Hi:
Yeah, it works.
After re-downloading the newest ossec-hids-2.1.tar.gz, it seems to have fixed my
segfault problem.
On the two machines (one i386, one x86_64) ossec-syscheckd has been running fine
for over 15 minutes.
Thanks, Daniel.
$ ls -l ossec-hids-2.1.tar.gz
-rw-r--r-- 1 louie louie 711299 Jul 1 02:39 ossec-hids-2.1.tar.gz
DIRECTORY="/var/ossec"
VERSION="v2.1"
DATE="Wed Jul 1 11:17:38 CST 2009"
TYPE="agent"
--
Louie July 01, 2009 11:19:22
On Tue, Jun 30, 2009 at 12:48:06PM -0600, Md Monk wrote:
> No segfault for me yet, and I've been running it for a bit over an hour.
>
> I am using the snapshot: ossec-hids-090630.tar.gz
>
> -Chuck (MdMonk)
>
> On Tue, Jun 30, 2009 at 11:59 AM, Koski, David <[email protected]> wrote:
>
> >
> > I got a seg fault on the new one as well, I won't have a chance for at
> > least a few hours to gdb it.
> >
> > David
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > On Behalf Of louie
> > Sent: Tuesday, June 30, 2009 1:28 PM
> > To: [email protected]
> > Subject: [ossec-list] Re: OSSEC v2.1 released
> >
> > Hi Daniel:
> >
> > I re-downloaded ossec-hids-2.1, but it segfaults again
> >
> > $ ls -ltr ossec-hids-2.1*
> > -rw-r--r-- 1 louie louie 711257 Jul 1 00:18 ossec-hids-2.1.tar.gz
> >
> > cat /etc/ossec-init.conf
> > DIRECTORY="/var/ossec"
> > VERSION="v2.1"
> > DATE="Wed Jul 1 00:57:48 CST 2009"
> > TYPE="agent"
> >
> >
> > root 6547 1 0 00:57 ? 00:00:00 /var/ossec/bin/ossec-execd
> > ossec 6551 1 0 00:57 ? 00:00:00 /var/ossec/bin/ossec-agentd
> > root 6555 1 0 00:57 ? 00:00:00
> > /var/ossec/bin/ossec-logcollector
> >
> > the ossec-syscheckd is gone
> >
> > /var/log/message
> > Jul 1 01:07:46 print kernel: [10258.274006] ossec-syscheckd[6559]:
> > segfault at 0 ip 40448d sp 7fff8f484ab0 error 4 in
> > ossec-syscheckd[400000+3b000]
> >
> > and gdb's log is the same as with ossec-hids-090630.tar.gz; what am I doing
> > wrong?
> >
> > # gdb /var/ossec/bin/ossec-syscheckd
> > Tue Jun 30 23:48:34 CST 2009
> > GNU gdb 6.8-debian
> > Copyright (C) 2008 Free Software Foundation, Inc.
> > License GPLv3+: GNU GPL version 3 or later <
> > http://gnu.org/licenses/gpl.html>
> > This is free software: you are free to change and redistribute it.
> > There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> > and "show warranty" for details.
> > This GDB was configured as "x86_64-linux-gnu"...
> > (gdb) set follow-fork-mode child
> > (gdb) run
> > Starting program: /var/ossec/bin/ossec-syscheckd Executing new program:
> > /bin/bash (no debugging symbols found) (no debugging symbols found)
> > [tcsetpgrp failed in terminal_inferior: No such process] (no debugging
> > symbols found) (no debugging symbols found) (no debugging symbols found)
> > Executing new program: /bin/ps (no debugging symbols found) (no debugging
> > symbols found) (no debugging symbols found) (no debugging symbols found)
> >
> > Program exited normally.
> >
> >
> > --
> > Louie July 01, 2009 01:10:11
> >
> > On Tue, Jun 30, 2009 at 01:46:23PM -0300, Daniel Cid wrote:
> > >
> > > Hi Louie,
> > >
> > > The log you sent is good. Means it is working now. I updated 2.1 with
> > > the fix. If you had problems, please download it again:
> > > http://www.ossec.net/main/downloads/
> > >
> > > Thanks,
> > >
> > > --
> > > Daniel B. Cid
> > > dcid ( at ) ossec.net
> > >
> > > On Tue, Jun 30, 2009 at 1:36 PM,
> > > louie <[email protected]> wrote:
> > > > Sorry, forgot the whole logs
> > > >
> > > > # gdb /var/ossec/bin/ossec-syscheckd Tue Jun 30 23:48:34 CST 2009
> > > > GNU gdb 6.8-debian Copyright (C) 2008 Free Software Foundation, Inc.
> > > > License GPLv3+: GNU GPL version 3 or later
> > > > <http://gnu.org/licenses/gpl.html>
> > > > This is free software: you are free to change and redistribute it.
> > > > There is NO WARRANTY, to the extent permitted by law.  Type "show
> > > > copying"
> > > > and "show warranty" for details.
> > > > This GDB was configured as "x86_64-linux-gnu"...
> > > > (gdb) set follow-fork-mode child
> > > > (gdb) run
> > > > Starting program: /var/ossec/bin/ossec-syscheckd Executing new
> > > > program: /bin/bash (no debugging symbols found) (no debugging
> > > > symbols found) [tcsetpgrp failed in terminal_inferior: No such
> > > > process] (no debugging symbols found) (no debugging symbols found)
> > > > (no debugging symbols found) Executing new program: /bin/ps (no
> > > > debugging symbols found) (no debugging symbols found) (no debugging
> > > > symbols found) (no debugging symbols found)
> > > >
> > > > Program exited normally.
> > > >
> > > > --
> > > > Louie July 01, 2009 00:35:47
> > > >
> > > > On Wed, Jul 01, 2009 at 12:26:31AM +0800, louie wrote:
> > > >> Hi, Daniel:
> > > >>
> > > >> Thanks for the quick fix, but it segfaults again on both an i386 and
> > > >> an x86_64 machine
> > > >>
> > > >> cat /etc/ossec-init.conf
> > > >> DIRECTORY="/var/ossec"
> > > >> VERSION="2.0-SNP-090630"
> > > >> DATE="Tue Jun 30 23:29:49 CST 2009"
> > > >> TYPE="agent"
> > > >>
> > > >> # gdb /var/ossec/bin/ossec-syscheckd Tue Jun 30 23:48:34 CST 2009
> > > >> GNU gdb 6.8-debian Copyright (C) 2008 Free Software Foundation,
> > > >> Inc.
> > > >> License GPLv3+: GNU GPL version 3 or later
> > > >> <http://gnu.org/licenses/gpl.html>
> > > >> This is free software: you are free to change and redistribute it.
> > > >> There is NO WARRANTY, to the extent permitted by law.  Type "show
> > > >> copying"
> > > >> and "show warranty" for details.
> > > >> This GDB was configured as "x86_64-linux-gnu"...
> > > >> (gdb) set follow-fork-mode child
> > > >> (gdb) run
> > > >> Starting program: /var/ossec/bin/ossec-syscheckd
> > > >>
> > > >>
> > > >> --
> > > >> Louie June 30, 2009 23:49:21
> > > >>
> > > >> On Tue, Jun 30, 2009 at 12:16:39PM -0300, Daniel Cid wrote:
> > > >> >
> > > >> > Hey,
> > > >> >
> > > >> > Thanks for the output. Can you try very quickly the latest snapshot:
> > > >> >
> > > >> > http://ossec.net/files/snapshots/ossec-hids-090630.tar.gz
> > > >> >
> > > >> > I think I got it fixed.
> > > >> >
> > > >> > Thanks,
> > > >> >
> > > >> > On Tue, Jun 30, 2009 at 12:01 PM,
> > > >> > louie <[email protected]> wrote:
> > > >> > > This may not be a 64-bit issue, because I had another 32-bit
> > > >> > > machine segfault too.
> > > >> > >
> > > >> > >
> > > >> > > This is a x86_64 machine
> > > >> > > debian lenny 5.0.2
> > > >> > > kernel 2.6.26-2-amd64
> > > >> > >
> > > >> > > gdb /var/ossec/bin/ossec-syscheckd GNU gdb 6.8-debian Copyright
> > > >> > > (C) 2008 Free Software Foundation, Inc.
> > > >> > > License GPLv3+: GNU GPL version 3 or later
> > > >> > > <http://gnu.org/licenses/gpl.html>
> > > >> > > This is free software: you are free to change and redistribute it.
> > > >> > > There is NO WARRANTY, to the extent permitted by law.  Type "show
> > > >> > > copying"
> > > >> > > and "show warranty" for details.
> > > >> > > This GDB was configured as "x86_64-linux-gnu"...
> > > >> > > (gdb) set follow-fork-mode child
> > > >> > > (gdb) run
> > > >> > > Starting program: /var/ossec/bin/ossec-syscheckd
> > > >> > >
> > > >> > > Program received signal SIGSEGV, Segmentation fault.
> > > >> > > [Switching to process 1989]
> > > >> > > 0x000000000040414b in start_daemon () at run_check.c:278
> > > >> > > 278         if(syscheck.realtime->fd >= 0)
> > > >> > > (gdb) bt
> > > >> > > #0  0x000000000040414b in start_daemon () at run_check.c:278
> > > >> > > #1  0x0000000000402a98 in main (argc=1, argv=0x7fffe574afb8) at
> > > >> > > syscheck.c:337
> > > >> > >
> > > >> > >
> > > >> > > sorry, but I don't know where to use -d -d
> > > >> > >
> > > >> > > gdb -d /var/ossec/bin/ossec-syscheckd Tue Jun 30 23:00:09 CST
> > > >> > > 2009 GNU gdb 6.8-debian Copyright (C) 2008 Free Software
> > > >> > > Foundation, Inc.
> > > >> > > License GPLv3+: GNU GPL version 3 or later
> > > >> > > <http://gnu.org/licenses/gpl.html>
> > > >> > > This is free software: you are free to change and redistribute it.
> > > >> > > There is NO WARRANTY, to the extent permitted by law.  Type "show
> > > >> > > copying"
> > > >> > > and "show warranty" for details.
> > > >> > > This GDB was configured as "x86_64-linux-gnu".
> > > >> > >
> > > >> > > warning: /var/ossec/bin/ossec-syscheckd is not a directory.
> > > >> > >
> > > >> > >
> > > >> > > gdb /var/ossec/bin/ossec-syscheckd -d Tue Jun 30 23:00:33 CST
> > > >> > > 2009
> > > >> > > gdb: option `-d' requires an argument Use `gdb --help' for a
> > > >> > > complete list of options.
> > > >> > >
> > > >> > >
> > > >> > > segfault happened within ten minutes
> > > >> > >
> > > >> > > --
> > > >> > > Louie June 30, 2009 22:58:40
> > > >> > >
> > > >> > > On Tue, Jun 30, 2009 at 11:33:54AM -0300, Daniel Cid wrote:
> > > >> > >>
> > > >> > >> Hey,
> > > >> > >>
> > > >> > >> Thanks for the feedback. We certainly didn't encounter this
> > > >> > >> error in our beta testing, but will try to fix asap.
> > > >> > >>
> > > >> > >> Can any of you run it with gdb? Also, do you have the real
> > > >> > >> time monitoring enabled? Does it happen right away or after a
> > > >> > >> while?
> > > >> > >>
> > > >> > >> To run with gdb:
> > > >> > >>
> > > >> > >> # gdb /var/ossec/bin/ossec-syscheckd
> > > >> > >>
> > > >> > >> Inside gdb:
> > > >> > >>
> > > >> > >> (gdb) set follow-fork-mode child
> > > >> > >> (gdb) run
> > > >> > >>
> > > >> > >>
> > > >> > >> When it seg faults:
> > > >> > >>
> > > >> > >> (gdb) bt
> > > >> > >>
> > > >> > >>
> > > >> > >> If you can do that (and run with -d -d to enable debug) it would
> > > >> > >> really help.
> > > >> > >>
> > > >> > >>
> > > >> > >> Thanks,
> > > >> > >>
> > > >> > >> --
> > > >> > >> Daniel B. Cid
> > > >> > >> dcid ( at ) ossec.net
> > > >> > >>
> > > >> > >>
> > > >> > >> On Tue, Jun 30, 2009 at 11:12 AM,
> > > >> > >> louie <[email protected]> wrote:
> > > >> > >> > It's a me too reply ^_^
> > > >> > >> >
> > > >> > >> > just upgraded to 2.1
> > > >> > >> >
> > > >> > >> > [534986.676528] ossec-syscheckd[19422]: segfault at 0 ip
> > > >> > >> > 40414b sp 7fffbd4e3b10 error 4 in
> > > >> > >> > ossec-syscheckd[400000+3b000]
> > > >> > >> >
> > > >> > >> > debian lenny 5.0.2
> > > >> > >> > kernel 2.6.26-2-amd64
> > > >> > >> >
> > > >> > >> > --
> > > >> > >> > Louie June 30, 2009 22:10:35
> > > >> > >> >
> > > >> > >> > On Tue, Jun 30, 2009 at 09:16:54AM -0400, Koski, David wrote:
> > > >> > >> >>
> > > >> > >> >> Just upgraded and my ossec-syscheckd segfaulted on its first
> > > >> > >> >> run (RHEL5 x64) on the main server:
> > > >> > >> >>
> > > >> > >> >> kernel: ossec-syscheckd[1853]: segfault at 0000000000000000
> > > >> > >> >> rip 0000000000403dbe rsp 00007fff14946db0 error 4
> > > >> > >> >>
> > > >> > >> >> David
> > > >> > >> >>
> > > >> > >> >> -----Original Message-----
> > > >> > >> >> From: [email protected] [mailto:[email protected]]
> > > >> > >> >> On Behalf Of Daniel Cid
> > > >> > >> >> Sent: Tuesday, June 30, 2009 8:38 AM
> > > >> > >> >> To: [email protected]; [email protected]
> > > >> > >> >> Subject: [ossec-list] OSSEC v2.1 released
> > > >> > >> >>
> > > >> > >> >>
> > > >> > >> >> Hi list,
> > > >> > >> >>
> > > >> > >> >> We are happy to announce that OSSEC version 2.1 is available
> > > >> > >> >> now.
> > > >> > >> >>
> > > >> > >> >> This new version is the first one with support for
> > > >> > >> >> centralized configurations and realtime integrity monitoring
> > > >> > >> >> on Linux.
> > > >> > >> >> It also includes many other features and bug fixes:
> > > >> > >> >>
> > > >> > >> >>     * Centralized configuration - The agent.conf file was
> > > >> > >> >> introduced to allow granular configuration of the agents
> > > >> > >> >> directly on the manager side.
> > > >> > >> >>     * Remote agent restart - Functionality was added to
> > > >> > >> >> restart the agents remotely using the agent_control tool.
> > > >> > >> >>     * Real time integrity checking - Real time integrity
> > > >> > >> >> checking was added to Linux systems.
> > > >> > >> >>     * New Log Rules Support - We added support for Windows
> > > >> > >> >> DHCP logs and fixed/improved many of the other rules for
> > > >> > >> >> different messages.
> > > >> > >> >>
> > > >> > >> >> Source:
> > > >> > >> >> http://www.ossec.net/main/ossec-v21-released
> > > >> > >> >>
> > > >> > >> >> Download from here:
> > > >> > >> >> http://www.ossec.net/main/downloads
> > > >> > >> >>
> > > >> > >> >>
> > > >> > >> >> Full changelog (If I forgot someone, please let me know and
> > > >> > >> >> I will update it asap):
> > > >> > >> >> http://www.ossec.net/announcements/v2.1-2009-06-30.txt
> > > >> > >> >>
> > > >> > >> >> -Added additional rules to detect the enumeration of
> > > >> > >> >> extensions (Patch by Chris Bailes <chris at
> > > >> > >> >> paeenterprises.co.uk>).
> > > >> > >> >>
> > > >> > >> >> -Added support for glob (regular expressions) when
> > > >> > >> >> specifying the directories to check on syscheck.
> > > >> > >> >>
> > > >> > >> >> -Added support for syslog-ng ISODATE (conforming to
> > > >> > >> >> ISO-8601) date formats in the syslog header.
> > > >> > >> >>
> > > >> > >> >> -Added support for rsyslog non-standard date format (RFC
> > > >> > >> >> 5425).
> > > >> > >> >>
> > > >> > >> >> -Added the log testing tool to the default build (now
> > > >> > >> >> available at /var/ossec/bin/ossec-logtest ).
> > > >> > >> >>
> > > >> > >> >> -Added agentless script for Foundry switches (Thanks to
> > > >> > >> >> Matt <mgoldsberry at gmail.com> for the help).
> > > >> > >> >>
> > > >> > >> >> -Added support for real time integrity checking.
> > > >> > >> >>
> > > >> > >> >> -Added support for sending OSSEC alerts to twitter via active
> > > >> > >> >> response.
> > > >> > >> >>
> > > >> > >> >> -Added support for Windows DHCP logs (Thanks to
> > > >> > >> >> [email protected] for
> > > >> > >> >> the help).
> > > >> > >> >>
> > > >> > >> >> -Adding changes to support ASA/FWSM on the agentless
> > > >> > >> >> monitoring (Thanks to Michael Starks for the patch)
> > > >> > >> >>
> > > >> > >> >> -Added option to restart an ossec agent remotely.
> > > >> > >> >>
> > > >> > >> >> -Added agent config on the manager side.
> > > >> > >> >>
> > > >> > >> >> -Added the ability to fully build a Windows ossec agent
> > > >> > >> >> directly from the (Linux) server.
> > > >> > >> >>
> > > >> > >> >> -Fixed rootcheck to not monitor read-only file systems
> > > >> > >> >> during the rc_sys_check (Reported by Dennis Golden).
> > > >> > >> >>
> > > >> > >> >> -Fixed Windows policy that was looking for the wrong value
> > > >> > >> >> to check if the firewall was enabled or not (Reported by
> > > >> > >> >> Aaron Bliss).
> > > >> > >> >>
> > > >> > >> >> -Fixed debian rules that were matching on Juniper messages
> > > >> > >> >> (Reported by Reggie Griffin).
> > > >> > >> >>
> > > >> > >> >> -Fixed yum rules that were matching on other events.
> > > >> > >> >>
> > > >> > >> >> -Fixed syscheck_control that was segfaulting on 64 bit
> > > >> > >> >> systems.
> > > >> > >> >>
> > > >> > >> >> -Fixed mcafee rule that was triggering deleted viruses as
> > > >> > >> >> uncontained (Thanks to Michael Starks for the patch).
> > > >> > >> >>
> > > >> > >> >> -Fixed sshd rule to support new log format (Thanks to
> > > >> > >> >> j.bromley at bristol.ac.uk for the report).
> > > >> > >> >>
> > > >> > >> >> -Fixed ssh_integrity_check_linux agentless script that had
> > > >> > >> >> some extra spaces causing it to hang (Thanks to Mark
> > > >> > >> >> Ibrahim for the report).
> > > >> > >> >>
> > > >> > >> >> -Fixed support for systems without proper syslog hostname
> > > >> > >> >> (solaris 8/9 most of the time).
> > > >> > >> >>
> > > >> > >> >> -Added System32 Restore directory to the list of ignore
> > > >> > >> >> files for integrity checking (it was causing too many false
> > > >> > >> >> positives).
> > > >> > >> >>
> > > >> > >> >> -Fixed iptables active-response script that was not
> > > >> > >> >> properly deleting all the entries.
> > > >> > >> >>
> > > >> > >> >> -Added agentless devices to the listing tools
> > > >> > >> >> (agent_control -l, syscheck_control, -l ,etc).
> > > >> > >> >>
> > > >> > >> >> -Fixed bug when reading /dev/fd on FreeBSD that was causing
> > > >> > >> >> ossec to loop.
> > > >> > >> >> (Patch by Danny Fullerton - dfullerton at mantor.org )
> > > >> > >> >>
> > > >> > >> >> -Fixed file descriptor leak on execd.
> > > >> > >> >> (Patch by Slava Semushin - php-coder at altlinux.org )
> > > >> > >> >>
> > > >> > >> >> -Fixed bug where descriptions with new lines would break the
> > > >> > >> >> alert file.
> > > >> > >> >> (Reported by Bill Mathews <billford at gmail.com>)
> > > >> > >> >>
> > > >> > >> >> -Fixed init scripts for Darwin.
> > > >> > >> >> (patch by Peter <peter.wolanin at acquia.com>)
> > > >> > >> >>
> > > >> > >> >> -Added support for strftime on globbed files.
> > > >> > >> >>
> > > >> > >> >> -Added the option to decrease syscheck sleep time to 0 (and
> > > >> > >> >> run as fast as possible).
> > > >> > >> >> (thanks to Michael Altfield <michael.sa at gmail.com> for
> > > >> > >> >> the suggestion)
> > > >> > >> >>
> > > >> > >> >>
> > > >> > >> >> Thanks,
> > > >> > >> >>
> > > >> > >> >> --
> > > >> > >> >> Daniel B. Cid
> > > >> > >> >> dcid ( at ) ossec.net
> > > >> > >> >>
> > > >> > >> >
> > > >> > >> >
> > > >> > >> >
> > > >> > >>
> > > >> > >
> > > >> > >
> > > >> > >
> > > >> >
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> >
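As an added example (not code from OSSEC or from anyone in this thread): a small C program that parses both flavours of the kernel "segfault at ..." line quoted above, recovers the in-image offset to compare with the gdb backtrace, classifies "error 4" at address 0 as a NULL dereference, and shows the guarded form of the `syscheck.realtime->fd` check. The `syscheck_cfg`/`rt_state` names and the parsing helpers are assumptions based only on the gdb output, not OSSEC's own definitions.

```c
/* Added example, not OSSEC code: decode the kernel "segfault at ..." lines quoted
 * in this thread and show a guarded form of the check the gdb backtrace points at.
 * The syscheck/realtime struct names below are guesses taken from the gdb output. */
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned long addr, ip, sp;  /* faulting address, instruction and stack pointers */
    unsigned err;                /* x86 page-fault error code as logged by the kernel */
    unsigned long base, size;    /* "[400000+3b000]": mapping base and length */
    int has_map;                 /* 0 for the older "rip/rsp" format without mapping info */
    char comm[64];               /* executable name from the "in name[...]" part */
} segfault_info;

/* Parse both log flavours seen in the thread:
 *   "segfault at 0 ip 40414b sp 7fffbd4e3b10 error 4 in ossec-syscheckd[400000+3b000]"
 *   "segfault at 0000000000000000 rip 0000000000403dbe rsp 00007fff14946db0 error 4"
 * Returns 1 on success, 0 if the line is not a segfault report. */
int parse_segfault_line(const char *line, segfault_info *s)
{
    const char *p = strstr(line, "segfault at ");
    if (!p) return 0;
    memset(s, 0, sizeof *s);
    if (sscanf(p, "segfault at %lx ip %lx sp %lx error %u in %63[^[][%lx+%lx]",
               &s->addr, &s->ip, &s->sp, &s->err, s->comm, &s->base, &s->size) == 7) {
        s->has_map = 1;
        return 1;
    }
    return sscanf(p, "segfault at %lx rip %lx rsp %lx error %u",
                  &s->addr, &s->ip, &s->sp, &s->err) == 4;
}

/* Offset of the faulting instruction inside the mapped image, the number to compare
 * with what gdb prints: 0x40414b - 0x400000 = 0x414b for the backtrace in the thread. */
unsigned long fault_offset(const segfault_info *s)
{
    return s->has_map ? s->ip - s->base : s->ip;
}

/* Error code bits: 1 = page present (protection fault), 2 = write access, 4 = user mode.
 * "error 4" is a user-mode read of an unmapped page; with a near-zero address that is
 * the classic signature of a NULL pointer dereference. */
int is_null_deref(const segfault_info *s)
{
    return (s->err & 4) && !(s->err & 2) && !(s->err & 1) && s->addr < 4096;
}

/* Hypothetical mirror of the state behind "if(syscheck.realtime->fd >= 0)"
 * (run_check.c:278 in the backtrace); the guarded form treats a NULL realtime
 * pointer (real time monitoring not set up) as "no descriptor" instead of
 * reading through address 0. */
typedef struct { int fd; } rt_state;
typedef struct { rt_state *realtime; } syscheck_cfg;

int realtime_fd_ready(const syscheck_cfg *cfg)
{
    return cfg->realtime != NULL && cfg->realtime->fd >= 0;
}
```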