#59 closed defect (fixed)
Processcheck reports large number of Fake pid
| Reported by: | Owned by: | rainer | |
|---|---|---|---|
| Priority: | major | Milestone: | 2.3.4 |
| Component: | main | Version: | 2.3.3 |
| Keywords: | Cc: |
Description
My installation of samhain 2.3.3 (compiled with processcheck) reports a huge number of fake pids incidents. The email reports look something like this
[2007-04-17T08:51:21+0200] server1.xxxxxxxxx.xxx CRIT : [2007-04-17T08:36:27+0200] msg=<POLICY [Process] Fake pid: 6189 tests: ps(initial) ps(final)> CRIT : [2007-04-17T08:36:27+0200] msg=<POLICY [Process] Fake pid: 6194 tests: ps(initial) ps(final)> CRIT : [2007-04-17T08:36:27+0200] msg=<POLICY [Process] Fake pid: 6195 tests: ps(initial) ps(final)> MARK : [2007-04-17T08:36:27+0200] msg=<---- TIMESTAMP ----> CRIT : [2007-04-17T08:41:21+0200] msg=<POLICY [Process] Fake pid: 13097 tests: ps(initial) ps(final)> CRIT : [2007-04-17T08:41:21+0200] msg=<POLICY [Process] Fake pid: 13375 tests: ps(initial) ps(final)> CRIT : [2007-04-17T08:46:21+0200] msg=<POLICY [Process] Fake pid: 23443 tests: ps(initial) ps(final)> MARK : [2007-04-17T08:46:22+0200] msg=<---- TIMESTAMP ----> CRIT : [2007-04-17T08:51:21+0200] msg=<POLICY [Process] Fake pid: 1236 tests: ps(initial) ps(final)> CRIT : [2007-04-17T08:51:21+0200] msg=<POLICY [Process] Fake pid: 1523 tests: ps(initial) ps(final)>
The system is Slackware 11.0 installation running linux kernel 2.6.19.2 on a multiprocessor/multikernel architecture.
(and by the way, thanks for a GREAT piece of software)
Change History (2)
comment:1 by , 17 years ago
comment:2 by , 17 years ago
| Milestone: | → 2.3.4 |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
Fixed in changeset [103].
Note:
See TracTickets
for help on using tickets.
Since these PIDs apparently are in the output of ps (ps -eT by default), do you have any idea what kind of processes these are?