The problem, at least in my case, is that I upgraded an OSSEC
installation which had no <syscheck></syscheck> section in the
ossec.conf file (we don't want to use syscheck).  When I added a dummy
entry (below), OSSEC started up without a segfault:

  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>

Obviously a bug that needs to be fixed.

TM


On Jul 2, 12:46 pm, David Cottle <[email protected]> wrote:
> Yes, agreed. I am seeing heaps of segfaults only with 2.1; nothing else
> has been changed.
>
> OSSEC HIDS Notification.
> 2009 Jul 02 23:01:02
>
> Received From: server->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jul  2 23:01:02 server kernel: anonmap[15387]: segfault at b7fdd000 ip  
> b7fdd000 sp bfddfa8c error 15
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2009 Jul 02 23:01:02
>
> Received From: server->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jul  2 23:01:02 server kernel: execbss[15398]: segfault at 8049bec ip  
> 08049bec sp bfd8824c error 15 in execbss[8049000+1000]
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2009 Jul 02 23:01:02
>
> Received From: server->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jul  2 23:01:02 server kernel: execdata[15409]: segfault at 8049bd8 ip  
> 08049bd8 sp bfbe789c error 15 in execdata[8049000+1000]
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2009 Jul 02 23:01:02
>
> Received From: server->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jul  2 23:01:02 server kernel: execheap[15419]: segfault at 84cf098 ip  
> 084cf098 sp bfcc716c error 15
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2009 Jul 02 23:01:02
>
> Received From: server->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jul  2 23:01:02 server kernel: execstack[15431]: segfault at bfe8db58  
> ip bfe8db58 sp bfe8db4c error 15
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2009 Jul 02 23:01:02
>
> Received From: server->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jul  2 23:01:02 server kernel: shlibbss[15712]: segfault at 1135a0 ip  
> 001135a0 sp bfe8832c error 15 in shlibtest.so[112000+2000]
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2009 Jul 02 23:01:02
>
> Received From: server->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Jul  2 23:01:02 server kernel: shlibdata[15723]: segfault at 112580
> ip 00112580 sp bfd571fc error 15 in shlibtest.so[112000+2000]
>
> Sent from my iPhone
>
> On 03/07/2009, at 5:00, tm <[email protected]> wrote:
>
> > I just downloaded ossec-hids-2.1.tar.gz and did an update on my OSSEC
> > 2.0 installation on a 32-bit SuSE host.  It segfaults:
>
> > lillooet:/var/ossec/bin # ./ossec-control start
> > Starting OSSEC HIDS v2.1 (by Trend Micro Inc.)...
> > 2009/07/02 11:50:12 ossec-syscheckd(1702): INFO: No directory provided
> > for syscheck to monitor.
> > ./ossec-control: line 197: 23391 Segmentation fault      ${DIR}/bin/${i} -t
> > ossec-syscheckd: Configuration error. Exiting
>
> > Next steps?
>
> > TM
>
> > On Jun 30, 8:34 pm, louie <[email protected]> wrote:
> >> Hi:
>
> >>        Yeah, it works.
>
> >>        After re-downloading the newest ossec-hids-2.1.tar.gz, it seems
> >>        to fix my segfault problem.
>
> >>        On the two machines (one i386, one x86_64) ossec-syscheckd has
> >>        been running fine for over 15 minutes.
>
> >>        Thanks, Daniel.
>
> >> $ ls -l ossec-hids-2.1.tar.gz
> >> -rw-r--r-- 1 louie louie 711299 Jul  1 02:39 ossec-hids-2.1.tar.gz
>
> >> DIRECTORY="/var/ossec"
> >> VERSION="v2.1"
> >> DATE="Wed Jul  1 11:17:38 CST 2009"
> >> TYPE="agent"
>
> >> --
> >> Louie July 01, 2009   11:19:22
>
> >> On Tue, Jun 30, 2009 at 12:48:06PM -0600, Md Monk wrote:
> >>> No segfault for me yet, and I've been running it for a bit over an  
> >>> hour.
>
> >>> I am using the snapshot: ossec-hids-090630.tar.gz
>
> >>> -Chuck (MdMonk)
>
> >>> On Tue, Jun 30, 2009 at 11:59 AM, Koski, David <[email protected]>  
> >>> wrote:
>
> >>>> I got a seg fault on the new one as well, I won't have a chance  
> >>>> for at
> >>>> least a few hours to gdb it.
>
> >>>>       David
>
> >>>> -----Original Message-----
> >>>> From: [email protected] [mailto:[email protected]]
> >>>> On Behalf Of louie
> >>>> Sent: Tuesday, June 30, 2009 1:28 PM
> >>>> To: [email protected]
> >>>> Subject: [ossec-list] Re: OSSEC v2.1 released
>
> >>>> Hi Daniel:
>
> >>>> I re-downloaded ossec-hids-2.1, but it segfaults again
>
> >>>> $ ls -ltr ossec-hids-2.1*
> >>>> -rw-r--r-- 1 louie louie 711257 Jul  1 00:18 ossec-hids-2.1.tar.gz
>
> >>>> cat /etc/ossec-init.conf
> >>>> DIRECTORY="/var/ossec"
> >>>> VERSION="v2.1"
> >>>> DATE="Wed Jul  1 00:57:48 CST 2009"
> >>>> TYPE="agent"
>
> >>>> root      6547     1  0 00:57 ?        00:00:00 /var/ossec/bin/
> >>>> ossec-execd
> >>>> ossec     6551     1  0 00:57 ?        00:00:00 /var/ossec/bin/
> >>>> ossec-agentd
> >>>> root      6555     1  0 00:57 ?        00:00:00
> >>>> /var/ossec/bin/ossec-logcollector
>
> >>>> the ossec-syscheckd is gone
>
> >>>> /var/log/message
> >>>> Jul  1 01:07:46 print kernel: [10258.274006] ossec-syscheckd[6559]:
> >>>> segfault at 0 ip 40448d sp 7fff8f484ab0 error 4 in
> >>>> ossec-syscheckd[400000+3b000]
>
> >>>> and gdb's log is the same as with ossec-hids-090630.tar.gz. What am
> >>>> I doing wrong?
>
> >>>> # gdb /var/ossec/bin/ossec-syscheckd
> >>>> Tue Jun 30 23:48:34 CST 2009
> >>>> GNU gdb 6.8-debian
> >>>> Copyright (C) 2008 Free Software Foundation, Inc.
> >>>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> >>>> This is free software: you are free to change and redistribute it.
> >>>> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> >>>> and "show warranty" for details.
> >>>> This GDB was configured as "x86_64-linux-gnu"...
> >>>> (gdb) set follow-fork-mode child
> >>>> (gdb) run
> >>>> Starting program: /var/ossec/bin/ossec-syscheckd Executing new  
> >>>> program:
> >>>> /bin/bash (no debugging symbols found) (no debugging symbols found)
> >>>> [tcsetpgrp failed in terminal_inferior: No such process] (no  
> >>>> debugging
> >>>> symbols found) (no debugging symbols found) (no debugging symbols  
> >>>> found)
> >>>> Executing new program: /bin/ps (no debugging symbols found) (no  
> >>>> debugging
> >>>> symbols found) (no debugging symbols found) (no debugging symbols  
> >>>> found)
>
> >>>> Program exited normally.
>
> >>>> --
> >>>> Louie July 01, 2009   01:10:11
>
> >>>> On Tue, Jun 30, 2009 at 01:46:23PM -0300, Daniel Cid wrote:
>
> >>>>> Hi Louie,
>
> >>>>> The log you sent is good. Means it is working now. I updated 2.1  
> >>>>> with
> >>>>> the fix. If you had problems, please download it again:
> >>>>> http://www.ossec.net/main/downloads/
>
> >>>>> Thanks,
>
> >>>>> --
> >>>>> Daniel B. Cid
> >>>>> dcid ( at ) ossec.net
>
> >>>>> On Tue, Jun 30, 2009 at 1:36 PM, louie <[email protected]> wrote:
> >>>>>> Sorry, forgot the whole logs
>
> >>>>>> # gdb /var/ossec/bin/ossec-syscheckd Tue Jun 30 23:48:34 CST 2009
> >>>>>> GNU gdb 6.8-debian Copyright (C) 2008 Free Software Foundation,  
> >>>>>> Inc.
> >>>>>> License GPLv3+: GNU GPL version 3 or later
> >>>>>> <http://gnu.org/licenses/gpl.html>
> >>>>>> This is free software: you are free to change and redistribute  
> >>>>>> it.
> >>>>>> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> >>>>>> and "show warranty" for details.
> >>>>>> This GDB was configured as "x86_64-linux-gnu"...
> >>>>>> (gdb) set follow-fork-mode child
> >>>>>> (gdb) run
> >>>>>> Starting program: /var/ossec/bin/ossec-syscheckd Executing new
> >>>>>> program: /bin/bash (no debugging symbols found) (no debugging
> >>>>>> symbols found) [tcsetpgrp failed in terminal_inferior: No such
> >>>>>> process] (no debugging symbols found) (no debugging symbols  
> >>>>>> found)
> >>>>>> (no debugging symbols found) Executing new program: /bin/ps (no
> >>>>>> debugging symbols found) (no debugging symbols found) (no  
> >>>>>> debugging
> >>>>>> symbols found) (no debugging symbols found)
>
> >>>>>> Program exited normally.
>
> >>>>>> --
> >>>>>> Louie July 01, 2009   00:35:47
>
> >>>>>> On Wed, Jul 01, 2009 at 12:26:31AM +0800, louie wrote:
> >>>>>>> Hi, Daniel:
>
> >>>>>>> Thanks for the quick fix, but it segfaults again on both one i386 and
> >>>>>>> one x86_64 machine
>
> >>>>>>> cat /etc/ossec-init.conf
> >>>>>>> DIRECTORY="/var/ossec"
> >>>>>>> VERSION="2.0-SNP-090630"
> >>>>>>> DATE="Tue Jun 30 23:29:49 CST 2009"
> >>>>>>> TYPE="agent"
>
> >>>>>>> # gdb /var/ossec/bin/ossec-syscheckd Tue Jun 30 23:48:34 CST  
> >>>>>>> 2009
> >>>>>>> GNU gdb 6.8-debian Copyright (C) 2008 Free Software Foundation,
> >>>>>>> Inc.
> >>>>>>> License GPLv3+: GNU GPL version 3 or later
> >>>>>>> <http://gnu.org/licenses/gpl.html>
> >>>>>>> This is free software: you are free to change and redistribute  
> >>>>>>> it.
> >>>>>>> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> >>>>>>> and "show warranty" for details.
> >>>>>>> This GDB was configured as "x86_64-linux-gnu"...
> >>>>>>> (gdb) set follow-fork-mode child
> >>>>>>> (gdb) run
> >>>>>>> Starting program: /var/ossec/bin/ossec-syscheckd
>
> >>>>>>> --
> >>>>>>> Louie June 30, 2009   23:49:21
>
> >>>>>>> On Tue, Jun 30, 2009 at 12:16:39PM -0300, Daniel Cid wrote:
>
> >>>>>>>> Hey,
>
> >>>>>>>> Thanks for the output. Can you try very quickly the latest  
> >>>>>>>> snapshot:
>
> >>>>>>>> http://ossec.net/files/snapshots/ossec-hids-090630.tar.gz
>
> >>>>>>>> I think I got it fixed.
>
> >>>>>>>> Thanks,
>
> >>>>>>>> On Tue, Jun 30, 2009 at 12:01 PM, louie <[email protected]> wrote:
> >>>>>>>>> This may not be a 64-bit issue, because I had another 32-bit
> >>>>>>>>> machine segfault too.
>
> >>>>>>>>> This is a x86_64 machine
> >>>>>>>>> debian lenny 5.0.2
>
> ...
>
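
An added example, not part of the thread and not OSSEC's own code: a pre-upgrade check for the condition described in the first message, an ossec.conf with no `<syscheck>` section. The function name, status strings and both sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the hosts in the thread).
WITHOUT_SYSCHECK = """
<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
  </client>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
"""
# Same config with the dummy entry from the first message added.
WITH_DUMMY = WITHOUT_SYSCHECK.replace("</ossec_config>", """  <syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  </syscheck>
</ossec_config>""")


def syscheck_preflight(conf_text):
    """Return (status, directories) for the <syscheck> part of an ossec.conf.

    status: "unparseable", "no-section" (the case reported above),
    "no-directories", or "ok".
    """
    # ossec.conf may contain several top-level <ossec_config> blocks, so
    # wrap the text in a synthetic root element before parsing.
    try:
        root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    except ET.ParseError:
        return ("unparseable", [])
    sections = root.findall("./ossec_config/syscheck")
    if not sections:
        return ("no-section", [])
    dirs = []
    for section in sections:
        for entry in section.findall("directories"):
            dirs += [p.strip() for p in (entry.text or "").split(",") if p.strip()]
    return ("ok", dirs) if dirs else ("no-directories", [])


if __name__ == "__main__":
    for name, text in (("without", WITHOUT_SYSCHECK), ("with dummy", WITH_DUMMY)):
        print(name, syscheck_preflight(text))
```

Feeding it the contents of /var/ossec/etc/ossec.conf before running the upgrade shows whether the host is in the "no-section" state.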