On Mon, Mar 20, 2017 at 5:59 PM, Charles Kozler <ckozler...@gmail.com> wrote:
> Hi -
>
> I am wondering why OSSEC would be reporting hidden processes on my ovirt
> nodes? I run OSSEC across the infrastructure and multiple ovirt clusters
> have assorted nodes that will report a process is running but does not have
> an entry in /proc and thus "possible rootkit" alert is fired
>
> I am well aware that I do not have rootkits on these systems but am
> wondering what exactly inside ovirt is causing this to trigger? Or any
> ideas? Below is sample alert. All my google-fu turns up is that a process
> would have to **try** to hide itself from /proc, so curious what this is
> inside ovirt. Thanks!
>
> -------------
>
> OSSEC HIDS Notification.
> 2017 Mar 20 11:54:47
>
> Received From: (ovirtnode2.mydomain.com2) any->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> (rootcheck)."
> Portion of the log(s):
>
> Process '24574' hidden from /proc. Possible kernel level rootkit.

What do you get from:

ps -eLf | grep -w 24574

Thanks,
--
Didi
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
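
Added example, not part of the original thread: the -L flag in the `ps -eLf` command above lists threads (LWPs), and on Linux a thread ID is not returned when /proc is listed but does appear under /proc/<pid>/task/. The sketch below checks whether a reported ID is a listed process, a thread of one, or neither; the function names and the constructed sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# classify_id ID [PROC_ROOT]
# Prints one of:
#   "process ID"     ID is a thread-group leader listed in PROC_ROOT
#   "thread-of PID"  ID is a thread (LWP) belonging to process PID
#   "not-found"      no listed process owns a task with that ID
classify_id() {
    id=$1
    root=${2:-/proc}
    case $id in
        ''|*[!0-9]*) echo "usage: classify_id ID [PROC_ROOT]" >&2; return 2 ;;
    esac
    # The glob walks the directory listing, which holds one entry per
    # process; thread IDs only show up under <pid>/task/.
    for p in "$root"/[0-9]*; do
        [ -d "$p/task/$id" ] || continue
        pid=${p##*/}
        if [ "$pid" = "$id" ]; then
            echo "process $id"
        else
            echo "thread-of $pid"
        fi
        return 0
    done
    echo "not-found"
    return 1
}

# Constructed sample tree (not real host data): process 100 owns a second
# thread with ID 24574, process 200 is single-threaded.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/100/task/100" "$t/100/task/24574" "$t/200/task/200"
    echo "$t"
}

# When run with arguments, classify against the live /proc (or a given root).
if [ "$#" -gt 0 ]; then
    classify_id "$@"
fi
```

A "thread-of" result for the alerted ID points at a multi-threaded process as the owner; "not-found" on a live host means the ID either exited in the meantime or warrants further investigation.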