On Thu, Sep 19, 2013 at 4:09 PM, MDACC-Luckie <[email protected]> wrote:
> Any thoughts? A client.keys file issue? All files/permissions should be as
> they were when OSSEC was running properly so it is perplexing to me what
> might be wrong. Since I have over 500 agents, a reinstall and new key
> deployment is a bit frightening.
>
> Thanks!
>
What version of OSSEC are you using?
Here are the permissions I have for client.keys:
[ddp@arrakis] :; ls -l /var/ossec/etc/client.keys
-r--r----- 1 root ossec 260 Feb 20 2013 /var/ossec/etc/client.keys
It looks to me like line 88 in msgs.c shouldn't be reached if the
client.keys file is actually being read. Are you limiting the file
descriptors available to ossec users?
I wish the fopen had better error handling a few lines earlier in
msgs.c. Even something silly like this:
diff -r 2ca06529ece9 src/os_crypto/shared/msgs.c
--- a/src/os_crypto/shared/msgs.c Wed Aug 14 08:57:09 2013 -0400
+++ b/src/os_crypto/shared/msgs.c Tue Sep 24 11:56:19 2013 -0400
@@ -76,6 +76,10 @@
}
keys->keyentries[i]->fp = fopen(rids_file, "r+");
+ if(!keys->keyentries[i]->fp)
+ {
+ debug1("failed to open client.keys (%d): %s\n", errno,
strerror(errno));
+ }
/* If nothing is there, try to open as write only */
if(!keys->keyentries[i]->fp)
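Review bot: The debug1 message in the added block names client.keys, but the call it checks is fopen(rids_file, "r+"), so the log would send the admin to the wrong file; print the rids_file path in the message instead. The new test also repeats the existing if(!keys->keyentries[i]->fp) that follows under "try to open as write only", so the log line could live inside that block rather than in a second identical check. Since that fallback implies a failed "r+" open is an expected case, the more useful place to report errno is after the fallback open fails too, and at a level that shows up without running in debug mode. The hunk does not show the includes, so confirm errno.h and string.h are present for errno and strerror.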
>
> On Wednesday, September 18, 2013 2:18:10 PM UTC-5, MDACC-Luckie wrote:
>>
>> Dan:
>>
>> Still following the issue of my ossec server that stopped running due to
>> permissions that were changed on ossec directories and subdirectories. I
>> opted to get our storage team to recover all files with appropriate
>> permission from a given date/time. Things are coming along but now I am
>> facing an issue with ossec-remoted not running. Everything appears to start
>> when OSSEC starts but after doing a status, I see the following:
>>
>> # /opt/ossec/bin/ossec-control status
>> ossec-monitord is running...
>> ossec-logcollector is running...
>> ossec-remoted: Process 7541 not used by ossec, removing ..
>> ossec-remoted not running...
>> ossec-syscheckd is running...
>> ossec-analysisd is running...
>> ossec-maild is running...
>> ossec-execd not running...
>>
>> Following recommendations you made to someone in another post in this
>> group, I ran remoted in gdb. I really am not sure what I am looking at in
>> the output of gdb below to further troubleshoot the issue. Any suggestions
>> or recommendations would be greatly appreciated.
>>
>> GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-42.el5_8.1)
>> Copyright (C) 2009 Free Software Foundation, Inc.
>> License GPLv3+: GNU GPL version 3 or later
>> <http://gnu.org/licenses/gpl.html>
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>> and "show warranty" for details.
>> This GDB was configured as "x86_64-redhat-linux-gnu".
>> For bug reporting instructions, please see:
>> <http://www.gnu.org/software/gdb/bugs/>...
>> Reading symbols from /opt/ossec/bin/ossec-remoted...done.
>> (gdb) set follow-fork-mode child
>> (gdb) run -df
>> Starting program: /opt/ossec/bin/ossec-remoted -df
>> warning: no loadable sections found in added symbol-file system-supplied
>> DSO at 0x2aaaaaaab000
>> [Thread debugging using libthread_db enabled]
>> 2013/09/18 14:03:39 ossec-remoted: DEBUG: Starting ...
>> 2013/09/18 14:03:39 ossec-remoted: INFO: Started (pid: 26892).
>> [New process 26895]
>> [Thread debugging using libthread_db enabled]
>> 2013/09/18 14:03:39 ossec-remoted: DEBUG: Forking remoted: '0'.
>> 2013/09/18 14:03:40 ossec-remoted: INFO: Started (pid: 26895).
>> 2013/09/18 14:03:40 ossec-remoted: DEBUG: Running manager_init
>> [New Thread 0x40a00940 (LWP 26896)]
>> [New Thread 0x41401940 (LWP 26897)]
>> 2013/09/18 14:03:40 ossec-remoted: INFO: (unix_domain) Maximum send buffer
>> set to: '262144'.
>> 2013/09/18 14:03:40 ossec-remoted(4111): INFO: Maximum number of agents
>> allowed: '1024'.
>> 2013/09/18 14:03:40 ossec-remoted(1410): INFO: Reading authentication keys
>> file.
>> 2013/09/18 14:03:40 ossec-remoted: DEBUG: OS_StartCounter.
>> 2013/09/18 14:03:40 ossec-remoted: OS_StartCounter: keysize: 455
>> Program received signal SIGSEGV, Segmentation fault.
>> [Switching to Thread 0x2aaaaaac5af0 (LWP 26895)]
>> 0x000000000042191b in OS_StartCounter (keys=0x64e700) at msgs.c:88
>> 88 if((keys->keyentries[i -1]->fp) && (i > 10))
>> (gdb)
>> (gdb) bt
>> #0 0x000000000042191b in OS_StartCounter (keys=0x64e700) at msgs.c:88
>> #1 0x000000000040421d in HandleSecure () at secure.c:84
>> #2 0x00000000004040e1 in HandleRemote (position=0, uid=955) at
>> remoted.c:101
>> #3 0x0000000000402c90 in main (argc=2, argv=0x7fffffffe988) at main.c:150
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.