DLP Services will not auto-start on reboot
Release: 15.x
Component: Enforce Servers, Detection Servers running on RHEL 7.x, 8.x
This is caused by systemd calling stat() on the DLP services when each DLP service is a symlink to /opt/Symantec/.......
In the dmesg log you will see the following error:
systemd-sysv-generator[586]: stat() failed on /etc/rc.d/init.d/SymantecDLPDetectionServerService: No such file or directory
Since the DLP services are symlinks to /opt/Symantec/DataLossPrevention/EnforceServer/Services/<servicename>.sh, if /opt is on its own mount point, the systemd call shown in the log happens before /opt is mounted.
The services are symlinks to the /opt/Symantec directories.
In the fstab we see:
# cat /etc/fstab
...
/dev/apps_vg/vol1 /opt/Symantec xfs defaults 0 0
To ensure the non-root filesystem is mounted before systemd-sysv-generator runs:
Edit the /etc/fstab file and add x-initrd.mount to the /opt/Symantec entry options as shown below:
/dev/apps_vg/vol1 /opt/Symantec xfs defaults,x-initrd.mount 0 0
Make sure the logical volume apps_vg/vol1 hosting /opt/Symantec is activated in the initramfs by appending rd.lvm.lv=apps_vg/vol1 to the GRUB_CMDLINE_LINUX entry in /etc/default/grub as shown below:
NOTE: In this example, apps_vg is the volume group and vol1 is the logical volume name. Your volume group/logical volume will be different from this article.
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=system_vg/swap_lv rd.lvm.lv=system_vg/root_lv rd.lvm.lv=system_vg/usr_lv rd.lvm.lv=apps_vg/vol1 rhgb"
To find the volume group/logical volume name, run the lvscan command. Drop the leading /dev/ from the path it reports when entering the name in the GRUB_CMDLINE_LINUX entry.
Rebuild the GRUB menu and initramfs for changes to be taken into account:
# grub2-mkconfig -o /etc/grub2.cfg
# dracut -f
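A pre-reboot check for the two settings above, added here as an example (it is not Symantec or Red Hat code): it confirms that the fstab entry carries x-initrd.mount and that GRUB_CMDLINE_LINUX activates the matching logical volume. The function names are hypothetical, the sample files are constructed, and it assumes the fstab entry uses the /dev/<vg>/<lv> device form shown in this article.

```shell
#!/bin/sh
# Added example (not vendor code): verify the early-mount settings for a
# mount point that backs SysV init symlinks. Assumes /dev/<vg>/<lv> device
# naming in fstab, as in the article.

# Print "<vg>/<lv>" for the fstab entry mounted at $2 (fstab path in $1).
fstab_lv() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { sub("^/dev/", "", $1); print $1; exit }' "$1"
}

# Succeed if the entry for mount point $2 lists x-initrd.mount as an option.
fstab_has_initrd_mount() {
    awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "x-initrd.mount") found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Succeed if GRUB_CMDLINE_LINUX in file $1 contains rd.lvm.lv=$2 as a whole word.
grub_activates_lv() {
    grep '^GRUB_CMDLINE_LINUX=' "$1" | tr '" ' '\n\n' | grep -Fxq "rd.lvm.lv=$2"
}

# check_early_mount FSTAB GRUB_DEFAULTS MOUNTPOINT
# Returns 0 if both settings are present, 1 if either is missing, 2 if no entry.
check_early_mount() {
    cem_lv=$(fstab_lv "$1" "$3")
    [ -n "$cem_lv" ] || { echo "no fstab entry for $3"; return 2; }
    cem_rc=0
    fstab_has_initrd_mount "$1" "$3" || { echo "missing x-initrd.mount on $3"; cem_rc=1; }
    grub_activates_lv "$2" "$cem_lv" || { echo "missing rd.lvm.lv=$cem_lv in $2"; cem_rc=1; }
    return $cem_rc
}

# Constructed sample input: the article's fstab line before the fix and a
# GRUB_CMDLINE_LINUX that already activates the volume.
demo_dir=$(mktemp -d)
echo '/dev/apps_vg/vol1 /opt/Symantec xfs defaults 0 0' > "$demo_dir/fstab"
echo 'GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=apps_vg/vol1 rhgb"' > "$demo_dir/grub"
check_early_mount "$demo_dir/fstab" "$demo_dir/grub" /opt/Symantec || echo "result: not ready"
rm -rf "$demo_dir"
# On a real host: check_early_mount /etc/fstab /etc/default/grub /opt/Symantec
```

The check reads only the configuration files, so a passing result still requires the grub2-mkconfig and dracut rebuild before the settings take effect at boot.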
If rebuilding GRUB is not an option, you can run the following as a workaround.
To enable Data Loss Prevention services to start automatically (after a reboot), complete the following:
These steps work on RHEL 6 and RHEL 7 with 15.5 and 15.7:
Log on to the Enforce server and su to root, then run the following:
systemctl enable SymantecDLPManagerService
systemctl enable SymantecDLPIncidentPersisterService
systemctl enable SymantecDLPDetectionServerControllerService
systemctl enable SymantecDLPNotifierService
Log on to the Detection server and su to root, then run the following:
systemctl enable SymantecDLPDetectionServerService
The following has been tested on 15.5 and RHEL7:
1. Create the systemd unit file as root:
=> vi /etc/systemd/system/dlpSymantec_startup.service
[Unit]
After=network-online.target
[Service]
ExecStart=/usr/local/bin/dlpSymantec_startup.sh
[Install]
WantedBy=default.target
2. Create dlpSymantec_startup.sh and add the service startup commands.
=> vi /usr/local/bin/dlpSymantec_startup.sh
Enforce services on the Enforce server:
#!/bin/bash
# DLP startup script: start each Enforce service (syntax: service <name> start)
service SymantecDLPManagerService start
service SymantecDLPIncidentPersisterService start
service SymantecDLPNotifierService start
service SymantecDLPDetectionServerControllerService start
exit 0
Detection services on Detection servers:
#!/bin/bash
#DLP v15.5
service SymantecDLPDetectionServerService start
exit 0
3. Set the permissions of the systemd script and the bash script
=> chmod 744 /usr/local/bin/dlpSymantec_startup.sh
=> chmod 664 /etc/systemd/system/dlpSymantec_startup.service
4. Enable the systemd service.
=> systemctl daemon-reload
=> systemctl enable dlpSymantec_startup.service
NOTE: In Symantec DLP 15.1 the service names do not end in "Service"; for example, SymantecDLPManagerService is named SymantecDLPManager.
Now we can test our configuration by rebooting the server and checking the services:
$ reboot
$ service --status-all | grep Sym
Refer to https://access.redhat.com/solutions/3094591