I just checked the queue/rootcheck/rootcheck file; it looks like this:
!1439300728!1439195883 Starting syscheck scan.
!1439302513!1439197646 Ending syscheck scan.
!1439318491!1439197686 Starting rootcheck scan.
!1439318493!1439197688 System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0. File: /etc/redhat-release. Reference: http://www.ossec.net/ .
!1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab . Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
!1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var is not on its own partition. File: /etc/fstab . Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
!1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
!1439314890!1439197952 Ending rootcheck scan.
!1439199726!1439199726 System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
Similar to the unresolved issues, when I run the print.
I'm using the OSSEC binaries from the Atomicorp repository, which is 2.8.2:
ossec-hids-server-2.8.2-49.el6.art.x86_64
ossec-hids-2.8.2-49.el6.art.x86_64
Owner/permissions of the rootcheck file are the following:
-rw-r-----. 1 ossec ossec 1159 11. Aug 21:48 /var/ossec/queue/rootcheck/rootcheck
On Tuesday, 11 August 2015 21:18:30 UTC+2, Santiago Bassett wrote:
>
> I see, somehow my mail client (gmail) was not displaying the whole strace
> output, now I can see it.
>
> The segfault appears after looking into queue/rootcheck/rootcheck and
> writing "No entries found".
>
> Having a look at the code, I realized that it is done in the function
> _do_print_rootcheck (shared/read-agent.c), called by print_rootcheck (in
> the same file), which is called at util/rootcheck_control.c when you want
> to update the rootcheck database using an agent's info (with the -L -i options).
>
> What does your queue/rootcheck/rootcheck file look like? I wonder if it is
> malformed. Also, what OSSEC version are you using? I am using the latest
> GitHub code and ran the same command with no issues.
>
> I hope that helps!
>
> Santiago.
>
>
> open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=1348, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d03000
> read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1348
> close(3) = 0
> munmap(0x7ffb97d03000, 4096) = 0
> setgroups(1, [498]) = 0
> setresgid(-1, 498, -1) = 0
> setgid(498) = 0
> chdir("/var/ossec") = 0
> chroot("/var/ossec") = 0
> chdir("/") = 0
> setuid(498) = 0
> setresuid(-1, 498, -1) = 0
> uname({sys="Linux", node="tron", ...}) = 0
> fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d03000
> write(1, "\n", 1
> ) = 1
> write(1, "Policy and auditing events for l"..., 64Policy and auditing
> events for local system 'tron - 127.0.0.1':
> ) = 64
> open("/queue/rootcheck/rootcheck", O_RDWR) = 3
> fstat(3, {st_mode=S_IFREG|0640, st_size=1159, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d02000
> read(3, "!1439226925!1439195883 Starting "..., 4096) = 1159
> lseek(3, 0, SEEK_SET) = 0
> write(1, "\nResolved events: \n\n", 20
> Resolved events:
>
> ) = 20
> read(3, "!1439226925!1439195883 Starting "..., 4096) = 1159
> read(3, "", 4096) = 0
> write(1, "** No entries found.\n", 21** No entries found.
> ) = 21
> lseek(3, 0, SEEK_SET) = 0
> open("/etc/localtime", O_RDONLY) = 4
> fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0
> fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d01000
> read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0"..., 4096) = 2211
> lseek(4, -1410, SEEK_CUR) = 801
> read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7\0\0\0\7\0\0\0\0"..., 4096) = 1410
> close(4) = 0
> munmap(0x7ffb97d01000, 4096) = 0
> --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8} ---
> +++ killed by SIGSEGV +++
>
> On Tue, Aug 11, 2015 at 1:13 AM, theresa mic-snare <[email protected]> wrote:
>
> Hi Santi,
>
> Yes, the process crashed already from what I can see...
> because at the end of the system calls it says
>
>
> *--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8} ---+++
> killed by SIGSEGV +++*
>
>
> and below that the typical "Segmentation fault"
>
> I called strace with the following parameters: "strace -C bin/rootcheck_control -L -i 000".
> Was this sufficient, or do I need something else?
>
> thanks,
> theresa
>
> Am Montag, 10. A
>
> ...
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
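A defensive reader for the queue/rootcheck/rootcheck format quoted in this thread, added here as an example; it is not OSSEC's _do_print_rootcheck or any other code from the project. It assumes the "!<last_seen>!<first_seen> <message>" layout shown above and, as an assumed rule rather than OSSEC's verified logic, treats an entry as unresolved when its last_seen is at or after the newest "Starting rootcheck scan" line; malformed lines are counted and skipped instead of being acted on, which is the behaviour a tool reading this file should have.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* One line of queue/rootcheck/rootcheck, format as quoted in the thread: "!<last_seen>!<first_seen> <message>" */
typedef struct { time_t last_seen, first_seen; const char *msg; } rk_entry;
/* msg points into the input line and ends at '\n' or NUL; nothing is copied. */

/* Returns 1 on success, 0 on a malformed line so the caller skips it instead of using garbage fields. */
int rk_parse_line(const char *line, rk_entry *out)
{
    char *end; long v;
    if (!line || !out || line[0] != '!' || line[1] < '0' || line[1] > '9') return 0;
    errno = 0;
    v = strtol(line + 1, &end, 10);                 /* last_seen */
    if (errno || *end != '!' || end[1] < '0' || end[1] > '9' || v < 0) return 0;
    out->last_seen = (time_t)v;
    v = strtol(end + 1, &end, 10);                  /* first_seen */
    if (errno || *end != ' ' || v < 0) return 0;
    out->first_seen = (time_t)v;
    out->msg = end + 1;
    return out->msg[0] != '\0' && out->msg[0] != '\n'; /* empty message is malformed */
}

/* Start of the line after cur, or the terminating NUL. */
static const char *next_line(const char *cur)
{
    const char *nl = strchr(cur, '\n');
    return nl ? nl + 1 : cur + strlen(cur);
}

/* Classify a whole file image (NUL-terminated, '\n'-separated lines). Assumed rule, not OSSEC's
 * verified logic: an entry is unresolved if its last_seen is at or after the newest "Starting
 * rootcheck scan" line, resolved if older. Scan markers are skipped. Returns the malformed-line count. */
int rk_classify(const char *image, int *resolved, int *unresolved)
{
    const char *cur; rk_entry e;
    time_t last_scan = 0; int bad = 0;
    *resolved = *unresolved = 0;
    for (cur = image; *cur; cur = next_line(cur))   /* pass 1: newest scan start */
        if (rk_parse_line(cur, &e) && e.last_seen > last_scan && strncmp(e.msg, "Starting rootcheck scan", 23) == 0)
            last_scan = e.last_seen;
    for (cur = image; *cur; cur = next_line(cur)) { /* pass 2: classify, skipping bad lines */
        if (!rk_parse_line(cur, &e)) { bad++; continue; }
        if (!strncmp(e.msg, "Starting ", 9) || !strncmp(e.msg, "Ending ", 7)) continue;
        if (e.last_seen >= last_scan) (*unresolved)++; else (*resolved)++;
    }
    return bad;
}
```

Run against the file quoted at the top of this message, the four CIS partition entries fall on the unresolved side and the SELinux entry on the resolved side under the assumed rule.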