Is this reproducible? Steps to reproduce it will be very helpful. Are you using the default rootcheck _rcl.txt files (under /var/ossec/etc/shared/)? Any customization?
On Monday, October 15, 2012 8:26:51 AM UTC-7, PAL wrote:
>
> After updating to version 2.7 beta2, ossec-syscheckd on my servers crashed
> with a coredump.
> Tried to debug, but no results:
>
> $ gdb ./ossec-syscheckd ./ossec-syscheckd-1350312099-6121.core
> GNU gdb (GDB) CentOS (7.0.1-42.el5.centos.1)
> Copyright (C) 2009 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-redhat-linux-gnu".
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>...
> Reading symbols from /home/opokhvalit/ossec-syscheckd...done.
> [New Thread 6121]
> Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
> Loaded symbols for /lib64/libc.so.6
> Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
> Loaded symbols for /lib64/ld-linux-x86-64.so.2
>
> warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7fff13db0000
> Core was generated by `/var/ossec/bin/ossec-syscheckd'.
> Program terminated with signal 11, Segmentation fault.
> #0 0x0000000000417868 in is_file (file_name=0x7f4430 "\240}\204") at common.c:676
>
> warning: Source file is more recent than executable.
> 676 if( (stat(file_name, &statbuf) < 0) &&
> (gdb) print file_name
> $1 = 0x7f4430 "\240}\204"
> (gdb) frame 1
> #1 0x0000000000416b58 in _is_str_in_array (ar=0x0, str=0x7fff13c23730 "") at common.c:33
> 33 ar++;
>
> Latest records in ossec logs:
> 2012/10/15 10:15:49 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2012/10/15 10:15:49 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2012/10/15 10:15:49 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> 2012/10/15 10:40:45 ossec-syscheckd: INFO: Real time file monitoring started.
> 2012/10/15 10:40:45 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> 2012/10/15 10:40:59 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
> 2012/10/15 10:41:39 ossec-rootcheck: INFO: Starting rootcheck scan.
>
> Looks like syscheckd crashes at the beginning of rootcheck.
