Fcron running/checking question

Hi,

I was checking our IPFire system today and one point was the IDS rules page.
I see that the system is running with an old set of rules (9th of April) so my first thought was that I forgot to enable the automatic update.
The IDS page shows me that automatic updates are enabled.

The next look was into the cron log and here my question came up.
I can see nothing in the cron log. On no day since I reinstalled the system do I have an entry in this log.
The cron service (fcron) is running, I checked it from the GUI and also from the console and I have a cronfile for the root user with some ipfire related entries.

Normally I would expect that the cron log shows me something like cron xxx running at and some infos about the job (normal cron infos) but the not running updates in combination with no entries in the log makes me a little bit nervous.
How can I check if fcron is running correctly and where are the update rules for the IDS if not in the fcron file?

Silvio

The cron log only has content if there have been errors with running cron.

To see the IPS ruleset update you should look in Log - System Logs - drop down box Intrusion Prevention.

If you have the update set for daily then you would see something similar to the following, depending on the ruleset providers that you have selected.

01:25:57 suricata: 15 rule files processed. 12566 rules successfully loaded, 0 rules failed
01:25:47 suricata: Including configuration file /var/ipfire/suricata/suricata-default-rules.yaml.
01:25:47 suricata: Including configuration file /var/ipfire/suricata/suricata-sslbl_blacklist-used-rulefiles.yaml.
01:25:47 suricata: Including configuration file /var/ipfire/suricata/suricata-emerging-used-rulefiles.yaml.
01:25:47 suricata: Including configuration file /var/ipfire/suricata/suricata-used-providers.yaml.
01:25:47 suricata: Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml.
01:25:47 suricata: Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml.
01:25:47 suricata: Including configuration file /var/ipfire/suricata/suricata-homenet.yaml.
01:25:47 suricata: rule reload starting

The updater line is not directly in the fcrontab. Depending on whether you have selected daily or weekly then a symlink is made in the /etc/fcron.daily or /etc/fcron.weekly folder.

I have mine set to daily and my fcron.daily folder is as follows

-rw-r--r-- 1 root root 33 Feb 22 2021 info.txt
-rwxr-x--- 1 root root 4.1K Dec 19 12:57 openvpn-crl-updater
lrwxrwxrwx 1 root root 33 Mar 29 15:12 suricata -> /usr/local/bin/update-ids-ruleset
-rwxr-xr-x 1 root root 126 Mar 26 2021 trim

If there is no symlink in either the daily or weekly then if you change the setting from daily, if that is what it is set to currently, to weekly and press the save button and then change back to daily and press the save button then you should find the symlink present again in the daily folder.

If daily is selected and no symlink is present then just pressing save is not enough. You need to change the setting to another one, save and then go back to the setting you want and save.

3 Likes
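A console check for the mechanism described in the answer above, as an added example that is not part of the thread and not IPFire's own code: it reports whether the `suricata` symlink exists in the fcron.daily or fcron.weekly folder and finds the last rule-load line in a log file. The root-prefix argument, the function names and the syslog-style sample lines are assumptions constructed for illustration; the symlink target is assumed to be an absolute path, as in the listing above.

```shell
#!/bin/sh
# Added example, not IPFire's own code. The optional first argument is a
# hypothetical root prefix so the checks can run against a constructed tree;
# leave it empty on a live system.

# Print daily|weekly|none, or broken:<period> when the symlink target
# (assumed absolute) is missing or not executable.
ids_update_schedule() {
    root="${1:-}"
    for period in daily weekly; do
        link="$root/etc/fcron.$period/suricata"
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        if [ -x "$root$target" ]; then
            echo "$period"
        else
            echo "broken:$period"
        fi
        return 0
    done
    echo "none"
}

# Print the last suricata line reporting loaded rules; return 1 if none.
last_rule_reload() {
    line=$(grep 'suricata' "$1" 2>/dev/null |
           grep 'rules successfully loaded' | tail -n 1)
    [ -n "$line" ] || return 1
    echo "$line"
}

# Build a constructed tree with an updater stub and two sample log lines
# (syslog prefix format is an assumption).
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/fcron.daily" "$d/etc/fcron.weekly" \
             "$d/usr/local/bin" "$d/var/log"
    printf '#!/bin/sh\n' > "$d/usr/local/bin/update-ids-ruleset"
    chmod 755 "$d/usr/local/bin/update-ids-ruleset"
    printf '%s\n' \
        'Apr 26 01:25:47 ipfire suricata: rule reload starting' \
        'Apr 26 01:25:57 ipfire suricata: 15 rule files processed. 12566 rules successfully loaded, 0 rules failed' \
        > "$d/var/log/messages"
    echo "$d"
}

sample=$(make_sample_root)
echo "before save: $(ids_update_schedule "$sample")"
ln -s /usr/local/bin/update-ids-ruleset "$sample/etc/fcron.daily/suricata"
echo "after save:  $(ids_update_schedule "$sample")"
last_rule_reload "$sample/var/log/messages"
rm -rf "$sample"
```

On a live system, call `ids_update_schedule` with no argument and `last_rule_reload /var/log/messages`.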

Thanks for the Info this helps a lot.
I cannot find any suricata entries in /var/log/messages over the last week except the ones from this morning where I was working on the system.
I now disabled/enabled all update rules and will see what happens tomorrow (I have daily updates enabled).

But thanks again for the infos so I’m a little bit calmed down that the normal cron stuff is running.

Silvio

I checked my fcron.daily folder and could not see a suricata entry.
So I disabled/enabled the automatic update for the complete IDS and not only for the ruleset and …

[root@ipfire fcron.daily]# ls -la
total 24
drwxr-xr-x  2 root root 4096 Feb  7 14:48 .
drwxr-xr-x 50 root root 4096 Mar 31 13:51 ..
-rw-r--r--  1 root root   33 Feb  7 12:58 info.txt
-rwxr-x---  1 root root 4110 Feb  7 13:19 openvpn-crl-updater
-rwxr-xr-x  1 root root  126 Feb  7 11:46 trim
[root@ipfire fcron.daily]# ls -la
total 24
drwxr-xr-x  2 root root 4096 Apr 26 07:22 .
drwxr-xr-x 50 root root 4096 Mar 31 13:51 ..
-rw-r--r--  1 root root   33 Feb  7 12:58 info.txt
-rwxr-x---  1 root root 4110 Feb  7 13:19 openvpn-crl-updater
lrwxrwxrwx  1 root root   33 Apr 26 07:22 suricata -> /usr/local/bin/update-ids-ruleset
-rwxr-xr-x  1 root root  126 Feb  7 11:46 trim

So thanks again for the infos

Silvio

3 Likes