linux-malware-detect
cpulimit bug in LMD v1.6.4
There is a bug in LMD's usage of cpulimit. If it is enabled, the following command is generated to launch find:
/usr/bin/cpulimit -l 50 /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 7 /usr/bin/find "/home\*/\*/public_html/" "/var/www/" "/usr/local/apache/htdocs/" /tmp /var/tmp /dev/shm /var/fcgi_ipc -maxdepth 15 -regextype posix-egrep -type f \( -mtime -1 -o -ctime -1 \) -size +24c -size -6947618c -not -perm 000
It does not work:
Sep 14 06:30:26 oc maldet(6887): {scan} executed eval /usr/bin/cpulimit -l 50 /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 7 /usr/bin/find "/home\*/\*/public_html/" "/var/www/" "/usr/local/apache/htdocs/" /tmp /var/tmp /dev/shm /var/fcgi_ipc -maxdepth 15 -regextype posix-egrep -type f \( -mtime -1 -o -ctime -1 \) -size +24c -size -6947618c -not -perm 000
Sep 14 06:30:26 oc maldet(6887): {scan} scan returned empty file list; check that path exists, contains files in days range or files in scope of configuration.
The following command should be used instead: /usr/bin/cpulimit -l 50 -- /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 7 /usr/bin/find...
Pay attention to the double dash after cpulimit and before nice.
Well, it seems that LMD works with cpulimit correctly only if you install the binary from https://github.com/opsengine/cpulimit. The behavior and CLI syntax of the same binary from the Debian packages differ considerably and break the functioning of LMD.
There are two incompatible releases of cpulimit: http://limitcpu.sourceforge.net/ https://github.com/opsengine/cpulimit
The latter is a fork of the former but has not been updated since 2015. The first one is used in the Debian packages; the second in LMD.
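As an added example (not LMD's own code), the following POSIX shell functions pick the command-line form that matches the installed cpulimit variant, so the "--" separator is inserted only for the limitcpu (Debian) build. It assumes that the limitcpu help text contains "[-- PROGRAM]" as quoted later in this thread, and that the opsengine build's help text does not; the opsengine help line used in the test is constructed for illustration.

```shell
#!/bin/sh
# Added example: build the cpulimit prefix LMD places in front of find,
# choosing between the two incompatible cpulimit command-line syntaxes.

# Classify a cpulimit binary from its --help output.
# Assumption: only the limitcpu variant advertises "[-- PROGRAM]".
# Prints "limitcpu" or "opsengine".
cpulimit_variant() {
  help_text="$1"
  case "$help_text" in
    *"[-- PROGRAM]"*) echo limitcpu ;;
    *)                echo opsengine ;;
  esac
}

# Build the command prefix for a given variant and CPU limit (percent).
# limitcpu needs "--" before the program it should launch; opsengine
# takes the program directly after its own options.
cpulimit_prefix() {
  variant="$1"
  limit="$2"
  if [ "$variant" = limitcpu ]; then
    echo "/usr/bin/cpulimit -l $limit -- /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 7"
  else
    echo "/usr/bin/cpulimit -l $limit /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 7"
  fi
}

# Probe the installed binary (if any) and print the matching prefix.
# Falls back to the opsengine form, which is what LMD generates today.
detect_and_build() {
  limit="${1:-50}"
  if command -v cpulimit >/dev/null 2>&1; then
    help="$(cpulimit --help 2>&1 || true)"
    variant="$(cpulimit_variant "$help")"
  else
    variant=opsengine
  fi
  cpulimit_prefix "$variant" "$limit"
}
```

Running detect_and_build 50 on a host with the Debian package prints the corrected form with the double dash; on a host with the opsengine build it prints the form LMD already uses.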
Further to this bug, it looks like the Debian version of cpulimit isn't compatible with inotify_cpulimit either. When inotify_cpulimit is set, the maldet service will fail to start. Looking at the inotify_log, it looks like maldet is calling the wrong options, as this is what is in the inotify_log after starting:
cat /usr/local/maldetect/logs/inotify_log
CPUlimit version 2.4
Usage: /usr/bin/cpulimit TARGET [OPTIONS...] [-- PROGRAM]
TARGET must be exactly one of these:
-p, --pid=N pid of the process
-e, --exe=FILE name of the executable program file
The -e option only works when
cpulimit is run with admin rights.
-P, --path=PATH absolute path name of the
executable program file
OPTIONS
-b --background run in background
-f --foreground launch target process in foreground and wait for it to exit
-c --cpu=N override the detection of CPUs on the machine.
-l, --limit=N percentage of cpu allowed from 1 up.
Usually 1 - 200, but can be higher
on multi-core CPUs (mandatory)
-m, --monitor-forks Watch children/forks of the target process
-q, --quiet run in quiet mode (only print errors).
-k, --kill kill processes going over their limit
instead of just throttling them.
-r, --restore Restore processes after they have
been killed. Works with the -k flag.
-s, --signal=SIG Send this signal to the watched process when cpulimit exits.
Signal should be specificed as a number or
SIGTERM, SIGCONT, SIGSTOP, etc. SIGCONT is the default.
-v, --verbose show control statistics
-z, --lazy exit if there is no suitable target process,
or if it dies
-- This is the final CPUlimit option. All following
options are for another program we will launch.
-h, --help display this help and exit
With all these bugs and the fact that there is no EPEL package for cpulimit for CentOS/RHEL 8, my vote is to just remove the scan_cpulimit and inotify_cpulimit options in LMD 1.6.5. What do you think @rfxn ?
I have preferred to disable cpulimit in LMD entirely. I use it only under Debian.