Upgrading has not solved the problem.
Still appears to be some form of port / bind issue based on the backtrace.
To obfuscate things, this was my ossec master (wazuh docker image), so it
was running in a docker container, on a virtual machine under VMware.
Nothing complicated there, right?
To follow up on my own post: first, the problem was indeed happening
during ossec-rootcheck, but I was unable to determine what was failing.
Secondly, the affected servers all were, at one time or another, exporting a
CIFS or NFS share. Disabling the share didn't prevent ossec-rootcheck from
That is probably rootcheck trying to detect system anomalies and kernel
level rootkits. It does it by comparing the output of netstat with its own
results binding ports to check if they are open.
Remember that syscheckd not only does FIM, but also Rootchecks (policy
monitoring checks and
Followup. ossec-syscheckd appears to be doing some bind operation:
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
bind(6, {sa_family=AF_INET, sin_port=htons(12310),
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
close(6) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
bind(6, {sa_family=AF_INET,
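
The check described in this thread (bind to a port, then compare the result with what netstat lists), as an added example that is not part of the original posts and is not OSSEC's own code. The function names and the netstat-style listing are constructed for illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 = bind() refused with EADDRINUSE, 0 = port was free, -1 = other error. */
int port_in_use(int port) {
    struct sockaddr_in a = {0};
    int fd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (fd < 0) return -1;
    a.sin_family = AF_INET;
    a.sin_port = htons((unsigned short)port);
    a.sin_addr.s_addr = htonl(INADDR_ANY);      /* 0.0.0.0, as in the strace */
    int rc = bind(fd, (struct sockaddr *)&a, sizeof a);
    int err = errno;                             /* save before close() can change it */
    close(fd);
    return rc == 0 ? 0 : (err == EADDRINUSE ? 1 : -1);
}

/* 1 if the text of a `netstat -tan` style listing shows `port` as a local port. */
int port_listed(const char *listing, int port) {
    char line[256], local[128];
    while (*listing) {
        size_t n = strcspn(listing, "\n");
        snprintf(line, sizeof line, "%.*s", (int)n, listing);
        listing += n + (listing[n] == '\n');
        if (sscanf(line, "%*s %*s %*s %127s", local) != 1) continue; /* 4th column */
        const char *colon = strrchr(local, ':');
        if (colon && atoi(colon + 1) == port) return 1;
    }
    return 0;
}

/* Anomaly: the kernel says the port is taken, but the listing does not show it. */
int port_hidden(const char *listing, int port) {
    return port_in_use(port) == 1 && !port_listed(listing, port);
}

int main(void) {
    /* Constructed listing, not from a real host; 12310 is the port seen in the strace. */
    const char *listing = "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN\n";
    printf("port 12310: in_use=%d hidden=%d\n", port_in_use(12310), port_hidden(listing, 12310));
    return 0;
}
```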