From patchwork Tue Sep 10 14:37:21 2024
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 8098
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH 08/20] suricata: Add a watcher to restart on unexpected termination
Date: Tue, 10 Sep 2024 14:37:21 +0000
Message-Id: <20240910143748.3469271-9-michael.tremer@ipfire.org>
In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org>
References: <20240910143748.3469271-1-michael.tremer@ipfire.org>
List-Id: IPFire development talk

This patch adds a watcher process that will restart suricata when it is being killed by SIGKILL (e.g. by the OOM killer) or after a SEGV.

Signed-off-by: Michael Tremer

--- config/rootfiles/common/suricata | 1 + config/suricata/suricata-watcher | 55 ++++++++++++++++++++++++++++++++ lfs/suricata | 3 ++ src/initscripts/system/suricata | 16 ++-------- 4 files changed, 61 insertions(+), 14 deletions(-) create mode 100644 config/suricata/suricata-watcher diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 53224d006..8fe53f7e6 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata @@ -1,6 +1,7 @@ etc/suricata etc/suricata/suricata.yaml usr/bin/suricata +usr/bin/suricata-watcher usr/sbin/convert-ids-backend-files #usr/share/doc/suricata #usr/share/doc/suricata/AUTHORS 
diff --git a/config/suricata/suricata-watcher b/config/suricata/suricata-watcher new file mode 100644 index 000000000..a1a13d40c --- /dev/null +++ b/config/suricata/suricata-watcher @@ -0,0 +1,55 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A Linux-based Firewall # +# Copyright (C) 2024 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +PIDFILE="/var/run/suricata.pid" + +main() { + local ret + + while :; do + # Launch suricata + /usr/bin/suricata "$@" &>/dev/null + + # Wait until suricata is done + ret=$? + + case "${ret}" in + # If suricata has been killed by SIGKILL (e.g. by + # the OOM killer, or if it ran into a SEGV, we will + # restart the process. + 137|139) + # Remove the PID file + unlink "${PIDFILE}" 2>/dev/null + + sleep 1 + continue + ;; + + *) + break + ;; + esac + done + + return ${ret} +} + +main "$@" || return $? diff --git a/lfs/suricata b/lfs/suricata index 88f3c4575..dcee61ea1 100644 --- a/lfs/suricata +++ b/lfs/suricata 
@@ -132,5 +132,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Install converter script needed for Core Update 167 install -m 0755 $(DIR_SRC)/config/suricata/convert-ids-backend-files /usr/sbin/convert-ids-backend-files + # Install the watcher + install -v -m 755 $(DIR_SRC)/config/suricata/suricata-watcher /usr/bin/suricata-watcher + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 20afab130..40bd69c87 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -123,12 +123,9 @@ case "$1" in if [ "$ENABLE_IDS" == "on" ]; then # Start the IDS. boot_mesg "Starting Intrusion Detection System..." - /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>/dev/null + /usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES evaluate_retval - # Allow reading the pidfile. - chmod 644 $PID_FILE - # Flush the firewall chain flush_fw_chain @@ -139,20 +136,11 @@ case "$1" in stop) boot_mesg "Stopping Intrusion Detection System..." - killproc -p $PID_FILE /var/run + killproc /usr/bin/suricata # Flush firewall chain. flush_fw_chain - # Sometimes suricata not correct shutdown. So killall. - killall -KILL /usr/bin/suricata 2>/dev/null - - # Remove suricata control socket. - rm /var/run/suricata/* >/dev/null 2>/dev/null - - # Trash remain pid file if still exists. - rm -f $PID_FILE >/dev/null 2>/dev/null - # Don't report returncode of rm if suricata was not started exit 0 ;;
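Review bot: the last line of the new suricata-watcher, `main "$@" || return $?`, is a top-level `return`, which bash rejects outside a function or a sourced script, so whenever `main` fails the watcher's real exit status is replaced by that error; end the script with `main "$@"` followed by `exit $?` (or just `main "$@"`, since the script exits with the status of its last command). Two further points in the same hunk: the restart loop retries on every 137/139 with a fixed `sleep 1` and no upper bound, so a suricata that segfaults immediately on start (for example on a broken rule set) is relaunched once a second forever while `&>/dev/null` discards every diagnostic, so a retry limit or backoff plus a `logger` call on each restart would make such a loop visible in the system log; and the comment "(e.g. by the OOM killer, or if it ran into a SEGV, we will" is missing its closing parenthesis.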
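Review bot: `install -v -m 755` in the lfs hunk differs from the `install -m 0755` used for convert-ids-backend-files on the line directly above it; pick one form (verbose flag and mode spelling) for both installs.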
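Review bot: the start hunk replaces a daemonized `suricata -D` with a synchronous call to `/usr/bin/suricata-watcher`, but the watcher runs `/usr/bin/suricata "$@"` in the foreground inside its `while` loop, so this line never returns while suricata is healthy and neither `evaluate_retval` nor `flush_fw_chain` is reached; the watcher needs to be backgrounded (or daemonize itself and write its own pidfile) before this works from the initscript. Dropping the `chmod 644 $PID_FILE` that followed, which the old code added so the pidfile could be read by others, should also be re-checked against how the pidfile is created now that `-D` is gone.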
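Review bot: `killproc /usr/bin/suricata` in the stop hunk signals suricata by name but not the watcher, and the watcher treats exit status 137 as a reason to restart, so if killproc has to escalate from TERM to KILL on a slow shutdown (the removed code explicitly fell back to `killall -KILL`), the watcher will relaunch suricata right after `stop`; stop the watcher first (track its PID, or have it trap SIGTERM and leave the loop) before signalling suricata. Removing the `rm /var/run/suricata/*` line also leaves the control socket behind after an unclean exit, which the old code cleaned up deliberately.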