Hello, I am trying to find a solution to a problem I am having with ossec-hids-2.4 on the HP-UX platform. The problem occurs when installing the client/agent software on the hosts I need to monitor. I have it working for AIX, Linux, and Sun but still can't find a solution to the problem on HP-UX. We are getting a socket busy error (see below):
2010/04/15 13:27:53 ossec-rootcheck: INFO: Started (pid: 3958).
2010/04/15 13:27:53 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2010/04/15 13:27:53 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2010/04/15 13:27:53 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2010/04/15 13:27:53 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2010/04/15 13:27:53 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2010/04/15 13:27:55 ossec-logcollector: INFO: (unix_domain) Maximum send buffer set to: '32768'.
2010/04/15 13:27:55 ossec-logcollector: DEBUG: Entering LogCollectorStart().
2010/04/15 13:27:55 ossec-logcollector: INFO: Started (pid: 3954).
2010/04/15 13:28:25 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2010/04/15 13:32:45 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2010/04/15 13:34:45 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2010/04/15 13:35:14 ossec-syscheckd: socket busy ..
2010/04/15 13:35:24 ossec-syscheckd: socket busy ..

I did see this bit of information (below) about Unix Domain Sockets while researching the issue and was curious if this could be the culprit. It addresses using domain sockets in a chroot environment.

On systems where sockets are implemented on top of Streams (e.g. all SysV-based systems, presumably including Solaris), the socket() function will actually be opening certain special files in /dev. You will need to create a /dev directory under your fake root and populate it with the required device nodes (only). Your system documentation may or may not specify exactly which device nodes are required; I can't help you there (sorry). (Editor's note: Adrian Hall ([email protected]) suggested checking the man page for ftpd, which should list the files you need to copy and devices you need to create in the chroot'd environment.)
A less-obvious issue with chroot() is if you call syslog(), as many daemons do; syslog() opens (depending on the system) either a UDP socket, a FIFO or a Unix-domain socket. So if you use it after a chroot() call, make sure that you call openlog() *before* the chroot.
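
An added C example, not from the OSSEC source or from the post above, that separates the two failure modes the post is weighing: a Unix-domain datagram send that fails with EAGAIN/ENOBUFS because the receiving daemon is not draining its queue, versus one that fails with ENOENT/ECONNREFUSED because the socket path is not visible from the sending process, which is what a node missing inside a chroot looks like. The temp directory, socket path, sample datagrams and function names are constructed for the demo and are not OSSEC's.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Outcome of one non-blocking datagram send to a Unix-domain socket. */
enum send_result { SEND_OK, SEND_BUSY, SEND_UNREACHABLE, SEND_OTHER };

/* EAGAIN/ENOBUFS: the socket exists but its reader is not draining it (the
 * "socket busy" shape). ENOENT/ECONNREFUSED: the path is not reachable from
 * this process, which is what a socket node missing under a chroot looks like. */
enum send_result send_unix_dgram(const char *path, const char *msg)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) return SEND_OTHER;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    ssize_t n = sendto(fd, msg, strlen(msg), MSG_DONTWAIT,
                       (struct sockaddr *)&addr, sizeof addr);
    int err = errno;            /* save before close() can clobber it */
    close(fd);
    if (n >= 0) return SEND_OK;
    if (err == EAGAIN || err == EWOULDBLOCK || err == ENOBUFS) return SEND_BUSY;
    if (err == ENOENT || err == ECONNREFUSED) return SEND_UNREACHABLE;
    return SEND_OTHER;
}

/* Bind a receiver in a temp dir (constructed), never read from it, and send
 * constructed datagrams until the kernel refuses one. Expected: SEND_BUSY. */
enum send_result demo_idle_receiver(void)
{
    char dir[] = "/tmp/uds-demo-XXXXXX", path[128];
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    enum send_result r = SEND_OTHER;
    if (!mkdtemp(dir)) return SEND_OTHER;
    snprintf(path, sizeof path, "%s/queue", dir);
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&addr, sizeof addr) == 0)
        for (int i = 0; i < 10000; i++)
            if ((r = send_unix_dgram(path, "syscheck sample (constructed)")) != SEND_OK) break;
    if (fd >= 0) close(fd);
    unlink(path); rmdir(dir);
    return r;
}
```

When reading an agent log, the same split applies: a busy result points at the receiving daemon not keeping up, while an unreachable result points at a path that the sending process cannot see.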
