

shivam99aa, Feb 21 '18 15:02

And it's not running after that? Nothing listening on port 1515? Which version of OSSEC?

ddpbsd, Feb 21 '18 15:02

OSSEC 2.9.3. When I do ps -ef|grep ossec I can see ossec running, but systemctl keeps on failing, which is an issue. So my ansible scripts are dying due to this.

shivam99aa, Feb 21 '18 16:02

I'll have to try and figure out how systemctl is trying to run authd. It's not really built to be a long-running daemon or anything.

ddpbsd, Feb 21 '18 16:02

But if I want to register agents automatically without user involvement then I suppose authd is the solution.

shivam99aa, Feb 21 '18 16:02

So if I understand correctly, ossec-authd is getting started correctly but it is not generating any pid file, due to which systemd is failing as it cannot find any pid file.

shivam99aa, Feb 21 '18 18:02

From more debugging I understand that ossec-authd is creating the pid file in /var/ossec/var/run/ while systemctl is searching for it in /var/run, thus failing.

shivam99aa, Feb 22 '18 08:02

@ddpbsd This line present in the init script for ossec-hids-authd is causing the issue:

# pidfile: /var/run/ossec-authd.pid

This makes systemd think that the pid file is present here; please remove this in your next release. After removing this line I was able to run ossec-hids-authd perfectly from the init script.

shivam99aa, Feb 22 '18 09:02
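
Added example, not part of the original thread and not OSSEC's own code: systemd-sysv-generator turns the "# pidfile:" comment header of a SysV init script into the generated unit's PIDFile= setting, so this script extracts that header and compares it with the directory the daemon writes its pid file to. The function names and the sample init-script header are constructed for illustration; the two paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: locate the "# pidfile:" header of a SysV init script and
# check that it points into the directory where the daemon writes its pid file.

# Print the path named by the first "# pidfile:" header (empty if none).
# Only a single '#' followed by optional blanks counts, so a line such as
# "#### pidfile: ..." is not treated as a header.
sysv_pidfile_header() {
    sed -n 's/^[[:space:]]*#[[:space:]]*pidfile:[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | head -n 1
}

# Usage: check_pidfile_header INIT_SCRIPT DAEMON_PID_DIR
# Returns 0 when there is no header or the header points into DAEMON_PID_DIR,
# 1 when the header names a path somewhere else.
check_pidfile_header() {
    script=$1
    piddir=${2%/}
    declared=$(sysv_pidfile_header "$script")
    if [ -z "$declared" ]; then
        echo "OK: no pidfile header in $script"
        return 0
    fi
    case $declared in
        "$piddir"/*) echo "OK: $declared is under $piddir"; return 0 ;;
    esac
    echo "MISMATCH: header says $declared, daemon writes under $piddir"
    return 1
}

# Constructed sample header carrying the line quoted in the thread.
demo() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
#!/bin/sh
# chkconfig: 2345 99 15
# description: constructed sample header
# pidfile: /var/run/ossec-authd.pid
PIDDIR=/var/ossec/var/run
EOF
    rc=0
    check_pidfile_header "$tmp" /var/ossec/var/run || rc=$?
    rm -f "$tmp"
    return "$rc"
}

demo || true   # prints the MISMATCH verdict for the constructed sample
```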

I had to add:

PIDFILE=ossec-authd.pid

to get it to work.

the6thBook, Feb 28 '19 16:02

None of these solutions works for me. How hard is it to write a SystemD service file anyhow?

steowens, Nov 11 '20 01:11

Solved. Edit the init.d script as follows:

Change:
# pidfile: /var/ossec/var/run/ossec-authd.pid
To:
#### pidfile: /var/ossec/var/run/ossec-authd.pid

Add:
PIDFILE=/var/ossec/var/run/ossec-authd.pid
below:
PIDDIR=/var/ossec/var/run

steowens, Nov 11 '20 01:11