Yes, I ran it as root. My solution was simply to add the file to
ossec.conf. The strace output is attached.
On Fri, 2008-10-31 at 14:35 -0300, Daniel Cid wrote:
> Hi Bryan,
>
> It means that it wasn't able to write to the file (and so could not
> ignore the entry). Were you running it as root? Can you run it with
> strace to give us more information?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Sat, Oct 4, 2008 at 12:24 AM, Bryan Jacobs <[EMAIL PROTECTED]> wrote:
> >
> > Hello,
> >
> > I am currently running v1.6 as a local standalone agent. I have set
> > auto ignore to "no" in my ossec.conf file and want to add files manually
> > as I see fit. The issue I am having is that when I try to add a file
> > to the ignore list using the following command, I get an error.
> >
> > COMMAND:
> > ./syscheck_control -i 000 -f "/blkid.tab.old" -d
> >
> > which in turn produces this ERROR:
> >
> > Integrity checking changes for local system 'viper01 - 127.0.0.1':
> > Detailed information for entries matching: '/etc/blkid.tab'
> >
> > ** ERROR: fputs failed (unable to update counter).
> >
> >
> > What on earth does this mean or better yet what the heck am I doing
> > wrong? The full path to the file is '/etc/blkid.tab'. In addition
> > there is another file with the same name but with .old at the end of it
> > 'blkid.tab.old'. Would this have anything to do with it? Any help in
> > resolving this would be greatly appreciated.
> >
> >
> >
> >
> >
> >
[EMAIL PROTECTED] /]# strace /var/ossec/bin/syscheck_control -i 000 -f
"/blkid.tab.old" -d
execve("/var/ossec/bin/syscheck_control", ["/var/ossec/bin/syscheck_control",
"-i", "000", "-f", "/blkid.tab.old", "-d"], [/* 33 vars */]) = 0
brk(0) = 0x9320000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=129278, ...}) = 0
mmap2(NULL, 129278, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fdf000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0 g\1\0004\0\0\0`"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1537265, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7fde000
mmap2(NULL, 1316432, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0xb7e9c000
mmap2(0xb7fd8000, 12288, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13c) = 0xb7fd8000
mmap2(0xb7fdb000, 9808, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fdb000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7e9b000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e9b6c0, limit:1048575,
seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0,
useable:1}) = 0
mprotect(0xb7fd8000, 4096, PROT_READ) = 0
munmap(0xb7fdf000, 129278) = 0
brk(0) = 0x9320000
brk(0x9341000) = 0x9341000
socket(PF_FILE, SOCK_STREAM, 0) = 3
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"...}, 110) = -1
ENOENT (No such file or directory)
close(3) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 3
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"...}, 110) = -1
ENOENT (No such file or directory)
close(3) = 0
open("/etc/nsswitch.conf", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=238, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7ffe000
read(3, "# Begin /etc/nsswitch.conf\n\npassw"..., 4096) = 238
read(3, ""..., 4096) = 0
