Data Loss Prevention : RHEL Services will not auto start on reboot

Article ID: 220770

Products

Data Loss Prevention Enforce

Issue/Introduction

DLP Services will not auto-start on reboot

Environment

Release: 15.x, 16.x

Component: Enforce Servers, Detection Servers running on RHEL 7.x, 8.x

Cause

This is caused by systemd calling stat() on the service files when the DLP services are symlinks to /opt/Symantec/.......

In the dmesg log you will see the following error:

systemd-sysv-generator[586]: stat() failed on /etc/rc.d/init.d/SymantecDLPDetectionServerService: No such file or directory

Since the DLP services are symlinks to /opt/Symantec/DataLossPrevention/EnforceServer/Services/<servicename>.sh, if /opt is on its own mount point, the systemd call happens before /opt is mounted, which produces the error in the log.

Resolution

The services are symlinks to the /opt/Symantec directories.

In the fstab we see:

  # cat /etc/fstab
  ...
  /dev/apps_vg/vol1 /opt/Symantec xfs defaults    0   0

To ensure the non-root filesystem is mounted before systemd-sysv-generator runs:

Edit the /etc/fstab file and add x-initrd.mount to the /opt/Symantec entry options as shown below:

/dev/apps_vg/vol1   /opt/Symantec xfs defaults,x-initrd.mount 0   0

Make sure the logical volume apps_vg/vol1 hosting /opt/Symantec is activated in the initramfs by appending rd.lvm.lv=apps_vg/vol1 to the GRUB_CMDLINE_LINUX entry in /etc/default/grub as shown below:

NOTE: In this example, apps_vg is the volume group and vol1 is the logical volume name. Your volume group/logical volume will be different from this article.

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=system_vg/swap_lv rd.lvm.lv=system_vg/root_lv rd.lvm.lv=system_vg/usr_lv rd.lvm.lv=apps_vg/vol1 rhgb"

To find the volume group/logical volume name, run the lvscan command. Drop the /dev/ prefix from the lvscan output when entering the name in the grub.conf.

Rebuild the GRUB menu and initramfs for changes to be taken into account:

# grub2-mkconfig -o /etc/grub2.cfg
# dracut -f
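
A pre-reboot check for the changes above, as an added example that is not part of the original article or vendor tooling: given the path an init.d symlink resolves to, it finds the covering fstab entry, checks for x-initrd.mount, and checks that GRUB_CMDLINE_LINUX activates the logical volume. The function names and the example.sh script name are assumptions, and only the /dev/VG/LV device form used in this article is handled.

```shell
#!/bin/sh
# Added example, not vendor code. Source this file, then pass the resolved
# init.d symlink, e.g. "$(readlink -f /etc/rc.d/init.d/<servicename>)".

# Print "mountpoint device options" for the longest fstab mount point
# containing path $1, reading fstab file $2 (comments and blanks skipped).
fstab_entry_for() {
    awk -v t="$1" '
        /^[ \t]*(#|$)/ { next }
        {
            mp = $2
            pre = (mp == "/") ? "/" : mp "/"
            if ((t == mp || index(t, pre) == 1) && length(mp) > best) {
                best = length(mp); out = mp " " $1 " " $4
            }
        }
        END { if (out != "") print out }' "$2"
}

# check_dlp_boot_mount TARGET [FSTAB] [GRUB_DEFAULTS] -> prints OK/FAIL/CHECK
check_dlp_boot_mount() {
    target=$1; fstab=${2:-/etc/fstab}; grub=${3:-/etc/default/grub}
    entry=$(fstab_entry_for "$target" "$fstab")
    [ -n "$entry" ] || { echo "CHECK no fstab entry covers $target"; return 0; }
    set -- $entry; mp=$1; dev=$2; opts=$3
    [ "$mp" != "/" ] || { echo "OK target is on the root filesystem"; return 0; }
    case ",$opts," in
        *,x-initrd.mount,*) ;;
        *) echo "FAIL $mp lacks x-initrd.mount"; return 0 ;;
    esac
    case $dev in
        /dev/mapper/*) lv="" ;;
        /dev/*/*) lv=${dev#/dev/} ;;   # /dev/VG/LV form, as in the article
        *) lv="" ;;
    esac
    [ -n "$lv" ] || { echo "CHECK $mp ok, verify activation of $dev by hand"; return 0; }
    # Trailing [ "] stops vol1 from matching vol10.
    if grep '^GRUB_CMDLINE_LINUX=' "$grub" | grep -q "rd\.lvm\.lv=${lv}[ \"]"; then
        echo "OK $mp mounted in initramfs, $lv activated"
    else
        echo "FAIL rd.lvm.lv=$lv missing from GRUB_CMDLINE_LINUX"
    fi
}

# Constructed demo input (not from a real host): the article's unfixed fstab line.
demo() {
    f=$(mktemp); printf '%s\n' '/dev/apps_vg/vol1 /opt/Symantec xfs defaults 0 0' > "$f"
    check_dlp_boot_mount /opt/Symantec/DataLossPrevention/EnforceServer/Services/example.sh "$f"
    rm -f "$f"
}
```
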

WORKAROUND 1:

If rebuilding GRUB is not an option, you can use the following as a workaround.

To enable Data Loss Prevention services to start automatically (after a reboot), complete the following:

These steps work on RHEL 6 and RHEL 7 with 15.5 and 15.7:

Log onto the Enforce server and su as root, then run the following:

systemctl enable SymantecDLPManagerService

systemctl enable SymantecDLPIncidentPersisterService

systemctl enable SymantecDLPDetectionServerControllerService

systemctl enable SymantecDLPNotifierService

Log onto the Detection server and su as root, then run the following:

systemctl enable SymantecDLPDetectionServerService

 

The following has been tested on 15.5 and RHEL7:

1. Create systemd script as root:

=> vi /etc/systemd/system/dlpSymantec_startup.service

[Unit]

After=network-online.target

[Service]

ExecStart=/usr/local/bin/dlpSymantec_startup.sh

[Install]

WantedBy=default.target

2. Create the dlpSymantec_startup.sh and add the services startup commands. 

=> vi /usr/local/bin/dlpSymantec_startup.sh

Enforce services 

#!/bin/bash
# DLP startup script: start the Enforce services
service SymantecDLPManagerService start
service SymantecDLPIncidentPersisterService start
service SymantecDLPNotifierService start
service SymantecDLPDetectionServerControllerService start

exit 0
 

Detection Services on Detection servers.

#!/bin/bash
#DLP v15.5
service SymantecDLPDetectionServerService start
exit 0

 

3. Set the permissions of the systemd script and the bash script

=> chmod 744 /usr/local/bin/dlpSymantec_startup.sh

=> chmod 664 /etc/systemd/system/dlpSymantec_startup.service

4. Enable the systemd service.

=> systemctl daemon-reload

=> systemctl enable dlpSymantec_startup.service

NOTE: In Symantec DLP 15.1, the service names do not have "Service" at the end; for example, SymantecDLPManagerService is named SymantecDLPManager.

Test Configuration

Now we can test our configuration by rebooting the server and checking the services:

$ reboot
$ service --status-all | grep Sym

RHEL 8.x and above 

 

1. Create the file DLP-DetectionServer.service in /etc/systemd/system

[Unit]
Description=DLP-DetectionServerService
Requires=network.target
After=network.target
[Service]
Type=forking
ExecStart=/etc/rc.d/init.d/SymantecDLPDetectionServerService start
ExecStop=/etc/rc.d/init.d/SymantecDLPDetectionServerService stop
Restart=on-abnormal
[Install]
WantedBy=multi-user.target


2. chmod 644 /etc/systemd/system/DLP-DetectionServer.service

3. cd /etc/systemd/system

4. systemctl enable DLP-DetectionServer.service

5. systemctl daemon-reload

6. The services should be able to start and stop at this point.

NOTE: The .sh file is no longer needed, since the systemd unit calls the service scripts directly in the ExecStart and ExecStop lines.

 

Additional Information

Refer to https://access.redhat.com/solutions/3094591

NOTE: If GRUB cannot be rebuilt and the workaround is not working, contact RHEL support, since this is a limitation of the Linux OS.