This seems like it might be a 64-bit issue. I upgraded a RHEL 5 64-bit box and got the same ossec-syscheckd segfault as mentioned below. I then upgraded a CentOS 5 32-bit box and haven't seen any ossec-syscheckd segfault so far.
Output of "uname -a" on RHEL 5 64-bit box with segfault:
2.6.18-128.1.14.el5 #1 SMP Mon Jun 1 15:52:58 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

Output of "uname -a" on CentOS 5 32-bit box with NO segfault:
2.6.18-128.1.14.el5 #1 SMP Wed Jun 17 06:40:54 EDT 2009 i686 i686 i386 GNU/Linux

Thanks,
Doug Burks

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of louie
Sent: Tuesday, June 30, 2009 10:12 AM
To: [email protected]
Subject: [ossec-list] Re: OSSEC v2.1 released

It's a me too reply ^_^

just upgraded to 2.1

[534986.676528] ossec-syscheckd[19422]: segfault at 0 ip 40414b sp 7fffbd4e3b10 error 4 in ossec-syscheckd[400000+3b000]

debian lenny 5.0.2
kernel 2.6.26-2-amd64

--
Louie
June 30, 2009 22:10:35

On Tue, Jun 30, 2009 at 09:16:54AM -0400, Koski, David wrote:
>
> Just upgraded and my ossec-syscheckd segfaulted on its first run (RHEL5 x64) on the main server:
>
> kernel: ossec-syscheckd[1853]: segfault at 0000000000000000 rip
> 0000000000403dbe rsp 00007fff14946db0 error 4
>
> David
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Daniel Cid
> Sent: Tuesday, June 30, 2009 8:38 AM
> To: [email protected]; [email protected]
> Subject: [ossec-list] OSSEC v2.1 released
>
>
> Hi list,
>
> We are happy to announce that OSSEC version 2.1 is available now.
>
> This new version is the first one with support for centralized
> configurations and realtime integrity monitoring on Linux.
> It also includes many other features and bug fixes:
>
> * Centralized configuration - The agent.conf file was introduced
> to allow granular configuration of the agents directly on the manager
> side.
> * Remote agent restart - Functionality was added to restart the
> agents remotely using the agent_control tool.
> * Real time integrity checking - Real time integrity checking was
> added to Linux systems.
> * New Log Rules Support - We added support for Windows DHCP logs
> and fixed/improved many of the other rules for different messages.
>
> Source:
> http://www.ossec.net/main/ossec-v21-released
>
> Download from here:
> http://www.ossec.net/main/downloads
>
>
> Full changelog (If I forgot someone, please let me know and I will
> update it asap):
> http://www.ossec.net/announcements/v2.1-2009-06-30.txt
>
> -Added additional rules to detect the enumeration of extensions (Patch
> by Chris Bailes <chris at paeenterprises.co.uk>).
>
> -Added support for glob (regular expressions) when specifying the
> directories to check on syscheck.
>
> -Added support for syslog-ng ISODATE (conforming to ISO-8601) date
> formats in the syslog header.
>
> -Added support for rsyslog non-standard date format (RFC 5425).
>
> -Added the log testing tool to the default build (now available at
> /var/ossec/bin/ossec-logtest ).
>
> -Added agentless script for Foundry switches (Thanks to Matt
> <mgoldsberry at gmail.com> for the help).
>
> -Added support for real time integrity checking.
>
> -Added support for sending OSSEC alerts to twitter via active response.
>
> -Added support for Windows DHCP logs
> (Thanks to [email protected] for the help).
>
> -Adding changes to support ASA/FWSM on the agentless monitoring
> (Thanks to Michael Starks for the patch)
>
> -Added option to restart an ossec agent remotely.
>
> -Added agent config on the manager side.
>
> -Added the ability to fully build a Windows ossec agent directly from
> the (Linux) server.
>
> -Fixed rootcheck to not monitor read-only file systems during the
> rc_sys_check (Reported by Dennis Golden).
>
> -Fixed Windows policy that was looking for the wrong value to check if
> the firewall was enabled or not (Reported by Aaron Bliss).
>
> -Fixed debian rules that were matching on Juniper messages (Reported
> by Reggie Griffin).
>
> -Fixed yum rules that were matching on other events.
>
> -Fixed syscheck_control that was segfaulting on 64 bit systems.
>
> -Fixed mcafee rule that was triggering deleted viruses as uncontained
> (Thanks to Michael Starks for the patch).
>
> -Fixed sshd rule to support new log format (Thanks to j.bromley at
> bristol.ac.uk for the report).
>
> -Fixed ssh_integrity_check_linux agentless script that had some extra
> spaces causing it to hang (Thanks to Mark Ibrahim for the report).
>
> -Fixed support for systems without proper syslog hostname (solaris 8/9
> most of the time).
>
> -Added System32 Restore directory to the list of ignore files for
> integrity checking (it was causing too many false positives).
>
> -Fixed iptables active-response scripts that were not properly deleting
> all the entries.
>
> -Added agentless devices to the listing tools (agent_control -l,
> syscheck_control -l, etc).
>
> -Fixed bug when reading /dev/fd on FreeBSD that was causing ossec to loop.
> (Patch by Danny Fullerton - dfullerton at mantor.org )
>
> -Fixed file descriptor leak on execd.
> (Patch by Slava Semushin - php-coder at altlinux.org )
>
> -Fixed bug where descriptions with new lines would break the alert file.
> (Reported by Bill Mathews <billford at gmail.com>)
>
> -Fixed init scripts for Darwin.
> (patch by Peter <peter.wolanin at acquia.com>)
>
> -Added support for strftime on globbed files.
>
> -Added the option to decrease syscheck sleep time to 0 (and run as
> fast as possible).
> (thanks to Michael Altfield <michael.sa at gmail.com> for the
> suggestion)
>
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
