Unfortunately by the time I am able to SSH to the server and start looking around, that PID is nowhere to be found.

So it seems something winds up in ovirt, runs, doesn't register in /proc (I think even threads register themselves in /proc), and then dies off.

Any ideas?

On Tue, Mar 21, 2017 at 3:10 AM, Yedidyah Bar David <d...@redhat.com> wrote:

> On Mon, Mar 20, 2017 at 5:59 PM, Charles Kozler <ckozler...@gmail.com> wrote:
> > Hi -
> >
> > I am wondering why OSSEC would be reporting hidden processes on my ovirt
> > nodes? I run OSSEC across the infrastructure and multiple ovirt clusters
> > have assorted nodes that will report a process is running but does not have
> > an entry in /proc and thus "possible rootkit" alert is fired
> >
> > I am well aware that I do not have rootkits on these systems but am
> > wondering what exactly inside ovirt is causing this to trigger? Or any
> > ideas? Below is sample alert. All my google-fu turns up is that a process
> > would have to **try** to hide itself from /proc, so curious what this is
> > inside ovirt. Thanks!
> >
> > -------------
> >
> > OSSEC HIDS Notification.
> > 2017 Mar 20 11:54:47
> >
> > Received From: (ovirtnode2.mydomain.com2) any->rootcheck
> > Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> > (rootcheck)."
> > Portion of the log(s):
> >
> > Process '24574' hidden from /proc. Possible kernel level rootkit.
>
> What do you get from:
>
> ps -eLf | grep -w 24574
>
> Thanks,
> --
> Didi
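An added example, not part of the original thread: the same question the `ps -eLf | grep -w 24574` suggestion asks, answered directly from procfs. On Linux a non-leader thread ID is not shown in a listing of `/proc` but does appear under `/proc/<tgid>/task/<tid>`, so this classifies a reported ID as a process, a thread of some process, or absent. The function names, the parent ID 24000 and the sample tree are constructed for illustration; only 24574 comes from the alert above.

```shell
#!/bin/sh
# Added example (not from the thread). Classify a numeric ID reported by a
# "hidden from /proc" alert.
#
# classify_id ID [PROC_ROOT] prints one of:
#   process           ID is a thread-group leader (a normal PID)
#   thread-of:<tgid>  ID is a non-leader thread (LWP) of process <tgid>
#   absent            nothing with that ID exists at this moment
#   invalid           ID is not a decimal number
classify_id() {
    id=$1
    root=${2:-/proc}
    case $id in
        ''|*[!0-9]*) echo "invalid"; return 2 ;;
    esac
    # Every thread, leader or not, has an entry under its process's task/ dir.
    for task in "$root"/[0-9]*/task/"$id"; do
        [ -d "$task" ] || continue        # unmatched glob stays literal
        tgid=${task#"$root"/}             # strip the proc root prefix
        tgid=${tgid%%/*}                  # keep the owning process ID
        if [ "$tgid" = "$id" ]; then
            echo "process"
        else
            echo "thread-of:$tgid"
        fi
        return 0
    done
    echo "absent"
    return 1
}

# Constructed sample tree (assumption, not real data): process 24000 owns
# threads 24000 and 24574; process 1 is single-threaded.
make_sample_proc() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/24000/task/24000" "$d/24000/task/24574" "$d/1/task/1"
    echo "$d"
}
```

Against a live host the call is `classify_id 24574`. Because the ID in the alert was gone by the time anyone logged in, the check is only meaningful if it runs close to the moment the alert fires.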