Checking directory : not found [FAILED]
That means you have a blank entry in your admin users setting. Check to make sure you don't have a blank entry, for example:
sh: /proc/sys/fs/inotify/max_user_watches: Permission denied
cmd_system ERROR: '/bin/echo 16384 > /proc/sys/fs/inotify/max_user_watches >/dev/null 2>&1 (1)'
This means that ASL cannot increase the number of inotify "watches" on the system. The Linux inotify subsystem provides a mechanism for monitoring filesystem events. It can be used to monitor individual files or to monitor directories. When a directory is monitored, inotify returns events for the directory itself and for files inside the directory. ASL uses inotify to monitor the file system for changes to software, configuration files and other sensitive parts of the operating system in real time.
This error generally occurs on a VPS system where inotify limits are set on the host and cannot be changed on the guest. Keep in mind that a watch is required for each file in the directory being watched. By default those directories are:
/etc /var/ossec/active-response /var/ossec/etc /var/ossec/agentless /bin /lib /lib64 /opt /sbin /usr/bin /usr/lib /usr/lib64 /usr/local/bin /usr/local/lib /usr/local/sbin
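Before choosing between the two options below, it helps to measure how far the current limit is from what the default directories need. The following script is an added example, not part of ASL: it applies the rule stated above (one watch per entry), counts files and directories under the default list, and compares the total with /proc/sys/fs/inotify/max_user_watches. The function names and the --report switch are made up for this example.

```shell
#!/bin/sh
# Added example: estimate inotify watches needed vs. the kernel limit.
# Directory list copied from the default real-time watch list on this page.
DEFAULT_DIRS="/etc /var/ossec/active-response /var/ossec/etc /var/ossec/agentless
/bin /lib /lib64 /opt /sbin /usr/bin /usr/lib /usr/lib64
/usr/local/bin /usr/local/lib /usr/local/sbin"

# Count every file and directory under the given paths; missing paths are
# skipped and symlinked paths (e.g. /bin -> /usr/bin) are not followed.
# Assumption: one watch per entry, as the page states, so this is an upper bound.
count_entries() {
    total=0
    for d in "$@"; do
        [ -d "$d" ] || continue
        n=$(find "$d" -xdev \( -type f -o -type d \) 2>/dev/null | wc -l)
        total=$((total + n))
    done
    echo "$total"
}

# Print the current limit; returns non-zero if the file cannot be read.
read_limit() {
    f=${1:-/proc/sys/fs/inotify/max_user_watches}
    [ -r "$f" ] && cat "$f"
}

# Succeeds when NEEDED fits under LIMIT. Usage: fits_limit NEEDED LIMIT
fits_limit() {
    [ "$1" -le "$2" ]
}

report() {
    needed=$(count_entries $DEFAULT_DIRS)
    limit=$(read_limit) || { echo "cannot read max_user_watches" >&2; return 2; }
    echo "entries under watched directories: $needed"
    echo "fs.inotify.max_user_watches:       $limit"
    if fits_limit "$needed" "$limit"; then
        echo "OK: limit covers the default directories"
    else
        echo "LOW: limit must be raised above $needed (hardware node on a VPS)"
        return 1
    fi
}

# Run the report only when asked, e.g.: sh check_watches.sh --report
if [ "${1:-}" = "--report" ]; then report; fi
```

The limit applies per user and other software on the system may also hold watches, so treat the reported total as the minimum headroom ASL needs rather than the exact value to set.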
1. Increase Inotify Watches on hardware node
On Virtuozzo/OpenVZ/VPS systems it is possible to change the max_user_watches limit on the hardware node only. This will raise the limit for all containers.
Increase the limit on the hardware node:
[root@vz ~]# sysctl -w fs.inotify.max_user_watches=1000000
To save it across reboots, redirect the output to the sysctl configuration file:
[root@vz ~]# sysctl -w fs.inotify.max_user_watches=1000000 >> /etc/sysctl.conf
2. Or remove directories from realtime watches (not recommended)
Please see this article:
Warning: Removing directories from real time watches means ASL will no longer monitor these files for changes nor will it generate alerts or report anything for these directories in the ASL file integrity monitor.
Error: could not find general_firewall_ftp_mod
This means that ASL could not find any FTP modules loaded into the kernel. If this system is a VPS, this is expected behavior: VPS systems do not allow the user (including root) to see which modules are loaded into the kernel. There is no solution to this issue except to check whether the FTP modules are loaded in the VPS host, and that will remain the case until Virtuozzo/OpenVZ allow VPS systems to see the modules loaded into the kernel.
If you are using FTP, we highly recommend that you check the VPS host to confirm the FTP kernel modules are loaded, so that FTP and the firewall rules work properly. Please see this article for information on FTP modules to check for in the VPS host: