Yes, it happens every time I start ossec.
No rootcheck customization, just the files from the source package are used.
OS: CentOS 5.8 x86_64, kernel 2.6.18
I can't debug the coredump because frame 1 returns me to an incorrect point :(

On Tuesday, October 16, 2012, 1:26:57 UTC+3, Jb Cheng wrote:
>
> Is this reproducible? Steps to reproduce it will be very helpful.
>
> Are you using the default rootcheck _rcl.txt files (under
> /var/ossec/etc/shared/)? Any customization?
>
> On Monday, October 15, 2012 8:26:51 AM UTC-7, PAL wrote:
>>
>> After updating to version 2.7 beta2, ossec-syscheckd on my servers
>> crashed with a coredump.
>> Tried to debug, but no results:
>>
>> $ gdb ./ossec-syscheckd ./ossec-syscheckd-1350312099-6121.core
>> GNU gdb (GDB) CentOS (7.0.1-42.el5.centos.1)
>> Copyright (C) 2009 Free Software Foundation, Inc.
>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
>> and "show warranty" for details.
>> This GDB was configured as "x86_64-redhat-linux-gnu".
>> For bug reporting instructions, please see:
>> <http://www.gnu.org/software/gdb/bugs/>...
>> Reading symbols from /home/opokhvalit/ossec-syscheckd...done.
>> [New Thread 6121]
>> Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
>> Loaded symbols for /lib64/libc.so.6
>> Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
>> Loaded symbols for /lib64/ld-linux-x86-64.so.2
>>
>> warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7fff13db0000
>> Core was generated by `/var/ossec/bin/ossec-syscheckd'.
>> Program terminated with signal 11, Segmentation fault.
>> #0 0x0000000000417868 in is_file (file_name=0x7f4430 "\240}\204") at common.c:676
>>
>> warning: Source file is more recent than executable.
>> 676 if( (stat(file_name, &statbuf) < 0) &&
>> (gdb) print file_name
>> $1 = 0x7f4430 "\240}\204"
>> (gdb) frame 1
>> #1 0x0000000000416b58 in _is_str_in_array (ar=0x0, str=0x7fff13c23730 "") at common.c:33
>> 33 ar++;
>>
>> Latest records in ossec logs:
>> 2012/10/15 10:15:49 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
>> 2012/10/15 10:15:49 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
>> 2012/10/15 10:15:49 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
>> 2012/10/15 10:40:45 ossec-syscheckd: INFO: Real time file monitoring started.
>> 2012/10/15 10:40:45 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
>> 2012/10/15 10:40:59 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
>> 2012/10/15 10:41:39 ossec-rootcheck: INFO: Starting rootcheck scan.
>>
>> Looks like syscheckd crashes at the beginning of rootcheck.
>>