The file looks good to me. Is the segfault happening only with agent 000 or with all of them? If it is only 000, I would try completely deleting the rootcheck file and running the check again. If you still have the segfault, try compiling the 2.9 version. I could not trigger the segfault in my environment.
On Tue, Aug 11, 2015 at 12:48 PM, theresa mic-snare <[email protected]> wrote:
> I just checked the queue/rootcheck/rootcheck file, it looks like this:
> !1439300728!1439195883 Starting syscheck scan.
> !1439302513!1439197646 Ending syscheck scan.
> !1439318491!1439197686 Starting rootcheck scan.
> !1439318493!1439197688 System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0. File: /etc/redhat-release. Reference: http://www.ossec.net/ .
> !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
> !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
> !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
> !1439314890!1439197952 Ending rootcheck scan.
> !1439199726!1439199726 System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
>
> Similar to the unresolved issues, when I run the print.
>
> I'm using the ossec binaries from the atomicorp repository, which is 2.8.2:
> ossec-hids-server-2.8.2-49.el6.art.x86_64
> ossec-hids-2.8.2-49.el6.art.x86_64
>
> Owner/permission of the rootcheck file is the following:
> -rw-r-----. 1 ossec ossec 1159 11. Aug 21:48 /var/ossec/queue/rootcheck/rootcheck
>
> On Tuesday, 11 August 2015 21:18:30 UTC+2, Santiago Bassett wrote:
>
>> I see, somehow my mail client (gmail) was not displaying the whole strace output, now I can see it.
>>
>> The segfault appears after looking into queue/rootcheck/rootcheck and writing "No entries found".
>>
>> Having a look at the code I realized that this is done in the function _do_print_rootcheck (shared/read-agent.c), called by print_rootcheck (in the same file), which is called at util/rootcheck_control.c when you want to update the rootcheck database using an agent info (with -L -i options).
>>
>> What does your queue/rootcheck/rootcheck file look like? I wonder if it is malformed. As well, what ossec version are you using? I am using the latest github code and run the same command with no issues.
>>
>> I hope that helps!
>>
>> Santiago.
>>
>>
>> open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
>> fstat(3, {st_mode=S_IFREG|0644, st_size=1348, ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d03000
>> read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1348
>> close(3) = 0
>> munmap(0x7ffb97d03000, 4096) = 0
>> setgroups(1, [498]) = 0
>> setresgid(-1, 498, -1) = 0
>> setgid(498) = 0
>> chdir("/var/ossec") = 0
>> chroot("/var/ossec") = 0
>> chdir("/") = 0
>> setuid(498) = 0
>> setresuid(-1, 498, -1) = 0
>> uname({sys="Linux", node="tron", ...}) = 0
>> fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d03000
>> write(1, "\n", 1
>> ) = 1
>> write(1, "Policy and auditing events for l"..., 64Policy and auditing events for local system 'tron - 127.0.0.1':
>> ) = 64
>> open("/queue/rootcheck/rootcheck", O_RDWR) = 3
>> fstat(3, {st_mode=S_IFREG|0640, st_size=1159, ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d02000
>> read(3, "!1439226925!1439195883 Starting "..., 4096) = 1159
>> lseek(3, 0, SEEK_SET) = 0
>> write(1, "\nResolved events: \n\n", 20
>> Resolved events:
>>
>> ) = 20
>> read(3, "!1439226925!1439195883 Starting "..., 4096) = 1159
>> read(3, "", 4096) = 0
>> write(1, "** No entries found.\n", 21** No entries found.
>> ) = 21
>> lseek(3, 0, SEEK_SET) = 0
>> open("/etc/localtime", O_RDONLY) = 4
>> fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0
>> fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d01000
>> read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0"..., 4096) = 2211
>> lseek(4, -1410, SEEK_CUR) = 801
>> read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7\0\0\0\7\0\0\0\0"..., 4096) = 1410
>> close(4) = 0
>> munmap(0x7ffb97d01000, 4096) = 0
>> --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8} ---
>> +++ killed by SIGSEGV +++
>>
>> On Tue, Aug 11, 2015 at 1:13 AM, theresa mic-snare <[email protected]> wrote:
>>
>> Hi Santi,
>>
>> Yes, the process crashed already from what I can see...
>> because at the end of the system call it says
>>
>> --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x8} ---
>> +++ killed by SIGSEGV +++
>>
>> and below that the typical "Segmentation fault".
>>
>> I called strace with the following parameters: "strace -C bin/rootcheck_control -L -i 000"
>> Was this sufficient or do I need something else?
>>
>> thanks,
>> theresa
>>
>> On Monday, 10 A
>>
>> ...
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
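Editor's note on the crash discussed above: the strace shows queue/rootcheck/rootcheck being read, "No entries found" printed, /etc/localtime loaded (a timestamp is being formatted), and then SEGV_MAPERR at si_addr=0x8, which is the usual signature of reading a field at a small offset from a NULL pointer rather than an overflow. Santiago's suspicion is a malformed queue file. The following is an added example written for this page, not OSSEC's code: a reader for the `!<last_seen>!<first_seen> <message>` line layout visible in Theresa's paste that checks every conversion and counts bad lines instead of dereferencing fields that were never set. The function and type names (rc_parse_line, rc_summarize, rc_entry, rc_summary), the two appended broken lines, and the resolved/outstanding rule (older than the newest "Ending rootcheck scan." means resolved) are assumptions made for the example; they are not claims about how rootcheck_control classifies events.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* One parsed line of queue/rootcheck/rootcheck: !<last_seen>!<first_seen> <message> */
typedef struct {
    time_t last_seen, first_seen;
    const char *msg;            /* NUL-terminated, points into the line */
} rc_entry;

typedef struct {
    int markers;                /* "Starting ..." / "Ending ..." scan lines */
    int resolved, unresolved, malformed;
    time_t last_scan_end;       /* last_seen of the newest "Ending rootcheck scan." */
} rc_summary;

/* Parse one NUL-terminated line. Returns 1 on success, 0 if malformed. Every
 * conversion is checked, so a truncated or corrupted line is reported instead
 * of leaving fields unset for later code to dereference. */
int rc_parse_line(const char *line, rc_entry *out)
{
    char *end;
    long v;
    if (line == NULL || out == NULL || line[0] != '!')
        return 0;
    errno = 0;
    v = strtol(line + 1, &end, 10);
    if (errno != 0 || v < 0 || end == line + 1 || *end != '!')
        return 0;
    out->last_seen = (time_t)v;
    line = end + 1;
    errno = 0;
    v = strtol(line, &end, 10);
    if (errno != 0 || v < 0 || end == line || *end != ' ')
        return 0;
    out->first_seen = (time_t)v;
    out->msg = end + 1;
    return *out->msg != '\0';   /* timestamps without a message are malformed */
}

/* Summarize a whole file held in a NUL-terminated buffer. Classification rule
 * (an assumption for this example, not OSSEC's logic): an event last seen before
 * the newest "Ending rootcheck scan." counts as resolved; anything seen at or
 * after it is still outstanding. Malformed lines are counted and skipped. */
rc_summary rc_summarize(const char *contents)
{
    rc_summary s = {0, 0, 0, 0, 0};
    size_t n = strlen(contents);
    char *copy = malloc(n + 1), *p;
    int pass;
    if (copy == NULL)
        return s;
    memcpy(copy, contents, n + 1);
    for (p = copy; p < copy + n; p++)            /* split into NUL-terminated lines */
        if (*p == '\n')
            *p = '\0';
    /* pass 0 finds the newest scan end; pass 1 classifies against it */
    for (pass = 0; pass < 2; pass++) {
        for (p = copy; p < copy + n; p += strlen(p) + 1) {
            rc_entry e;
            if (*p == '\0')
                continue;                          /* blank line */
            if (!rc_parse_line(p, &e)) {
                if (pass == 1)
                    s.malformed++;
                continue;
            }
            if (pass == 0) {
                if (strcmp(e.msg, "Ending rootcheck scan.") == 0 && e.last_seen > s.last_scan_end)
                    s.last_scan_end = e.last_seen;
            } else if (strncmp(e.msg, "Starting ", 9) == 0 || strncmp(e.msg, "Ending ", 7) == 0) {
                s.markers++;
            } else if (e.last_seen < s.last_scan_end) {
                s.resolved++;
            } else {
                s.unresolved++;
            }
        }
    }
    free(copy);
    return s;
}

/* Constructed sample: entries from the thread (messages abbreviated) plus two
 * deliberately broken lines, a truncated entry and a non-entry, that a robust
 * reader must survive. */
const char SAMPLE_ROOTCHECK[] =
    "!1439300728!1439195883 Starting syscheck scan.\n"
    "!1439302513!1439197646 Ending syscheck scan.\n"
    "!1439318491!1439197686 Starting rootcheck scan.\n"
    "!1439318493!1439197688 System Audit: CIS - RHEL6 - /tmp is not on its own partition. File: /etc/fstab.\n"
    "!1439314890!1439197952 Ending rootcheck scan.\n"
    "!1439199726!1439199726 System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing. File: /etc/selinux/config.\n"
    "!1439318493\n"
    "garbage\n";
```

On the sample, rc_summarize reports the newest scan end as 1439314890, four scan markers, one resolved event (the SELinux entry, last seen before that scan ended), one outstanding event (the /tmp entry, seen after it), and two malformed lines. The point for the thread is the last number: a reader that validates each field before using it turns a corrupted queue file into a count it can report rather than a crash.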
