Hi Chris,

Thanks for the bug report. Syscheckd also runs rootcheck, which executes
a bunch of shells for some of the rootkit detections (netstat and ps are
run, for example, to compare with the output of some system calls). Can
you disable rootcheck to see if this still happens?

What I find strange is that this doesn't happen on any other system
(including OpenBSD and older versions of FreeBSD). We use the "system"
function, which should handle the forking, returns, etc.


*To disable, just set "disabled" to yes on ossec.conf:
http://www.ossec.net/main/manual/#rootcheck_options


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


On Tue, May 20, 2008 at 2:40 AM, Chris Buechler <[EMAIL PROTECTED]> wrote:
>
> I've been running OSSEC 1.5 on this FreeBSD 7.0 server for about 3
> weeks, and in the past week the server has hit its maxproc limit
> (6164) three times. Got a chance to investigate, and the cause is
> ossec-syscheckd spawning thousands of defunct processes.
>
> In about 4 hours after a reboot:
>
> # ps aux | grep defunct | head -5
> root  25973  0.0  0.0     0     0  ??  Z     7:59PM   0:00.01 <defunct>
> root  25975  0.0  0.0     0     0  ??  Z     7:59PM   0:00.01 <defunct>
> root  25977  0.0  0.0     0     0  ??  Z     7:59PM   0:00.01 <defunct>
> root  25979  0.0  0.0     0     0  ??  Z     7:59PM   0:00.01 <defunct>
> root  25981  0.0  0.0     0     0  ??  Z     7:59PM   0:00.01 <defunct>
> # ps ax|grep defunct|wc -l
>    1280
> # ps ax|wc -l
>    1493
>
> 1492 - 1280 = about what the server normally runs, and about what it
> was running when it first booted up.
>
> Finding it was ossec-syscheckd:
>
> # ps ax|grep 28528
> 28528  ??  Z      0:00.01 <defunct>
> # ps axo ppid -p 28528 | grep -v PPID
>  826
> # ps ax|grep 826
>  826  ??  I      0:19.67 /var/ossec/bin/ossec-syscheckd
>
> Stopping OSSEC made all the defunct processes disappear.
>
> # /var/ossec/bin/ossec-control stop
> Killing ossec-logcollector ..
> Killing ossec-syscheckd ..
> Killing ossec-agentd ..
> Killing ossec-execd ..
> OSSEC HIDS v1.5 Stopped
> # ps ax|wc -l
>     197
> # ps ax|grep defunct
> 26877  p1  R+     0:00.00 grep defunct
> #
>
>
> Anything I can provide to help troubleshoot this?
>
> Thanks,
> Chris
>
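The failure mode discussed in this thread, a parent that forks helper commands and never collects their exit status so they linger in state Z, as an added example that is not part of the original mail thread or of OSSEC's own code. It shows what system(3) has to do to avoid leaving a zombie (fork, exec via /bin/sh -c, then waitpid on the child) next to a fork that is deliberately never waited for, and a reaping loop of the kind a daemon's SIGCHLD handler should run. It assumes a POSIX system with fork(2), waitpid(2) and /bin/sh; all function names are hypothetical and it does not claim to reproduce the cause of the report above.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run a shell command the way system(3) does: fork, exec "/bin/sh -c cmd",
 * and waitpid() for that child so its process-table entry is released.
 * Returns the child's exit status, or -1 on failure. The child's pid is
 * stored in *child_out (hypothetical extra parameter, used by the checks
 * below) so the caller can confirm it is gone afterwards. */
static int run_and_reap(const char *cmd, pid_t *child_out)
{
    sigset_t block, saved;
    int status = 0;
    pid_t pid, r = -1;

    /* Like system(3): hold SIGCHLD off while we wait, so a SIGCHLD handler
     * elsewhere in the program cannot collect this child before we do. */
    sigemptyset(&block);
    sigaddset(&block, SIGCHLD);
    sigprocmask(SIG_BLOCK, &block, &saved);

    pid = fork();
    if (pid == 0) {
        sigprocmask(SIG_SETMASK, &saved, NULL);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    if (pid > 0) {
        if (child_out)
            *child_out = pid;
        do {
            r = waitpid(pid, &status, 0);
        } while (r == -1 && errno == EINTR);
    }
    sigprocmask(SIG_SETMASK, &saved, NULL);

    if (pid < 0 || r != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The bug pattern: fork a child that exits immediately and never wait for
 * it. The child keeps a process-table slot (ps shows it as Z / <defunct>)
 * until some ancestor calls wait. SIGCHLD is reset to its default here
 * because a parent that ignores SIGCHLD gets its children auto-reaped. */
static pid_t spawn_without_reaping(void)
{
    pid_t pid;

    signal(SIGCHLD, SIG_DFL);
    pid = fork();
    if (pid == 0)
        _exit(0);
    return pid;                         /* parent: no waitpid() on purpose */
}

/* A zombie still occupies a process-table entry, so kill(pid, 0) succeeds
 * (or fails with EPERM). Once the entry is reaped it fails with ESRCH.
 * Returns 1 if the pid is still in the process table, 0 otherwise. */
static int is_in_process_table(pid_t pid)
{
    if (kill(pid, 0) == 0)
        return 1;
    return errno == EPERM ? 1 : 0;
}

/* Collect every child, blocking until none are left (ECHILD). This is the
 * deterministic cleanup a daemon should run before it loses track of its
 * helpers. Returns the number of children reaped. */
static int reap_all_children(void)
{
    int n = 0;

    for (;;) {
        pid_t p = waitpid(-1, NULL, 0);
        if (p > 0) { n++; continue; }
        if (p == -1 && errno == EINTR) continue;
        break;                          /* ECHILD: nothing left to reap */
    }
    return n;
}

/* Non-blocking variant for a SIGCHLD handler: reap whatever has already
 * exited and return at once. Looping matters because one SIGCHLD can
 * stand for several exited children. */
static int reap_exited_children(void)
{
    int n = 0;

    while (waitpid(-1, NULL, WNOHANG) > 0)
        n++;
    return n;
}

int main(void)
{
    pid_t zombie, child = 0;
    int status;

    zombie = spawn_without_reaping();
    printf("forked %ld without waiting: in process table = %d\n",
           (long)zombie, is_in_process_table(zombie));

    printf("reaped %d child(ren); %ld in process table = %d\n",
           reap_all_children(), (long)zombie, is_in_process_table(zombie));

    status = run_and_reap("exit 3", &child);
    printf("run_and_reap(\"exit 3\") -> status %d; %ld in process table = %d\n",
           status, (long)child, is_in_process_table(child));
    (void)reap_exited_children();
    return 0;
}
```

The check a practitioner would run on a host like the one above is the same as Chris's: `ps axo pid,ppid,stat,command | awk '$3 ~ /Z/'` lists the zombies with the parent that owes the wait; if that parent calls system(3) with SIGCHLD at its default and still accumulates them, something else in the process (a handler, a second thread, or an ignored SIGCHLD disposition) is interfering with the wait.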
