Failed to set capabilities on file `/opt/bro/bin/bro' (Read-only file system)


haris...@gmail.com

Jun 20, 2017, 11:17:53 AM
to security-onion
Hello team,

We see the following errors and the bro & ossec services are not coming UP. Could you please help us in the same regard. Thanks in advance.

service nsm status
/usr/lib/nsmnow/lib-nsm-sensor-utils: line 167: /tmp/awk.conf: Read-only file system
awk: fatal: can't open source file `/tmp/awk.conf' for reading (No such file or directory)
Status: HIDS
* ossec_agent (sguil) [ FAIL ]
Status: Bro
Failed to set capabilities on file `/opt/bro/bin/bro' (Read-only file system)

Failed to set capabilities on file `/opt/bro/bin/capstats' (Read-only file system)

Regards,
Harish

SO Bro error.jpg

Wes

Jun 20, 2017, 11:23:48 AM
to security-onion

Harish,

What is the output of the following:

df -h

Also, please provide the output of sostat-redacted, attaching it as a plain text file or using a service like Pastebin.com.

Thanks,
Wes

haris...@gmail.com

Jun 21, 2017, 3:03:31 AM
to security-onion

Hello Wes,

Here is the output of df -h:

xxxx@XXXXXX1:~$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda7 46G 12G 33G 26% /
udev 7.9G 4.0K 7.9G 1% /dev
tmpfs 1.6G 780K 1.6G 1% /run
none 5.0M 0 5.0M 0% /run/lock
none 7.9G 0 7.9G 0% /run/shm
/dev/sdb8 1.8T 1.5T 158G 91% /nsm
/dev/sda5 9.1G 21M 8.6G 1% /bootalt
/dev/sda1 9.1G 663M 8.0G 8% /boot

sostat-redacted: the command got stuck at this point:

xxxxx@xxxxx:~$ sudo sostat-redacted
mktemp: failed to create file via template `/tmp/tmp.XXXXXXXXXX': Read-only file system
/usr/bin/sostat: line 91: $TMP: ambiguous redirect


Regards,
Harish

Wes Lambert

Jun 21, 2017, 7:34:24 AM
to securit...@googlegroups.com
Harish,

What is the output of the following?

lsb_release -a 

Could there be some issue with the permissions or existence of your /tmp folder?

Thanks,
Wes




--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Marco

Jun 21, 2017, 7:39:39 AM
to security-onion
Can you also post the output of 'mount'?

haris...@gmail.com

Jun 21, 2017, 8:21:38 AM
to security-onion
On Wednesday, June 21, 2017 at 5:09:39 PM UTC+5:30, Marco wrote:
> Can you also post the output of 'mount'?

Hello Marco,

Here is the output of 'mount':

XXXX@XXXXXXX:~$ mount
/dev/sda7 on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
udev on /dev type devtmpfs (rw,mode=0755)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
/dev/sdb8 on /nsm type ext4 (rw)
/dev/sda5 on /bootalt type ext4 (rw)
/dev/sda1 on /boot type ext4 (rw)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev)

mount: warning: /etc/mtab is not writable (e.g. read-only filesystem).
It's possible that information reported by mount(8) is not
up to date. For actual information about system mount points
check the /proc/mounts file.

Matt

Jun 21, 2017, 8:25:03 AM
to security-onion

I have been having read only issues for a while now on multiple systems. It seems like the disk gets corrupted and I have to boot to recovery and run fsck to fix it.

Marco

Jun 21, 2017, 8:47:25 AM
to security-onion
Your root partition is set to remount in read-only mode on errors (I believe that's the standard).

You could check your /var/log/messages or dmesg for any disk failure entries or try to remount the partition as read-write with 'mount -o remount,rw /'

Marco

Jun 21, 2017, 8:53:11 AM
to security-onion
You can also check all your mounted disks/volumes and their respective modes with this little shell script:

cat /proc/mounts | sort | awk '{print $1 "\011" toupper(substr($4,1,2))}'
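The same check, as an added shell example written for this thread rather than taken from Marco's post or the Security Onion project: it parses /proc/mounts-format lines, takes the mode from the first mount option (so it does not depend on how a given awk handles a substr start position of 0), reports only the block-device mounts that are read-only (the symptom on this box), and, against a live system, greps dmesg for the ext4 messages that usually precede an errors=remount-ro remount. The sample mount table is constructed, and the function names and grep patterns are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find read-only block-device mounts.

# Constructed sample in /proc/mounts format, mirroring the box in this thread:
# the root filesystem has been remounted read-only, everything else is rw.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx / ext4 ro,relatime,errors=remount-ro,data=ordered 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=10% 0 0
/dev/sdb8 /nsm ext4 rw,relatime,data=ordered 0 0
/dev/sda1 /boot ext4 rw,relatime,data=ordered 0 0'

# mount_modes: read /proc/mounts-format lines on stdin and print
# "device<TAB>mountpoint<TAB>RO|RW". The kernel always lists ro/rw as the
# first option, so the mode is derived from that field rather than from a
# fixed-width substring.
mount_modes() {
    awk '{
        mode = ($4 ~ /^ro(,|$)/) ? "RO" : "RW"
        print $1 "\t" $2 "\t" mode
    }'
}

# ro_block_devices: keep only block-device (/dev/...) mounts that are RO;
# pseudo-filesystems such as proc or sysfs are not interesting here.
ro_block_devices() {
    mount_modes | awk -F'\t' '$1 ~ /^\/dev\// && $3 == "RO" { print $1 "\t" $2 }'
}

# count_ro_block_devices: number of RO block-device mounts, for use in alerts.
count_ro_block_devices() {
    ro_block_devices | wc -l | tr -d ' '
}

# check_live_system: run the check against the real kernel mount table and
# look in the kernel ring buffer for the ext4/I/O errors that trigger an
# errors=remount-ro remount (patterns are assumed, adjust for your kernel).
check_live_system() {
    echo "== read-only block-device mounts (from /proc/mounts) =="
    ro_block_devices < /proc/mounts
    echo "== kernel messages mentioning filesystem errors =="
    dmesg 2>/dev/null | grep -iE 'EXT4-fs error|I/O error|Remounting filesystem read-only' \
        || echo "(none)"
}

# Usage on the constructed sample; prints the RO root device and its mount point.
echo "$SAMPLE_MOUNTS" | ro_block_devices
```

On a healthy sensor `count_ro_block_devices < /proc/mounts` returns 0; a non-zero count on a production box, together with ext4 error lines in dmesg, is the cue to look at the disk and the firmware before trying to remount.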

satyav...@gmail.com

Jun 28, 2017, 6:06:45 AM
to security-onion
Here is the output we are getting; is there anything we can do about this?

xxxx@xxxxxxx:/var/log$ cat /proc/mounts|sort|awk '{print $1 "\011" toupper(substr($4,0,2))}'
binfmt_misc RW
/dev/disk/by-uuid/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx RO
devpts RW
/dev/sda1 RW
/dev/sda5 RW
/dev/sdb8 RW
none RW
none RW
none RW
none RW
none RW
proc RW
rootfs RW
sysfs RW
tmpfs RW
udev RW

xxxx@xxxxxx:/var/log$ sudo mount -o remount,rw /
mount: cannot remount block device /dev/sda7 read-write, is write-protected

Doug Burks

Jun 28, 2017, 6:14:01 AM
to securit...@googlegroups.com
Hi satyavegulla9,

To avoid confusion, please start a new thread to discuss your issue separately.
--
Doug Burks

Doug Burks

Jun 28, 2017, 6:18:25 AM
to securit...@googlegroups.com
Looking back at the thread, this does appear to be the same box, I just didn't recognize the name, so we can continue the discussion here.

Have you run a full diagnostic test on your hardware?

Have you updated all firmware?

You may also want to see if you're affected by this:
https://lists.debian.org/debian-devel/2017/06/msg00308.html
--
Doug Burks

Satya Vegulla

Jul 18, 2017, 4:15:23 AM
to security-onion

Hi Doug,

Couldn't find a source for where exactly to run the full hardware diagnostics on the device.
Ran fsck by interrupting the boot loader, to check whether it fixes the ro mount issue, but couldn't see any success from it.

Apologies for the delay in response; as the server is in a remote location, it takes some time to coordinate with onsite.

Regards,
Satya.

Wes

Jul 19, 2017, 7:14:25 AM
to security-onion

Satya,

Hardware diagnostics would be something specific to the vendor by which your hardware was manufactured.

Is there any useful output in dmesg?

What was the output from fsck?

Thanks,
Wes

Satya Vegulla

Jul 19, 2017, 10:03:11 AM
to security-onion

Hi Wes,

PFA dmesg log.
Couldn't see any difference after running fsck, and when I asked my onsite coordinator, I was informed there wasn't any error.

Regards,
Satya.

dmsg log.txt

Wes Lambert

Jul 19, 2017, 10:42:00 PM
to securit...@googlegroups.com
Have you tried using a different disk?

Thanks,
Wes


Satya Vegulla

Aug 31, 2017, 6:19:09 AM
to security-onion

Hi Wes,

This looks to be an issue with hard disk, even when tried to reimage the sensor, it was throwing errors.

Thanks,
Satya.