On Tue, Dec 20, 2016 at 1:41 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Tue, Dec 20, 2016 at 1:40 PM, David Breise <dbre...@eticainc.com> wrote:
>> [root@turpentine ossec]# cat /etc/*release
>> CentOS release 6.8 (Final)
>> LSB_VERSION=base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
>> CentOS release 6.8 (Final)
>> CentOS release 6.8 (Final)
>> You have new mail in /var/spool/mail/root
>>
>> The only evidence left behind is a long-running "cat /dev/urandom" process hogging CPU.
>>
>
> I've just set up a Centos 7 install (for something else), so I'll try
> with that first.
> Thanks for the info!
>


After correcting the spaces around the "=" issues in the hosts-deny.sh
script, it works fine on centos7.
(commit that fixed this:
https://github.com/ossec/ossec-hids/commit/3e46edf1c032d7b6c8d72e9cf1e443e33a92ce3b)

I'll try centos6.8 tomorrow.

>> On Tue, Dec 20, 2016 at 10:31 AM, dan (ddp) <ddp...@gmail.com> wrote:
>>>
>>> On Tue, Dec 20, 2016 at 1:19 PM, David Breise <dbre...@eticainc.com>
>>> wrote:
>>> > Tested commands manually, no errors returned.  This is still a problem for us.
>>> >
>>>
>>> Which distribution are you using? I'm wondering why mktemp isn't being
>>> used (or why it's failing).
>>>
>>> > On Wednesday, January 21, 2015 at 9:32:27 AM UTC-8, dan (ddpbsd) wrote:
>>> >>
>>> >> On Wed, Jan 21, 2015 at 11:11 AM, Gil Vidals <gvi...@gmail.com> wrote:
>>> >> > Thanks for the quick reply.
>>> >> >
>>> >> > I do see that mktemp exists and that the temp files have been created
>>> >> > successfully on more than one occasion, as you can see below. What other
>>> >> > reason could there be for cat and tr running astray and consuming lots of
>>> >> > CPU? (cat and tr will run for hours unless killed manually.)
>>> >> >
>>> >> > # which mktemp
>>> >> > /bin/mktemp
>>> >> >
>>> >> > # ls -l /var/ossec/ossec-hosts.*
>>> >> > -rw------- 1 root ossec 0 Jan  2 01:15 /var/ossec/ossec-hosts.7aypDtwpES
>>> >> > -rw------- 1 root ossec 0 Dec  3 00:31 /var/ossec/ossec-hosts.IeJGMBWseD
>>> >> > -rw------- 1 root ossec 0 Nov  2 01:58 /var/ossec/ossec-hosts.IxQvPzkSbn
>>> >> > -rw------- 1 root ossec 0 Dec 10 23:31 /var/ossec/ossec-hosts.QV2a7VwilS
>>> >> > -rw------- 1 root ossec 0 Nov 10 23:32 /var/ossec/ossec-hosts.Rr0j0L3RTV
>>> >> > -rw------- 1 root ossec 0 Jan 17 02:23 /var/ossec/ossec-hosts.SKfz9m2LPG
>>> >> > -rw------- 1 root ossec 0 Jan 17 02:39 /var/ossec/ossec-hosts.SrSTWhUNH1
>>> >> >
>>> >> > On Tuesday, January 20, 2015 at 3:47:28 PM UTC-8, Gil Vidals wrote:
>>> >> >>
>>> >> >> We're running ossec 2.8 and are finding instances where cat and tr are
>>> >> >> consuming a lot of CPU. The cat and tr processes have to be killed with
>>> >> >> the kill command since restarting ossec doesn't kill them.
>>> >> >>
>>> >> >> How can the runaway cat and tr processes be prevented?
>>> >> >>
>>> >> >> I found the portion of the ossec code that calls the cat and tr functions:
>>> >> >>
>>> >> >> elif [ "x${ACTION}" = "xdelete" ]; then
>>> >> >>    lock;
>>> >> >>    TMP_FILE=`mktemp /var/ossec/ossec-hosts.XXXXXXXXXX`
>>> >> >>    if [ "X${TMP_FILE}" = "X" ]; then
>>> >> >>      # Cheap fake tmpfile, but should be harder than no random data
>>> >> >>      TMP_FILE="/var/ossec/ossec-hosts.`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -1`"
>>> >> >>    fi
>>> >> >>    if [ "X$UNAME" = "XFreeBSD" ]; then
>>> >> >>     cat /etc/hosts.allow | grep -v "ALL : ${IP} : deny$" > ${TMP_FILE}
>>> >> >>     mv ${TMP_FILE} /etc/hosts.allow
>>> >> >>    else
>>> >> >>     cat /etc/hosts.deny | grep -v "ALL:${IP}$" > ${TMP_FILE}
>>> >> >>     cat ${TMP_FILE} > /etc/hosts.deny
>>> >> >>     rm ${TMP_FILE}
>>> >> >>    fi
>>> >> >>    unlock;
>>> >> >>    exit 0;
>>> >> >>
>>> >> >> Thanks in advance for any help you can provide in resolving this issue.
>>> >> >
>>> >>
>>> >> Ok, what happens if you run that command manually?
>>> >>
>>> >> > --
>>> >> >
>>> >> > ---
>>> >> > You received this message because you are subscribed to the Google
>>> >> > Groups
>>> >> > "ossec-list" group.
>>> >> > To unsubscribe from this group and stop receiving emails from it,
>>> >> > send
>>> >> > an
>>> >> > email to ossec-list+...@googlegroups.com.
>>> >> > For more options, visit https://groups.google.com/d/optout.
>>> >
>>>
>>
>> --
>> David Breise
>> Etica, Inc.
>> dbre...@eticainc.com
>> 760.705.4022
>>

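Added example, not code from the thread or from OSSEC's host-deny.sh: a POSIX sh rewrite of the "delete" branch quoted above that keeps the mktemp-first behaviour but cannot leave a cat/tr pipeline behind, because the fallback reads a fixed number of bytes from /dev/urandom with dd instead of an unbounded cat. It assumes Linux-style "ALL:<ip>" lines in hosts.deny (the FreeBSD hosts.allow branch is left out) and leaves the script's lock/unlock helpers aside. The MKTEMP variable and the demo function are additions made only so the fallback path can be exercised on a box that has mktemp; the sample hosts.deny contents are constructed for the demo.

```sh
#!/bin/sh
# Added example, not OSSEC's host-deny.sh. Assumptions: entries look like
# "ALL:<ip>" (Linux branch only); lock/unlock of the real script omitted.

# Fallback suffix for when mktemp is missing or fails. dd hands exactly 512
# bytes down the pipe, so tr and cut see EOF and exit on their own; nothing
# here depends on SIGPIPE or EPIPE ever reaching a reader of /dev/urandom.
random_suffix() {
    dd if=/dev/urandom bs=512 count=1 2>/dev/null \
        | LC_ALL=C tr -dc 'a-zA-Z0-9' | cut -c1-10
}

# Create a private (0600) temp file in DIR and print its path. Prefer mktemp;
# otherwise build a name from random_suffix and create it with noclobber
# (set -C) so an already existing path is refused rather than reused.
# MKTEMP is a test hook (set MKTEMP=false to force the fallback).
make_tmp() {
    dir=$1
    tmp=$("${MKTEMP:-mktemp}" "${dir}/ossec-hosts.XXXXXXXXXX" 2>/dev/null)
    if [ -n "$tmp" ]; then
        printf '%s\n' "$tmp"
        return 0
    fi
    suffix=$(random_suffix)
    [ "${#suffix}" -eq 10 ] || return 1
    tmp="${dir}/ossec-hosts.${suffix}"
    (umask 077; set -C; : > "$tmp") 2>/dev/null || return 1
    printf '%s\n' "$tmp"
}

# Remove the "ALL:<ip>" line for IP from DENY_FILE.
remove_deny_entry() {
    ip=$1
    deny=$2
    tmp=$(make_tmp "$(dirname "$deny")") || return 1
    # -F matches the IP literally (dots are not regex wildcards, unlike the
    # original's "ALL:${IP}$"), -x requires the whole line to match.
    grep -v -x -F "ALL:${ip}" "$deny" > "$tmp"
    rc=$?
    if [ "$rc" -gt 1 ]; then          # 1 only means no lines were left
        rm -f "$tmp"
        return 1
    fi
    # Copy back through the existing inode, as the original does, so the
    # owner and mode of hosts.deny are preserved; mv would leave it 0600.
    cat "$tmp" > "$deny"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Runs remove_deny_entry over a constructed hosts.deny in a scratch directory.
# Succeeds only if the 10.0.0.1 entry is gone and the other two survive.
demo() {
    work=$(mktemp -d) || return 1
    printf 'ALL:10.0.0.1\nALL:10.0.0.10\nsshd:192.0.2.7\n' > "${work}/hosts.deny"
    remove_deny_entry 10.0.0.1 "${work}/hosts.deny" || { rm -rf "$work"; return 1; }
    left=$(cat "${work}/hosts.deny")
    rm -rf "$work"
    [ "$left" = "$(printf 'ALL:10.0.0.10\nsshd:192.0.2.7')" ]
}

demo && echo "removed ALL:10.0.0.1; other entries intact"
```

Two details worth checking in any copy of the original script. The test on TMP_FILE needs the spaces around "=": written as `[ "X${TMP_FILE}"="X" ]` it is a single non-empty word, which test always treats as true, so the urandom fallback runs on every call even when mktemp succeeded; that is the kind of spacing problem dan's fix addresses. And the original fallback only ends when cat and tr notice, through SIGPIPE or EPIPE, that head has exited; the dd-based version above terminates by reaching EOF regardless of what signal disposition the script inherited from whatever launched it.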