Haven't seen that before. Try running rootcheck_control with strace to debug that segfault.

Best

On Mon, Aug 10, 2015 at 9:54 AM, theresa mic-snare <[email protected]> wrote:
> hi all,
>
> as you may have noticed I've been playing around with the rootcheck
> module, e.g. for the CIS checks.
> what I've noticed is that the CIS (audit) checks are not really updated
> unless I do a complete restart of ossec (ossec-control restart).
>
> neither a syscheck_update -u local nor an agent_control -r -u 000 or a
> rootcheck_control -u 000 is going to update the CIS benchmark
>
> how did I notice that?
> well, rootcheck_control says the latest outstanding event is e.g. this:
> 2015 Aug 10 11:42:06 (first time detected: 2015 Aug 10 11:42:06)
> System Audit: System Audit: CIS - RHEL6 1.4.2 - SELinux not set to
> enforcing. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
>
> this means the last time the check was updated was over 5 hours ago.
> But my rootcheck is running on an hourly basis, and according to the
> ossec.log it just ran a couple of minutes ago
>
> 2015/08/10 17:56:36 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2015/08/10 18:01:12 ossec-rootcheck: INFO: Ending rootcheck scan.
>
> so this kinda doesn't match.
>
> btw, I can prove that the above mentioned CIS check should be marked as
> resolved because according to "sestatus" I have selinux set to enforcing.
>
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 24
> Policy from config file: targeted
>
> then I had a quick look at my own system logs (messages.log) and found this
> Aug 10 18:45:23 tron kernel: rootcheck_contr[20641]: segfault at 8 ip 00007f851fe8b925 sp 00007ffdc8c73240 error 4 in libc-2.12.so[7f851fde8000+18a000]
>
> this is the result when I run *rootcheck_control -L -i 000*
>
> I bet when I restart ossec completely this above mentioned CIS check will
> vanish (it will not be marked as resolved) as somehow the database is
> cleared.
>
> has anyone run into this problem as well?
>
> I'm running the latest ossec version 2.8.2
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
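The kernel segfault line quoted in the message already says a lot before strace is even run: the fault address, whether it was a read or a write, and where inside libc the faulting instruction sits. As an added example (not from this thread or from OSSEC), here is a small decoder for that log format; the bit values are the x86 page-fault error-code flags, and the sample line is a copy of the one quoted above.

```python
import re

# x86 page-fault error-code bits as the kernel reports them in "error N":
# bit0 = page was present (protection fault), bit1 = write, bit2 = user mode,
# bit3 = reserved bit set, bit4 = instruction fetch.
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 1, 2, 4, 8, 16

SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

def decode_segfault(line):
    """Parse one kernel segfault line; return a dict or None if it does not match."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    err = int(m["err"])
    addr, ip = int(m["addr"], 16), int(m["ip"], 16)
    base, size = int(m["base"], 16), int(m["size"], 16)
    return {
        "comm": m["comm"],            # kernel truncates the name to 15 chars
        "pid": int(m["pid"]),
        "fault_addr": addr,
        "access": "write" if err & PF_WRITE else "read",
        "mode": "user" if err & PF_USER else "kernel",
        "page_present": bool(err & PF_PROT),
        "instruction_fetch": bool(err & PF_INSTR),
        "object": m["obj"],
        # Offset of the faulting instruction inside the mapped object; this is
        # what addr2line/objdump want when the object has debug symbols.
        "offset_in_object": ip - base,
        "ip_in_mapping": base <= ip < base + size,
        # A tiny fault address almost always means a NULL pointer was
        # dereferenced through a struct field at that offset.
        "likely_null_deref": addr < 4096,
    }

# Constructed copy of the line quoted in the message above (not a new capture).
SAMPLE = ("Aug 10 18:45:23 tron kernel: rootcheck_contr[20641]: segfault at 8 ip "
          "00007f851fe8b925 sp 00007ffdc8c73240 error 4 in "
          "libc-2.12.so[7f851fde8000+18a000]")

if __name__ == "__main__":
    d = decode_segfault(SAMPLE)
    print(f"{d['comm']} pid {d['pid']}: {d['mode']}-mode {d['access']} of "
          f"0x{d['fault_addr']:x} at {d['object']}+0x{d['offset_in_object']:x}")
```

Feeding the offset to addr2line or objdump against a debuginfo copy of that libc usually names the libc routine the crashing call went into, which makes the strace output much easier to read.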
