On Mon  6.Feb'12 at 11:55:11 -0500, dan (ddp) wrote:
> On Mon, Feb 6, 2012 at 11:10 AM, Julien Vehent <[email protected]> wrote:
> > Hey guys,
> >
> > I was checking an ignore rule this morning and following syscheckd
> > activity with strace, and I noticed that syscheck was looking into
> > /proc.
> > So I went back to my configuration and confirmed that /proc is not
> > included in the list of directories to check
> >
> >    <!-- Directories to check  (perform all possible verifications) -->
> >    <directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
> >    <directories check_all="yes" report_changes="yes">/etc,/tmp,/var/spool/cron</directories>
> >    <directories check_all="yes" report_changes="yes">/opt/tools,/opt/utils,/var/www</directories>
> >
> > But I have clear evidence that syscheck is going into /proc
> > regardless:
> >
> >    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
> >    open("18575", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
> 
> These look like PIDs. Is the rootcheck scan going when these are popping up?

Is rootcheckd launched under the PID of syscheckd? Because I was
stracing syscheckd.

> 
> >    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
> >    open("18576", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
> >    open("/proc/18576", O_RDONLY)           = -1 ENOENT (No such file or directory)
> >    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
> >    open("18577", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
> >    open("/proc/18577", O_RDONLY)           = -1 ENOENT (No such file or directory)
> >    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
> >    open("18578", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
> >    open("/proc/18578", O_RDONLY)           = -1 ENOENT (No such file or directory)
> >    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
> >    open("18579", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
> >    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
> >    open("18580", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
> >    open("/proc/18580", O_RDONLY)           = -1 ENOENT (No such file or directory)
> >    open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
> >
> > Why is it doing this? It should just ignore /proc and step into the
> > directories listed in the configuration only. Is it a bug in the code?
> > (I run 2.6).
> >
> >
> > Thanks,
> > Julien
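A small way to make the kind of cross-check Julien did by hand repeatable: parse the `<directories>` entries from the ossec.conf snippet and flag every `open()` in an strace capture whose path is not under one of them. This is an added example, not code from the thread or from OSSEC; the config text and the strace lines below are constructed from what the thread quotes.

```python
import re

# Constructed sample input: the <directories> lines quoted in the thread.
OSSEC_CONF = """
<directories check_all="yes">/bin,/sbin,/usr/bin,/usr/sbin</directories>
<directories check_all="yes" report_changes="yes">/etc,/tmp,/var/spool/cron</directories>
<directories check_all="yes" report_changes="yes">/opt/tools,/opt/utils,/var/www</directories>
"""

# Constructed sample strace output, modelled on the lines quoted in the thread
# plus two opens inside configured directories (not a live capture).
STRACE = """\
open("/etc/passwd", O_RDONLY) = 5
open("/proc", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = 6
open("18576", O_RDONLY|O_NONBLOCK|O_DIRECTORY|0x80000) = -1 ENOENT (No such file or directory)
open("/proc/18576", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/bin/ls", O_RDONLY) = 7
"""

DIR_RE = re.compile(r"<directories[^>]*>([^<]+)</directories>")
OPEN_RE = re.compile(r'^open\("([^"]*)"')


def configured_dirs(conf: str) -> list[str]:
    """Collect every comma-separated path listed in <directories> elements."""
    dirs = []
    for m in DIR_RE.finditer(conf):
        dirs.extend(p.strip() for p in m.group(1).split(","))
    return dirs


def is_covered(path: str, dirs: list[str]) -> bool:
    """True if path is one of the configured dirs or lies beneath one."""
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in dirs)


def opens_outside_config(trace: str, conf: str) -> list[str]:
    """Return the paths opened in the trace that no <directories> entry covers.
    Relative names (like the bare PIDs in the thread) cannot be matched to a
    configured directory, so they are reported as well."""
    dirs = configured_dirs(conf)
    return [m.group(1) for m in map(OPEN_RE.match, trace.splitlines())
            if m and not is_covered(m.group(1), dirs)]


if __name__ == "__main__":
    for path in opens_outside_config(STRACE, OSSEC_CONF):
        print("outside configured directories:", path)
```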
