2014-03-25 11:20 GMT-04:00 dan (ddp) <[email protected]>:
> > another point, I need to discuss on the list is the cpu usage of ossec. On
> > my test mac, it is often eating 50-90% of CPU.
>
> I don't recall seeing this type of resource consumption on other
> systems during most operations. This may just be one of the risks of
> running a niche OS.
>
Maybe. It could also be more restricted/latent on other platforms.
The ossec.log should have entries for a scan starting and finishing.
> internal_options.conf has some options for adjusting the speed of
> syscheck (making it go slower can make it less resource intensive).
>
I don't think the real problem is the hash scan. From what is seen by
dtrace, the process seems just to access syscheck and localtime files
almost constantly. Is there any reason or part of the code where it should
happen?
I tried to enable syscheck.debug but I don't see any extra information in
ossec.log (put debug=2 in internal_options.conf and
/var/ossec/bin/ossec-control enable debug)
If I disable syscheck (adding '<disabled>yes</disabled>' in ossec.conf),
the CPU consumption is normal but I get alerts I didn't get before, mostly
from rootcheck:
Files hidden inside directory '/var/log/com.apple.launchd'. Link count does
not match number of files (167,2).
Files hidden inside directory '/var/tmp'. Link count does not match number
of files (16,5).
$ ls -1U /var/tmp/| wc -l
17
$ ls -ld /var/tmp
drwxrwxrwt 5 root wheel 646 30 mar 16:30 /var/tmp/
It seems to be a false positive; I saw some other references online (and on
FreeBSD 9) but no solution:
https://www.mail-archive.com/[email protected]/msg04921.html
http://ossec.uservoice.com/forums/18254-general/suggestions/2621080-there-is-a-false-positive-on-freebsd9-rootcheck-r
http://marc.info/?l=ossec-dev&m=121268090827199 (ossec bugzilla dead)
The code seems to say Darwin is already a bit special (l.292):
https://github.com/ossec/ossec-hids/blob/4d557bc9d24f113980a3d4b00373f9c55f3d74be/src/rootcheck/check_rc_sys.c
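The comparison behind the "Link count does not match number of files" alert, as an added illustration and not OSSEC's own code: on classic Unix filesystems a directory's st_nlink is 2 plus its number of subdirectories, so a directory whose entries disagree with that count is suspicious, while filesystems that do not follow the rule produce exactly the false positive discussed above. The DirCounts/scan_dir/link_count_mismatch names and the temporary sample directory are assumptions made for this example.

```python
import os
import tempfile
from dataclasses import dataclass


@dataclass
class DirCounts:
    path: str
    nlink: int        # st_nlink of the directory itself
    n_subdirs: int    # subdirectories (symlinks not followed)
    n_entries: int    # all entries returned by readdir, minus '.' and '..'


def scan_dir(path: str) -> DirCounts:
    """Collect the numbers a rootcheck-style link-count comparison needs."""
    n_subdirs = n_entries = 0
    with os.scandir(path) as it:
        for entry in it:
            n_entries += 1
            if entry.is_dir(follow_symlinks=False):
                n_subdirs += 1
    return DirCounts(path, os.lstat(path).st_nlink, n_subdirs, n_entries)


def link_count_mismatch(c: DirCounts) -> bool:
    """Classic Unix rule: a directory has one link from its parent, one
    from its own '.', and one from each subdirectory's '..', so
    st_nlink == 2 + n_subdirs.  A mismatch is the condition reported as
    'Link count does not match number of files'.  Filesystems that do not
    follow the rule (btrfs reports 1 for every directory; Darwin reports
    different numbers, hence the special case in check_rc_sys.c) make this
    fire on ordinary directories, i.e. a false positive."""
    return c.nlink != c.n_subdirs + 2


def demo() -> tuple:
    """Constructed sample: 3 subdirectories and 2 regular files."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("a", "b", "c"):
            os.mkdir(os.path.join(root, d))
        for f in ("x", "y"):
            open(os.path.join(root, f), "w").close()
        c = scan_dir(root)
        # On ext4/tmpfs nlink is 5 here and nothing is flagged;
        # on btrfs nlink is 1 and the heuristic flags the directory.
        return c, link_count_mismatch(c)


if __name__ == "__main__":
    print(demo())
```

Running it on the filesystem in question shows directly whether the classic rule holds there, which is the first thing to check before treating such an alert as evidence of hidden files.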