close(3) = 0
munmap(0xb7ffe000, 4096) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=129278, ...}) = 0
mmap2(NULL, 129278, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fdf000
close(3) = 0
open("/lib/libnss_files.so.2", O_RDONLY) = 3
read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\30\0\0004\0\0\0\340"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=45665, ...}) = 0
mmap2(NULL, 41624, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0xb7e90000
mmap2(0xb7e99000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x8) = 0xb7e99000
close(3) = 0
munmap(0xb7fdf000, 129278) = 0
open("/etc/group", O_RDONLY|O_CLOEXEC) = 3
fcntl64(3, F_GETFD) = 0x1 (flags FD_CLOEXEC)
fstat64(3, {st_mode=S_IFREG|0644, st_size=590, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7ffe000
read(3, "adm:x:4:root,daemon\naudio:x:92:br"..., 4096) = 590
close(3) = 0
munmap(0xb7ffe000, 4096) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 3
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"...}, 110) = -1
ENOENT (No such file or directory)
close(3) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 3
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"...}, 110) = -1
ENOENT (No such file or directory)
close(3) = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=627, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7ffe000
read(3, "avahi:x:84:84:Avahi daemon:/:/bin"..., 4096) = 627
close(3) = 0
munmap(0xb7ffe000, 4096) = 0
setgroups32(1, [1001]) = 0
setresgid32(-1, 1001, -1) = 0
setgid32(1001) = 0
chdir("/var/ossec") = 0
chroot("/var/ossec") = 0
chdir("/") = 0
setuid32(1001) = 0
setresuid32(-1, 1001, -1) = 0
uname({sys="Linux", node="homlt03", ...}) = 0
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 2), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7ffe000
write(1, "\n"..., 1
) = 1
write(1, "Integrity checking changes for lo"..., 67Integrity checking changes
for local system 'homlt03 - 127.0.0.1':
) = 67
write(1, "Detailed information for entries "..., 60Detailed information for
entries matching: '/blkid.tab.old'
) = 60
open("/queue/syscheck/syscheck", O_RDWR|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0640, st_size=613849, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7ffd000
_llseek(3, 0, [0], SEEK_CUR) = 0
read(3, "+++3090:33261:0:0:aae3ecee2d4508c"..., 4096) = 4096
read(3, "44:33261:0:0:96fb48361fa0f4668087"..., 4096) = 4096
read(3, "c/rc.d/i8kmon\n+++3351:33261:0:0:c"..., 4096) = 4096
read(3, "d6c09a63f9e842ad80c1df2c0e3d32cd:"..., 4096) = 4096
read(3, "8eb955 !1223005361 /etc/fonts/con"..., 4096) = 4096
read(3, "++36:41471:0:0:ffaff5bb03548ebe2c"..., 4096) = 4096
read(3, "12e1a !1223005369 /etc/ppp/pppoe-"..., 4096) = 4096
read(3, "47996b5c.0\n+++19:41471:0:0:d1861d"..., 4096) = 4096
read(3, "/certs/Verisign_Class_1_Public_Pr"..., 4096) = 4096
read(3, ":d6208484bca75acf057789c2cba06020"..., 4096) = 4096
read(3, "41471:0:0:2506412ba5f046857dcebf8"..., 4096) = 4096
read(3, "ekom-root-ca-2.pem\n+++26:41471:0:"..., 4096) = 4096
read(3, "cc125d.0\n+++74:41471:0:0:ffbe8ccd"..., 4096) = 4096
read(3, "004f:3c0dad3f11f73ff91796b9390f7a"..., 4096) = 4096
read(3, "3005401 /etc/ssl/certs/9772ca32.0"..., 4096) = 4096
