Hi all,
Recently, I installed IntelMQ on a CentOS 7.4 host (fully patched) and I see some "errors" in the official IntelMQ rpm packages installed from http://download.opensuse.org/repositories/home:/sebix:/intelmq/CentOS_7/.
a/ /etc/cron.d/intelmq-update-data. Content is:
# /etc/cron.d/intelmq-update-data: crontab fragment for intelmq
# This updates the data files used by some expert bots.
#
# m h dom mon dow command
# Update data for tor_nodes bot:
11 0 * * * intelmq /usr/bin/update-tor-nodes /var/lib/intelmq/bots/tor_nodes/tor_nodes.dat
# Update data for maxmind_geoip bot:
17 0 * * * intelmq /usr/bin/update-geoip-data /var/lib/intelmq/bots/maxmind_geoip/GeoLite2-City.mmdb
# Update data for asn_lookup bot:
23 0 * * * intelmq /usr/bin/update-asn-data /var/lib/intelmq/bots/asn_lookup/ipasn.dat
# Update data for the RIPE DB abuse_c offline contact lookup
25 6 * * * intelmq /usr/bin/update-ripencc_abuse_contact_offline /var/lib/intelmq/bots/ripencc_abuse_contact_offline/
Where are these scripts: update-tor-nodes, update-geoip-data, update-asn-data and update-ripencc_abuse_contact_offline? They don't exist on my system. But intelmq-update-asn-data, intelmq-update-geoip-data and intelmq-update-tor-nodes do exist (not ripe).
b/ /etc/logrotate.d/intelmq. Content is:
compress
delaycompress
copytruncate
create 640 intelmq intelmq

/var/log/intelmq/*.log {
    su intelmq intelmq
    daily
    maxsize 10M
    rotate 60
    notifempty
    sharedscripts
    postrotate
        /usr/bin/intelmqctl reload --quiet
    endscript
}

/var/lib/intelmq/bots/file-output/*.txt {
    su intelmq intelmq
    daily
    maxsize 10M
    rotate 60
    notifempty
    sharedscripts
    postrotate
        /usr/bin/intelmqctl reload file-output --quiet
    endscript
}
... but it returns the following error by email:
From root@cosintelmq.mydomain.com Mon Nov 13 08:29:04 2017
Return-Path: root@cosintelmq.mydomain.com
X-Original-To: root
Delivered-To: root@cosintelmq.mydomain.com
From: Anacron root@cosintelmq.mydomain.com
To: root@cosintelmq.mydomain.com
Content-Type: text/plain; charset="UTF-8"
Subject: Anacron job 'cron.daily' on cosintelmq.mydomain.com
Date: Mon, 13 Nov 2017 08:29:04 +0000 (UTC)
Status: R
/etc/cron.daily/logrotate:
intelmqctl: Running intelmqctl as root is highly discouraged!
usage: intelmqctl [-h] [-v] [--type {text,json}] [--quiet]
                  {list,check,clear,log,run,help,start,stop,restart,reload,status,enable,disable} ...
intelmqctl: error: unrecognized arguments: --quiet
error: error running shared postrotate script for '/var/log/intelmq/*.log '
Maybe it is more correct to do this:
- /usr/bin/intelmqctl reload --quiet
+ su -m intelmq -c '/usr/bin/intelmqctl reload --quiet'
- /usr/bin/intelmqctl reload file-output --quiet
+ su -m intelmq -c '/usr/bin/intelmqctl reload file-output --quiet'
??
Thanks.
Hi,
thanks for reporting this!
On 11/13/2017 09:54 AM, C. L. Martinez wrote:
Where are these scripts: update-tor-nodes, update-geoip-data, update-asn-data and update-ripencc_abuse_contact_offline? They don't exist in my system. But exists intelmq-update-asn-data, intelmq-update-geoip-data and intelmq-update-tor-nodes (not ripe).
I fixed the paths and removed the update-ripencc_abuse_contact_offline line, that only exists in a fork currently.
Maybe it is more correct to do this:
- /usr/bin/intelmqctl reload --quiet
- su -m intelmq -c ' /usr/bin/intelmqctl reload --quiet'
- /usr/bin/intelmqctl reload file-output --quiet
- su -m intelmq -c '/usr/bin/intelmqctl reload file-output --quiet' ??
--quiet needs to be between the executable (intelmqctl) and the first positional argument (reload).
I pushed the packages with these fixes (also in git in the branch maintenance) which are now available in the repositories, so please just update with your package manager.
Sebastian
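The argument-order point above, as an added example that is not from this thread or the IntelMQ project: a Python argparse parser built to mirror the usage line in the quoted error (subcommand names and global options taken from that message; the optional bot-id positional is an assumption), plus a check that scans the postrotate commands of a constructed logrotate fragment and reports which arguments intelmqctl would reject.

```python
import argparse
import shlex

# Subcommand names and global options are copied from the usage line in the
# quoted error; the optional bot-id positional is an assumption.
SUBCOMMANDS = ["list", "check", "clear", "log", "run", "help", "start",
               "stop", "restart", "reload", "status", "enable", "disable"]

def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(prog="intelmqctl")
    parser.add_argument("-v", action="store_true")
    parser.add_argument("--type", choices=["text", "json"])
    parser.add_argument("--quiet", action="store_true")
    sub = parser.add_subparsers(dest="command")
    for name in SUBCOMMANDS:
        sub.add_parser(name).add_argument("bot_id", nargs="?")
    return parser

def unrecognized(argv: list) -> list:
    """Arguments argparse would reject for this command line.

    parse_known_args returns the leftovers instead of printing usage and
    exiting, as the real tool did under logrotate. A global option placed
    after the subcommand goes to the subparser, which does not know it.
    """
    _, extra = build_parser().parse_known_args(argv)
    return extra

# Constructed logrotate fragment: the broken line from the thread next to
# the corrected order (global option before the positional subcommand).
LOGROTATE_FRAGMENT = """\
/var/log/intelmq/*.log {
    postrotate
        /usr/bin/intelmqctl reload --quiet
    endscript
}
/var/lib/intelmq/bots/file-output/*.txt {
    postrotate
        /usr/bin/intelmqctl --quiet reload file-output
    endscript
}
"""

def check_postrotate(fragment: str) -> dict:
    """Map each intelmqctl command in the fragment to its rejected arguments."""
    findings = {}
    for line in fragment.splitlines():
        words = shlex.split(line)
        if words and words[0].endswith("intelmqctl"):
            findings[line.strip()] = unrecognized(words[1:])
    return findings
```

An empty list for a command means argparse accepts it; anything else is what the "unrecognized arguments" line in the Anacron mail would report.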
Many thanks Sebastian
On Mon, Nov 13, 2017 at 6:15 PM, Sebastian Wagner wagner@cert.at wrote:
--
// Sebastian Wagner wagner@cert.at - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// An initiative of nic.at GmbH - https://www.nic.at/
// Company register number 172568b, LG Salzburg