Hi Theresa, did the process crash already? We need it to crash :-)
On Mon, Aug 10, 2015 at 2:03 PM, theresa mic-snare <[email protected]> wrote: > Hi Santi, > > I've now run rootcheck_control with strace, but I'm not quite sure what to > make of it.... > > strace -C bin/rootcheck_control -L -i 000 > execve("bin/rootcheck_control", ["bin/rootcheck_control", "-L", "-i", > "000"], [/* 18 vars */]) = 0 > brk(0) = 0x7ffb98ad0000 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = > 0x7ffb97d04000 > access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or > directory) > open("/etc/ld.so.cache", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=18775, ...}) = 0 > mmap(NULL, 18775, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffb97cff000 > close(3) = 0 > open("/lib64/libc.so.6", O_RDONLY) = 3 > read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\356\1\0\0\0\0\0" > ..., 832) = 832 > fstat(3, {st_mode=S_IFREG|0755, st_size=1921216, ...}) = 0 > mmap(NULL, 3750152, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) > = 0x7ffb97752000 > mprotect(0x7ffb978dc000, 2097152, PROT_NONE) = 0 > mmap(0x7ffb97adc000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| > MAP_DENYWRITE, 3, 0x18a000) = 0x7ffb97adc000 > mmap(0x7ffb97ae1000, 18696, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| > MAP_ANONYMOUS, -1, 0) = 0x7ffb97ae1000 > close(3) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = > 0x7ffb97cfe000 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = > 0x7ffb97cfd000 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = > 0x7ffb97cfc000 > arch_prctl(ARCH_SET_FS, 0x7ffb97cfd700) = 0 > mprotect(0x7ffb97adc000, 16384, PROT_READ) = 0 > mprotect(0x7ffb97f2c000, 4096, PROT_READ) = 0 > mprotect(0x7ffb97d05000, 4096, PROT_READ) = 0 > munmap(0x7ffb97cff000, 18775) = 0 > brk(0) = 0x7ffb98ad0000 > brk(0x7ffb98af1000) = 0x7ffb98af1000 > socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 > connect(3, {sa_family=AF_LOCAL, 
sun_path="/var/run/nscd/socket"}, 110) = - > 1 ENOENT (No such file or directory) > close(3) = 0 > socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 > connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = - > 1 ENOENT (No such file or directory) > close(3) = 0 > open("/etc/nsswitch.conf", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=1688, ...}) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = > 0x7ffb97d03000 > read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1688 > read(3, "", 4096) = 0 > close(3) = 0 > munmap(0x7ffb97d03000, 4096) = 0 > open("/etc/ld.so.cache", O_RDONLY) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=18775, ...}) = 0 > mmap(NULL, 18775, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffb97cff000 > close(3) = 0 > open("/lib64/libnss_files.so.2", O_RDONLY) = 3 > read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360!\0\0\0\0\0\0" > ..., 832) = 832 > fstat(3, {st_mode=S_IFREG|0755, st_size=65928, ...}) = 0 > mmap(NULL, 2151824, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) > = 0x7ffb97544000 > mprotect(0x7ffb97550000, 2097152, PROT_NONE) = 0 > mmap(0x7ffb97750000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| > MAP_DENYWRITE, 3, 0xc000) = 0x7ffb97750000 > close(3) = 0 > mprotect(0x7ffb97750000, 4096, PROT_READ) = 0 > munmap(0x7ffb97cff000, 18775) = 0 > open("/etc/group", O_RDONLY|O_CLOEXEC) = 3 > fcntl(3, F_GETFD) = 0x1 (flags FD_CLOEXEC) > fstat(3, {st_mode=S_IFREG|0644, st_size=577, ...}) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = > 0x7ffb97d03000 > read(3, "root:x:0:\nbin:x:1:bin,daemon\ndae"..., 4096) = 577 > close(3) = 0 > munmap(0x7ffb97d03000, 4096) = 0 > socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 > connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = - > 1 ENOENT (No such file or directory) > close(3) = 0 > socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 > 
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = - > 1 ENOENT (No such file or directory) > close(3) = 0 > open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 > fstat(3, {st_mode=S_IFREG|0644, st_size=1348, ...}) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = > 0x7ffb97d03000 > read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1348 > close(3) = 0 > munmap(0x7ffb97d03000, 4096) = 0 > setgroups(1, [498]) = 0 > setresgid(-1, 498, -1) = 0 > setgid(498) = 0 > chdir("/var/ossec") = 0 > chroot("/var/ossec") = 0 > chdir("/") = 0 > setuid(498) = 0 > setresuid(-1, 498, -1) = 0 > uname({sys="Linux", node="tron", ...}) = 0 > fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = > 0x7ffb97d03000 > write(1, "\n", 1 > ) = 1 > write(1, "Policy and auditing events for l"..., 64Policy and auditing > events for local system 'tron - 127.0.0.1': > ) = 64 > open("/queue/rootcheck/rootcheck", O_RDWR) = 3 > fstat(3, {st_mode=S_IFREG|0640, st_size=1159, ...}) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = > 0x7ffb97d02000 > read(3, "!1439226925!1439195883 Starting "..., 4096) = 1159 > lseek(3, 0, SEEK_SET) = 0 > write(1, "\nResolved events: \n\n", 20 > Resolved events: > > ) = 20 > read(3, "!1439226925!1439195883 Starting "..., 4096) = 1159 > read(3, "", 4096) = 0 > write(1, "** No entries found.\n", 21** No entries found. 
