cron.daily/asl failing with "/usr/bin/find: invalid argument `+' to `-ctime'"

[Bitpalast]

Last night's maintenance caused this response on several, not all hosts:

/etc/cron.daily/asl:

/usr/bin/find: invalid argument `+' to `-ctime'
/usr/bin/find: invalid argument `+' to `-ctime'
/usr/bin/find: invalid argument `+' to `-ctime'
/usr/bin/find: invalid argument `+' to `-ctime'

What is this about?

 

[IgorG]

Hmm...
asl == Atomic Secure Linux
Have you tried to ask Atomic about this issue?

 

[Bitpalast]

No, I did not know what it is. If it is Atomic, it is about ModSecurity. And if it is ModSecurity it means that it is one of the frequent ModSecurity maintenance errors. I'll wait a few days, normally the ModSecurity issues disappear automatically.

 

[Branko]

I am also having this issue. Waiting also, and following this thread.
Please, if you find solution write it here. I will too.

 

[jamie!]

Same issue -- across all instances

 

[MarkM]

Welp, not much help but I can confirm I had the same issue. I already wiped the box though as it was a dev environment.

 

[judith]

I got the same on Centos Linux 7.4. is it an issue with file creation time?

 

[Oxilion B.V.]

This is an issue with the latest update of the AUM RPM package from the upstream provider (Atomic)

There's a new parameter "PURGE_LOGS" that's been added to the configuration file "/etc/asl/config". The cronjob "/etc/cron.daily/asl" uses this new parameter and expects it to be set to either the new default "no", or a number.

However, since the package is already installed, the "yum" package manager does not update the existing config file, since that would override any customisations by the sysadmin. Instead, the RPM default behaviour is to save the new config file as "/etc/asl/config.rpmnew".

Thus, the updated cronjob has no value for "$PURGE_LOGS", and therefore the "find" command has a missing parameter to the "ctime" option, resulting in this error.

I can see only one solution, and that is that the upstream provider adds some logic to the RPM package's post-install-scripts to add the newly added options to the existing config-file, without overwriting the entire file.

The alternative would be to manually edit the existing config-file and add the missing PURGE_LOGS="no" line...

Or, to use a one-liner (be careful, and NEVER just blindly paste one-liners from the internet, always make sure it does what you expect and want):

# grep -q PURGE_LOGS /etc/asl/config || sed -i '/general configuration/a PURGE_LOGS="no"' /etc/asl/config; /var/asl/bin/aum -uf

This adds the line to the file, but only if it does not contain the parameter already, making it idempotent

edited: added "/var/asl/bin/aum -uf" after the 'sed' to activate the changes, as is mentioned in the config-file

 

[trumbaut]

Same story here. Error occurs in the following part of /etc/cron.daily/asl due to the missing $PURGE_LOGS variable in /etc/asl/config (which was updated last night):

  # Purge Logs
  if [[ "$PURGE_LOGS" != "no" ]]; then
        DAYS=$PURGE_LOGS
        # Alerts
        /usr/bin/find /var/ossec/logs/alerts/ -name \*gz -type f -ctime +$DAYS -exec /bin/rm -f {} \;
        /usr/bin/find /var/ossec/logs/alerts/ -name \*sum -type f -ctime +$DAYS -exec /bin/rm -f {} \;

        # Archives
        /usr/bin/find /var/ossec/logs/archives/ -name \*gz -type f -ctime +$DAYS -exec /bin/rm -f {} \;
        /usr/bin/find /var/ossec/logs/archives/ -name \*sum -type f -ctime +$DAYS -exec /bin/rm -f {} \;
  fi

Since $PURGE_LOGS is empty, the script is running find with an empty ctime ("... -ctime + -exec ...").

As a workaround, just add the following line to /etc/asl/config:

PURGE_LOGS="no"

@IgorG : since /etc/asl/config is maintained by Plesk, this looks like a bug?

 

[pleskpanel]

Same issue here on Cent OS Linux 7.4 installs!

 

[Trung Ma]

I got the same issue on all plesks

 

[IgorG]

@IgorG : since /etc/asl/config is maintained by Plesk, this looks like a bug?

Sorry, but

# rpm -qf /etc/cron.daily/asl
aum-5.0-3707.el7.art.x86_64

# rpm -qf /etc/asl/config
aum-5.0-3707.el7.art.x86_64

# rpm -qi aum | grep Vendor
Vendor : Atomic Corporate Industries

So, please, contact Atomic regarding this issue.
From our side, we will report this issue to Atomic too.

 

[Brujo]

Sorry IgorG i know you are right and I apreciate that Plesk Team push Atomic - but just take into consider that some Users will see this different as you, because it is not clear inough that the ruleset is "NOT FROM PLESK" and therefore not maintained from Plesk Team .

 

[Bitpalast]

I just realize that ModSecurity is a field I don't know enough about yet.

# grep -q PURGE_LOGS /etc/asl/config || sed -i '/general configuration/a PURGE_LOGS="no"' /etc/asl/config

One question on this:

# IF MODIFICATIONS ARE MADE TO THIS FILE DIRECTLY, THE FOLLOWING MUST BE RUN
# TO COMMIT THE CHANGES:
#
# For ful ASL installations:
#   /var/asl/bin/asl -s -f
#
# For rules only installations:
#   /var/asl/bin/aum -uf

What the heck is the difference between the two commands? What is the correct one for a Plesk environment? Both are installed.

 

[dgtluc30]

i have a same problem on 10 servers with plesk ... we need a solution quickly please !

 

[MarkM]

What the heck is the difference between the two commands? What is the correct one for a Plesk environment? Both are installed.

-uf would be the forced update of rules and signatures only and is used when you haven't purchased a full ASL license (as in licensing the ASL kernel and what not)

 

[jamie!]

-uf would be the forced update of rules and signatures only and is used when you haven't purchased a full ASL license (as in licensing the ASL kernel and what not)

In my case, it appears this is only happening with instances with the full license.

 

[MarkM]

Negative, I have it on a 17.5 box running the free rules.

 

[trumbaut]

Since the /etc/asl/config file is reset every night (by the /etc/cron.hourly/asl cron), the workarounds above doesn't work. While waiting for a permanent fix, you can add

if [ -z "$PURGE_LOGS" ]; then
        PURGE_LOGS="no"
fi

before the Purge Log section (line 78) in /etc/cron.daily/asl.

 

[mr-wolf]

Shorter and IMHO better...
If $PURGE_LOGS is undefined it will initialize with "no"

[ ${PURGE_LOGS} ] || PURGE_LOGS="no"