And some more detail to add to what ddpbsd is looking for. What OS are you on,
and what version? Please also let us know the versions of tr and cat. My guess
is HP-UX, but I could be really wrong.



> On Jan 21, 2015, at 12:32 PM, dan (ddp) <[email protected]> wrote:
> 
>> On Wed, Jan 21, 2015 at 11:11 AM, Gil Vidals <[email protected]> wrote:
>> Thanks for the quick reply.
>> 
>> I do see that mktemp exists and that the temp files have been created
>> successfully on more than one occasion, as you can see below. What other
>> reason could there be for cat and tr running astray and consuming lots of
>> CPU? (cat and tr will run for hours unless killed manually.)
>> 
>> # which mktemp
>> /bin/mktemp
>> 
>> # ls -l /var/ossec/ossec-hosts.*
>> -rw------- 1 root ossec 0 Jan  2 01:15 /var/ossec/ossec-hosts.7aypDtwpES
>> -rw------- 1 root ossec 0 Dec  3 00:31 /var/ossec/ossec-hosts.IeJGMBWseD
>> -rw------- 1 root ossec 0 Nov  2 01:58 /var/ossec/ossec-hosts.IxQvPzkSbn
>> -rw------- 1 root ossec 0 Dec 10 23:31 /var/ossec/ossec-hosts.QV2a7VwilS
>> -rw------- 1 root ossec 0 Nov 10 23:32 /var/ossec/ossec-hosts.Rr0j0L3RTV
>> -rw------- 1 root ossec 0 Jan 17 02:23 /var/ossec/ossec-hosts.SKfz9m2LPG
>> -rw------- 1 root ossec 0 Jan 17 02:39 /var/ossec/ossec-hosts.SrSTWhUNH1
>> 
>> 
>> 
>> 
>>> On Tuesday, January 20, 2015 at 3:47:28 PM UTC-8, Gil Vidals wrote:
>>> 
>>> We're running ossec 2.8 and are finding instances where cat and tr are
>>> consuming a lot of CPU. The cat and tr processes have to be killed with the
>>> kill command since restarting ossec doesn't kill them.
>>> 
>>> How can the runaway cat and tr processes be prevented?
>>> 
>>> I found the portion of the ossec code that calls the cat and tr functions:
>>> 
>>> elif [ "x${ACTION}" = "xdelete" ]; then
>>>   lock;
>>>   TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
>>>   if [ "X${TMP_FILE}" = "X" ]; then
>>>     # Cheap fake tmpfile, but should be harder then no random data
>>>     TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
>>>   fi
>>>   if [ "X$UNAME" = "XFreeBSD" ]; then
>>>    cat /etc/hosts.allow | grep -v "ALL : ${IP} : deny$"> ${TMP_FILE}
>>>    mv ${TMP_FILE} /etc/hosts.allow
>>>   else
>>>    cat /etc/hosts.deny | grep -v "ALL:${IP}$"> ${TMP_FILE}
>>>    cat ${TMP_FILE} > /etc/hosts.deny
>>>    rm ${TMP_FILE}
>>>   fi
>>>   unlock;
>>>   exit 0;
>>> 
>>> Thanks in advance for any help you can provide in resolving this issue.
> 
> Ok, what happens if you run that command manually?
> 
>> --
>> 
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
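
An added example, not part of the thread or of OSSEC's own script: a bounded variant of the fallback temp-file branch quoted above. It reads a fixed 16 bytes with od instead of piping an endless /dev/urandom stream through tr, and creates the file with noclobber; the function names and the directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not OSSEC's code. random_suffix, make_tmp_file and the
# directory argument are hypothetical names chosen for this sketch.

# Emit exactly 32 hex characters built from 16 random bytes.
# od -N16 stops after 16 bytes, so no process keeps reading /dev/urandom
# once the name has been produced.
random_suffix() {
    LC_ALL=C od -An -N16 -tx1 /dev/urandom | LC_ALL=C tr -d ' \n\t'
}

# Create a private temp file in directory $1.
# Tries mktemp first, then the bounded fallback.
# Prints the path on success, returns 1 on failure.
make_tmp_file() {
    dir="$1"
    tmp=`mktemp "${dir}/ossec-hosts.XXXXXXXXXX" 2>/dev/null` || tmp=""
    if [ "X${tmp}" = "X" ]; then
        suffix=`random_suffix` || suffix=""
        # Refuse to continue with a short or empty suffix.
        [ ${#suffix} -eq 32 ] || return 1
        tmp="${dir}/ossec-hosts.${suffix}"
        # umask 077 keeps the file private; set -C (noclobber) makes the
        # redirection fail if the path already exists.
        ( umask 077; set -C; : > "${tmp}" ) 2>/dev/null || return 1
    fi
    printf '%s\n' "${tmp}"
}
```

Unlike the quoted fallback, this version also creates the file at the moment the name is chosen, so the later `grep ... > ${TMP_FILE}` does not write to a path that something else created first.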