I have multiple servers, and (according to cPanel) cPanel cannot cope with auto restarts of RPM-based software. (The most common culprit is messagebus.)
I would love it if, when lfd first sees that the dbus process has been deleted, it could attempt an automatic restart of it, instead of emailing me about it every hour.
Sure this is only relevant for certain services, which is where I think a customisable script would be good. This could be called each time lfd sees a deleted process, and would then allow admins of individual systems to decide which services they want to auto restart, along with the server specific syntax for doing so.
Other common updates which cause lfd to spam are
Deleted process tracking is a great idea, and not something I am keen to turn off, but we do need some kind of way to limit the amount of spam it sends, so that a real threat doesn't get lost amongst all the junk.
Hi,
So every time this happens, LFD sees the files as having changed and flags up the pt_deleted warning for everything in the folder.
When I tested with upcp on a VPS that needed to be updated, dovecotup was run and the timestamp on /usr/libexec/dovecot/ was likely checked for permissions/ownerships and either set or force set anyway. If there is something in place that is going to check md5sum and timestamps then it would be best to have a whitelist in place. This isn't something we are going to put in place because LFD checks for these things. There are a number of checks that are already in our product which may force a permission or ownership change and subsequently change the timestamp.
Here is an example
touch -t 201101110101 /usr/libexec/dovecot/
chmod 750 /usr/libexec/dovecot/
then stat or ls -ald /usr/libexec/dovecot/
you will see the date and time set to January 11 and permissions set to 750
and stat or ls -d /usr/libexec/dovecot/ again. You will see the permissions set correctly and the timestamp current. This is intended behavior in our product.
As to the following update, neither the MD5SUM check (LF_INTEGRITY) nor the running process check (PT_DELETED) is affected at all by changing a binary's permissions or date. Only changing the contents of the binary affects these. This happens if the binary is either replaced with a new binary, or modified, e.g. by prelink.
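
The distinction drawn in the last reply, as an added example that is not part of the thread and is not lfd's code: a metadata-only change (touch, chmod) leaves both the MD5 sum and the running process's executable link intact, while replacing the file marks the running process's executable as deleted. It assumes a Linux /proc filesystem and uses the kernel's "(deleted)" suffix on /proc/PID/exe as the deleted-executable condition; the function names and temp paths are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not lfd code. Linux only: relies on /proc/PID/exe.
# Everything runs in a private temp directory (constructed test data).

# Report whether the kernel marks a process's executable as unlinked.
exe_state() {
    case "$(readlink "/proc/$1/exe")" in
        *" (deleted)") echo deleted ;;
        *)             echo present ;;
    esac
}

# Prints: <state after touch+chmod> <md5 same|changed> <state after replace>
demo() {
    local dir bin pid before after s1 s2 hash i
    dir=$(mktemp -d) || return 1
    bin="$dir/sleep"
    cp "$(command -v sleep)" "$bin"
    "$bin" 30 >/dev/null 2>&1 &
    pid=$!
    # Wait until the child has actually exec'd the copied binary.
    for i in 1 2 3 4 5 6 7 8 9 10; do
        case "$(readlink "/proc/$pid/exe")" in */sleep) break ;; esac
        sleep 0.1
    done

    # Metadata-only changes, as in the commands quoted in the thread.
    before=$(md5sum < "$bin")
    touch -t 201101110101 "$bin"
    chmod 750 "$bin"
    after=$(md5sum < "$bin")
    s1=$(exe_state "$pid")
    if [ "$before" = "$after" ]; then hash=same; else hash=changed; fi

    # Replacement the way a package update does it: write a new file,
    # then rename it over the old path (the running copy loses its name).
    cp "$(command -v sleep)" "$bin.new"
    mv "$bin.new" "$bin"
    s2=$(exe_state "$pid")

    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -rf "$dir"
    echo "$s1 $hash $s2"
}

demo   # prints: present same deleted
```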