Daniel, I just created a new VM with Fedora 9 running the i386 version instead of the x86_64 version. syscheck_control works brilliantly on the i386 version. So I guess it's not Fedora, it's just the 64-bit version of the OS.

Jimi

Jimi Schwar wrote:
> [EMAIL PROTECTED] bin]# gdb /var/ossec/bin/syscheck_control
> GNU gdb Fedora (6.8-21.fc9)
> Copyright (C) 2008 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-redhat-linux-gnu"...
> (gdb) set follow-fork-mode child
> (gdb) run -i 001
> Starting program: /var/ossec/bin/syscheck_control -i 001
>
> Integrity changes for agent 'harp (001) - 130.68.4.82':
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0000003fcce9d461 in __strftime_internal () from /lib64/libc.so.6
> Missing separate debuginfos, use: debuginfo-install glibc.x86_64
> (gdb) bt
> #0  0x0000003fcce9d461 in __strftime_internal () from /lib64/libc.so.6
> #1  0x0000003fcce9f3d6 in strftime_l () from /lib64/libc.so.6
> #2  0x000000000041876f in _do_print_syscheck (fp=0x21096d0, all_files=0, csv_output=0)
>     at read-agents.c:439
> #3  0x0000000000418984 in print_syscheck (sk_name=0x210da30 "harp", sk_ip=0x210da10 "130.68.4.82",
>     fname=0x0, print_registry=0, all_files=0, csv_output=0, update_counter=0) at read-agents.c:512
> #4  0x0000000000404541 in main (argc=3, argv=0x7fff27f92528) at syscheck_control.c:366
>
> Daniel Cid wrote:
>> Hi Jimi,
>>
>> Can you run syscheck_control under gdb?
>>
>> # gdb /var/ossec/bin/syscheck_control
>> (gdb) set follow-fork-mode child
>> (gdb) run -i 001
>> (gdb) bt
>>
>> And give us the output? I never had any issue with it, so I can't
>> reproduce from here.
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Wed, Oct 1, 2008 at 6:30 PM, Jimi Schwar <[EMAIL PROTECTED]> wrote:
>>> Thanks for the links, I had been wondering if there were tools like
>>> these. However, has anyone run into any trouble with syscheck_control
>>> segfaulting on Fedora 9?
>>>
>>> Well, let me be a bit more specific (IP addresses removed from info).
>>>
>>> The following command fails:
>>>
>>> [EMAIL PROTECTED] bin]# ./syscheck_control -i 001
>>>
>>> Integrity changes for agent 'harp (001) - ':
>>> Segmentation fault
>>>
>>> and ossec reports
>>>
>>> Oct 1 17:27:11 menace kernel: syscheck_contro[6818]: segfault at 8 ip 6cc461 sp 7fff0b659380 error 4 in libc-2.8.so[62f000+162000]
>>>
>>> but the following works just fine
>>>
>>> [EMAIL PROTECTED] bin]# ./syscheck_control -i 001 -f ossec
>>>
>>> Integrity changes for agent 'harp (001) - 130.68.4.82':
>>> Detailed information for entries matching: 'ossec'
>>>
>>> 2008 Oct 01 16:34:00,0 - /var/ossec/etc/ossec.conf
>>> File added to the database.
>>> Integrity checking values:
>>>    Size: 2428
>>>    Perm: r--r-----
>>>    Uid: 0
>>>    Gid: 504
>>>    Md5: 9ce39facef5d9dd3a9379f82898ee14d
>>>    Sha1: 608a28d729ec7409f5ae8879fd49a12b7564dba1
>>>
>>> 19974 Mar 25 07:32:03,0 - /var/ossec/etc/ossec.conf
>>> File changed. - 1st time modified.
>>> Integrity checking values:
>>>    Size: >3129
>>>    Perm: r--r-----
>>>    Uid: 0
>>>    Gid: 504
>>>    Md5: >e3e41ddc592fe7fa26d4cd6604333e45
>>>    Sha1: >3793141962eced5e0e783db4605a2615b6b1ce33
>>>
>>>
>>> Bryan Jacobs wrote:
>>>> Yes sir... the following did the trick!
>>>>
>>>> /var/ossec/bin/agent_control -r -u 000
>>>>
>>>> Thank You!
>>>>
>>>> On Sun, 2008-09-28 at 23:03 -0200, Rodrigo Montoro(Sp0oKeR) wrote:
>>>>> Try
>>>>>
>>>>> http://www.ossec.net/dcid/?p=130
>>>>> http://www.ossec.net/dcid/?p=142
>>>>>
>>>>> Hope it helps!
>>>>>
>>>>> Regards,
>>>>>
>>>>> Rodrigo Montoro(Sp0oKeR)
>>>>>
>>>>> On Sun, Sep 28, 2008 at 7:21 AM, Byran Jacobs <[EMAIL PROTECTED]> wrote:
>>>>>
>>>>>     How do I manually invoke a system check? I have a few laptops that
>>>>>     OSSEC is installed on and they do not get used all that often, but when
>>>>>     they do I usually run updates on them, do what I need to, and shut them
>>>>>     down. I would like to manually run a system check after the updates
>>>>>     have been installed/run so all alerts of changed files will be processed
>>>>>     at the time the updates are run and not weeks/months later when the
>>>>>     laptop(s) are turned back on and used.
>>>>>
>>>>>     Thanks In Advance,
>>>>>
>>>>>     BKJ
>>>>>
>>>>>     ----------------------------------------------------
>>>>>     Virus Free -- Scanned By MailSecurity
>>>>>     ----------------------------------------------------
>>>>>     This email message is for the sole use of the intended
>>>>>     recipient(s) and may contain confidential and privileged
>>>>>     information. Any unauthorized review, use, disclosure or
>>>>>     distribution is prohibited. If you are not the intended
>>>>>     recipient, please contact the sender by reply email and
>>>>>     destroy all copies of the original message. Any views
>>>>>     expressed in this message are those of the author, except
>>>>>     where the sender specifically states them to be the views of
>>>>>     BBG, Inc.
>>>>>
>>>>> --
>>>>> ===========================
>>>>> Rodrigo Montoro (Sp0oKeR)
>>>>> Security Analyst
>>>>> SnortCP / RHCE / LPIC-I / MCSO
>>>>> http://www.spooker.com.br
>>>>> http://www.snort.org.br
>>>>> http://www.linkedin.com/in/spooker
>>>>> ===========================
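The backtrace above faults inside strftime at address 8 with a read fault (error 4), which is consistent with strftime dereferencing a field at offset 8 of a NULL struct tm pointer; localtime() returns NULL when a time_t cannot be represented in struct tm, and the working run in the thread even prints a five-digit year (19974), which suggests an out-of-range time value is being read from the syscheck database. The thread never confirms that this is the cause, so treat it as a hypothesis. The following is an added example, not code from the thread or from OSSEC: a defensive timestamp formatter in the shape _do_print_syscheck() would need, which refuses to call strftime when the time conversion fails. The function names, the UTC flag and the sample time values are my own constructions; the 64-bit-only behaviour comes from time_t being 64 bits wide on x86_64 (so a corrupt value can overflow the int tm_year and make localtime_r/gmtime_r return NULL with EOVERFLOW) while a 32-bit time_t on i386 can never get that large.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical defensive replacement for the timestamp formatting done before
 * a syscheck entry is printed (assumption: not OSSEC's own code).
 * Returns the number of bytes written into buf, or 0 if the time could not be
 * converted or buf is too small. buf is always NUL-terminated on return. */
size_t format_sk_time(time_t t, int use_utc, char *buf, size_t len)
{
    struct tm tm_storage;
    struct tm *tm;

    if (buf == NULL || len == 0)
        return 0;
    buf[0] = '\0';

    /* Reentrant variants: no shared static buffer, and they return NULL
     * (errno = EOVERFLOW) when the year does not fit in tm_year. */
    tm = use_utc ? gmtime_r(&t, &tm_storage) : localtime_r(&t, &tm_storage);
    if (tm == NULL)
        return 0;            /* never reach strftime with a NULL struct tm */

    /* Same "YYYY Mon DD HH:MM:SS" shape the syscheck output in the thread uses. */
    return strftime(buf, len, "%Y %b %d %H:%M:%S", tm);
}

/* Convenience wrapper (UTC, static buffer, "" on failure) for callers that
 * only want to look at the result. Not thread-safe. */
const char *format_sk_time_utc(time_t t)
{
    static char buf[32];
    format_sk_time(t, 1, buf, sizeof buf);
    return buf;
}

/* Constructed input: the largest power of two time_t can hold, which on a
 * 64-bit time_t is about 1.4e11 years and overflows the int tm_year. On a
 * 32-bit time_t this is only 1<<30 (year 2004) and converts fine, which is
 * the 64-bit-only asymmetry the thread observed (assumed cause, see lead-in). */
time_t unrepresentable_time(void)
{
    return (time_t)1 << (sizeof(time_t) * 8 - 2);
}

int main(void)
{
    /* Constructed inputs: a normal timestamp and the overflowing one. */
    time_t ok = 1222878840;              /* 2008-10-01 16:34:00 UTC */
    char buf[32];

    if (format_sk_time(ok, 1, buf, sizeof buf))
        printf("ok:   %s\n", buf);
    errno = 0;
    if (format_sk_time(unrepresentable_time(), 1, buf, sizeof buf) == 0)
        printf("huge: conversion failed (%s), strftime skipped\n",
               strerror(errno));
    return 0;
}
```

The check that matters is the NULL test on the localtime_r/gmtime_r result; the unchecked pattern `strftime(buf, len, fmt, localtime(&t))` is what produces exactly this kind of read fault at a small address inside __strftime_internal on a 64-bit host. Rejecting the value also avoids printing nonsense years such as the 19974 seen above.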
