Hey guys,

I was checking an ignore rule this morning and following syscheckd
activity with strace, and I noticed that syscheck was looking into
/proc.
So I went back to my configuration and confirmed that /proc is not
included in the list of directories to check

    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" report_changes="yes">/etc,/tmp,/var/spool/cron</directories>
    <directories check_all="yes" report_changes="yes">/opt/tools,/opt/utils,/var/www</directories>

But I have clear evidence that syscheck is going into /proc
regardless:

    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
    open("18575", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
    open("18576", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
    open("/proc/18576", O_RDONLY)           = -1 ENOENT (No such file or directory)
    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
    open("18577", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
    open("/proc/18577", O_RDONLY)           = -1 ENOENT (No such file or directory)
    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
    open("18578", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
    open("/proc/18578", O_RDONLY)           = -1 ENOENT (No such file or directory)
    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
    open("18579", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
    open("18580", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
    open("/proc/18580", O_RDONLY)           = -1 ENOENT (No such file or directory)
    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6

Why is it doing this? It should just ignore /proc and step into the
directories listed in the configuration only. Is it a bug in the code?
(I run 2.6.)


Thanks,
Julien
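A small script, added here as an example and not part of the post or of OSSEC itself, that turns the check described above into something repeatable: it reads the `<directories>` entries from a syscheck config fragment, pulls the path argument out of every `open()`/`openat()` line in an strace capture, and counts the opens that fall outside the configured directories. The config fragment is the one from the post wrapped in a root element so it parses; the strace lines are constructed samples modelled on the ones quoted.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: the <directories> lines from the post, wrapped in a
# <syscheck> root so ElementTree can parse the fragment.
SYSCHECK_CONF = """<syscheck>
  <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes" report_changes="yes">/etc,/tmp,/var/spool/cron</directories>
  <directories check_all="yes" report_changes="yes">/opt/tools,/opt/utils,/var/www</directories>
</syscheck>"""

# Constructed sample of strace output, modelled on the lines in the post
# (one openat() line added, which is what newer glibc/kernels emit).
STRACE_LOG = """open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
open("18575", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
open("/proc/18576", O_RDONLY)           = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY)           = 7
openat(AT_FDCWD, "/usr/bin/vim", O_RDONLY) = 8
"""

# Matches open("path", ...) and openat(AT_FDCWD, "path", ...); openat with a
# real dirfd is relative to that fd and is deliberately not matched.
OPEN_RE = re.compile(r'^(?:open\("|openat\(AT_FDCWD, ")([^"]*)"')

def configured_dirs(conf_xml: str) -> List[str]:
    """Return every directory listed in <directories> elements, in order."""
    root = ET.fromstring(conf_xml)
    dirs: List[str] = []
    for el in root.iter("directories"):
        dirs.extend(d.strip() for d in (el.text or "").split(",") if d.strip())
    return dirs

def opened_paths(strace_text: str) -> List[str]:
    """Extract the path argument of each matching open()/openat() call."""
    paths: List[str] = []
    for line in strace_text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            paths.append(m.group(1))
    return paths

def in_scope(path: str, dirs: List[str]) -> bool:
    """True if path is a configured directory or lies beneath one."""
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in dirs)

def out_of_scope_opens(conf_xml: str, strace_text: str) -> Dict[str, int]:
    """Count open() targets outside the configured list (relative paths included)."""
    dirs = configured_dirs(conf_xml)
    counts: Dict[str, int] = {}
    for p in opened_paths(strace_text):
        if not in_scope(p, dirs):
            counts[p] = counts.get(p, 0) + 1
    return counts

if __name__ == "__main__":
    for path, n in sorted(out_of_scope_opens(SYSCHECK_CONF, STRACE_LOG).items()):
        print(f"{n:3d}  {path}")
```

On a live system, feed it the output of `strace -f -e trace=open,openat -p <syscheckd pid>` instead of the constructed sample; relative entries such as `18575` show up as their own out-of-scope lines, which is exactly the /proc pattern the post describes.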
