Data Loss Prevention : RHEL Services will not auto start on reboot
search cancel

Data Loss Prevention : RHEL Services will not auto start on reboot

book

Article ID: 220770

calendar_today

Updated On: 02-18-2025

Products

Data Loss Prevention Enforce

Issue/Introduction

DLP Services will not auto-start on reboot

Environment

Release : 15.x, 16.x

Component :Enforce Servers, Detection Servers running on RHEL 7.x, 8.x 

Cause

This is caused by systemd calling stat () on the any services when the DLP services is a symlink to /opt/Symantec/.......

In the dmesg log you will see the following error:

systemd-sysv-generator[586]: stat() failed on /etc/rc.d/init.d/SymantecDLPDetectionServerService: No such file or directory

Since the DLP services are symlinks to /opt/Symantec/DataLossPrevention/EnforceServer/Services/<servicename>.sh, if the /opt is on its own mount point, the systemd call happens before the /opt is mounted in the log.

Resolution

The services are symlinks to the /opt/Symantec directories, 

In the fstab we see

  # cat /etc/fstab
  ...
  /dev/apps_vg/vol1 /opt/Symantec xfs defaults    0   0

To ensure the non-root filesystem is mounted before systemd-sysv-generator runs:

Edit the /etc/fstab file and add x-initrd.mount to the /opt/Symantec entry options as shown below:

/dev/apps_vg/vol1   /opt/Symantec xfs defaults,x-initrd.mount 0   0

Make sure the logical volume apps_vg/vol1 hosting /opt/Symantec is activated in the initramfs by appending rd.lvm.lv=apps_vg/vol1 to the GRUB_CMDLINE_LINUX entry in /etc/default/grub as shown below:

NOTE: In this example, the apps_vg is the volume group and the vol1 is the logical volume name. You volume group/logical volume will be different from this article. 

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=system_vg/swap_lv rd.lvm.lv=system_vg/root_lv rd.lvm.lv=system_vg/usr_lv rd.lvm.lv=apps_vg/vol1 rhgb"

To find the volumegroup/logicalvolume name you need to run the lvscan command. In this screenshot drop the /dev/ when entering in the grub.conf

Rebuild the GRUB menu and initramfs for changes to be taken into account:

# grub2-mkconfig -o /etc/grub2.cfg
# dracut -f

WORKAROUND 1:

If rebuilding the grub is not an option you can run the following as a workaround. 

To enable Data Loss Prevention services to start automatically (after a reboot), complete the following:

These steps work on RHEL 6 and RHEL 7 with 15.5 and 15.7:

Log onto the Enforce server and SU as root, then run the following:

systemctl enable SymantecDLPManagerService

systemctl enable SymantecDLPIncidentPersisterService

systemctl enable SymantecDLPDetectionServerControllerService

systemctl enable SymantecDLPNotifierService

Log onto to Detection server and su as root, then run the following:

systemctl enable SymantecDLPDetectionServerService

 

The following has been tested on 15.5 and RHEL7:

1. Create systemd script as root:

=> vi /etc/systemd/system/dlpSymantec_startup.service

[Unit]

After=network-online.target

[Service]

ExecStart=/usr/local/bin/dlpSymantec_startup.sh

[Install]

WantedBy=default.target

2. Create the dlpSymantec_startup.sh and add the services startup commands. 

=> vi /usr/local/bin/dlpSymantec_startup.sh

Enforce services 

#!/bin/bash
#DLP startup scripts###
service start SymantecDLPManagerService
service start SymantecIncidentPersisterService
service start SymantecDLPNotifierService
service start SymantecDLPDetectionServerControllerService

exit 0
 

Detection Services on Detection servers.

#!/bin/bash
#DLP v15.5
service SymantecDLPDetectionServerService start
exit 0

 

3. Set the permissions of the systemd script and the bash script

=> chmod 744 /usr/local/bin/dlpSymantec_startup.sh

=> chmod 664 /etc/systemd/system/dlpSymantec_startup.service

4. Enable the systemd service.

=> systemctl daemon-reload

=> systemctl enable dlpSymantec_startup.service

NOTE: Symantec DLP 15.1 will be named without the service at the end of each service name for example SymantecDLPManagerService will be named SymantecDLPManager.

Test Configuration

Now we can test our configuration by rebooting the server and checking the services

$ reboot
$ service --status-all | grep Symantec

RHEL 8.x/9.x and above with DLP 16.0 Detection Server

  1. Create the file DLP-DetectionServer.service with the following contents here: /etc/systemd/system
    [Unit]
    Description=DLP-DetectionServerService
    Requires=network.target
    After=network.target
    [Service]
    Type=forking
    ExecStart=/etc/rc.d/init.d/SymantecDLPDetectionServerService start
    ExecStop=/etc/rc.d/init.d/SymantecDLPDetectionServerService stop
    Restart=on-abnormal
    [Install]
    WantedBy=multi-user.target
  2. Run the following commands to update the file permissions and the service state:
    chmod 644 /etc/systemd/system/DLP-DetectionServer.service
    cd /etc/systemd/system
    systemctl enable DLP-DetectionServer.service
    systemctl daemon-reload

Services should be able to start and stop after a reboot.

NOTE: if doing this on enforce you will need to replace the ExecStart, ExecStop, PreExecStart, PostExecStart and so forth with the enforce server service names. 

Test Configuration

Now we can test our configuration by rebooting the server and checking the services:

$ reboot
$ service --status-all | grep Symantec

RHEL 8.x/9.x and above with DLP 16.1 Detection Server

  1. Create the file DLP-Connector-Detector-Services.service with the following contents here: /etc/systemd/system
    [Unit]
    Description=DLP-Connector-Detector-Services
    Requires=network-online.target
    After=network-online.target
    [Service]
    Type=forking
    ExecStartPre=/etc/rc.d/init.d/SymantecDLPEnforceConnectorService start
    ExecStart=/etc/rc.d/init.d/SymantecDLPDetectorService start
    ExecStopPre=/etc/rc.d/init.d/SymantecDLPEnforceConnectorService stop
    ExecStop=/etc/rc.d/init.d/SymantecDLPDetectorService stop
    Restart=on-abnormal
    [Install]
    WantedBy=multi-user.target
  2. Run the following commands to update the file permissions and the service state:
    chmod 644 /etc/systemd/system/DLP-Connector-Detector-Services.service
    cd /etc/systemd/system
    systemctl enable DLP-Connector-Detector-Services.service
    systemctl daemon-reload

Services should be able to start and stop after a reboot. 

The .sh file is no longer needed since systems script is calling the Services directory in ExecStart and ExecStop lines. 

Test Configuration

Now we can test our configuration by rebooting the server and checking the services:

$ reboot
$ service --status-all | grep Symantec

 

Additional Information

refer to https://access.redhat.com/solutions/3094591

NOTE: if the grub cannot be rebuilt and the workaround is not working, contact RHEL support since this is a limitation of the Linux OS.

Performing these steps incorrectly could cause your system to not boot

Powered by Wolken Software