Hi,
This is on my Linux Ubuntu 14.04.5 LTS system (yes, it's old and no longer maintained, but it is the system required by one of our providers - shame on these guys!).
Here is the version information:
- Ubuntu 14.04.5 LTS
- F-Secure Linux Security 11.10 build 68
- F-Secure Firewall Daemon 11.10 build 68
- F-Secure Integrity Checker 11.10 build 68
- F-Secure On-Access Scanning Daemon 11.10 build 68
- F-Secure Management Agent 4.75 build 79
I'm using a PSB managed installation. I follow this installation procedure:
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
sudo bash fsls-11.10.68 --auto psb fspsbs=http://psb1-smi-bw.sp.f-secure.com/ keycode=XXXX-XXXX-XXXX-XXXX-XXXX
/opt/f-secure/fsav/sbin/fschooser
# ( “f”<enter> <enter> )
sudo /etc/init.d/fsma restart
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
Note: in the following trace, the system is up to date because a cron job regularly performs a manual update.
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
wget http://download.f-secure.com/latest/fsdbupdate9.run
/opt/f-secure/fssp/bin/dbupdate /tmp/fsdbupdate9.run
/etc/init.d/fsma restart
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
Communication with PSB is working: PSB tells me that the DB is not up to date, I run a manual update, and PSB removes the warning.
fsaua is running:
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
gw01:~$ ps auxf | grep fsaua
fsaua 32086 0.0 0.5 3887372 61172 ? Ss May08 0:18 /opt/f-secure/fsaua/bin/fsaua
fsaua 32245 0.0 0.0 3472 3024 ? Ss May08 0:06 /opt/f-secure/fsaua/bin/fsaua
fsaua 32252 0.0 0.0 3360396 3076 ? Ss May08 0:06 /opt/f-secure/fsaua/bin/fsaua
fsaua 32499 0.0 0.0 3560 3072 ? Ss May08 0:06 /opt/f-secure/fsaua/bin/fsaua
fsaua 12463 0.0 0.0 3644 3056 ? Ss 11:26 0:03 /opt/f-secure/fsaua/bin/fsaua
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
Using tcpdump, I validate periodic communication between fsaua and the F-Secure servers (I don't attach the capture because our licence key is contained in the exchanged base64 data). Here is an extract of the communication:
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
10:18:02.955783 IP 172.16.254.2.51500 > 13.249.8.8.80: Flags [P.], seq 1:891, ack 1, win 229, options [nop,nop,TS val 3530629646 ecr 494125792], length 890: HTTP: POST /8/MRQ HTTP/1.1
10:18:02.957486 IP 13.249.8.8.80 > 172.16.254.2.51500: Flags [.], ack 891, win 121, options [nop,nop,TS val 494125792 ecr 3530629646], length 0
10:18:02.978374 IP 13.249.8.8.80 > 172.16.254.2.51500: Flags [P.], seq 1:1813, ack 891, win 121, options [nop,nop,TS val 494125794 ecr 3530629646], length 1812: HTTP: HTTP/1.1 200 OK
10:18:02.978435 IP 172.16.254.2.51500 > 13.249.8.8.80: Flags [.], ack 1813, win 257, options [nop,nop,TS val 3530629651 ecr 494125794], length 0
10:18:02.979491 IP 172.16.254.2.51500 > 13.249.8.8.80: Flags [P.], seq 891:2502, ack 1813, win 257, options [nop,nop,TS val 3530629652 ecr 494125794], length 1611: HTTP: POST /8/MRQ HTTP/1.1
10:18:02.981243 IP 13.249.8.8.80 > 172.16.254.2.51500: Flags [.], ack 2502, win 133, options [nop,nop,TS val 494125794 ecr 3530629652], length 0
10:18:03.002392 IP 13.249.8.8.80 > 172.16.254.2.51500: Flags [P.], seq 1813:3615, ack 2502, win 133, options [nop,nop,TS val 494125796 ecr 3530629652], length 1802: HTTP: HTTP/1.1 200 OK
10:18:03.002436 IP 172.16.254.2.51500 > 13.249.8.8.80: Flags [.], ack 3615, win 285, options [nop,nop,TS val 3530629657 ecr 494125796], length 0
10:18:03.003547 IP 172.16.254.2.51500 > 13.249.8.8.80: Flags [P.], seq 2502:4113, ack 3615, win 285, options [nop,nop,TS val 3530629658 ecr 494125796], length 1611: HTTP: POST /8/MRQ HTTP/1.1
10:18:03.005309 IP 13.249.8.8.80 > 172.16.254.2.51500: Flags [.], ack 4113, win 146, options [nop,nop,TS val 494125796 ecr 3530629658], length 0
10:18:03.027454 IP 13.249.8.8.80 > 172.16.254.2.51500: Flags [P.], seq 3615:4712, ack 4113, win 146, options [nop,nop,TS val 494125799 ecr 3530629658], length 1097: HTTP: HTTP/1.1 200 OK
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
The fsaua logs contain ONLY lines with content similar to the following.
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
Mon May 11 07:55:11 2020(2): Connecting to http://psb1-smi-bw.sp.f-secure.com/ (no BW proxy, no HTTP proxy)...
Mon May 11 07:55:11 2020(2): Update check completed successfully. No updates are available.
8< -x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-
My logs run from Apr 12 2020 to May 13 2020. I removed the "no update" indications. The remaining log lines don't contain any update confirmation.
No update in 30 days: this is not possible. During these 30 days, I count 1265 update attempts, always with the result "No updates are available."
I attach at the end of this post:
- "fsauatool -g" report
- full listing of /var/opt/f-secure/fsaua directory
Does anyone have any idea?
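
The log filtering described in the post, as an added example that is not part of the original post and is not F-Secure code: it counts update checks and "No updates are available" results in an fsaua log and flags a log that holds nothing else. The function names are hypothetical, the sample log is constructed from the two lines quoted above, and the log file path is left to the caller.

```shell
#!/bin/sh
# Added example (not F-Secure code). Function names are hypothetical.
# Log format assumed from the two lines quoted in the post:
#   "Mon May 11 07:55:11 2020(2): <message>"

# Constructed sample: two update checks, both answered "no updates".
sample_stale_log() {
    cat <<'EOF'
Mon May 11 07:55:11 2020(2): Connecting to http://psb1-smi-bw.sp.f-secure.com/ (no BW proxy, no HTTP proxy)...
Mon May 11 07:55:11 2020(2): Update check completed successfully. No updates are available.
Mon May 11 08:55:12 2020(2): Connecting to http://psb1-smi-bw.sp.f-secure.com/ (no BW proxy, no HTTP proxy)...
Mon May 11 08:55:12 2020(2): Update check completed successfully. No updates are available.
EOF
}

# Print: checks=<n> no_update=<n> other=<n> first="<ts>" last="<ts>"
fsaua_log_summary() {
    awk '
        NF == 0 { next }                       # ignore blank lines
        match($0, /\([0-9]+\): /) {            # timestamp precedes "(<n>): "
            ts = substr($0, 1, RSTART - 1)
            if (first == "") first = ts
            last = ts
        }
        /\): Connecting to /            { checks++;    next }
        /No updates are available\.$/   { no_update++; next }
        { other++ }                            # any other message
        END {
            printf "checks=%d no_update=%d other=%d first=\"%s\" last=\"%s\"\n",
                   checks, no_update, other, first, last
        }
    ' "$@"
}

# Print every line that is neither a connection attempt nor a "no updates" result.
fsaua_other_lines() {
    awk 'NF && !/\): Connecting to / && !/No updates are available\.$/' "$@"
}

# Exit 0 (suspicious) when at least $2 checks (default 1) all ended in
# "No updates are available" and the log holds no other line; else exit 1.
fsaua_is_stale() {
    summary=$(fsaua_log_summary "$1")
    no_update=${summary#*no_update=}; no_update=${no_update%% *}
    other=${summary#*other=};         other=${other%% *}
    [ "$no_update" -ge "${2:-1}" ] && [ "$other" -eq 0 ]
}
```

Sourced from a monitoring job, `fsaua_is_stale <logfile> <min-checks>` gives an exit status to alert on, and `fsaua_other_lines` shows whatever the agent logged besides the two routine messages.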