[root@turpentine ossec]# cat /etc/*release
CentOS release 6.8 (Final)
LSB_VERSION=base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
CentOS release 6.8 (Final)
CentOS release 6.8 (Final)
You have new mail in /var/spool/mail/root

The only evidence left behind is a long-running "cat /dev/urandom" process
hogging CPU.

On Tue, Dec 20, 2016 at 10:31 AM, dan (ddp) <ddp...@gmail.com> wrote:

> On Tue, Dec 20, 2016 at 1:19 PM, David Breise <dbre...@eticainc.com> wrote:
> > Tested commands manually, no errors returned.  This is still a problem for
> > us.
> >
>
> Which distribution are you using? I'm wondering why mktemp isn't being
> used (or why it's failing).
>
> > On Wednesday, January 21, 2015 at 9:32:27 AM UTC-8, dan (ddpbsd) wrote:
> >>
> >> On Wed, Jan 21, 2015 at 11:11 AM, Gil Vidals <gvi...@gmail.com> wrote:
> >> > Thanks for the quick reply.
> >> >
> >> > I do see that mktemp exists and that the temp files have been created
> >> > successfully on more than one occasion as you can see below. What other
> >> > reason could there be for cat and tr running astray and consuming lots of
> >> > CPU. (cat and tr will run for hours unless killed manually).
> >> >
> >> > # which mktemp
> >> > /bin/mktemp
> >> >
> >> > # ls -l /var/ossec/ossec-hosts.*
> >> > -rw------- 1 root ossec 0 Jan  2 01:15 /var/ossec/ossec-hosts.7aypDtwpES
> >> > -rw------- 1 root ossec 0 Dec  3 00:31 /var/ossec/ossec-hosts.IeJGMBWseD
> >> > -rw------- 1 root ossec 0 Nov  2 01:58 /var/ossec/ossec-hosts.IxQvPzkSbn
> >> > -rw------- 1 root ossec 0 Dec 10 23:31 /var/ossec/ossec-hosts.QV2a7VwilS
> >> > -rw------- 1 root ossec 0 Nov 10 23:32 /var/ossec/ossec-hosts.Rr0j0L3RTV
> >> > -rw------- 1 root ossec 0 Jan 17 02:23 /var/ossec/ossec-hosts.SKfz9m2LPG
> >> > -rw------- 1 root ossec 0 Jan 17 02:39 /var/ossec/ossec-hosts.SrSTWhUNH1
> >> >
> >> > On Tuesday, January 20, 2015 at 3:47:28 PM UTC-8, Gil Vidals wrote:
> >> >>
> >> >> We're running ossec 2.8 and are finding instances where cat and tr are
> >> >> consuming a lot of CPU. The cat and tr processes have to be killed with
> >> >> the kill command since restarting ossec doesn't kill them.
> >> >>
> >> >> How can the runaway cat and tr processes be prevented?
> >> >>
> >> >> I found the portion of the ossec code that calls the cat and tr
> >> >> functions:
> >> >>
> >> >> elif [ "x${ACTION}" = "xdelete" ]; then
> >> >>    lock;
> >> >>    TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
> >> >>    if [ "X${TMP_FILE}" = "X" ]; then
> >> >>      # Cheap fake tmpfile, but should be harder then no random data
> >> >>      TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1 `"
> >> >>    fi
> >> >>    if [ "X$UNAME" = "XFreeBSD" ]; then
> >> >>     cat /etc/hosts.allow | grep -v "ALL : ${IP} : deny$"> ${TMP_FILE}
> >> >>     mv ${TMP_FILE} /etc/hosts.allow
> >> >>    else
> >> >>     cat /etc/hosts.deny | grep -v "ALL:${IP}$"> ${TMP_FILE}
> >> >>     cat ${TMP_FILE} > /etc/hosts.deny
> >> >>     rm ${TMP_FILE}
> >> >>    fi
> >> >>    unlock;
> >> >>    exit 0;
> >> >>
> >> >> Thanks in advance for any help you can provide in resolving this issue.
> >> >
> >>
> >> Ok, what happens if you run that command manually?
> >>



-- 
*David Breise*
Etica, Inc.
dbre...@eticainc.com
760.705.4022
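
An added example, not part of the original thread and not OSSEC's own host-deny.sh: a variant of the quoted delete action's temp-file step in which the fallback reads a fixed 16 bytes from /dev/urandom, so no unbounded "cat /dev/urandom" producer is ever started, and the temp file is always removed. The function names and the directory and file arguments are hypothetical; the quoted script hard-codes /var/ossec and /etc/hosts.deny.

```shell
#!/bin/sh
# Added example (not OSSEC's host-deny.sh). Function names and the directory
# and file arguments are hypothetical; the quoted script hard-codes its paths.

# Fallback name generator: reads exactly 16 bytes, so no process is left
# reading /dev/urandom once the name has been produced.
fallback_tmp_file() {
    suffix=$(dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "${#suffix}" -eq 32 ] || return 1
    tmp="$1/ossec-hosts.${suffix}"
    # umask 077 gives mode 0600; noclobber (set -C) refuses an existing name.
    ( umask 077; set -C; : > "$tmp" ) 2>/dev/null || return 1
    printf '%s\n' "$tmp"
}

# Prefer mktemp; use the bounded fallback only if mktemp fails or prints nothing.
make_tmp_file() {
    tmp=$(mktemp "$1/ossec-hosts.XXXXXXXXXX" 2>/dev/null) || tmp=""
    if [ -n "$tmp" ]; then
        printf '%s\n' "$tmp"
    else
        fallback_tmp_file "$1"
    fi
}

# Remove the "ALL:<ip>" line from a hosts.deny-style file, always deleting
# the temp file so no zero-byte ossec-hosts.* files accumulate.
remove_deny_entry() {
    deny_file=$1 ip=$2 tmp_dir=$3
    tmp_file=$(make_tmp_file "$tmp_dir") || return 1
    # grep -v exits 1 when it selects no lines; only a status above 1 is an error.
    grep -v "ALL:${ip}\$" "$deny_file" > "$tmp_file" || [ $? -eq 1 ] || {
        rm -f "$tmp_file"
        return 1
    }
    # Rewrite in place (as the quoted script does) to keep the file's inode and mode.
    cat "$tmp_file" > "$deny_file"
    rm -f "$tmp_file"
}
```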
