sengkee Absent Member.

Mcafee LinuxShield deny all users access to files

I installed an eval Linuxshield 1.5.1 on OES2 and started it with no errors. Its monitoring web page showed it running properly and the number of files scanned was increasing.

Suddenly all the users started complaining they can't access their files on the network drive. We can see the files listing but whether it is Excel, Word or ordinary text files, all of them won't open.

Killing the Linuxshield nails service immediately resolved the issue.

It seems when Linuxshield was running, all files on the NSS volumes were inaccessible but it was not flagging them as viruses. Files on local reiserfs volumes were strangely not affected.

Appreciate if you have any ideas on what went wrong?
sengkee Absent Member.

Re: Mcafee LinuxShield deny all users access to files

I found these in /var/log/messages:

Jan 9 15:53:02 pilsys02 su: (to nails) root on none
Jan 9 15:53:04 pilsys02 su: (to nails) root on none
Jan 9 15:53:31 pilsys02 kernel: lshook: module not supported by Novell, setting U taint flag.
Jan 9 15:53:31 pilsys02 kernel: lshook: Loading module compiled for kernel version into kernel version

Jan 9 15:53:31 pilsys02 kernel: linuxshield: module not supported by Novell, setting U taint flag.
Jan 9 15:53:31 pilsys02 kernel: linuxshield: Loading module compiled for kernel version into kernel version

Jan 9 15:53:43 pilsys02 nailsepolog[14153]: Starting ePO logging
Jan 9 15:53:44 pilsys02 kernel: Couldn't get FDN from LUM for uid=1239, rc=2
Jan 9 15:53:45 pilsys02 kernel: Couldn't get FDN from LUM for uid=1239, rc=2
Jan 9 15:53:46 pilsys02 kernel: Couldn't get FDN from LUM for uid=1239, rc=2
Jan 9 15:53:47 pilsys02 kernel: Couldn't get FDN from LUM for uid=1239, rc=2
Jan 9 15:53:48 pilsys02 kernel: Couldn't get FDN from LUM for uid=1239, rc=2



The last error 'Couldn't get FDN' repeated non-stop till I killed Linuxshield nails service. Could it be a LUM issue instead of Mcafee?
Brunold Rainer Absent Member.

Re: Mcafee LinuxShield deny all users access to files

sengkee,

have you excluded the ._NETWARE directory on the nss volumes from scanning ?
If not try that please.

Rainer
sengkee Absent Member.

Re: Mcafee LinuxShield deny all users access to files

I have excluded the folder but it still denies users access to nss volumes.

Also I tried to disable Linuxshield 'On-Access scan' and it actually allows access to the files, so it's something between the On-Access scan and the tons of LUM error messages in /var/log/messages. Any further advice appreciated.
Brunold Rainer Absent Member.

Re: Mcafee LinuxShield deny all users access to files

sengkee,

you run the linuxshield with a lum enabled user.
Have you checked if that user is available by running

# id <linuxshield user>

Can you check which user has uid 1239 ?
Either check the /etc/passwd or use imanager and check the linuxshield user if it has that uid.

Rainer
sengkee Absent Member.

Re: Mcafee LinuxShield deny all users access to files

Thanks, I checked id nails and its uid happens to be 1239.

I went into iManager's LUM to reselect nails and it tells me nails is already linux enabled.

Do I need to linux enable nails another time?
Brunold Rainer Absent Member.

Re: Mcafee LinuxShield deny all users access to files

sengkee,

as it is already lum enabled you do not need to do it a second time.
Can you please verify once again if the messages in /var/log/messages:

Jan 9 15:53:45 pilsys02 kernel: Couldn't get FDN from LUM for uid=1239, rc=2

appear when you try to access a file on a nss volume ?
If you stop linuxshield you can access those volumes ?

What filesystems / directories do you have included in the scanning ?
Do you have the on access scanning activate just when reading or writing ?

Do you have the choice to remove some directories from scanning and check if you can write at that time to them ?

Also, do you have the /_admin in the root of the linux server excluded ?
If not do that.

Another question regarding the nails user. You gave that user supervisor rights on the nss filesystems. Correct ?

Can you check if the nails user really can read files on the nss volumes ?
Therefore log in as root and then change to the nails user with

# su - nails
# cd /media/nss/...

and see if you can copy a file there.
This would show that the user really has the rights there.

Rainer

sengkee Absent Member.

Re: Mcafee LinuxShield deny all users access to files

Rainer appreciate the help so far.

> kernel: Couldn't get FDN from LUM for uid=1239, rc=2

I tried on another server and got the same error as above. Yes, once the on-access is active, every time a file access is attempted on nss volume, the above message is logged.


> If you stop linuxshield you can access those volumes ?

Yes stop Linuxshield completely or just disable on-access mode will let me access the volumes.


>What filesystems / directories do you have included in the scanning ? Do you have the on access scanning activate just when reading or writing ?

I left everything at default, except for the folders you ask me to exclude.


> Do you have the choice to remove some directories from scanning and check if you can write at that time to them ?

Yes, I did further tests and excluded some user dirs and these dirs were not affected - able to access with on-access mode active.


> Also, do you have the /_admin in the root of the linux server excluded ?
> If not do that.

Already excluded, but didn't help with the problem.


> Another question regarding the nails user. You gave that user supervisor rights on the nss filesystems. Correct ?

Correct, given with the rights command as in mcafee manual.


>Can you check if the nails user really can read files on the nss volumes ?
>Therefore log in as root and then change to the nails user with
> # su - nails

I got some kind of error with above command "su: /bin/nologin no such file or directory"
Brunold Rainer Absent Member.

Re: Mcafee LinuxShield deny all users access to files

>Can you check if the nails user really can read files on the nss volumes ?
>Therefore log in as root and then change to the nails user with
> # su - nails

> I got some kind of error with above command "su: /bin/nologin no such file or directory"


Sorry about this, please check the nails user in edir and change the shell that should be configured as /bin/nologin to /bin/bash. After that run "namconfig cache_refresh" on the server, wait a few seconds till that is complete and then run "finger nails". That should show you the new shell. Then "su - nails" and try to change to a nss volume "cd /media/nss/DATA" or so.

Rainer
sengkee Absent Member.

Re: Mcafee LinuxShield deny all users access to files

Hi, I was sidetracked to eval Trendmicro but it too has its problem so now I am back to Mcafee.

I managed to change nails to bash shell with chsh command because for some reason I can't find the linux user profile tab in imanager's modify user screen.

So now, finger nails shows me:
droes:~ # finger nails
Login: nails Name: LinuxShield Administrator
Directory: /home/nails Shell: /bin/bash
Never logged in.
No Mail.
No Plan.
droes:~ #

then I su - nails, and chdir into the nss volumes without problem, but I just cannot do anything in the nss volumes, even 'ls' gives 'Permission denied'.

I can access the other folders on the local hdd. Only /media/nss/volumes cannot access.
Brunold Rainer Absent Member.

Re: Mcafee LinuxShield deny all users access to files

sengkee,

> then I su - nails, and chdir into the nss volumes without problem, but I just cannot do anything in the nss volumes, even 'ls' gives 'Permission denied'.



This would indicate that the user nails does not have the appropriate rights on that nss volume.
Can you verify with imanager that it really has supervisor rights to the nss volume object ?

Also please check the following file on the nss volume using the root user:

# cat /media/nss/DATA/._NETWARE/.trustee_database.xml
...
<trustee path="">
<name>.NAILS.CONTEXT</name>
<rights>SRWCEMFA</rights>
<object_guid>f682cca0-0dd3-01dc-80fd-000c29d00b42</object_guid>
</trustee>

This is how it looks on our oes server. Take care that the user name is case sensitive !
In case the edirectory user is written in upper case you should also use it upper case in the LinuxShield config. The sample above indicates the user NAILS has supervisor rights on the volume (<rights>S...).

Rainer
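
Added example, not part of the original posts: the trustee check described above as a shell script that reads the `.trustee_database.xml` layout from the excerpt and tests, case-sensitively, whether a trustee holds S at the volume root. It assumes one tag per line as in the excerpt; the function names and the sample XML (second trustee and zeroed GUID included) are constructed.

```bash
#!/bin/sh
# Added example; assumes the one-tag-per-line layout of the excerpt above.

# Print "path<TAB>name<TAB>rights" for every <trustee> element read on stdin.
list_trustees() {
    awk '
        function inner(line, tag) {
            sub(".*<" tag ">", "", line); sub("</" tag ">.*", "", line); return line
        }
        /<trustee /   { path = $0; sub(/.*path="/, "", path); sub(/".*/, "", path) }
        /<name>/      { name = inner($0, "name") }
        /<rights>/    { rights = inner($0, "rights") }
        /<\/trustee>/ { printf "%s\t%s\t%s\n", path, name, rights
                        path = name = rights = "" }'
}

# Succeed only if TRUSTEE (exact case) holds the S right at the volume root (path="").
has_root_supervisor() {   # usage: has_root_supervisor TRUSTEE < trustee_database.xml
    list_trustees | awk -F'\t' -v want="$1" '
        $1 == "" && $2 == want && index($3, "S") > 0 { ok = 1 }
        END { exit !ok }'
}

# Print trustee names that equal TRUSTEE only when case is ignored.
case_mismatches() {
    list_trustees | awk -F'\t' -v want="$1" \
        '$2 != want && tolower($2) == tolower(want) { print $2 }'
}

# Constructed sample input (not from a real volume).
sample_xml='<trustee path="">
<name>.NAILS.CONTEXT</name>
<rights>SRWCEMFA</rights>
<object_guid>00000000-0000-0000-0000-000000000000</object_guid>
</trustee>
<trustee path="/users">
<name>.staff.CONTEXT</name>
<rights>RF</rights>
</trustee>'

printf '%s\n' "$sample_xml" | has_root_supervisor .NAILS.CONTEXT && echo "S at volume root"
printf '%s\n' "$sample_xml" | case_mismatches .nails.context   # name differs only by case
```

A name printed by `case_mismatches` means the trustee exists but is spelled with different case than the name being checked.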
CycoTron Absent Member.

Re: Mcafee LinuxShield deny all users access to files

I had this same problem, and I believe I have found a fix.

The user account didn't seem to be set up correctly because of the /bin/nologin shell entry, so I tried deleting the account and let lum re-create it.

Here are the commands I used:
yast2 users delete username=nails
rcnamcd restart
cd /etc/init.d
./nails start


After this I was able to access the files on an NSS volume as normal. I will know for sure tomorrow when all of our users come back.

-Nick Kelnhofer Professional Network Administrator CNA, MCSA, A+, Net+, Security+
sengkee Absent Member.

Re: Mcafee LinuxShield deny all users access to files

Had some problems logging in to forum to update.

Cycotron thanks, your procedure somehow fixes the nails account. Nss vol is now accessible.

Rainer you have been a great help too.
sengkee Absent Member.

Re: Mcafee LinuxShield deny all users access to files

I spoke too soon, it works on the test server but on the production server I'm seeing weird problems with rights.

I can su nails, cd into nss vol and do a dir. But the problem now is I don't see all the dirs and files. It shows only 2 folders. Looks like an OES rights issue, I have even granted nails equiv to admin but still no help. Any further ideas?
Brunold Rainer Absent Member.

Re: Mcafee LinuxShield deny all users access to files

sengkee,

not equivalent to admin, assign it supervisor rights to all nss volumes on this server.
To verify the current rights, run the following command for all nss volumes on your server and see if the nails user has the S for Supervisor set:

# rights -f /media/nss/<NSS VOLUME> show

Also is your nails user written in lowercase or uppercase in edirectory ?
What does the command "id <nails user>" show you ?
Have you verified in /etc/passwd and /etc/group that neither the nails user nor the nailsgroup exist ?

Rainer
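
Added example, not part of the original posts: a shell triage that ties the repeated `Couldn't get FDN from LUM` log lines earlier in the thread to the `/etc/passwd` check asked for above, by counting failures per uid and reporting whether that uid is defined in the local passwd file. The function names, host name, uid 1240 and both sample files are constructed.

```bash
#!/bin/sh
# Added example; function names and all sample data are constructed.

# Read syslog text on stdin; print "uid count" per uid named in an FDN lookup failure.
fdn_failed_uids() {
    sed -n "s/.*kernel: Couldn't get FDN from LUM for uid=\([0-9][0-9]*\), rc=.*/\1/p" |
        sort -n | uniq -c | awk '{ print $2, $1 }'
}

# Look a uid up in a passwd-format file (default /etc/passwd).
#   local:<name>:<shell>  defined in the local file
#   not-local             absent locally, so only LUM/eDirectory can supply it
uid_source() {
    awk -F: -v uid="$1" '
        $3 == uid { printf "local:%s:%s\n", $1, $7; found = 1; exit }
        END { if (!found) print "not-local" }' "${2:-/etc/passwd}"
}

# One line per failing uid: how often it failed and where the account is defined.
triage() {   # usage: triage LOGFILE [PASSWD_FILE]
    fdn_failed_uids < "$1" | while read -r uid count; do
        echo "uid=$uid failures=$count source=$(uid_source "$uid" "$2")"
    done
}

# Constructed sample input (not from a real server).
sample_dir=$(mktemp -d)
cat > "$sample_dir/messages" <<'EOF'
Jan 9 15:53:43 host1 nailsepolog[14153]: Starting ePO logging
Jan 9 15:53:44 host1 kernel: Couldn't get FDN from LUM for uid=1239, rc=2
Jan 9 15:53:45 host1 kernel: Couldn't get FDN from LUM for uid=1239, rc=2
Jan 9 15:53:46 host1 kernel: Couldn't get FDN from LUM for uid=1240, rc=2
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nails:x:1239:100:LinuxShield Administrator:/home/nails:/bin/nologin
EOF

triage "$sample_dir/messages" "$sample_dir/passwd"
```

On a server, `triage /var/log/messages` reads the live log and the real `/etc/passwd`; a `local:` result for the scanner's uid is what the `/etc/passwd` question above is probing for.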