Evebox keeps on running if IPS (suricata) is disabled

ips

(Mark Verlinde) #1

Being bold categorizing it as a bug although it’s non-critical :grinning:

Behavior: (how to reproduce)

On a fresh install IPS (suricata) is disabled by default; you have to enable it in the server-manager or manually enable it as documented here.
Just after a fresh install evebox is enabled by default and running, AFAIK not able to report anything.
The same applies if you decide to disable IPS: evebox keeps on running.

Expected behavior:

evebox starts and stops with IPS (suricata).

Notes:
I think the status of evebox can be included in

nethserver-suricata ../Module/IPS.php

Unfortunately PHP is not my strong point, hence I'm uncomfortable producing a PR on this.


(Giacomo Sanchietti) #2

I think the simplest solution is to add a systemd requires to evebox unit.

Take a look at this:
https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Requires=

Not tested, but should do the work:

# drop-in that adds to the [Unit] section of the packaged evebox unit
mkdir -p /etc/systemd/system/evebox.service.d
cat <<EOF > /etc/systemd/system/evebox.service.d/requires.conf
[Unit]
Requires=suricata.service
EOF
# reload unit files so systemd picks up the drop-in
systemctl daemon-reload

Then try to start and stop both services. If suricata is stopped, evebox should be stopped too (but it will not start again, you need BindsTo for that).

By the way, this solution will not work if you’re using a custom suricata configuration which is scanning events from a remote source.


(Mark Verlinde) #3

Same thoughts here (literally on the same page :grinning:)

check out PartOf=


(Mark Verlinde) #4

This starts and stops evebox with suricata (on a default server configuration):

# cat evebox.service.d/eve-json.conf
[Unit]
ConditionPathExists=/var/log/suricata/eve.json
Requires=suricata.service

[Service]
User=suricata
Group=suricata
# cat suricata.service.d/override.conf
[Unit]
BindsTo=evebox.service

Two little imperfections (in server-manager services):

  1. obviously evebox shows the enabled flag from the e-smith db:

  [image]

  2. the suricata service keeps running after disabling it in the server-manager > IPS (did not notice this earlier, sorry)

  [image]

From a functional point of view it solves the issue and adds value:

  • frees up system resources
  • you could get the impression, checking the evebox web interface, that everything is fine in a situation where suricata died on you. Now you get a “503”.

EDIT: a bit too hasty, it's accurate now.


(Mark Verlinde) #5

After fiddling around with systemd override configurations I cannot find the right solution:

The solution shall:

  • Start evebox if suricata is started
  • Stop evebox from running if suricata is stopped
  • Stop evebox from running if suricata enters a fail-state

The solution may:

  • Enter evebox in a fail-state if suricata is stopped
    (open for discussion)
  • Enter evebox in a fail-state if suricata enters a fail-state

The solution shall not:

  • Stop suricata if evebox is stopped
  • Start suricata if evebox is started
    (user needs to choose filters and firewall nfqueue bits must be configured too)
  • Enter suricata in a fail-state if evebox is stopped
  • Enter suricata in a fail-state if evebox enters a fail-state

All my attempts fail on one or more requirements of “shall not”.
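A drop-in layout that covers the “shall” and “shall not” lists above, added here as an illustration and not a post from this thread. It assumes the unit names suricata.service and evebox.service, systemctl at /usr/bin/systemctl, and a hypothetical helper unit evebox-stop.service; the function takes a root directory so the files can be written to a scratch location and inspected before touching /etc.

```shell
#!/bin/sh
# Added illustration (not from the thread): drop-ins covering the
# "shall" / "shall not" lists in post #5. Takes a root directory so
# the files can be written to a scratch location first.
# Assumed: unit names suricata.service and evebox.service, systemctl
# at /usr/bin/systemctl, and a hypothetical helper unit evebox-stop.service.
install_dropins() {
  root="${1:-}"
  sysd="$root/etc/systemd/system"
  mkdir -p "$sysd/suricata.service.d" "$sysd/evebox.service.d"

  # suricata -> evebox: Wants= pulls evebox in when suricata starts but,
  # unlike Requires=, a stopped or failed evebox never affects suricata.
  # OnFailure= covers the crash case that PartOf= alone does not catch.
  cat > "$sysd/suricata.service.d/evebox.conf" <<'EOF'
[Unit]
Wants=evebox.service
OnFailure=evebox-stop.service
EOF

  # evebox -> suricata: PartOf= propagates stop/restart of suricata to
  # evebox without pulling suricata in when evebox is started by hand
  # (Requires= or BindsTo= would start suricata, breaking "shall not").
  cat > "$sysd/evebox.service.d/suricata.conf" <<'EOF'
[Unit]
PartOf=suricata.service
After=suricata.service
EOF

  # oneshot helper activated by OnFailure= above (hypothetical name)
  cat > "$sysd/evebox-stop.service" <<'EOF'
[Unit]
Description=Stop evebox because suricata entered the failed state

[Service]
Type=oneshot
ExecStart=/usr/bin/systemctl stop evebox.service
EOF
  echo "drop-ins written under $sysd; run 'systemctl daemon-reload' to apply"
}

# Audit helper: succeeds (exit 0) if the evebox drop-in contains a directive
# that would start suricata whenever evebox is started.
evebox_pulls_in_suricata() {
  grep -Eq '^(Requires|BindsTo|Wants)=suricata\.service' \
    "${1:-}/etc/systemd/system/evebox.service.d/suricata.conf"
}
```

A clean self-exit of suricata (inactive rather than failed) is caught by neither PartOf= nor OnFailure=; BindsTo= would catch it, at the cost of starting suricata whenever evebox is started by hand.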