On Tue, Apr 1, 2014 at 8:17 PM, Julien T <[email protected]> wrote:
>
> 2014-03-25 11:20 GMT-04:00 dan (ddp) <[email protected]>:
>
>> > Another point I need to discuss on the list is the CPU usage of OSSEC. On
>> > my test Mac, it is often eating 50-90% of CPU.
>>
>> I don't recall seeing this type of resource consumption on other
>> systems during most operations. This may just be one of the risks of
>> running a niche OS.
>
> Maybe. It could also be more restricted/latent on other platforms.
>
Definitely possible. It's hard to debug when I can't recreate the issue.

>> The ossec.log should have entries for a scan starting and finishing.
>> internal_options.conf has some options for adjusting the speed of
>> syscheck (making it go slower can make it less resource intensive).
>
> I don't think the real problem is the hash scan. From what is seen by
> dtrace, the process seems just to access the syscheck and localtime files almost
> constantly. Is there any reason or part of the code where that should happen?
>

It's possible. If the code checks the current time, knowing the timezone would make sense. Your original email only listed 7 attempts at accessing the localtime file though, or did I misread something?

Syscheck accessing the syscheck database frequently makes sense though. It could be more efficient, but I don't think there are any current plans to move to another storage technology.

> I tried to enable syscheck.debug but I don't see any extra information in
> ossec.log (put debug=2 in internal_options.conf and ran
> /var/ossec/bin/ossec-control enable debug).
>
> If I disable syscheck (adding '<disabled>yes</disabled>' in ossec.conf), the
> CPU consumption is normal but I get alerts I didn't get before, mostly rootcheck:
>
> Files hidden inside directory '/var/log/com.apple.launchd'. Link count does
> not match number of files (167,2).
> Files hidden inside directory '/var/tmp'. Link count does not match number
> of files (16,5).
> $ ls -1U /var/tmp/ | wc -l
> 17
> $ ls -ld /var/tmp
> drwxrwxrwt 5 root wheel 646 30 mar 16:30 /var/tmp/
>
> It seems to be a false positive. I saw some other references online (and on
> FreeBSD 9) but no solution:
> https://www.mail-archive.com/[email protected]/msg04921.html
> http://ossec.uservoice.com/forums/18254-general/suggestions/2621080-there-is-a-false-positive-on-freebsd9-rootcheck-r
> http://marc.info/?l=ossec-dev&m=121268090827199 (OSSEC Bugzilla is dead)
>
> The code seems to say Darwin is already a bit special (l.292):
> https://github.com/ossec/ossec-hids/blob/4d557bc9d24f113980a3d4b00373f9c55f3d74be/src/rootcheck/check_rc_sys.c
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
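To help decide whether a "Link count does not match number of files" alert is a false positive on a given filesystem, here is an added Python script (written for this thread, not taken from the OSSEC rootcheck source) that gathers the figures such a heuristic compares for one directory. It assumes the classic Unix convention that a directory's link count equals 2 plus its number of subdirectories; filesystems that do not maintain that convention will show `convention_holds` as False and need a second check before the alert can be trusted or tuned out.

```python
import os
import stat
import tempfile


def expected_dir_nlink(subdir_count):
    """Link count a directory has on filesystems that follow the classic
    convention: one link from the parent's entry, one from its own '.',
    and one from each subdirectory's '..'."""
    return 2 + subdir_count


def link_count_report(path):
    """Collect the numbers a rootcheck-style hidden-file heuristic compares.
    lstat is used throughout so symlinks are counted as entries, not followed."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    entries = os.listdir(path)  # dotfiles included; '.' and '..' excluded
    subdirs = [e for e in entries
               if stat.S_ISDIR(os.lstat(os.path.join(path, e)).st_mode)]
    expected = expected_dir_nlink(len(subdirs))
    return {
        "path": path,
        "entries": len(entries),          # what 'ls -1U | wc -l' roughly reports
        "subdirs": len(subdirs),
        "nlink": st.st_nlink,             # what 'ls -ld' shows in column 2
        "expected_nlink": expected,
        "convention_holds": st.st_nlink == expected,
    }


def build_sample_tree(root, files=14, subdirs=3):
    """Constructed sample shaped like the /var/tmp in the thread:
    17 entries, three of them subdirectories (the 3 is an assumption)."""
    for i in range(subdirs):
        os.mkdir(os.path.join(root, "d%d" % i))
    for i in range(files):
        open(os.path.join(root, "f%d" % i), "w").close()
    return root


def sample_report():
    """Build the constructed tree in a temp directory and report on it."""
    with tempfile.TemporaryDirectory() as tmp:
        return link_count_report(build_sample_tree(tmp))


if __name__ == "__main__":
    print(sample_report())
```

On a filesystem that follows the convention, a link count of 5 is exactly what three subdirectories predict, regardless of how many plain files sit beside them, so comparing the link count against the total entry count (16 or 17 here) would flag a healthy directory; run `link_count_report("/var/tmp")` on the affected host to see which figures actually disagree.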