read(3, "c3d42d3476e !1223005405 /etc/ssl/"..., 4096) = 4096
read(3, "tc/slp.conf\n+++2510:33188:0:0:65d"..., 4096) = 4096
read(3, "33188:0:0:96b9878a7788deea00b2e10"..., 4096) = 4096
read(3, "852723bbe4f96 !1223005417 /etc/gc"..., 4096) = 4096
read(3, "f-tree-br.xml\n#++203206:33188:0:0"..., 4096) = 4096
read(3, "cbde375e438997ae49b0db8911f4:fc1f"..., 4096) = 4096
read(3, "1c358b9c474d08c661b75d6342ca0:86f"..., 4096) = 4096
read(3, "0:0:633758e7771b751844cdcacc039b6"..., 4096) = 4096
read(3, "tplug/usb/hplj1000\n+++25:41471:0:"..., 4096) = 4096
read(3, "47dc8c2d5f13f93217d58534116d5e899"..., 4096) = 4096
read(3, "f5019e1adc9645027571e !1223005445"..., 4096) = 4096
read(3, "d6eea321dcbd4099e5e:911d68bfae964"..., 4096) = 4096
read(3, "1d6edf02e968527fd5685dc11625582e "..., 4096) = 4096
read(3, "188:0:0:757bf42b3d24175576cf234fd"..., 4096) = 4096
read(3, "pc\n#++24867:33188:0:0:e4c2f7cb52c"..., 4096) = 4096
read(3, "s/lm_lid.sh\n+++111:33216:0:0:4081"..., 4096) = 4096
read(3, ":93f9dac0d24fee79b2083f5f3865a74f"..., 4096) = 4096
read(3, "3188:0:0:dd66b34cd318ac6cf92faa0a"..., 4096) = 4096
read(3, "150ac6833429416cbbbeb76aee:977b58"..., 4096) = 4096
read(3, "01b6cce005ad8fadba5:ca2ee9fd48654"..., 4096) = 4096
read(3, "9c1f9c048da345a798b161274 !122300"..., 4096) = 4096
read(3, "uth\n+++27544:33261:0:0:400055c47f"..., 4096) = 4096
read(3, "5991ea4a05f:ab81af44fb121b1e3a7bf"..., 4096) = 4096
read(3, "9d17c6824dcc3c9ec232fffed !122300"..., 4096) = 4096
read(3, "6c84bfa8a81890eaa1cd641a0f49298d5"..., 4096) = 4096
read(3, "db597ec12a09f48e1bd9da508 !122300"..., 4096) = 4096
read(3, "f78a9d32b6ad !1223005973 /usr/bin"..., 4096) = 4096
read(3, "/bin/as\n+++146344:33261:0:0:2a9f6"..., 4096) = 4096
read(3, "a27e685d3f9efc40f021:35041ee00f57"..., 4096) = 4096
read(3, "632e874f528bcfdba9686f3 !12230059"..., 4096) = 4096
read(3, "sr/bin/foo2hiperc\n+++106052:33261"..., 4096) = 4096
read(3, "3261:0:0:f406c66ff3de9f9ac70646da"..., 4096) = 4096
read(3, "aea46a4ab68e3b6bdf9759ca757:0f875"..., 4096) = 4096
read(3, "39df3ca2cb19554d5a188670deace3867"..., 4096) = 4096
read(3, "c054ea346c8b293a6d203 !1223006010"..., 4096) = 4096
read(3, ":0:0:79209913a9167bf2b4a46b666392"..., 4096) = 4096
read(3, "1:0:0:99017a9567fadb5def09865a548"..., 4096) = 4096
read(3, "2862a4046cb:483ff0c0269de6d9ab8d3"..., 4096) = 4096
read(3, "4a9:a16eaed53eb4b5eef9e1483ac3313"..., 4096) = 4096
read(3, "0bd415fd74ba1e6a7bd5d28b79a70 !12"..., 4096) = 4096
read(3, "1223006036 /usr/bin/fax2ps\n+++310"..., 4096) = 4096
read(3, "1d3cd88834c329de9f9648bd1c270cee1"..., 4096) = 4096
read(3, "ac422658419bd34fd4e19676f0920b1bd"..., 4096) = 4096
read(3, "b55aa2de !1223006050 /usr/bin/thu"..., 4096) = 4096
read(3, "3f9d7ec88846dbfec !1223006054 /us"..., 4096) = 4096
read(3, "6220bdd6efd6:bc62dee8e1cc6f53191e"..., 4096) = 4096
read(3, "a2c8ccc0a6ffb0da1f74cafa00c2f61 !"..., 4096) = 4096
read(3, "407ec64df423d2d16d !1223006068 /u"..., 4096) = 4096
read(3, "223006072 /usr/bin/snmptable\n+++1"..., 4096) = 4096
read(3, "6076 /usr/bin/catchsegv\n+++51728:"..., 4096) = 4096
read(3, "r\n+++144348:33261:0:0:63c0f7e3933"..., 4096) = 4096
read(3, "c10ffc14921f:a43bef3a2b21ea8c0ae3"..., 4096) = 4096
read(3, "daebc6a87 !1223006090 /usr/bin/ge"..., 4096) = 4096
