Thanks for the quick reply.
I do see that mktemp exists and that the temp files have been created
successfully on more than one occasion as you can see below. What other
reason could there be for cat and tr running astray and consuming lots of
CPU? (cat and tr will run for hours unless killed manually.)
# which mktemp
/bin/mktemp
# ls -l /var/ossec/ossec-hosts.*
-rw------- 1 root ossec 0 Jan 2 01:15 /var/ossec/ossec-hosts.7aypDtwpES
-rw------- 1 root ossec 0 Dec 3 00:31 /var/ossec/ossec-hosts.IeJGMBWseD
-rw------- 1 root ossec 0 Nov 2 01:58 /var/ossec/ossec-hosts.IxQvPzkSbn
-rw------- 1 root ossec 0 Dec 10 23:31 /var/ossec/ossec-hosts.QV2a7VwilS
-rw------- 1 root ossec 0 Nov 10 23:32 /var/ossec/ossec-hosts.Rr0j0L3RTV
-rw------- 1 root ossec 0 Jan 17 02:23 /var/ossec/ossec-hosts.SKfz9m2LPG
-rw------- 1 root ossec 0 Jan 17 02:39 /var/ossec/ossec-hosts.SrSTWhUNH1
On Tuesday, January 20, 2015 at 3:47:28 PM UTC-8, Gil Vidals wrote:
>
> We're running ossec 2.8 and are finding instances where cat and tr are
> consuming a lot of CPU. The cat and tr processes have to be killed with the
> kill command since restarting ossec doesn't kill them.
>
> How can the runaway cat and tr processes be prevented?
>
> I found the portion of the ossec code that calls the cat and tr functions:
>
>    elif [ "x${ACTION}" = "xdelete" ]; then
>       lock;
>       TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
>       if [ "X${TMP_FILE}" = "X" ]; then
>          # Cheap fake tmpfile, but should be harder than no random data
>          TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
>       fi
>       if [ "X$UNAME" = "XFreeBSD" ]; then
>          cat /etc/hosts.allow | grep -v "ALL : ${IP} : deny$"> ${TMP_FILE}
>          mv ${TMP_FILE} /etc/hosts.allow
>       else
>          cat /etc/hosts.deny | grep -v "ALL:${IP}$"> ${TMP_FILE}
>          cat ${TMP_FILE} > /etc/hosts.deny
>          rm ${TMP_FILE}
>       fi
>       unlock;
>       exit 0;
>
> Thanks in advance for any help you can provide in resolving this issue.
>
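
Added example (not part of the thread and not OSSEC's own code): a variant of the quoted non-FreeBSD delete branch whose random-name fallback reads a fixed number of bytes from /dev/urandom, so every stage of the pipeline reaches end of input and exits. The function names and the temp-directory argument are hypothetical, and it assumes a head that supports -c.

```sh
#!/bin/sh
# Added example: function names are hypothetical, not OSSEC's.

# Print 32 alphanumeric characters from a bounded read of /dev/urandom.
# head -c caps the input, so tr and cut reach EOF and exit on their own;
# termination does not depend on SIGPIPE reaching an upstream process.
rand_suffix() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | cut -c1-32
}

# Create a private temp file in directory $1 and print its path.
# Returns non-zero when no file can be created safely.
make_tmp() {
    mt_dir=$1
    if mt_path=$(mktemp "$mt_dir/ossec-hosts.XXXXXXXXXX" 2>/dev/null) \
        && [ -n "$mt_path" ]; then
        printf '%s\n' "$mt_path"
        return 0
    fi
    mt_suffix=$(rand_suffix)
    [ "${#mt_suffix}" -eq 32 ] || return 1
    mt_path="$mt_dir/ossec-hosts.$mt_suffix"
    # noclobber: the redirect fails instead of truncating a file that
    # already exists at that path; umask 077 keeps the new file private.
    ( umask 077; set -C; : > "$mt_path" ) 2>/dev/null || return 1
    printf '%s\n' "$mt_path"
}

# Remove the exact line "ALL:<ip>" from the hosts.deny-style file $1,
# staging the result in a temp file under directory $3.
remove_deny_entry() {
    rd_file=$1 rd_ip=$2 rd_dir=$3
    rd_tmp=$(make_tmp "$rd_dir") || return 1
    # -F -x: literal whole-line match; dots in the address are not wildcards.
    # grep exits 1 when no line is left to print; only >1 is an error.
    grep -v -F -x "ALL:${rd_ip}" "$rd_file" > "$rd_tmp" || [ $? -eq 1 ] || {
        rm -f "$rd_tmp"; return 1; }
    # Rewrite in place, as the quoted script does, to keep owner and mode.
    cat "$rd_tmp" > "$rd_file"
    rm -f "$rd_tmp"
}
```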