[Intelmq-dev] Regarding rpm packages for RHEL/CentOS
C. L. Martinez
carlopmart at gmail.com
Mon Nov 13 09:54:00 CET 2017
Hi all,

Recently, I installed IntelMQ on a CentOS 7.4 host (fully
patched) and I see some "errors" in the official IntelMQ rpm packages
installed from http://download.opensuse.org/repositories/home:/sebix:/intelmq/CentOS_7/.

a/ /etc/cron.d/intelmq-update-data. Content is:
# /etc/cron.d/intelmq-update-data: crontab fragment for intelmq
# This updates the data files used by some expert bots.
#
# m h dom mon dow command
# Update data for tor_nodes bot:
11 0 * * * intelmq /usr/bin/update-tor-nodes /var/lib/intelmq/bots/tor_nodes/tor_nodes.dat
# Update data for maxmind_geoip bot:
17 0 * * * intelmq /usr/bin/update-geoip-data /var/lib/intelmq/bots/maxmind_geoip/GeoLite2-City.mmdb
# Update data for asn_lookup bot:
23 0 * * * intelmq /usr/bin/update-asn-data /var/lib/intelmq/bots/asn_lookup/ipasn.dat
# Update data for the RIPE DB abuse_c offline contact lookup
25 6 * * * intelmq /usr/bin/update-ripencc_abuse_contact_offline /var/lib/intelmq/bots/ripencc_abuse_contact_offline/
Where are these scripts: update-tor-nodes, update-geoip-data,
update-asn-data and update-ripencc_abuse_contact_offline? They don't
exist on my system. But intelmq-update-asn-data,
intelmq-update-geoip-data and intelmq-update-tor-nodes do exist (not ripe).

b/ /etc/logrotate.d/intelmq. Content is:
compress
delaycompress
copytruncate
create 640 intelmq intelmq
/var/log/intelmq/*.log {
    su intelmq intelmq
    daily
    maxsize 10M
    rotate 60
    notifempty
    sharedscripts
    postrotate
        /usr/bin/intelmqctl reload --quiet
    endscript
}
/var/lib/intelmq/bots/file-output/*.txt {
    su intelmq intelmq
    daily
    maxsize 10M
    rotate 60
    notifempty
    sharedscripts
    postrotate
        /usr/bin/intelmqctl reload file-output --quiet
    endscript
}
... but returns the following email error:
From root at cosintelmq.mydomain.com Mon Nov 13 08:29:04 2017
Return-Path: <root at cosintelmq.mydomain.com>
X-Original-To: root
Delivered-To: root at cosintelmq.mydomain.com
From: Anacron <root at cosintelmq.mydomain.com>
To: root at cosintelmq.mydomain.com
Content-Type: text/plain; charset="UTF-8"
Subject: Anacron job 'cron.daily' on cosintelmq.mydomain.com
Date: Mon, 13 Nov 2017 08:29:04 +0000 (UTC)
Status: R
/etc/cron.daily/logrotate:
intelmqctl: Running intelmqctl as root is highly discouraged!
usage: intelmqctl [-h] [-v] [--type {text,json}] [--quiet]
{list,check,clear,log,run,help,start,stop,restart,reload,status,enable,disable}
...
intelmqctl: error: unrecognized arguments: --quiet
error: error running shared postrotate script for '/var/log/intelmq/*.log '
Maybe it is more correct to do this:
- /usr/bin/intelmqctl reload --quiet
+ su -m intelmq -c ' /usr/bin/intelmqctl reload --quiet'
- /usr/bin/intelmqctl reload file-output --quiet
+ su -m intelmq -c '/usr/bin/intelmqctl reload file-output --quiet' ??
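Review bot: Both replacement lines still pass --quiet after the subcommand (reload --quiet and reload file-output --quiet), while the usage text in the quoted error lists [--quiet] before the {list,...,reload,...} subcommand, so the "unrecognized arguments: --quiet" failure would remain when the command runs under su. The su wrapper only addresses the "Running intelmqctl as root is highly discouraged!" warning, which shows the postrotate script is executed as root despite the "su intelmq intelmq" directive. Consider also moving the option ahead of the subcommand, following the printed usage (intelmqctl --quiet reload), and dropping the stray leading space inside the first quoted command.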
Thanks.