[EMAIL PROTECTED] bin]# gdb /var/ossec/bin/syscheck_control
GNU gdb Fedora (6.8-21.fc9)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...
(gdb) set follow-fork-mode child
(gdb) run -i 001
Starting program: /var/ossec/bin/syscheck_control -i 001
Integrity changes for agent 'harp (001) - 130.68.4.82':
Program received signal SIGSEGV, Segmentation fault.
0x0000003fcce9d461 in __strftime_internal () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc.x86_64
(gdb) bt
#0 0x0000003fcce9d461 in __strftime_internal () from /lib64/libc.so.6
#1 0x0000003fcce9f3d6 in strftime_l () from /lib64/libc.so.6
#2 0x000000000041876f in _do_print_syscheck (fp=0x21096d0, all_files=0,
csv_output=0)
at read-agents.c:439
#3 0x0000000000418984 in print_syscheck (sk_name=0x210da30 "harp",
sk_ip=0x210da10 "130.68.4.82",
fname=0x0, print_registry=0, all_files=0, csv_output=0,
update_counter=0) at read-agents.c:512
#4 0x0000000000404541 in main (argc=3, argv=0x7fff27f92528) at
syscheck_control.c:366
Daniel Cid wrote:
> Hi Jimi,
>
> Can you run syscheck_control under gdb?
>
> # gdb /var/ossec/bin/syscheck_control
> (gdb) set follow-fork-mode child
> (gdb) run -i 001
> (gdb) bt
>
> And give us the output? I never had any issue with it, so I can't
> reproduce from here.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Wed, Oct 1, 2008 at 6:30 PM, Jimi Schwar <[EMAIL PROTECTED]> wrote:
>> Thanks for the links, I had been wondering if there were tools like
>> these. However, has anyone run into any trouble with syscheck_control
>> seg faulting on Fedora 9?
>>
>> Well, let me be a bit more specific (IP addresses removed from info)
>>
>> The following command fails:
>>
>> [EMAIL PROTECTED] bin]# ./syscheck_control -i 001
>>
>> Integrity changes for agent 'harp (001) - ':
>> Segmentation fault
>>
>> and ossec reports
>>
>> Oct 1 17:27:11 menace kernel: syscheck_contro[6818]: segfault at 8 ip
>> 6cc461 sp 7fff0b659380 error 4 in libc-2.8.so[62f000+162000]
>>
>> but the following works just fine
>>
>> [EMAIL PROTECTED] bin]# ./syscheck_control -i 001 -f ossec
>>
>> Integrity changes for agent 'harp (001) - 130.68.4.82':
>> Detailed information for entries matching: 'ossec'
>>
>> 2008 Oct 01 16:34:00,0 - /var/ossec/etc/ossec.conf
>> File added to the database.
>> Integrity checking values:
>> Size: 2428
>> Perm: r--r-----
>> Uid: 0
>> Gid: 504
>> Md5: 9ce39facef5d9dd3a9379f82898ee14d
>> Sha1: 608a28d729ec7409f5ae8879fd49a12b7564dba1
>>
>> 19974 Mar 25 07:32:03,0 - /var/ossec/etc/ossec.conf
>> File changed. - 1st time modified.
>> Integrity checking values:
>> Size: >3129
>> Perm: r--r-----
>> Uid: 0
>> Gid: 504
>> Md5: >e3e41ddc592fe7fa26d4cd6604333e45
>> Sha1: >3793141962eced5e0e783db4605a2615b6b1ce33
>>
>>
>> Bryan Jacobs wrote:
>>> Yes sir... the following did the trick!
>>>
>>> /var/ossec/bin/agent_control -r -u 000
>>>
>>> Thank You!
>>>
>>> On Sun, 2008-09-28 at 23:03 -0200, Rodrigo Montoro(Sp0oKeR) wrote:
>>>> Try
>>>>
>>>> http://www.ossec.net/dcid/?p=130
>>>>
>>>> http://www.ossec.net/dcid/?p=142
>>>>
>>>> Hope it helps!
>>>>
>>>> Regards,
>>>>
>>>> Rodrigo Montoro(Sp0oKeR)
>>>>
>>>> On Sun, Sep 28, 2008 at 7:21 AM, Byran Jacobs <[EMAIL PROTECTED]> wrote:
>>>>
>>>> How do I manually invoke a system check? I have a few laptops that
>>>> OSSEC is installed on and they do not get used all that often but
>>>> when they do I usually run updates on them, do what I need to, and
>>>> shut them down. I would like to manually run a system check after
>>>> the updates have been installed/run so all alerts of changed files
>>>> will be processed at the time the updates are run and not
>>>> weeks/months later when the laptop(s) are turned back on and used.
>>>>
>>>> Thanks In Advance,
>>>>
>>>> BKJ
>>>>
>>>>
>>>>
>>>> ----------------------------------------------------
>>>> Virus Free -- Scanned By MailSecurity
>>>> ----------------------------------------------------
>>>> This email message is for the sole use of the intended
>>>> recipient(s) and may contain confidential and privileged
>>>> information. Any unauthorized review, use, disclosure or
>>>> distribution is prohibited. If you are not the intended
>>>> recipient, please contact the sender by reply email and
>>>> destroy all copies of the original message. Any views
>>>> expressed in this message are those of the author, except
>>>> where the sender specifically states them to be the views of
>>>> BBG, Inc.
>>>>
>>>>
>>>>
>>>> --
>>>> ===========================
>>>> Rodrigo Montoro (Sp0oKeR)
>>>> Security Analyst
>>>> SnortCP / RHCE / LPIC-I / MCSO
>>>> http://www.spooker.com.br
>>>> http://www.snort.org.br
>>>> http://www.linkedin.com/in/spooker
>>>> ===========================
>>>>
>>>
>>>
>>