Hi Louie,

The log you sent is good. Means it is working now. I updated 2.1 with the fix. If you had problems, please download it again: http://www.ossec.net/main/downloads/
Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Jun 30, 2009 at 1:36 PM, louie<[email protected]> wrote:
> Sorry, forgot the whole logs
>
> # gdb /var/ossec/bin/ossec-syscheckd
> Tue Jun 30 23:48:34 CST 2009
> GNU gdb 6.8-debian
> Copyright (C) 2008 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu"...
> (gdb) set follow-fork-mode child
> (gdb) run
> Starting program: /var/ossec/bin/ossec-syscheckd
> Executing new program: /bin/bash
> (no debugging symbols found)
> (no debugging symbols found)
> [tcsetpgrp failed in terminal_inferior: No such process]
> (no debugging symbols found)
> (no debugging symbols found)
> (no debugging symbols found)
> Executing new program: /bin/ps
> (no debugging symbols found)
> (no debugging symbols found)
> (no debugging symbols found)
> (no debugging symbols found)
>
> Program exited normally.
>
> --
> Louie July 01, 2009 00:35:47
>
> On Wed, Jul 01, 2009 at 12:26:31AM +0800, louie wrote:
>> Hi, Daniel:
>>
>> Thanks for the quick fix, but it segfaults again on both an i386 and an x86_64
>> machine.
>>
>> cat /etc/ossec-init.conf
>> DIRECTORY="/var/ossec"
>> VERSION="2.0-SNP-090630"
>> DATE="Tue Jun 30 23:29:49 CST 2009"
>> TYPE="agent"
>>
>> # gdb /var/ossec/bin/ossec-syscheckd
>> Tue Jun 30 23:48:34 CST 2009
>> GNU gdb 6.8-debian
>> Copyright (C) 2008 Free Software Foundation, Inc.
>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>> and "show warranty" for details.
>> This GDB was configured as "x86_64-linux-gnu"...
>> (gdb) set follow-fork-mode child
>> (gdb) run
>> Starting program: /var/ossec/bin/ossec-syscheckd
>>
>>
>> --
>> Louie June 30, 2009 23:49:21
>>
>> On Tue, Jun 30, 2009 at 12:16:39PM -0300, Daniel Cid wrote:
>> >
>> > Hey,
>> >
>> > Thanks for the output. Can you try very quickly the latest snapshot:
>> >
>> > http://ossec.net/files/snapshots/ossec-hids-090630.tar.gz
>> >
>> > I think I got it fixed.
>> >
>> > Thanks,
>> >
>> > On Tue, Jun 30, 2009 at 12:01 PM, louie<[email protected]> wrote:
>> > > This may not be a 64-bit issue, because I had another 32-bit machine
>> > > segfault too.
>> > >
>> > >
>> > > This is an x86_64 machine
>> > > debian lenny 5.0.2
>> > > kernel 2.6.26-2-amd64
>> > >
>> > > gdb /var/ossec/bin/ossec-syscheckd
>> > > GNU gdb 6.8-debian
>> > > Copyright (C) 2008 Free Software Foundation, Inc.
>> > > License GPLv3+: GNU GPL version 3 or later
>> > > <http://gnu.org/licenses/gpl.html>
>> > > This is free software: you are free to change and redistribute it.
>> > > There is NO WARRANTY, to the extent permitted by law. Type "show
>> > > copying"
>> > > and "show warranty" for details.
>> > > This GDB was configured as "x86_64-linux-gnu"...
>> > > (gdb) set follow-fork-mode child
>> > > (gdb) run
>> > > Starting program: /var/ossec/bin/ossec-syscheckd
>> > >
>> > > Program received signal SIGSEGV, Segmentation fault.
>> > > [Switching to process 1989]
>> > > 0x000000000040414b in start_daemon () at run_check.c:278
>> > > 278         if(syscheck.realtime->fd >= 0)
>> > > (gdb) bt
>> > > #0  0x000000000040414b in start_daemon () at run_check.c:278
>> > > #1  0x0000000000402a98 in main (argc=1, argv=0x7fffe574afb8) at
>> > > syscheck.c:337
>> > >
>> > >
>> > > sorry, but I don't know where to use -d -d
>> > >
>> > > gdb -d /var/ossec/bin/ossec-syscheckd
>> > > Tue Jun 30 23:00:09 CST 2009
>> > > GNU gdb 6.8-debian
>> > > Copyright (C) 2008 Free Software Foundation, Inc.
>> > > License GPLv3+: GNU GPL version 3 or later
>> > > <http://gnu.org/licenses/gpl.html>
>> > > This is free software: you are free to change and redistribute it.
>> > > There is NO WARRANTY, to the extent permitted by law. Type "show
>> > > copying"
>> > > and "show warranty" for details.
>> > > This GDB was configured as "x86_64-linux-gnu".
>> > >
>> > > warning: /var/ossec/bin/ossec-syscheckd is not a directory.
>> > >
>> > >
>> > > gdb /var/ossec/bin/ossec-syscheckd -d
>> > > Tue Jun 30 23:00:33 CST 2009
>> > > gdb: option `-d' requires an argument
>> > > Use `gdb --help' for a complete list of options.
>> > >
>> > >
>> > > segfault happened within ten minutes
>> > >
>> > > --
>> > > Louie June 30, 2009 22:58:40
>> > >
>> > > On Tue, Jun 30, 2009 at 11:33:54AM -0300, Daniel Cid wrote:
>> > >>
>> > >> Hey,
>> > >>
>> > >> Thanks for the feedback. We certainly didn't encounter this error in
>> > >> our beta testing, but will try to fix asap.
>> > >>
>> > >> Can any of you run it with gdb? Also, do you have the real time
>> > >> monitoring enabled? Does it happen right away
>> > >> or after a while?
>> > >>
>> > >> To run with gdb:
>> > >>
>> > >> # gdb /var/ossec/bin/ossec-syscheckd
>> > >>
>> > >> Inside gdb:
>> > >>
>> > >> (gdb) set follow-fork-mode child
>> > >> (gdb) run
>> > >>
>> > >>
>> > >> When it seg faults:
>> > >>
>> > >> (gdb) bt
>> > >>
>> > >>
>> > >> If you can do that (and run with -d -d to enable debug) it would really
>> > >> help.
>> > >>
>> > >>
>> > >> Thanks,
>> > >>
>> > >> --
>> > >> Daniel B. Cid
>> > >> dcid ( at ) ossec.net
>> > >>
>> > >>
>> > >> On Tue, Jun 30, 2009 at 11:12 AM, louie<[email protected]> wrote:
>> > >> > It's a me too reply ^_^
>> > >> >
>> > >> > just upgraded to 2.1
>> > >> >
>> > >> > [534986.676528] ossec-syscheckd[19422]: segfault at 0 ip 40414b sp
>> > >> > 7fffbd4e3b10 error 4 in ossec-syscheckd[400000+3b000]
>> > >> >
>> > >> > debian lenny 5.0.2
>> > >> > kernel 2.6.26-2-amd64
>> > >> >
>> > >> > --
>> > >> > Louie June 30, 2009 22:10:35
>> > >> >
>> > >> > On Tue, Jun 30, 2009 at 09:16:54AM -0400, Koski, David wrote:
>> > >> >>
>> > >> >> Just upgraded and my ossec-syscheckd segfaulted on its first run
>> > >> >> (RHEL5 x64) on the main server:
>> > >> >>
>> > >> >> kernel: ossec-syscheckd[1853]: segfault at 0000000000000000 rip
>> > >> >> 0000000000403dbe rsp 00007fff14946db0 error 4
>> > >> >>
>> > >> >> David
>> > >> >>
>> > >> >> -----Original Message-----
>> > >> >> From: [email protected]
>> > >> >> [mailto:[email protected]] On Behalf Of Daniel Cid
>> > >> >> Sent: Tuesday, June 30, 2009 8:38 AM
>> > >> >> To: [email protected]; [email protected]
>> > >> >> Subject: [ossec-list] OSSEC v2.1 released
>> > >> >>
>> > >> >>
>> > >> >> Hi list,
>> > >> >>
>> > >> >> We are happy to announce that OSSEC version 2.1 is available now.
>> > >> >>
>> > >> >> This new version is the first one with support for centralized
>> > >> >> configurations and realtime integrity monitoring on Linux.
>> > >> >> It also includes many other features and bug fixes:
>> > >> >>
>> > >> >>     * Centralized configuration - The agent.conf file was introduced
>> > >> >> to allow granular configuration of the agents directly on the manager
>> > >> >> side.
>> > >> >>     * Remote agent restart - Functionality was added to restart the
>> > >> >> agents remotely using the agent_control tool.
>> > >> >>     * Real time integrity checking - Real time integrity checking was
>> > >> >> added to Linux systems.
>> > >> >>     * New Log Rules Support - We added support for Windows DHCP logs
>> > >> >> and fixed/improved many of the other rules for different messages.
>> > >> >>
>> > >> >> Source:
>> > >> >> http://www.ossec.net/main/ossec-v21-released
>> > >> >>
>> > >> >> Download from here:
>> > >> >> http://www.ossec.net/main/downloads
>> > >> >>
>> > >> >>
>> > >> >> Full changelog (If I forgot someone, please let me know and I will
>> > >> >> update it asap):
>> > >> >> http://www.ossec.net/announcements/v2.1-2009-06-30.txt
>> > >> >>
>> > >> >> -Added additional rules to detect the enumeration of extensions
>> > >> >> (Patch by Chris Bailes <chris at paeenterprises.co.uk>).
>> > >> >>
>> > >> >> -Added support for glob (regular expressions) when specifying the
>> > >> >> directories to check on syscheck.
>> > >> >>
>> > >> >> -Added support for syslog-ng ISODATE (conforming to ISO-8601) date
>> > >> >> formats in the syslog header.
>> > >> >>
>> > >> >> -Added support for rsyslog non-standard date format (RFC 5425).
>> > >> >>
>> > >> >> -Added the log testing tool to the default build (now available at
>> > >> >> /var/ossec/bin/ossec-logtest ).
>> > >> >>
>> > >> >> -Added agentless script for Foundry switches
>> > >> >> (Thanks to Matt <mgoldsberry at gmail.com> for the help).
>> > >> >>
>> > >> >> -Added support for real time integrity checking.
>> > >> >>
>> > >> >> -Added support for sending OSSEC alerts to twitter via active
>> > >> >> response.
>> > >> >>
>> > >> >> -Added support for Windows DHCP logs
>> > >> >> (Thanks to [email protected] for the help).
>> > >> >>
>> > >> >> -Adding changes to support ASA/FWSM on the agentless monitoring
>> > >> >> (Thanks to Michael Starks for the patch)
>> > >> >>
>> > >> >> -Added option to restart an ossec agent remotely.
>> > >> >>
>> > >> >> -Added agent config on the manager side.
>> > >> >>
>> > >> >> -Added the ability to fully build a Windows ossec agent directly
>> > >> >> from the (Linux) server.
>> > >> >>
>> > >> >> -Fixed rootcheck to not monitor read-only file systems during the
>> > >> >> rc_sys_check
>> > >> >> (Reported by Dennis Golden).
>> > >> >>
>> > >> >> -Fixed Windows policy that was looking for the wrong value to check
>> > >> >> if the firewall was enabled or not
>> > >> >> (Reported by Aaron Bliss).
>> > >> >>
>> > >> >> -Fixed debian rules that were matching on Juniper messages
>> > >> >> (Reported by Reggie Griffin).
>> > >> >>
>> > >> >> -Fixed yum rules that were matching on other events.
>> > >> >>
>> > >> >> -Fixed syscheck_control that was segfaulting on 64 bit systems.
>> > >> >>
>> > >> >> -Fixed mcafee rule that was triggering deleted viruses as uncontained
>> > >> >> (Thanks to Michael Starks for the patch).
>> > >> >>
>> > >> >> -Fixed sshd rule to support new log format
>> > >> >> (Thanks to j.bromley at bristol.ac.uk for the report).
>> > >> >>
>> > >> >> -Fixed ssh_integrity_check_linux agentless script that had some
>> > >> >> extra spaces causing it to hang
>> > >> >> (Thanks to Mark Ibrahim for the report).
>> > >> >>
>> > >> >> -Fixed support for systems without proper syslog hostname (solaris
>> > >> >> 8/9 most of the time).
>> > >> >>
>> > >> >> -Added System32 Restore directory to the list of ignore files for
>> > >> >> integrity checking
>> > >> >> (it was causing too many false positives).
>> > >> >>
>> > >> >> -Fixed iptables active-response scripts that were not properly deleting
>> > >> >> all the entries.
>> > >> >>
>> > >> >> -Added agentless devices to the listing tools (agent_control -l,
>> > >> >> syscheck_control -l, etc).
>> > >> >>
>> > >> >> -Fixed bug when reading /dev/fd on FreeBSD that was causing ossec to
>> > >> >> loop.
>> > >> >> (Patch by Danny Fullerton - dfullerton at mantor.org )
>> > >> >>
>> > >> >> -Fixed file descriptor leak on execd.
>> > >> >> (Patch by Slava Semushin - php-coder at altlinux.org )
>> > >> >>
>> > >> >> -Fixed bug where descriptions with new lines would break the alert
>> > >> >> file.
>> > >> >> (Reported by Bill Mathews <billford at gmail.com>)
>> > >> >>
>> > >> >> -Fixed init scripts for Darwin.
>> > >> >> (patch by Peter <peter.wolanin at acquia.com>)
>> > >> >>
>> > >> >> -Added support for strftime on globbed files.
>> > >> >>
>> > >> >> -Added the option to decrease syscheck sleep time to 0 (and run as
>> > >> >> fast as possible).
>> > >> >> (thanks to Michael Altfield <michael.sa at gmail.com> for the
>> > >> >> suggestion)
>> > >> >>
>> > >> >>
>> > >> >> Thanks,
>> > >> >>
>> > >> >> --
>> > >> >> Daniel B. Cid
>> > >> >> dcid ( at ) ossec.net
>> > >> >>
>> > >> >
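Added example, not code from the thread or from OSSEC: a small triage helper for the two kernel "segfault at ..." lines quoted above. It decodes the x86 page-fault error code (error 4 is a user-mode read of a page that is not present) and flags address 0 as a NULL dereference, which is consistent with the gdb frame at run_check.c:278 dereferencing `syscheck.realtime`; for the Debian line it also recovers the offset into the binary (0x40414b minus the 0x400000 mapping base), the same address gdb printed. The regex, class and sample list are assumptions made for this example.

```python
# Added example (not OSSEC code): triage the x86 "segfault at ..." kernel lines quoted above.
import re
from dataclasses import dataclass
from typing import Optional

# Matches both forms in the thread: 2.6.26 "ip/sp ... in obj[base+size]" and older x86_64 "rip/rsp".
_SEGFAULT_RE = re.compile(
    r"segfault at (?P<addr>[0-9a-f]+) r?ip (?P<ip>[0-9a-f]+) r?sp (?P<sp>[0-9a-f]+)"
    r" error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

# x86 page-fault error code bits; the kernel prints this value as "error N" (hex).
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 1, 2, 4, 8, 16

@dataclass
class Segfault:
    addr: int
    ip: int
    err: int
    obj: Optional[str]
    offset: Optional[int]  # ip minus the mapping base, when the line carried one

    @property
    def kind(self) -> str:
        # Classify the access from the error-code bits.
        access = "exec" if self.err & PF_INSTR else "write" if self.err & PF_WRITE else "read"
        mode = "user" if self.err & PF_USER else "kernel"
        present = "protection violation" if self.err & PF_PROT else "page not present"
        return f"{mode}-mode {access}, {present}"

    @property
    def null_deref(self) -> bool:
        # A fault inside the first page is almost always NULL or NULL plus a small field offset.
        return self.addr < 0x1000

def parse_segfault(line: str) -> Optional[Segfault]:
    # Return a Segfault for a kernel "segfault at" line, or None if the line is not one.
    m = _SEGFAULT_RE.search(line)
    if not m:
        return None
    addr, ip, err = (int(m[g], 16) for g in ("addr", "ip", "err"))
    offset = ip - int(m["base"], 16) if m["base"] else None
    return Segfault(addr, ip, err, m["obj"], offset)

# Constructed sample input: the two kernel lines quoted in the thread.
SAMPLE_LOG = [
    "[534986.676528] ossec-syscheckd[19422]: segfault at 0 ip 40414b sp 7fffbd4e3b10 error 4 in ossec-syscheckd[400000+3b000]",
    "kernel: ossec-syscheckd[1853]: segfault at 0000000000000000 rip 0000000000403dbe rsp 00007fff14946db0 error 4",
]
```

`parse_segfault(SAMPLE_LOG[0]).kind` yields "user-mode read, page not present" with `offset == 0x414b`; the RHEL5 line parses the same way but carries no mapping, so its offset is None.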
