bad news...looks like I have to compile the github version 2.9 ...meh maybe I'm lazy, but I love the comfort of using binaries (e.g. RPMs or debs) not just for me in my test environment, but furthermore for my company as well.

I've just had another segfault with the other agent.

Aug 12 22:42:17 tron kernel: rootcheck_contr[19479]: segfault at 8 ip 00007f66580f1925 sp 00007fff5c392440 error 4 in libc-2.12.so[7f665804e000+18a000]

this was definitely coming from the agent

bin/rootcheck_control -L -i 002

Policy and auditing events for agent 'concave (002) - ':

Resolved events:

** No entries found.
Segmentation fault.

If this really is a bug, and I just happened to stumble upon it, then it would be cool if it could be addressed. But at the moment I'm kinda the only one who's running into this problem, using the atomicorp RPMs, right?! I would love to have RPMs for mass-deployment... hmm :(

On Wednesday, 12 August 2015 00:48:49 UTC+2, Santiago Bassett wrote:
>
> The file looks good to me. Is the segfault happening only with agent 000
> or with all of them? If it is only 000 I would try completely deleting
> rootcheck file and running the check again. If you still have the segfault
> try compiling 2.9 version. I could not trigger the segfault in my
> environment.
>
> On Tue, Aug 11, 2015 at 12:48 PM, theresa mic-snare <[email protected]> wrote:
>
> > I just checked the queue/rootcheck/rootcheck file, it looks like this
> >
> > !1439300728!1439195883 Starting syscheck scan.
> > !1439302513!1439197646 Ending syscheck scan.
> > !1439318491!1439197686 Starting rootcheck scan.
> > !1439318493!1439197688 System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0. File: /etc/redhat-release. Reference: http://www.ossec.net/ .
> > !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
> > !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
> > !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
> > !1439314890!1439197952 Ending rootcheck scan.
> > !1439199726!1439199726 System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
> >
> > similar to the unresolved issues, when I run the print.
> >
> > I'm using the ossec binaries from the atomicorp repository, which is 2.8.2
> > ossec-hids-server-2.8.2-49.el6.art.x86_64
> > ossec-hids-2.8.2-49.el6.art.x86_64
> >
> > owner/permission of the rootcheck file is the following:
> > -rw-r-----. 1 ossec ossec 1159 11. Aug 21:48 /var/ossec/queue/rootcheck/rootcheck
> >
> > On Tuesday, 11 August 2015 21:18:30 UTC+2, Santiago Bassett wrote:
> >
> > > I see, somehow my mail client (gmail) was not displaying the whole strace
> > > output, now I can see it.
> > >
> > > The segfault appears after looking into queue/rootcheck/rootcheck and
> > > writing "No entries found".
> > >
> > > Having a look at the code I realized that this is done in the function
> > > _do_print_rootcheck (shared/read-agent.c), called by print_rootcheck (in
> > > the same file), which is called at util/rootcheck_control.c when you want
> > > to update rootcheck database using an agent info (with -L -i options).
> > >
> > > What does your queue/rootcheck/rootcheck file look like? I wonder if it is
> > > malformed. As well, what ossec version are you using? I am using latest
> > > github code and run the same command with no issues.
> > >
> > > I hope that helps!
> > >
> > > Santiago.
> > >
> > > > open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
> > > > fstat(3, {st_mode=S_IFREG|0644, st_size=1348, ...}) = 0
> > > > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d03000
> > > > read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1348
> > > > close(3) = 0
> > > > munmap(0x7ffb97d03000, 4096) = 0
> > > > setgroups(1, [498]) = 0
> > > > setresgid(-1, 498, -1) = 0
> > > > setgid(498) = 0
> > > > chdir("/var/ossec") = 0
> > > > chroot("/var/ossec") = 0
> > > > chdir("/") = 0
> > > > setuid(498) = 0
> > > > setresuid(-1, 498, -1) = 0
> > > > uname({sys="Linux", node="tron", ...}) = 0
> > > > fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> > > > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d03000
> > > > write(1, "\n", 1
> > > > ) = 1
> > > > write(1, "Policy and auditing events for l"..., 64Policy and auditing events for local system 'tron - 127.0.0.1':
> > > > ) = 64
> > > > open("/queue/rootcheck/rootcheck", O_RDWR) = 3
> > > > fstat(3, {st_mode=S_IFREG|0640, st_size=1159, ...}) = 0
> > > > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d02000
> > > > read(3, "!1439226925!1439195883 Starting "..., 4096) = 1159
> > > > lseek(3, 0, SEEK_SET) = 0
> > > > write(1, "\nResolved events: \n\n", 20
> > > > Resolved events:
> > > >
> > > > ) = 20
> > > > read(3, "!1439226925!1439195883 Starting "..., 4096) = 1159
> > > > read(3, "", 4096) = 0
> > > > write(1, "** No entries found.\n", 21** No entries found.
> > > > ) = 21
> > > > lseek(3, 0, SEEK_SET) = 0
> > > > open("/etc/localtime", O_RDONLY) = 4
> > > > fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0
> > > > fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0
> > > > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d01000
> > > > read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0"..., 4096) = 2211
> > > > lseek(4, -
> > > > ...

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
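As an added example (not code from this thread and not OSSEC's own), a defensive C parser for the queue/rootcheck/rootcheck line format pasted above, which rejects a malformed line instead of reading past a missing field, plus a tally that sorts entries into resolved and unresolved. The resolved rule (last_seen older than the latest scan's start) and the sample lines are this example's own assumptions, not OSSEC's confirmed logic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
/* One entry of OSSEC's queue/rootcheck/rootcheck file; the lines pasted in
 * the thread have the shape   !<last_seen>!<first_seen> <message>   */
struct rc_entry { time_t last_seen, first_seen; char msg[256]; };

/* Parse one line. Returns 1 on success, 0 for a malformed line, so a corrupt
 * file is reported rather than a missing field being walked past. */
int rc_parse_line(const char *line, struct rc_entry *out)
{
    const char *p; char *end; long long v;
    if (line == NULL || line[0] != '!') return 0;
    p = line + 1; v = strtoll(p, &end, 10);
    if (end == p || *end != '!' || v < 0) return 0;      /* bad last_seen */
    out->last_seen = (time_t)v;
    p = end + 1; v = strtoll(p, &end, 10);
    if (end == p || *end != ' ' || v < 0) return 0;      /* bad first_seen */
    out->first_seen = (time_t)v;
    p = end + 1;
    if (*p == '\0' || *p == '\n') return 0;              /* empty message */
    snprintf(out->msg, sizeof out->msg, "%s", p);
    out->msg[strcspn(out->msg, "\r\n")] = '\0';
    return 1;
}

/* Count resolved, unresolved and malformed entries in a whole file buffer.
 * Assumed rule (this example's, not lifted from OSSEC): an entry is resolved
 * when last_seen predates the latest scan's start. "... scan." lines are skipped. */
void rc_summarize(const char *buf, time_t scan_start,
                  int *resolved, int *unresolved, int *bad)
{
    char line[512]; struct rc_entry e;
    *resolved = *unresolved = *bad = 0;
    while (*buf) {
        size_t n = strcspn(buf, "\n"), m = n < sizeof line ? n : sizeof line - 1;
        memcpy(line, buf, m); line[m] = '\0';
        buf += n + (buf[n] == '\n');
        if (!rc_parse_line(line, &e)) { (*bad)++; continue; }
        if (strstr(e.msg, " scan.")) continue;
        if (e.last_seen < scan_start) (*resolved)++; else (*unresolved)++;
    }
}

/* Constructed sample: scan marker, one still-seen entry, one stale entry, one corrupt line. */
const char *RC_SAMPLE =
    "!1439318491!1439197686 Starting rootcheck scan.\n"
    "!1439318493!1439197688 System Audit: CIS - RHEL6 - /tmp is not on its own partition.\n"
    "!1439199726!1439199726 System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing.\n"
    "!notanumber!1439197688 garbage\n";
```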
