Hello,
After an out-of-the-box ossec agent (2.7.1) installation on Solaris 10, I
got the following problem when attempting to start ossec:

    2014/04/16 17:06:40 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
    2014/04/16 17:06:40 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
    2014/04/16 17:06:46 ossec-logcollector(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
    2014/04/16 17:06:46 ossec-logcollector(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..
    2014/04/16 17:06:48 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
    2014/04/16 17:06:48 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
    2014/04/16 17:07:01 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Destination address required'.
    2014/04/16 17:07:01 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

The problem was caused by the fact that, by the time ossec-syscheckd was
starting, ossec-agentd was already dead, so there was nobody bound to
/var/ossec/queue/ossec/queue.
Investigating the cause of death of ossec-agentd, I discovered that it died
inside os_write_agent_info(), because the last argument, cfg_profile_name,
was a null pointer. Not being familiar enough with ossec to investigate why
it was a null pointer, I resorted to the following quick and dirty fix:

    if (cfg_profile_name == NULL) {
        cfg_profile_name = "unknown";
    }

and got the thing to start with no complaints. Someone with a better
understanding of ossec might continue the investigation and/or provide a
better fix.
While investigating the problem, I found another bug. In
OS_BindUnixDomain() and OS_ConnectUnixDomain(), socket() is called with
AF_UNIX as its first argument, which is wrong, because a protocol family is
expected (PF_UNIX), not an address family (AF_UNIX). The bug is harmless,
because both constants have, usually, the same value (1), but it's still a
coding mistake and should be fixed.
Best regards,
Dan Pop
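
The two socket points in the message above, as an added C example (not part of the original post and not OSSEC's code): a writer cannot connect to a Unix datagram queue until a reader has bound it, and the protocol family (PF_UNIX) goes to socket() while the address family (AF_UNIX) goes in the sockaddr. The names `queue_open`, `queue_bind`, `queue_connect` and the `/tmp` path are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Open a datagram socket on the queue path: bind it (reader, the role
 * ossec-agentd plays) or connect to it (writer, e.g. ossec-syscheckd).
 * Returns the descriptor, or -errno on failure. Hypothetical helper. */
static int queue_open(const char *path, int do_bind)
{
    struct sockaddr_un sa;
    int fd, rc;

    if (!path || strlen(path) >= sizeof(sa.sun_path)) return -EINVAL;
    memset(&sa, 0, sizeof(sa));
    sa.sun_family = AF_UNIX;               /* address family: in the sockaddr */
    strcpy(sa.sun_path, path);

    fd = socket(PF_UNIX, SOCK_DGRAM, 0);   /* protocol family: to socket() */
    if (fd < 0) return -errno;
    if (do_bind) {
        unlink(path);                      /* drop a stale socket file */
        rc = bind(fd, (struct sockaddr *)&sa, sizeof(sa));
    } else {
        rc = connect(fd, (struct sockaddr *)&sa, sizeof(sa));
    }
    if (rc < 0) { rc = -errno; close(fd); return rc; }
    return fd;
}

int queue_bind(const char *path)    { return queue_open(path, 1); }
int queue_connect(const char *path) { return queue_open(path, 0); }

int main(void)
{
    const char *q = "/tmp/added_example_queue.sock"; /* constructed path */
    unlink(q);
    int w = queue_connect(q);              /* no reader bound: fails */
    printf("before bind: %s\n", w < 0 ? strerror(-w) : "connected");
    int r = queue_bind(q);
    w = queue_connect(q);                  /* reader bound: succeeds */
    printf("after bind:  %s\n", w < 0 ? strerror(-w) : "connected");
    close(w); close(r); unlink(q);
    return 0;
}
```

The errno text reported for the failed connect depends on the platform and on whether a stale socket file is still present at the path.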