Thanks to Santi for troubleshooting with me!! Brilliant work, I'd have been 
so lost without you.

I have no problem with compiling 2.9 from github, but when do you think 
it will get officially released? For my test environment it's fine, but 
production-wise I'd rather stick with official releases and repos. It will 
make life easier for mass deployments and also to update the agents and the 
master. Is there a timeline for when 2.9 will get released?

Who's running the atomicorp repositories? :)

On Thursday, 13 August 2015 01:33:51 UTC+2, Santiago Bassett wrote:
>
> After troubleshooting the issue with Theresa, I finally found it. It is a 
> bug in the way the localtime function is called in shared/read-agents.c.
>
> Fixed in version 2.9 by cgzones. See commit here: 
>
>
> https://github.com/ossec/ossec-hids/commit/e87f415eeef268f6d95b04d569b8d51e260bbc27#diff-7c75ce14fc99e77cf2ac6208fbb99946
>
> Theresa, if you compile version 2.9 it will work ;-)
>
> On Wed, Aug 12, 2015 at 1:50 PM, theresa mic-snare <rockpr...@gmail.com> 
> wrote:
>
> Oh, and I've also deleted the rootcheck file (or moved it somewhere else). 
> Still the same problem with the segfaults :(
>
> On Wednesday, 12 August 2015 00:48:49 UTC+2, Santiago Bassett wrote:
>
> The file looks good to me. Is the segfault happening only with agent 000 
> or with all of them? If it is only 000, I would try completely deleting 
> the rootcheck file and running the check again. If you still have the 
> segfault, try compiling the 2.9 version. I could not trigger the segfault 
> in my environment.
>
> On Tue, Aug 11, 2015 at 12:48 PM, theresa mic-snare <rockpr...@gmail.com> 
> wrote:
>
> I just checked the queue/rootcheck/rootcheck file; it looks like this:
> !1439300728!1439195883 Starting syscheck scan.
> !1439302513!1439197646 Ending syscheck scan.
> !1439318491!1439197686 Starting rootcheck scan.
> !1439318493!1439197688 System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v2.1.0. File: /etc/redhat-release. Reference: http://www.ossec.net/ .
> !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
> !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
> !1439318493!1439197688 System Audit: CIS - RHEL6 - Build considerations - Robust partition scheme - /var/tmp is bound to /tmp. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
> !1439314890!1439197952 Ending rootcheck scan.
> !1439199726!1439199726 System Audit: CIS - RHEL6 1.4.2 - SELinux not set to enforcing. File: /etc/selinux/config. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL6 .
>
>
> Similar to the unresolved issues, when I run the print.
>
> I'm using the ossec binaries from the atomicorp repository, which is 2.8.2:
> ossec-hids-server-2.8.2-49.el6.art.x86_64
> ossec-hids-2.8.2-49.el6.art.x86_64
>
> Owner/permission of the rootcheck file is the following:
> -rw-r-----. 1 ossec ossec 1159 11. Aug 21:48 /var/ossec/queue/rootcheck/rootcheck
>
> On Tuesday, 11 August 2015 21:18:30 UTC+2, Santiago Bassett wrote:
>
> I see; somehow my mail client (gmail) was not displaying the whole strace 
> output. Now I can see it.
>
> The segfault appears after looking into queue/rootcheck/rootcheck and 
> writing "No entries found". 
>
> Having a look at the code, I realized that this is done in the function 
> _do_print_rootcheck (shared/read-agent.c), called by print_rootcheck (in 
> the same file), which is called from util/rootcheck_control.c when you want 
> to update the rootcheck database using an agent's info (with the -L -i options).
>
> What does your queue/rootcheck/rootcheck file look like? I wonder if it is 
> malformed. Also, what ossec version are you using? I am using the latest 
> github code and ran the same command with no issues.
>
> I hope that helps!
>
> Santiago.
>
>
> open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=1348, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d03000
> read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1348
> close(3)                                = 0
> munmap(0x7ffb97d03000, 4096)            = 0
> setgroups(1, [498])                     = 0
> setresgid(-1, 498, -1)                  = 0
> setgid(498)                             = 0
> chdir("/var/ossec")                     = 0
> chroot("/var/ossec")                    = 0
> chdir("/")                              = 0
> setuid(498)                             = 0
> setresuid(-1, 498, -1)                  = 0
> uname({sys="Linux", node="tron", ...})  = 0
> fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d03000
> write(1, "\n", 1
> )                       = 1
> write(1, "Policy and auditing events for l"..., 64Policy and auditing events for local system 'tron - 127.0.0.1':
> ) = 64
> open("/queue/rootcheck/rootcheck", O_RDWR) = 3
> fstat(3, {st_mode=S_IFREG|0640, st_size=1159, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d02000
> read(3, "!1439226925!1439195883 Starting "..., 4096) = 1159
> lseek(3, 0, SEEK_SET)                   = 0
> write(1, "\nResolved events: \n\n", 20
> Resolved events: 
>
> ) = 20
> read(3, "!1439226925!1439195883 Starting "..., 4096) = 1159
> read(3, "", 4096)                       = 0
> write(1, "** No entries found.\n", 21** No entries found.
> )  = 21
> lseek(3, 0, SEEK_SET)                   = 0
> open("/etc/localtime", O_RDONLY)        = 4
> fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0
> fstat(4, {st_mode=S_IFREG|0644, st_size=2211, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ffb97d01000
> read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0"..., 4096)
>
> ...
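Added example, not OSSEC code and not posted by anyone in this thread: a small C program that reads entries in the "!first_seen!last_seen message" format of the queue/rootcheck/rootcheck file shown above, scans both epochs into a wide integer before assigning them to time_t, and formats them with localtime_r while checking for a NULL result instead of passing it on to strftime. The thread only says that the 2.8.2 crash comes from how localtime is called in read-agents.c and does not show the faulty code, so this does not reproduce that defect; the function names, the rootcheck_entry type and the sample file (one line deliberately malformed) are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added example, not OSSEC code. A queue/rootcheck/rootcheck line has the
 * form "!<first_seen>!<last_seen> <message>", both values Unix epochs.
 * All names below are this example's own. */

#define RC_MSG_MAX 512

struct rootcheck_entry {
    time_t first_seen;
    time_t last_seen;
    char message[RC_MSG_MAX];
};

/* Parse one line. Returns 1 on success, 0 if the line is malformed.
 * The epochs are scanned into long long and then assigned to time_t, so a
 * pointer to a narrower int is never passed where a time_t * is expected. */
int parse_rootcheck_line(const char *line, struct rootcheck_entry *e)
{
    long long t1, t2;
    int consumed = 0;
    size_t n;

    if (sscanf(line, "!%lld!%lld %n", &t1, &t2, &consumed) != 2 || consumed <= 0)
        return 0;
    e->first_seen = (time_t)t1;
    e->last_seen = (time_t)t2;
    n = strlen(line + consumed);
    if (n >= RC_MSG_MAX)
        n = RC_MSG_MAX - 1;              /* truncate over-long messages */
    memcpy(e->message, line + consumed, n);
    e->message[n] = '\0';
    if (n > 0 && e->message[n - 1] == '\n')
        e->message[n - 1] = '\0';        /* drop the trailing newline */
    return 1;
}

/* Format an epoch for display. Returns 1 with a date string on success and
 * 0 with a placeholder when localtime_r cannot represent the value, so a
 * NULL struct tm is never handed to strftime. */
int format_epoch(time_t t, char *out, size_t out_len)
{
    struct tm tm_buf;

    if (localtime_r(&t, &tm_buf) == NULL) {
        snprintf(out, out_len, "<unrepresentable time %lld>", (long long)t);
        return 0;
    }
    return strftime(out, out_len, "%Y %b %d %H:%M:%S", &tm_buf) != 0;
}

/* Print every entry of a rootcheck file held in memory. Returns the number
 * of well-formed entries; *malformed receives the number of rejected lines. */
int print_rootcheck_file(const char *text, int *malformed)
{
    const char *p = text;
    int ok = 0;

    *malformed = 0;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[RC_MSG_MAX + 64];
        struct rootcheck_entry e;

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len > 0) {
            if (parse_rootcheck_line(line, &e)) {
                char first[64], last[64];
                format_epoch(e.first_seen, first, sizeof first);
                format_epoch(e.last_seen, last, sizeof last);
                printf("%s -> %s  %s\n", first, last, e.message);
                ok++;
            } else {
                fprintf(stderr, "skipping malformed line: %s\n", line);
                (*malformed)++;
            }
        }
        p = nl ? nl + 1 : p + strlen(p);
    }
    return ok;
}

/* Constructed sample modelled on the file posted in the thread; the third
 * line is deliberately malformed (second epoch missing). */
static const char sample_rootcheck[] =
    "!1439300728!1439195883 Starting syscheck scan.\n"
    "!1439318493!1439197688 System Audit: CIS - RHEL6 1.4.2 - SELinux not set "
    "to enforcing. File: /etc/selinux/config.\n"
    "!1439318493 Ending rootcheck scan.\n"
    "!1439314890!1439197952 Ending rootcheck scan.\n";

int main(void)
{
    int bad = 0;
    int good = print_rootcheck_file(sample_rootcheck, &bad);

    printf("%d well-formed entries, %d malformed line(s)\n", good, bad);
    return 0;
}
```

The two checks that matter for the crash class discussed in the thread are that the scanned value has the same width as the time_t whose address is later taken, and that a NULL from localtime_r is reported rather than dereferenced; a malformed line is skipped with a message instead of aborting the whole listing.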

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.