KarelD

On access scanning RHEL7: not working / shmget: Permission Denied

3 posts in this topic


Hi,

I am using ESET on a RHEL7 machine.
The on demand scan is working.
Since the machine is used as an sftp server, I would like to use the on access scan when a new file is added to a specific directory.
In the esets.cfg file I specified the action (create) and directory in [pac]. 

In the sshd.service file, the environment=LD_PRELOAD=.../libesets_pac.so is defined.
This environment is loaded for sshd. However, the on access scan seems not to be working according to the stats.onaccess file.
I tried to upload the EICAR test file and it's not detected (~ no scan performed).

Did anyone have the same issues or any idea on what can be wrong with my configuration?

Kind regards

Edited by KarelD


Some updates and more information:

We created a sftp-server. A user is able to upload files over sftp. When a file is uploaded to a certain directory, it must be scanned 'on access'.

As I mentioned in my previous post, we did a preload for the libesets_pac.so library when the ssh daemon is started. We changed the way we do this. First it was with the environment parameter, now we change

ExecStart=/usr/sbin/sshd $OPTIONS

into

ExecStart=/bin/bash -c "LD_PRELOAD=/opt/eset/esets/lib64/libesets_pac.so /usr/sbin/sshd $OPTIONS"

We can see that the library is preloaded:

lsof -p <pid>:
sshd    <pid> root  mem    REG              253,0   318792   555738 /opt/eset/esets/lib64/libesets_pac.so

In the configuration file of eset, the actions and directory for [pac] are set. However, the on access scan is still not performed.

When performing an strace on the pid of sshd (there are multiple, but in some of the children we can find this):

stat("/opt/eset/esets/sbin/esets_daemon", {st_mode=S_IFREG|0755, st_size=1446464, ...}) = 0
shmget(0x32009ce1, 0, 0)                = -1 EACCES (Permission denied)

It seems like information is requested about the esets daemon, and some shared memory is accessed, but permission to this shared memory is denied.

When looking at the shared memory segments:

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x32009ce1 1671168    root       644        512        2
0x0113beff 1212417    root       600        1000       7


------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
1671168    root       32011      32013
1212417    root       20140      20140

and 32011 is the pid of the eset daemon.

root     32011     1  0 16:08 ?        00:00:00 /opt/eset/esets/sbin/esets_daemon

To conclude, we think that the libesets_pac.so library is loaded correctly, and when a call to open() is made, the function in this library is used. To perform the on access scan the ssh daemon process tries to read from a certain shared memory from the esets daemon, but is not allowed. Following that the scan is not performed. We checked the namespaces of the sshd and eset and they are both the same.


Does anyone have any idea what can be wrong? Or any suggestions for additional tests?
 

Thank you in advance for your reply.

 

 

 

On 12. 4. 2017 at 9:21 AM, KarelD said:

Does anyone have any idea what can be wrong? Or any suggestions for additional tests?

Just guessing, but is SELinux enabled on this machine? If I recall correctly, SELinux-enabled systems are not supported by this product. I would recommend checking the audit logs or testing functionality with SELinux switched into permissive mode, in case it was previously enabled (in enforcing mode).

Another possibility is that sshd is running under a user account that is for some reason not able to access the mentioned shared memory. Is SSHD running with root privileges?

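The audit-log check suggested in the reply above, as an added example that is not part of the original thread or of the product: it filters SELinux AVC denials down to the shared memory key from the failing shmget() call. The helper names are hypothetical, the sample records are constructed, and the key field name (`key=` or `ipc_key=`, depending on kernel version) is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): list SELinux AVC denials that hit one
# System V shared memory key, e.g. the key seen in a failing shmget() call.

# Constructed audit.log-style records; contexts, PIDs and timestamps are made up.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1491981661.101:901): avc:  denied  { associate } for  pid=32100 comm="sshd" key=838900961  scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=shm
type=AVC msg=audit(1491981662.202:902): avc:  denied  { read } for  pid=32100 comm="sshd" name="upload.bin" dev="dm-0" ino=1234 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1491981663.303:903): avc:  denied  { associate } for  pid=4000 comm="httpd" key=18071295  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=shm
EOF
}

# shm_avc_denials HEXKEY [FILE]   (hypothetical helper; reads stdin if no FILE)
# Prints one line per matching denial: comm permission scontext tcontext
shm_avc_denials() {
  # strace and ipcs print the key in hex; the AVC record carries it in decimal.
  key_dec=$(( $1 ))
  # Assumption: the field is "key=" on older kernels and "ipc_key=" on newer ones.
  cat "${2:--}" |
    grep -E 'avc: +denied' |
    grep -E 'tclass=shm( |$)' |
    grep -E "(^| )(ipc_)?key=${key_dec}( |\$)" |
    sed -E 's/.*\{ ([^}]*) \}.* comm="([^"]*)".* scontext=([^ ]*) tcontext=([^ ]*).*/\2 \1 \3 \4/'
}

# Demo on the constructed sample. On a real host, pass the audit log instead:
#   shm_avc_denials 0x32009ce1 /var/log/audit/audit.log
sample_audit_log | shm_avc_denials 0x32009ce1
```

No output for the key means no SELinux denial was logged for that segment, which leaves the process user as the next thing to check.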
