After troubleshooting the issue with Theresa, finally found it. It is a bug in the way the localtime function is called in shared/read-agents.c.

Fixed in version 2.9 by cgzones. See commit here: https://github.com/ossec/ossec-hids/commit/e87f415eeef268f6d95b04d569b8d51e260bbc27#diff-7c75ce14fc99e77cf2ac6208fbb99946

Theresa, if you compile version 2.9 it will work ;-)

On Wed, Aug 12, 2015 at 1:50 PM, theresa mic-snare <[email protected]> wrote:
> oh and I've also deleted the rootcheck file (or moved it somewhere else).
> still the same problem with the segfaults :(
>
> On Wednesday, 12 August 2015 00:48:49 UTC+2, Santiago Bassett wrote:
>>
>> The file looks good to me. Is the segfault happening only with agent 000
>> or with all of them? If it is only 000 I would try completely deleting the
>> rootcheck file and running the check again. If you still have the segfault,
>> try compiling the 2.9 version. I could not trigger the segfault in my
>> environment.
>>
>> On Tue, Aug 11, 2015 at 12:48 PM, theresa mic-snare <[email protected]> wrote:
>>
>> I just checked the queue/rootcheck/rootcheck file, it looks like this:
>> !1439300728!1439195883 Starting syscheck scan.
>> !1439302513!1439197646 Ending syscheck scan.
>> !1439318491!1439197686 Starting rootcheck scan.
>> !1439318493!1439197688 System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0. File: /etc/redhat-release. Reference: http://www.ossec.net/ .
>> !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
>> !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
>> !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
>> !1439314890!1439197952 Ending rootcheck scan.
>> !1439199726!1439199726 System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
>>
>>
>> similar to the unresolved issues, when I run the print.
>>
>> I'm using the ossec binaries from the atomicorp repository, which is 2.8.2
>> ossec-hids-server-2.8.2-49.el6.art.x86_64
>> ossec-hids-2.8.2-49.el6.art.x86_64
>>
>> owner/permission of the rootcheck file is the following:
>> -rw-r-----. 1 ossec ossec 1159 11. Aug 21:48 /var/ossec/queue/rootcheck/rootcheck
>>
>>
>>
>>
>> On Tuesday, 11 August 2015 21:18:30 UTC+2, Santiago Bassett wrote:
>>
>> I see, somehow my mail client (gmail) was not displaying the whole strace
>> output; now I can see it.
>>
>> The segfault appears after looking into queue/rootcheck/rootcheck and
>> writing "No entries found".
>>
>> Having a look at the code I realized that this is done in the function
>> _do_print_rootcheck (shared/read-agent.c), called by print_rootcheck (in
>> the same file), which is called at util/rootcheck_control.c when you want
>> to update the rootcheck database using an agent info (with -L -i options).
>>
>> What does your queue/rootcheck/rootcheck file look like? I wonder if it
>> is malformed. As well, what ossec version are you using? I am using the latest
>> github code and run the same command with no issues.
>>
>> I hope that helps!
>>
>> Santiago.
>>
>>
>> open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
>> fstat(3, {st_mode=S_IFREG|0644, st_size=1348, ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d03000
>> read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1348
>> close(3) = 0
>> munmap(0x7ffb97d03000, 4096) = 0
>> setgroups(1, [498]) = 0
>> setresgid(-1, 498, -1) = 0
>> setgid(498) = 0
>> chdir("/var/ossec") = 0
>> chroot("/var/ossec") = 0
>> chdir("/") = 0
>> setuid(498) = 0
>> setresuid(-1, 498, -1) = 0
>> uname({sys="Linux", node="tron", ...}) = 0
>> fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d03000
>> write(1, "\n", 1
>> ) = 1
>> write(1, "Policy and auditing events for l"..., 64Policy and auditing events for local system 'tron - 127.0.0.1':
>> ) = 64
>> open("/queue/rootcheck/rootcheck", O_RDWR) = 3
>> fstat(3, {st_mode=S_IFREG|0640, st_size=1159, ...}) = 0
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d02000
>> read(3, "!1439226925!1439195883 Starting "..., 4096) = 1159
>> lseek(3, 0, SEEK_SET) = 0
>> write(1, "\nResolved events: \n\n", 20
>> Resolved events:
>>
>> ) = 20
>> read(3, "!1439226925!1439195883 Starting "..., 4096) = 1159
>> read(3, "", 4096) = 0
>> write(1, "** No entries found.\n", 21** No entries found.
>> ) = 21
>> lseek(3, 0, SEEK_SET) = 0
>> open("/etc/localtime", O_RDONLY) = 4
>> fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0
>> fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0
>>
>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d01000
>> read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0"..., 4096) = 2211
>> lseek(4, -
>>
>> ...
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
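As an added example that is not OSSEC's code and not the fix in the commit linked above, the C program below parses the rootcheck queue file format quoted in the thread (`!<ts1>!<ts2> <message>`) and formats its timestamps with the guarded pattern a reviewer would look for around any localtime call: the timestamps are stored in real `time_t` variables, `localtime_r` writes into caller-owned storage, and its NULL return is checked before the `struct tm` is used. Malformed lines are counted and skipped instead of crashing the tool. The function names, the sample lines (constructed from the ones quoted above, plus one deliberately broken line) and the reading of the leading timestamp as "last seen" are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for localtime_r() */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* One parsed line of a rootcheck queue file, format "!<ts1>!<ts2> <message>".
 * Treating the leading (larger) value as the last-seen time is an assumption
 * of this example, not something stated in the thread. */
struct rootcheck_entry {
    time_t time_last;
    time_t time_first;
    char message[256];
};

/* Parse one line into *out. Returns 1 on success, 0 for a malformed line
 * (missing '!' markers, negative timestamp, empty or oversized message).
 * Timestamps are scanned into a wide integer and then stored in a real time_t,
 * so the address later handed to localtime_r() has the type it expects. */
int parse_rootcheck_line(const char *line, struct rootcheck_entry *out)
{
    long long last = 0, first = 0;
    int consumed = 0;
    size_t n;

    if (line == NULL || out == NULL)
        return 0;
    /* %n records how many characters were consumed; it is not counted in the return value */
    if (sscanf(line, "!%lld!%lld %n", &last, &first, &consumed) != 2 || consumed == 0)
        return 0;
    if (last < 0 || first < 0)
        return 0;
    n = strcspn(line + consumed, "\r\n");      /* message runs to end of line */
    if (n == 0 || n >= sizeof out->message)
        return 0;
    out->time_last = (time_t)last;
    out->time_first = (time_t)first;
    memcpy(out->message, line + consumed, n);
    out->message[n] = '\0';
    return 1;
}

/* Format a timestamp for display. localtime_r() fills caller storage and
 * returns NULL on failure (plain localtime() can return NULL too), so the
 * result is checked before strftime() touches it. Returns 1 on success. */
int format_rootcheck_time(time_t t, char *buf, size_t len)
{
    struct tm tm_time;
    if (localtime_r(&t, &tm_time) == NULL)
        return 0;
    return strftime(buf, len, "%Y %b %d %H:%M:%S", &tm_time) > 0 ? 1 : 0;
}

/* Walk a whole file image line by line. Returns the number of well-formed
 * entries; malformed lines are counted in *malformed and skipped. */
int count_rootcheck_entries(const char *text, int *malformed)
{
    int good = 0, bad = 0;
    const char *p = text;

    while (*p != '\0') {
        struct rootcheck_entry e;
        char linebuf[512];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        if (len >= sizeof linebuf) {
            bad++;                              /* oversized line: skip, never overflow */
        } else {
            memcpy(linebuf, p, len);
            linebuf[len] = '\0';
            if (parse_rootcheck_line(linebuf, &e))
                good++;
            else
                bad++;
        }
        p = nl ? nl + 1 : p + len;
    }
    if (malformed)
        *malformed = bad;
    return good;
}

/* Constructed sample modelled on the lines quoted in the thread, plus one
 * deliberately malformed line. */
static const char SAMPLE_ROOTCHECK[] =
    "!1439300728!1439195883 Starting syscheck scan.\n"
    "!1439302513!1439197646 Ending syscheck scan.\n"
    "this line is not a valid entry\n"
    "!1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - "
    "Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. "
    "Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .\n";

int main(void)
{
    struct rootcheck_entry e;
    char when[32];
    int bad = 0;
    const char *p = SAMPLE_ROOTCHECK;

    while (*p != '\0') {
        if (parse_rootcheck_line(p, &e) && format_rootcheck_time(e.time_first, when, sizeof when))
            printf("%s  %s\n", when, e.message);
        p += strcspn(p, "\n");
        if (*p == '\n')
            p++;
    }
    printf("well-formed entries: %d (malformed: %d)\n",
           count_rootcheck_entries(SAMPLE_ROOTCHECK, &bad), bad);
    return 0;
}
```

Run as is, it prints one formatted line per well-formed entry and a count of the lines it rejected. Feeding a real queue/rootcheck/rootcheck file image through `count_rootcheck_entries` is a quick way to tell a malformed file from a crashing reader, which is the question the thread was trying to settle.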
