
I just upgraded from Debian 10 to Debian 11 using these instructions. Everything seems to have worked smoothly, except maldet is failing.

This is the error:

maldet[2117]: maldet(2117): {mon} kernel does not support inotify(), aborting
systemd[1]: maldet.service: Can't open PID file /usr/local/maldetect/tmp/inotifywait.pid (yet?) after start: Operation not permitted 
systemd[1]: maldet.service: Failed with result 'protocol'.
systemd[1]: Failed to start Linux Malware Detect monitoring - maldet.

My /usr/lib/systemd/system/maldet.service file contains:

[Unit]
Description=Linux Malware Detect monitoring - maldet
After=network.target

[Service]
EnvironmentFile=/usr/local/maldetect/conf.maldet
ExecStart=/usr/local/maldetect/maldet --monitor USERS
ExecStop=/usr/local/maldetect/maldet --kill-monitor
Type=forking
PIDFile=/usr/local/maldetect/tmp/inotifywait.pid
[Install]
WantedBy=multi-user.target

Prior to my update, I verified all services were working properly, and during the update I chose "N" (no), declining to replace my custom config files... so nothing should have changed.

Also, I am using Linux 5.10.0-8-amd64 & maldet 1.6.4.

Can someone help me figure this out? Thanks

Maestro223
  • `kernel does not support inotify` does not make sense, as it is very unlikely that the Debian maintainers would have made such a mistake in building the kernel and not have millions of people complaining. Something else is going on with your system. Did you actually **review** the new configuration files to see if there were changes you need to make? – Michael Hampton Sep 11 '21 at 23:51
  • @MichaelHampton The first thing I did trying to troubleshoot this was review my installation guide and settings. Nothing has changed. I even compared my test server config files to my prod server config files, where maldet still works on prod. – Maestro223 Sep 12 '21 at 02:29
  • Edited above. I am running maldet 1.6.4 on both prod and test. inotifywait is present at /usr/bin/inotifywait, and /usr/local/maldetect/conf.maldet is still my customized version on both test and prod... hence, my confusion. – Maestro223 Sep 12 '21 at 03:02
  • seems that maldet was installed not using debian packages, but "manually" - I would try to rebuild/reinstall it to see if that helps. also it might be useful to check /usr/local/maldetect/tmp/ for permissions or other issues - seems that maldet can't create a file (pid) there. – Martynas Saint Sep 12 '21 at 07:29
  • @MartynasSaint can you provide instructions for installing maldet via debian packages. Every set of installation that I have found all use manual installation. FYI, permissions for /usr/local/maldetect/tmp/ are still exactly the same between prod and test. – Maestro223 Sep 12 '21 at 12:10
  • I guess there is no official Debian package, so you have to do it yourself if you want to go that route. By test server you mean Debian 11 and prod Debian 10? Btw, what happens when you run it manually, like: /usr/local/maldetect/maldet --monitor USERS ? – Martynas Saint Sep 12 '21 at 14:39

1 Answer


The issue is the condition in the file /usr/local/maldetect/internals/functions:

# From maldet's internals/functions: the monitor refuses to start unless it
# finds inotify symbols in System.map or, failing that, CONFIG_INOTIFY in
# the kernel config for the running kernel.
if [ -f "/boot/System.map-$(uname -r)" ]; then
    ksup=`grep -i inotify_ /boot/System.map-$(uname -r)`
    if [ -z "$ksup" ]; then
        eout "{mon} kernel does not support inotify(), aborting." 1
        exit
    fi
elif [ -f "/boot/config-$(uname -r)" ]; then
    ksup=`grep -m1 CONFIG_INOTIFY /boot/config-$(uname -r)`
    if [ -z "$ksup" ]; then
        eout "{mon} kernel does not support inotify(), aborting." 1
        exit
    fi
fi

It's doing grep on the file /boot/System.map-$(uname -r), but in Debian 11 the content of that file is only:

ffffffffffffffff B The real System.map is in the linux-image-<version>-dbg package

I see two quick solutions. The first one is to check the proper file:

  • Install the dbg package for the running kernel with this command: apt install linux-image-$(uname -r)-dbg
  • Replace the file path in the condition to point to the good one with: sed -i 's#/boot/System.map#/lib/debug/boot/System.map#' /usr/local/maldetect/internals/functions

To avoid installing the dbg package, the other solution is to remove the first condition and only use the second one, which checks /boot/config-$(uname -r).

I used the first one to test; Maldetect is starting now. Both solutions should work while waiting for a definitive fix.

Regards

camillepr
  • Thanks for this.. I will give it a try and let you know... – Maestro223 Sep 29 '21 at 22:46
  • This solution worked like a charm... thanks. – Maestro223 Oct 02 '21 at 03:56
  • Hi there.. unfortunately, I had to migrate to a new server (Ubuntu 20.04), and I have encountered this problem again. However, neither solution above works. 1.) I cannot install the dbg package (E: Unable to locate package linux-image-5.4.0-109-generic-dbg), and 2.) only using the second solution just didn't work. Any other suggestions? – Maestro223 May 11 '22 at 07:34
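A more defensive version of the check from the answer, added here as an example; it is not maldet's code and not part of any post on this page. It asks the running kernel first (the fs.inotify sysctls under /proc/sys/fs/inotify exist only when inotify is built in, which needs no file under /boot and so also covers the Ubuntu case in the last comment), then the packaged config, and only then a System.map that does not carry the Debian stub text. The function names and the file-path parameters are my own, chosen so the logic can be exercised on constructed files.

```shell
#!/bin/sh
# Added example, not maldet's own code: an inotify capability check that
# refuses to trust a placeholder System.map. Paths are parameters so the
# functions run on constructed files; with no arguments they use live defaults.

# Return 0 when the System.map at $1 is the Debian 11 stub (a single line,
# "ffffffffffffffff B The real System.map is in the linux-image-<version>-dbg package")
# or is far too short to be a real symbol table; 1 when it looks genuine.
is_placeholder_map() {
    map="$1"
    grep -q 'The real System.map is in' "$map" && return 0
    [ "$(wc -l < "$map")" -lt 100 ] && return 0
    return 1
}

# Return 0 when inotify support is confirmed, 1 when it is confirmed absent,
# 2 when no source on the host can tell. Arguments (all optional): sysctl
# directory, kernel config file, System.map file.
kernel_has_inotify() {
    sysdir="${1:-/proc/sys/fs/inotify}"
    cfg="${2:-/boot/config-$(uname -r)}"
    map="${3:-/boot/System.map-$(uname -r)}"

    # 1. The running kernel registers the fs.inotify.* sysctls only when
    #    CONFIG_INOTIFY_USER is built in: strongest evidence, and it needs
    #    nothing under /boot, so no -dbg package is required anywhere.
    [ -r "$sysdir/max_user_watches" ] && return 0

    # 2. The packaged kernel config, shipped without any -dbg package.
    if [ -f "$cfg" ]; then
        grep -q '^CONFIG_INOTIFY_USER=y' "$cfg" && return 0
        return 1
    fi

    # 3. Only now consult System.map, and only if it is a real symbol table.
    if [ -f "$map" ] && ! is_placeholder_map "$map"; then
        grep -qi 'inotify_' "$map" && return 0
        return 1
    fi
    return 2
}

# Report on the running kernel; a monitor should abort on 1, not on 2.
kernel_has_inotify; rc=$?
case "$rc" in
    0) echo "inotify: supported" ;;
    1) echo "inotify: not supported" ;;
    *) echo "inotify: could not be determined from this host" ;;
esac
```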