Yes, it happens every time I start ossec.
No rootcheck customization, just the files from the source package are used.
OS: CentOS 5.8 x86_64, kernel 2.6.18

I can't debug the coredump because frame 1 returns me to an incorrect point :(

On Tuesday, October 16, 2012, 1:26:57 UTC+3, Jb Cheng wrote:
>
> Is this reproducible? Steps to reproduce it will be very helpful.
>
> Are you using the default rootcheck _rcl.txt files (under 
> /var/ossec/etc/shared/)? Any customization? 
>
> On Monday, October 15, 2012 8:26:51 AM UTC-7, PAL wrote:
>>
>> After updating to version 2.7 beta2, ossec-syscheckd on my servers 
>> crashed with a coredump.
>> Tried to debug, but no results:
>>
>> $ gdb ./ossec-syscheckd ./ossec-syscheckd-1350312099-6121.core 
>> GNU gdb (GDB) CentOS (7.0.1-42.el5.centos.1)
>> Copyright (C) 2009 Free Software Foundation, Inc.
>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
>> and "show warranty" for details.
>> This GDB was configured as "x86_64-redhat-linux-gnu".
>> For bug reporting instructions, please see:
>> <http://www.gnu.org/software/gdb/bugs/>...
>> Reading symbols from /home/opokhvalit/ossec-syscheckd...done.
>> [New Thread 6121]
>> Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
>> Loaded symbols for /lib64/libc.so.6
>> Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
>> Loaded symbols for /lib64/ld-linux-x86-64.so.2
>>
>> warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7fff13db0000
>> Core was generated by `/var/ossec/bin/ossec-syscheckd'.
>> Program terminated with signal 11, Segmentation fault.
>> #0  0x0000000000417868 in is_file (file_name=0x7f4430 "\240}\204") at common.c:676
>>
>> warning: Source file is more recent than executable.
>> 676        if( (stat(file_name, &statbuf) < 0) &&
>> (gdb) print file_name
>> $1 = 0x7f4430 "\240}\204"
>> (gdb) frame 1
>> #1  0x0000000000416b58 in _is_str_in_array (ar=0x0, str=0x7fff13c23730 "") at common.c:33
>> 33            ar++;
>>
>> Latest records in ossec logs:
>> 2012/10/15 10:15:49 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> 2012/10/15 10:15:49 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> 2012/10/15 10:15:49 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
>> 2012/10/15 10:40:45 ossec-syscheckd: INFO: Real time file monitoring started.
>> 2012/10/15 10:40:45 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>> 2012/10/15 10:40:59 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>> 2012/10/15 10:41:39 ossec-rootcheck: INFO: Starting rootcheck scan.
>>
>> Looks like syscheckd crashes at the beginning of rootcheck.
>>
>>