> ) = 21 > lseek(3, 0, SEEK_SET) = 0 > open("/etc/localtime", O_RDONLY) = 4 > fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0 > fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0 > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = > 0x7ffb97d01000 > read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0"..., > 4096) = 2211 > lseek(4, -1410, SEEK_CUR) = 801 > read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7\0\0\0\7\0\0\0\0"..., > 4096) = 1410 > close(4) = 0 > munmap(0x7ffb97d01000, 4096) = 0 > --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8} --- > +++ killed by SIGSEGV +++ > % time seconds usecs/call calls errors syscall > ------ ----------- ----------- --------- --------- ---------------- > 0.00 0.000000 0 11 read > 0.00 0.000000 0 4 write > 0.00 0.000000 0 9 open > 0.00 0.000000 0 12 close > 0.00 0.000000 0 11 fstat > 0.00 0.000000 0 3 lseek > 0.00 0.000000 0 17 mmap > 0.00 0.000000 0 6 mprotect > 0.00 0.000000 0 6 munmap > 0.00 0.000000 0 3 brk > 0.00 0.000000 0 1 1 access > 0.00 0.000000 0 4 socket > 0.00 0.000000 0 4 4 connect > 0.00 0.000000 0 1 execve > 0.00 0.000000 0 1 uname > 0.00 0.000000 0 1 fcntl > 0.00 0.000000 0 2 chdir > 0.00 0.000000 0 1 setuid > 0.00 0.000000 0 1 setgid > 0.00 0.000000 0 1 setgroups > 0.00 0.000000 0 1 setresuid > 0.00 0.000000 0 1 setresgid > 0.00 0.000000 0 1 arch_prctl > 0.00 0.000000 0 1 chroot > ------ ----------- ----------- --------- --------- ---------------- > 100.00 0.000000 103 5 total > Segmentation fault > > > > > Am Montag, 10. August 2015 20:28:20 UTC+2 schrieb Santiago Bassett: >> >> Haven't seen that before. Try running rootcheck_control with strace to >> debug that segfault >> >> Best >> >> On Mon, Aug 10, 2015 at 9:54 AM, theresa mic-snare <[email protected]> >> wrote: >> >>> hi all, >>> >>> as you may have noticed I've been playing around with the rootcheck >>> module, e.g for the CIS checks. 
>>> what i've noticed is that the CIS (audit) checks are not really updated >>> unless I do a complete restart of ossec (ossec-control restart). >>> >>> neither a syscheck_update -u local nor an agent_control -r -u 000 or a >>> rootcheck_control -u 000 is going to update the CIS benchmark >>> >>> How did I notice that? >>> well, rootcheck_control says the latest outstanding event is e.g this: >>> 2015 Aug 10 11:42:06 (first time detected: 2015 Aug 10 11:42:06) >>> System Audit: System Audit: CIS - RHEL6 1.4.2 - SELinux not set to >>> enforcing. File: /etc/selinux/config. Reference: http:// >>> www.ossec.net/wiki/index.php/CIS_RHEL6 . >>> >>> >>> this means the last time the check was updated was over 5 hours ago. >>> But my rootcheck is running on an hourly basis, and according to the >>> ossec.log it just ran a couple of minutes ago >>> >>> 2015/08/10 17:56:36 ossec-rootcheck: INFO: Starting rootcheck scan. >>> 2015/08/10 18:01:12 ossec-rootcheck: INFO: Ending rootcheck scan. >>> >>> so this kinda doesn't match. >>> >>> btw, i can prove that the above mentioned CIS check should be marked as >>> resolved because according to "sestatus" i have selinux set to enforcing. >>> >>> SELinux status: enabled >>> SELinuxfs mount: /selinux >>> Current mode: enforcing >>> Mode from config file: enforcing >>> Policy version: 24 >>> Policy from config file: targeted >>> >>> then I had a quick look at my own system logs (messages.log) and found >>> this >>> Aug 10 18:45:23 tron kernel: rootcheck_contr[20641]: segfault at 8 ip >>> 00007f851fe8b925 sp 00007ffdc8c73240 error 4 in >>> libc-2.12.so[7f851fde8000+18a000] >>> >>> this is the result when I run *rootcheck_control -L -i 000* >>> >>> I bet when I restart ossec completely this above mentioned CIS check >>> will vanish (it will not be marked as resolved) as somehow the database is >>> cleared. >>> >>> Has anyone run into this problem as well? 
>>> >>> i'm running the latest ossec version 2.8.2 >>> >>> -- >>> >>> --- >>> You received this message because you are subscribed to the Google >>> Groups "ossec-list" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
