good idea.
do you want me to run strace with any specific options?

On Monday, 10 August 2015 20:28:20 UTC+2, Santiago Bassett wrote:
>
> Haven't seen that before. Try running rootcheck_control with strace to 
> debug that segfault
>
> Best
>
> On Mon, Aug 10, 2015 at 9:54 AM, theresa mic-snare <rockpr...@gmail.com> 
> wrote:
>
>> hi all,
>>
>> as you may have noticed I've been playing around with the rootcheck 
>> module, e.g. for the CIS checks.
>> what i've noticed is that the CIS (audit) checks are not really updated 
>> unless I do a complete restart of ossec (ossec-control restart).
>>
>> neither a syscheck_update -u local nor an agent_control -r -u 000 or a 
>> rootcheck_control -u 000 is going to update the CIS benchmark
>>
>> how did I notice that?
>> well, rootcheck_control says the latest outstanding event is e.g this:
>> 2015 Aug 10 11:42:06 (first time detected: 2015 Aug 10 11:42:06)
>> System Audit: System Audit: CIS - RHEL6 1.4.2 - SELinux not set to 
>> enforcing. File: /etc/selinux/config. Reference: 
>> http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
>>
>>
>> this means the last time the check was updated was over 5 hours ago.
>> But my rootcheck is running on an hourly basis, and according to the 
>> ossec.log it just ran a couple of minutes ago
>>
>> 2015/08/10 17:56:36 ossec-rootcheck: INFO: Starting rootcheck scan.
>> 2015/08/10 18:01:12 ossec-rootcheck: INFO: Ending rootcheck scan.
>>
>> so this kinda doesn't match.
>>
>> btw, i can prove that the above mentioned CIS check should be marked as 
>> resolved because according to "sestatus" i have selinux set to enforcing.
>>
>> SELinux status:                 enabled
>> SELinuxfs mount:                /selinux
>> Current mode:                   enforcing
>> Mode from config file:          enforcing
>> Policy version:                 24
>> Policy from config file:        targeted
>>
>> then I had a quick look at my own system logs (messages.log) and found 
>> this
>> Aug 10 18:45:23 tron kernel: rootcheck_contr[20641]: segfault at 8 ip 00007f851fe8b925 sp 00007ffdc8c73240 error 4 in libc-2.12.so[7f851fde8000+18a000]
>>
>> this is the result when I run *rootcheck_control -L -i 000*
>>
>> I bet when I restart ossec completely this above mentioned CIS check will 
>> vanish (it will not be marked as resolved) as somehow the database is 
>> cleared.
>>
>> has anyone run into this problem as well?
>>
>> i'm running the latest ossec version 2.8.2
>>
>> -- 
>>
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to ossec-list+...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>

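Added example, not code from the thread or from OSSEC: a small Python decoder for the kernel "segfault at" line quoted above, using that line's values as constructed sample input, plus the strace invocation I would suggest for the question above (the output path and options are my assumption, not the list's advice).

```python
import re

# Constructed sample: the kernel message quoted in the thread above.
SAMPLE = ("Aug 10 18:45:23 tron kernel: rootcheck_contr[20641]: segfault at 8 ip "
          "00007f851fe8b925 sp 00007ffdc8c73240 error 4 in "
          "libc-2.12.so[7f851fde8000+18a000]")

SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")


def decode_segfault(line):
    """Parse an x86 Linux 'segfault at' message into a triage dict.

    'error' is the page-fault error code: bit 0 = page present (protection
    violation) vs. not present, bit 1 = write vs. read, bit 2 = user mode.
    'offset' is the faulting instruction's position inside the mapped
    object, which is what addr2line/objdump need against the same libc build.
    """
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    addr, ip = int(m["addr"], 16), int(m["ip"], 16)
    base, size = int(m["base"], 16), int(m["size"], 16)
    err = int(m["err"])
    return {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": addr,
        # A fault address inside the first page is almost always a NULL
        # pointer dereference; 'at 8' means a field at offset 8 of NULL.
        "null_deref": addr < 4096,
        "access": "write" if err & 2 else "read",
        "page_present": bool(err & 1),
        "user_mode": bool(err & 4),
        "object": m["obj"].strip(),
        "ip_in_mapping": base <= ip < base + size,
        "offset": ip - base,
    }


def strace_command(argv, out="/tmp/rootcheck_control.strace"):
    """Wrap a command so the syscalls right before SIGSEGV are written to a file (assumed path)."""
    return ["strace", "-f", "-s", "256", "-o", out] + list(argv)


if __name__ == "__main__":
    print(decode_segfault(SAMPLE))
    print(" ".join(strace_command(["rootcheck_control", "-L", "-i", "000"])))
```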