On Tue, May 20, 2008 at 2:04 PM, Daniel Cid <[EMAIL PROTECTED]> wrote:
>
> Hi Chris,
>
> Thanks for the bug report. Syscheckd also runs rootcheck, which
> executes a bunch of shells for some of the rootkit detections
> (netstat and ps are run, for example, to compare with the output
> of some system calls). Can you disable rootcheck to see if this
> still happens?
>
I disabled rootcheck and started up OSSEC again about 6 hours ago. No
defunct processes. It was 4 hours after it started when I sent the
previous message with over a thousand defunct processes, so it does
indeed seem the problem is caused by rootcheck.

> What I find strange is that this doesn't happen on any other system
> (including OpenBSD and older versions of FreeBSD). We use the
> "system" function, which should handle the forking, returns, etc.
>

This box is a bit different from a stock FreeBSD install because it's
running 11 jails. Hence it has 12 copies of devfs mounted, and some
other differences related to running jails which might be the cause.
OSSEC is running only on the host, not in any of the jails.

I don't have any FreeBSD 7.0 boxes handy that aren't running jails, and
those jails are production servers so I can't stop them and see if it's
still a problem. I know with FreeBSD 6.3 and jails there were no
problems with 1.4, even running inside and outside the jails
simultaneously, but I don't know about 1.5. It could be a FreeBSD 7 bug
that OSSEC is really good at triggering, or an OSSEC 1.5 bug. I'll set
up a test 7.0 server with jails running and see if I can replicate when
I have some time.

Thanks,
Chris
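The defunct-process symptom discussed in this thread, as an added example that is not OSSEC's own code: a small C program (POSIX calls only, so it applies to FreeBSD and Linux alike) showing that system(), which rootcheck uses, waits for the shell it spawns and leaves no zombie, whereas a fork()ed child that is never waited for stays in the process table as "<defunct>" until the parent calls waitpid(). The check uses waitid() with WNOWAIT so it can report a defunct child without reaping it; all function names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Side-effect-free check: returns the pid of one unreaped (defunct) child,
 * 0 if children exist but none has exited, -1 if there are no children. */
pid_t first_defunct_child(void)
{
    siginfo_t info;
    info.si_pid = 0;
    /* WNOWAIT leaves any zombie in place instead of reaping it. */
    if (waitid(P_ALL, 0, &info, WEXITED | WNOHANG | WNOWAIT) == -1)
        return -1;                    /* errno == ECHILD */
    return info.si_pid;
}

/* What rootcheck does: system() forks "/bin/sh -c cmd" and waits for it,
 * so a correctly behaving libc leaves no defunct child behind.
 * Returns the command's exit status, or -1 if it did not exit normally. */
int run_via_system(const char *cmd)
{
    int st = system(cmd);
    if (st == -1 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}

/* The failure mode: fork a child that exits at once and deliberately do
 * not reap it, so it lingers as a zombie. Returns the zombie's pid. */
pid_t spawn_unreaped(void)
{
    siginfo_t info;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(0);
    /* Block until the child has exited, but leave it unreaped. */
    if (waitid(P_PID, (id_t)pid, &info, WEXITED | WNOWAIT) == -1)
        return -1;
    return pid;
}

/* Reaping is what system() does for its own child and what every parent
 * must do after every fork(). Returns 1 on success. */
int reap_child(pid_t pid)
{
    return waitpid(pid, NULL, 0) == pid;
}
```

Running the three steps in order (system(), an unreaped fork(), then waitpid()) shows the defunct entry appear only in the middle step, which is the state a thousand-zombie host is stuck in.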
