On Mon, Feb 6, 2012 at 11:10 AM, Julien Vehent <[email protected]> wrote:
> Hey guys,
>
> I was checking an ignore rule this morning and following syscheckd
> activity with strace, and I noticed that syscheck was looking into
> /proc.
> So I went back to my configuration and confirmed that /proc is not
> included in the list of directories to check
>
>    <!-- Directories to check  (perform all possible verifications) -->
>    <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
>    <directories check_all="yes" report_changes="yes">/etc,/tmp,/var/spool/cron</directories>
>    <directories check_all="yes" report_changes="yes">/opt/tools,/opt/utils,/var/www</directories>
>
> But I have clear evidence that syscheck is going into /proc
> regardless:
>
>    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
>    open("18575", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)

These look like PIDs. Is the rootcheck scan going when these are popping up?

>    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
>    open("18576", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
>    open("/proc/18576", O_RDONLY)           = -1 ENOENT (No such file or directory)
>    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
>    open("18577", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
>    open("/proc/18577", O_RDONLY)           = -1 ENOENT (No such file or directory)
>    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
>    open("18578", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
>    open("/proc/18578", O_RDONLY)           = -1 ENOENT (No such file or directory)
>    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
>    open("18579", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
>    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
>    open("18580", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
>    open("/proc/18580", O_RDONLY)           = -1 ENOENT (No such file or directory)
>    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
>
> Why is it doing this? It should just ignore /proc and step into the
> directories listed in the configuration only. Is it a bug in the code?
> (I run 2.6.)
>
>
> Thanks,
> Julien
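The diagnosis being done by hand above (reading strace output and deciding which open() calls fall outside the configured syscheck directories, and whether the bare numeric names are a PID sweep rather than file monitoring) can be scripted. The following is an added example and not code from the thread or from OSSEC. The strace lines are constructed to mirror the ones quoted, the directory list is taken from the quoted ossec.conf, and treating bare digit-only names and /proc/NNNN paths as PID probes is the assumption the reply makes, not something the page proves.

```python
import re

# Constructed sample modelled on the strace lines quoted in the thread (not a real capture).
STRACE_SAMPLE = """\
open("/etc/passwd", O_RDONLY) = 5
open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
open("18575", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
open("18576", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
open("/proc/18576", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/www/index.html", O_RDONLY) = 7
open("/home/julien/.bashrc", O_RDONLY) = 8
"""

# The <directories> entries from the quoted ossec.conf.
CONFIGURED_DIRS = [
    "/bin", "/sbin", "/usr/bin", "/usr/sbin",
    "/etc", "/tmp", "/var/spool/cron",
    "/opt/tools", "/opt/utils", "/var/www",
]

# open("<path>", <flags>) = <retval> ...   (error text after the retval is ignored)
OPEN_RE = re.compile(r'^open\("([^"]*)",\s*([^)]*)\)\s*=\s*(-?\d+)')
PROC_PID_RE = re.compile(r"/proc/(\d+)")


def parse_opens(text):
    """Yield (path, flags, retval) for every open() call in an strace log."""
    for line in text.splitlines():
        m = OPEN_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def in_configured_scope(path, dirs=CONFIGURED_DIRS):
    """True if path is one of the configured directories or lies below one of them."""
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in dirs)


def classify(text, dirs=CONFIGURED_DIRS):
    """Bucket each opened path: inside the syscheck config, a /proc PID probe, or other out-of-scope.

    Assumption (from the reply in the thread): a bare digit-only name or /proc/NNNN is a
    process-table probe, i.e. rootcheck behaviour rather than file integrity checking.
    """
    result = {"in_scope": [], "pid_probe": [], "out_of_scope": []}
    for path, _flags, _ret in parse_opens(text):
        if in_configured_scope(path, dirs):
            result["in_scope"].append(path)
        elif path == "/proc" or path.isdigit() or PROC_PID_RE.fullmatch(path):
            result["pid_probe"].append(path)
        else:
            result["out_of_scope"].append(path)
    return result


def probed_pids(text):
    """Sorted distinct PIDs probed as bare "NNNN" or "/proc/NNNN"."""
    pids = set()
    for path, _flags, _ret in parse_opens(text):
        if path.isdigit():
            pids.add(int(path))
        else:
            m = PROC_PID_RE.fullmatch(path)
            if m:
                pids.add(int(m.group(1)))
    return sorted(pids)


def is_sequential_sweep(pids):
    """True when each probed PID is exactly one above the previous: a PID enumeration, not file monitoring."""
    return len(pids) > 1 and all(b - a == 1 for a, b in zip(pids, pids[1:]))


if __name__ == "__main__":
    buckets = classify(STRACE_SAMPLE)
    for name, paths in buckets.items():
        print(f"{name:13s} {paths}")
    pids = probed_pids(STRACE_SAMPLE)
    print("probed PIDs:", pids, "sequential sweep:", is_sequential_sweep(pids))
```

Run it against a real capture with `strace -f -e trace=open -o syscheck.trace -p <pid>` and feed the file's contents to `classify()`; anything landing in `out_of_scope` is the part worth raising, while a sequential PID sweep in `pid_probe` points at the rootcheck process scan rather than at syscheck ignoring its directory list.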