read(3, "2d1452c16ef9e0ea009a1238a7fcc:92f"..., 4096) = 4096
read(3, "f52ccaf713493155a7d26d !122300609"..., 4096) = 4096
read(3, "/svnsync\n+++6272:33261:0:0:d2dae1"..., 4096) = 4096
read(3, "71:0:0:8ac1237ad8f3c098338a916e72"..., 4096) = 4096
read(3, "07157ee0827f5cbd606c2b:7123d0ba6b"..., 4096) = 4096
read(3, "f02f686fe2 !1223006116 /usr/bin/w"..., 4096) = 4096
read(3, "!1223006120 /usr/bin/gsl-config\n+"..., 4096) = 4096
read(3, "4 /usr/bin/xdg-desktop-icon\n+++76"..., 4096) = 4096
read(3, "0:29d099dff2acbeb2c07842ce036f358"..., 4096) = 4096
read(3, "e0ec46e !1223006135 /usr/bin/perl"..., 4096) = 4096
read(3, "7a2913 !1223006139 /usr/bin/infok"..., 4096) = 4096
read(3, "631a97bfd174498cc3df2de63a8dfccc0"..., 4096) = 4096
read(3, "a89b341529 !1223006147 /usr/bin/p"..., 4096) = 4096
read(3, "b0ed9bcc284a2b4e0b2912189f526:f3b"..., 4096) = 4096
read(3, "47ae473a61042611bdb3921b50f:86f58"..., 4096) = 4096
read(3, "e60f:ab7e57a8a442645bcd3300285ba8"..., 4096) = 4096
read(3, "6:b4668dce4d66d8749ac96866ec91805"..., 4096) = 4096
read(3, "88328ebc4e3e3426adefc6f892b6d5fd8"..., 4096) = 4096
read(3, "647a1e19c3e47991fc6317046e82c85a "..., 4096) = 4096
read(3, "mcopy\n#++104592:33261:0:0:08f42a3"..., 4096) = 4096
read(3, "8a6612463b15df99f1823e !122300618"..., 4096) = 4096
read(3, "3006187 /usr/bin/flock\n+++699:332"..., 4096) = 4096
read(3, "t-csd\n+++31064:33261:0:0:6253d7c2"..., 4096) = 4096
read(3, "197 /usr/sbin/rarpd\n+++2676:33261"..., 4096) = 4096
read(3, "01 /usr/sbin/foomatic-replaceoldp"..., 4096) = 4096
read(3, "f156a87e3e2f0f7570f7d !1223006205"..., 4096) = 4096
read(3, "05e6035acafc3:20d39168fd82fb744e4"..., 4096) = 4096
read(3, "998604fd8:eb71e11c2206617f001a569"..., 4096) = 4096
read(3, "893e98b7b7e:e2835d6c3feac427b5aea"..., 4096) = 4096
read(3, "/usr/sbin/pppoe-status\n+++4716:33"..., 4096) = 4096
read(3, "621349dd6d9d7 !1223006227 /usr/sb"..., 4096) = 4096
read(3, "1 /bin/false\n+++4728:33261:0:0:af"..., 4096) = 4096
read(3, "1fc6a889a4a1204f5b025cc5ff091eb !"..., 4096) = 4096
read(3, "6791e652 !1223006242 /sbin/minilo"..., 4096) = 4096
read(3, "3261:0:0:00c472f4517313941449f5ff"..., 4096) = 4096
read(3, "ault\n+++144204:33261:0:0:5c0b73db"..., 4096) = 4096
read(3, "e\n+++12920:33261:0:0:35ee23e6fa28"..., 4096) = 4096
read(3, "4c93564bd0dedd8aceab26e51e12d3eb6"..., 4096) = 4096
read(3, "264 /sbin/fsck.reiserfs\n+++3:4147"..., 4096) = 4096
read(3, "223075830 /etc/udev/rules.d/60-pc"..., 4096) = 4096
read(3, "/usr/bin/MagickWand-config\n#++133"..., 4096) = 4096
read(3, "33b821e966980 !1223195931 /etc/ac"..., 4096) = 4096
read(3, "12:33261:0:0:60f879da4c96bac1ecc8"..., 4096) = 4096
read(3, "44248e6b546a97b5ed9b3dd096e2f837f"..., 4096) = 4096
read(3, "les/iptables.rules\n!++1237:33188:"..., 4096) = 4096
read(3, "0be0fd53e257b3a !1223356639 /usr/"..., 4096) = 4096
read(3, "/usr/bin/chm2pdf\n#!!47:33188:0:0:"..., 4096) = 4096
_llseek(3, 471040, [471040], SEEK_SET) = 0
write(1, "\n"..., 1
) = 1
write(1, "** ERROR: fputs failed (unable to"..., 51** ERROR: fputs failed
(unable to update counter).
) = 51
_llseek(3, -784, [470256], SEEK_CUR) = 0
write(3, "!!?"..., 3) = 3
close(3) = 0
munmap(0xb7ffd000, 4096) = 0
exit_group(0) = ?