cafagent daemon shows not running when /usr/lib/symantec/status.sh is executed



Article ID: 441364


Updated On:

Products

Endpoint Protection

Issue/Introduction

The cafagent daemon is reported as not running when /usr/lib/symantec/status.sh is executed.

Evidence from cafagent_install.log:

Enabling CAF Agents for system start..
Failed to enable unit: File /etc/systemd/system/cafagent.service already exists and is a symlink to /dev/null.
○ cafagent.service
     Loaded: masked (Reason: Unit cafagent.service is masked.)
  

Environment

SEP 14.3 RU1 and later
Amazon Linux 2023 or equivalent supported Linux OS

Cause

The primary failure is caused by a masked systemd unit on the customer system where /etc/systemd/system/cafagent.service points to /dev/null (left over from an admin action or older deployment). 

Our installer logic (instfunlib) fails silently due to two key deficiencies:

Short-circuiting Logic: The cleanup script uses systemctl is-enabled -q cafagent.service && systemctl disable cafagent.service. When a unit is masked, is-enabled returns a non-zero exit status, causing the command to short-circuit. The disable command is never executed. Even if executed, disable cannot clear a mask; a proactive unmask is strictly required.
Incorrect Path Cleanup: The installer attempts file removal from /usr/lib/systemd/system/ and /lib/systemd/system/, completely omitting the actual masking symlink located at /etc/systemd/system/cafagent.service.

Consequently, when the installer executes systemctl enable cafdaemon.service, systemd tries to generate an alias symlink at /etc/systemd/system/cafagent.service (per the unit's [Install] block). It finds the path occupied by the /dev/null mask and drops the entire enable operation.

Resolution

Re-install the agent so that the correct parameters are set.


Workaround if re-installation is not feasible:

You can manually bypass this without waiting for a re-installation. Follow the steps below:

Execute as root on the target machine:

Step 1: Verify the Masked Status

ls -la /etc/systemd/system/cafagent.service
# Expected output shows symlink pointing to /dev/null

 

Step 2: Remove the Mask and Load Service

systemctl unmask cafagent.service
systemctl daemon-reload
systemctl enable cafdaemon.service
systemctl start cafdaemon.service

 

Step 3: Verification

systemctl status cafdaemon.service
tail -n 20 /var/log/sdcss-caflog/cafagent.log 
/usr/lib/symantec/status.sh
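
Step 1 and the unmask part of Step 2 as a script, added here as an example (it is not part of the installer or of the original article). It tests the symlink itself instead of relying on the exit status of systemctl is-enabled, which is the short-circuit described under Cause. The function names and the SYSTEMD_ROOT override are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: detect and clear a systemd mask before "systemctl enable".
# SYSTEMD_ROOT is a hypothetical override for trying the check on a scratch
# tree; leave it unset on a real host.

# Print the path of the mask symlink for unit $1; return 1 if it is not masked.
find_mask() {
    path="${SYSTEMD_ROOT:-}/etc/systemd/system/$1"
    # Inspect the link directly: "systemctl is-enabled" exits non-zero for
    # masked and for disabled units, so "is-enabled && disable" skips both.
    if [ -L "$path" ] && [ "$(readlink "$path")" = "/dev/null" ]; then
        printf '%s\n' "$path"
        return 0
    fi
    return 1
}

# Unmask every listed unit that is masked, reload systemd if anything changed,
# and print the number of masks cleared.
clear_masks() {
    cleared=0
    for unit in "$@"; do
        if mask=$(find_mask "$unit"); then
            echo "masked: $unit ($mask -> /dev/null)" >&2
            # "disable" cannot remove a mask; "unmask" deletes the symlink.
            systemctl unmask "$unit" && cleared=$((cleared + 1))
        fi
    done
    if [ "$cleared" -gt 0 ]; then
        systemctl daemon-reload
    fi
    echo "$cleared"
}

# Usage (as root): ./clear_masks.sh cafagent.service cafdaemon.service
if [ "$#" -gt 0 ]; then
    clear_masks "$@"
fi
```

After it reports a cleared mask, continue with systemctl enable and systemctl start for cafdaemon.service as in Step 2.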