Hi EXP,

Is the process execd still running when the zombie process is detected?
In high-concurrency environments, the system might drop the return signal 
of some child processes. In that case, the child sent its signal but execd 
did not receive it, so the child process gets converted into a zombie 
process.
At the moment, execd behaves reactively: it expects the return code 
from the child in order to kill it.
If execd is still alive and the problem is the concurrency, we would add to 
the roadmap a feature for execd to explore the child processes and 
kill those that have finished.

Regards,
Pablo.

On Wednesday, July 31, 2019 at 8:28:08 AM UTC+2, EXP wrote:
>
> Wazuh-Agent version : 3.9.1-1
> AR script : filter_files.sh
>
> [image: zombie.png]
>
>
>
> The script is simple, but there may be a lot of concurrency.
>
> It only appends the filepath to the log via echo.
>
>
> source code :
>
>
>
> #!/bin/bash
> # ------------------------------------------------------------------
> # Example :
> # /var/ossec/active-response/bin/filter_files.sh add - - 1559112882.461842 554 (ip-1-2-3-4) 1.2.3.4->syscheck /var/www/html/155911288077.php
> #-------------------------------------------------------------------
>
>
> FILEPATH=${8}
> LOG_FILE=/var/ossec/logs/php.log
>
> if [ ! -f "${FILEPATH}" ]; then
>   echo "`date '+%Y-%m-%d %H:%M:%S'`- not found : [${FILEPATH}]" >> ${LOG_FILE}
>   exit 0
> fi
>
>
>
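> # Size limit: 1 MiB
> MAX_FILESIZE=$(expr 1024 \* 1024 \* 1)
> # Quote the path so names containing spaces do not split into several arguments
> FILESIZE=$(ls -l "${FILEPATH}" | awk '{print $5}')
> # typeset -l lowercases the value, so the extension match is case-insensitive
> typeset -l FILENAME
> FILENAME=$(basename -- "${FILEPATH}")
> FILE_EXT=".*?\.(php|php3|php4|php5)$"
> # Skip files that are not PHP or that exceed the size limit
> if [[ ! ${FILENAME} =~ ${FILE_EXT} ]] || [ "${FILESIZE}" -gt "${MAX_FILESIZE}" ]; then
>   echo "`date '+%Y-%m-%d %H:%M:%S'`- not upload : [${FILEPATH}]" >> ${LOG_FILE}
>   exit 0
> fi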
>
>
> QUEUE_PATH=/var/ossec/tmp/queue_produces.dat
> echo "${FILEPATH}" >> ${QUEUE_PATH}
> echo "`date '+%Y-%m-%d %H:%M:%S'`- push into upload queue : [${FILEPATH}]" >> ${LOG_FILE}
>
>
>
>

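The failure mode discussed in this message, shown as an added example (not Wazuh or OSSEC source code): several children exit in a burst, the parent gets at most one SIGCHLD for all of them, and a non-blocking sweep still reaps every finished child. The function names `reap_finished_children` and `demo_burst` are hypothetical, and the scenario is constructed.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t sigchld_count = 0;
static void on_sigchld(int sig) { (void)sig; sigchld_count++; }

/* Proactive sweep: reap every child that has already exited, never blocking. */
int reap_finished_children(void) {
    int reaped = 0;
    for (;;) {
        pid_t pid = waitpid(-1, NULL, WNOHANG);
        if (pid > 0) reaped++;
        else if (pid == -1 && errno == EINTR) continue;
        else break; /* 0: the rest are still running; ECHILD: no children */
    }
    return reaped;
}

/* Constructed scenario: n children exit while SIGCHLD is blocked. Stores the
 * number of handler invocations in *delivered, returns the children reaped. */
int demo_burst(int n, int *delivered) {
    struct sigaction sa = {0};
    sigset_t block, old;
    siginfo_t info;
    pid_t pids[64];
    if (n > 64) n = 64;
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGCHLD, &sa, NULL);
    sigemptyset(&block);
    sigaddset(&block, SIGCHLD);
    sigprocmask(SIG_BLOCK, &block, &old);
    sigchld_count = 0;
    for (int i = 0; i < n; i++)
        if ((pids[i] = fork()) == 0) _exit(0);
    for (int i = 0; i < n; i++) /* wait until it is a zombie, leave it unreaped */
        if (pids[i] > 0) waitid(P_PID, (id_t)pids[i], &info, WEXITED | WNOWAIT);
    sigprocmask(SIG_SETMASK, &old, NULL); /* the pending SIGCHLD is delivered here */
    *delivered = (int)sigchld_count;
    return reap_finished_children();
}

int main(void) {
    int delivered, reaped = demo_burst(5, &delivered);
    printf("children=5 SIGCHLD deliveries=%d reaped by sweep=%d\n", delivered, reaped);
}
```

A parent that calls `waitpid` once per SIGCHLD would leave the remaining children as zombies here, because standard signals are not queued.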