Update From Debian 10 to Debian 11 Gone Wrong

I just upgraded from Debian 10 to Debian 11 using these instructions. Everything seems to have worked smoothly, except maldet is failing.

This is the error:

maldet[2117]: maldet(2117): {mon} kernel does not support inotify(), aborting
systemd[1]: maldet.service: Can't open PID file /usr/local/maldetect/tmp/inotifywait.pid (yet?) after start: Operation not permitted 
systemd[1]: maldet.service: Failed with result 'protocol'.
systemd[1]: Failed to start Linux Malware Detect monitoring - maldet.

My /usr/lib/systemd/system/maldet.service file contains:

[Unit]
Description=Linux Malware Detect monitoring - maldet
After=network.target

[Service]
EnvironmentFile=/usr/local/maldetect/conf.maldet
ExecStart=/usr/local/maldetect/maldet --monitor USERS
ExecStop=/usr/local/maldetect/maldet --kill-monitor
Type=forking
PIDFile=/usr/local/maldetect/tmp/inotifywait.pid
[Install]
WantedBy=multi-user.target

Prior to my update, I verified all services were working properly, and during the update I chose "N" (no) and declined to replace my custom config files... so nothing should have changed.

Also, I am using Linux 5.10.0-8-amd64 & maldet 1.6.4

Can someone help me figure this out? Thanks


Solution 1:

The issue is the condition in the file /usr/local/maldetect/internals/functions :

if [ -f "/boot/System.map-$(uname -r)" ]; then
    ksup=`grep -i inotify_ /boot/System.map-$(uname -r)`
    if [ -z "$ksup" ]; then
        eout "{mon} kernel does not support inotify(), aborting." 1
        exit
    fi
elif [ -f "/boot/config-$(uname -r)" ]; then
    ksup=`grep -m1 CONFIG_INOTIFY /boot/config-$(uname -r)`
    if [ -z "$ksup" ]; then
        eout "{mon} kernel does not support inotify(), aborting." 1
        exit
    fi
fi

It's doing grep on the file /boot/System.map-$(uname -r), but in Debian 11 the content is: "ffffffffffffffff B The real System.map is in the linux-image-<version>-dbg package".

I see two quick solutions. The first one is to check the proper file:

  • Install dbg package for the running Kernel with this command apt install linux-image-$(uname -r)-dbg
  • Replace the file path of the condition to point to the good one with sed -i 's#/boot/System.map#/lib/debug/boot/System.map#' /usr/local/maldetect/internals/functions

To avoid installing the dbg package, the other solution is to remove the first condition and only use the second one, which checks /boot/config-$(uname -r).

I used the first one to test, and Maldetect is starting now. Both solutions should work while waiting for a definitive fix.

Regards
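
The failure mode described in this answer, reproduced against sample files next to a fall-through variant of the check. This is an added example, not part of the original answer or maldet's own code. The function names, the sample files and the extra /proc/sys/fs/inotify test are assumptions made for illustration.

```bash
#!/bin/bash
# Added example: function names and sample files are hypothetical/constructed.

# Same decision logic as the quoted maldet excerpt: only the first file that
# exists is consulted, so a stub System.map ends the check with "unsupported".
check_original() {  # $1 = System.map path, $2 = kernel config path
    if [ -f "$1" ]; then
        grep -qi 'inotify_' "$1"
    elif [ -f "$2" ]; then
        grep -q -m1 'CONFIG_INOTIFY' "$2"   # also matches "# ... is not set"
    else
        return 0                            # no file found: excerpt does not abort
    fi
}

# Fall-through variant: a System.map without inotify symbols counts as
# "no information", and the config test requires the option to be enabled.
check_fallthrough() {  # $3 = procfs inotify dir (assumed runtime indicator)
    [ -f "$1" ] && grep -qi 'inotify_' "$1" && return 0
    [ -f "$2" ] && grep -q '^CONFIG_INOTIFY_USER=y' "$2" && return 0
    [ -d "${3:-/proc/sys/fs/inotify}" ] && return 0
    return 1
}

# Constructed sample files; the symbol address is made up.
make_samples() {  # $1 = existing directory to write into
    echo 'ffffffffffffffff B The real System.map is in the linux-image-<version>-dbg package' > "$1/System.map-stub"
    echo 'ffffffff81300000 t inotify_free_mark' > "$1/System.map-full"
    printf '%s\n' 'CONFIG_FSNOTIFY=y' 'CONFIG_INOTIFY_USER=y' > "$1/config-on"
    echo '# CONFIG_INOTIFY_USER is not set' > "$1/config-off"
}

demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    for cfg in config-on config-off; do
        check_original "$d/System.map-stub" "$d/$cfg" && o=ok || o=abort
        check_fallthrough "$d/System.map-stub" "$d/$cfg" "$d/no-proc" && f=ok || f=abort
        echo "stub System.map + $cfg: original=$o fall-through=$f"
    done
    rm -rf "$d"
}
demo
```

On a real host the first two arguments would be /boot/System.map-$(uname -r) and /boot/config-$(uname -r), with the third left empty to use /proc/sys/fs/inotify.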