I see; somehow my mail client (Gmail) was not displaying the whole strace
output, but now I can see it.
The segfault appears right after the program reads queue/rootcheck/rootcheck and
writes "No entries found" (the SEGV_MAPERR at si_addr=0x8 looks like a NULL
pointer dereference through a small struct offset, so a field is probably being
read from an unset pointer).
Having a look at the code, I realized that this output is produced in the function
_do_print_rootcheck (shared/read-agent.c), called by print_rootcheck (in
the same file), which in turn is called from util/rootcheck_control.c when you
update the rootcheck database using an agent's info (the -L -i options).
What does your queue/rootcheck/rootcheck file look like? I wonder if it is
malformed. Also, what OSSEC version are you using? I am using the latest
GitHub code and can run the same command with no issues.
I hope that helps!
Santiago.
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1348, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7ffb97d03000
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1348
close(3) = 0
munmap(0x7ffb97d03000, 4096) = 0
setgroups(1, [498]) = 0
setresgid(-1, 498, -1) = 0
setgid(498) = 0
chdir("/var/ossec") = 0
chroot("/var/ossec") = 0
chdir("/") = 0
setuid(498) = 0
setresuid(-1, 498, -1) = 0
uname({sys="Linux", node="tron", ...}) = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7ffb97d03000
write(1, "\n", 1
) = 1
write(1, "Policy and auditing events for l"..., 64Policy and auditing
events for local system 'tron - 127.0.0.1':
) = 64
open("/queue/rootcheck/rootcheck", O_RDWR) = 3
fstat(3, {st_mode=S_IFREG|0640, st_size=1159, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7ffb97d02000
read(3, "!1439226925!1439195883 Starting "..., 4096) = 1159
lseek(3, 0, SEEK_SET) = 0
write(1, "\nResolved events: \n\n", 20
Resolved events:
) = 20
read(3, "!1439226925!1439195883 Starting "..., 4096) = 1159
read(3, "", 4096) = 0
write(1, "** No entries found.\n", 21** No entries found.
) = 21
lseek(3, 0, SEEK_SET) = 0
open("/etc/localtime", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7ffb97d01000
read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0"...,
4096) = 2211
lseek(4, -1410, SEEK_CUR) = 801
read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7\0\0\0\7\0\0\0\0"...,
4096) = 1410
close(4) = 0
munmap(0x7ffb97d01000, 4096) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8} ---
+++ killed by SIGSEGV +++
On Tue, Aug 11, 2015 at 1:13 AM, theresa mic-snare <[email protected]>
wrote:
> Hi Santi,
>
> yes, the process crashed already, from what I can see,
> because at the end of the system call trace it says
>
>
>> *--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8} ---+++
>> killed by SIGSEGV +++*
>>
>
> and below that the typical "Segmentation fault"
>
> I called strace with the following parameter "strace -C bin/rootcheck_control
> -L -i 000"
> was this sufficient or do I need something else?
>
> thanks,
> theresa
>
> Am Montag, 10. August 2015 23:11:59 UTC+2 schrieb Santiago Bassett:
>>
>> Hi Theresa,
>>
>> did the process crash already? We need it to crash :-)
>>
>>
>>
>> On Mon, Aug 10, 2015 at 2:03 PM, theresa mic-snare <[email protected]>
>> wrote:
>>
>> Hi Santi,
>>
>> I've now run rootcheck_control with strace, but I'm not quite sure what
>> to make of it....
>>
>> strace -C bin/rootcheck_control -L -i 000
>> execve("bin/rootcheck_control", ["bin/rootcheck_control", "-L", "-i",
>> "000"], [/* 18 vars */]) = 0
>> brk(0) = 0x7ffb98ad0000
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
>> = 0x7ffb97d04000
>> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
>> directory)
>> open("/etc/ld.so.cache", O_RDONLY) = 3
>> fstat(3, {st_mode=S_IFREG|0644, st_size=18775, ...}) = 0
>> mmap(NULL, 18775, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffb97cff000
>> close(3) = 0
>> open("/lib64/libc.so.6", O_RDONLY) = 3
>> read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\356\1\0\0\0\0\0"
>> ..., 832) = 832
>> fstat(3, {st_mode=S_IFREG|0755, st_size=1921216, ...}) = 0
>> mmap(NULL, 3750152, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
>> = 0x7ffb97752000
>> mprotect(0x7ffb978dc000, 2097152, PROT_NONE) = 0
>> mmap(0x7ffb97adc000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
>> MAP_DENYWRITE, 3, 0x18a000) = 0x7ffb97adc000
>> mmap(0x7ffb97ae1000, 18696, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
>> MAP_ANONYMOUS, -1, 0) = 0x7ffb97ae1000
>> close(3) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
>> = 0x7ffb97cfe000
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
>> = 0x7ffb97cfd000
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
>> = 0x7ffb97cfc000
>> arch_prctl(ARCH_SET_FS, 0x7ffb97cfd700) = 0
>> mprotect(0x7ffb97adc000, 16384, PROT_READ) = 0
>> mprotect(0x7ffb97f2c000, 4096, PROT_READ) = 0
>> mprotect(0x7ffb97d05000, 4096, PROT_READ) = 0
>> munmap(0x7ffb97cff000, 18775) = 0
>> brk(0) = 0x7ffb98ad0000
>> brk(0x7ffb98af1000) = 0x7ffb98af1000
>> socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
>> connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) =
>> -1 ENOENT (No such file or directory)
>> close(3) = 0
>> socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
>> connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) =
>> -1 ENOENT (No such file or directory)
>> close(3) = 0
>> open("/etc/nsswitch.conf", O_RDONLY) = 3
>> fstat(3, {st_mode=S_IFREG|0644, st_size=1688, ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
>> = 0x7ffb97d03000
>> read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1688
>> read(3, "", 4096) = 0
>> close(3) = 0
>> munmap(0x7ffb97d03000, 4096) = 0
>> open("/etc/ld.so.cache", O_RDONLY) = 3
>> fstat(3, {st_mode=S_IFREG|0644, st_size=18775, ...}) = 0
>> mmap(NULL, 18775, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ffb97cff000
>> close(3) = 0
>> open("/lib64/libnss_files.so.2", O_RDONLY) = 3
>> read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360!\0\0\0\0\0\0"
>> ..., 832) = 832
>> fstat(3, {st_mode=S_IFREG|0755, st_size=65928, ...}) = 0
>> mmap(NULL, 2151824, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
>> = 0x7ffb97544000
>> mprotect(0x7ffb97550000, 2097152, PROT_NONE) = 0
>> mmap(0x7ffb97750000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
>> MAP_DENYWRITE, 3, 0xc000) = 0x7ffb97750000
>> close(3) = 0
>> mprotect(0x7ffb97750000, 4096, PROT_READ) = 0
>> munmap(0x7ffb97cff000, 18775) = 0
>> open("/etc/group", O_RDONLY|O_CLOEXEC) = 3
>> fcntl(3, F_GETFD) = 0x1 (flags FD_CLOEXEC)
>> fstat(3, {st_mode=S_IFREG|0644, st_size=577, ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
>> = 0x7ffb97d03000
>> read(3, "root:x:0:\nbin:x:1:bin,daemon\ndae"..., 4096) = 577
>> close(3) = 0
>> munmap(0x7ffb97d03000, 4096) = 0
>> socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
>> connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) =
>> -1 ENOENT (No such file or directory)
>> close(3) = 0
>> socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
>> connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) =
>> -1 ENOENT (No such file or directory)
>> close(3) =
>>
>> ...
>