Hi. I have two problems with ASL. They started appearing a few days ago (not at the same time). After install everything seemed fine for a couple of weeks and then it hit us:
1. Urchin stopped working and I get this by mail: if I want to open domain.com:9999/, where urchin was usually running, I receive a 500 error + email with the following content:
OSSEC HIDS Notification.
2008 Jun 24 12:00:15
Received From: www->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Jun 24 12:00:14 www kernel: grsec: From 212.118.92.27: denied untrusted exec of /usr/local/urchin/htdocs/session.cgi by /usr/local/urchin/bin/urchinwebd[urchinwebd:30120] uid/euid:99/99 gid/egid:2522/2522, parent /usr/local/urchin/bin/urchinwebd[urchinwebd:30110] uid/euid:99/99 gid/egid:2522/2522
2. Mplayer stopped working and I get this by mail:
OSSEC HIDS Notification.
2008 Jun 25 10:52:18
Received From: www->/var/log/httpd/error_log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
/usr/bin/mplayer: error while loading shared libraries: libdv.so.4: cannot enable executable stack as shared object requires: Permission denied
--END OF NOTIFICATION
What can I do?
Problems
- Atomicorp Staff - Site Admin
For urchin, apparently it uses setuid binaries and therefore you cannot use the Trusted Path Execution policy with it. Urchin is aware of this issue, but since they're largely going away probably won't ever fix it. What you can do is remove the user "nobody" from the untrusted group.
Do you use mplayer somehow through apache? If not the latter message could indicate that something malicious is going on.
- Atomicorp Staff - Site Admin
Gotcha, is that an RPM? You can check with:
rpm -qf /usr/bin/mplayer
As a workaround until I get an update to trigger on that, you can try the following:
execstack -c /usr/bin/mplayer
That removes the bit on the binary where it says it needs an executable stack. 99% of the time when someone says they need that, they're lying.

Hi,
well on the first command the output is:
mplayer-1.0-0.38.rc1try2.el4.rf
while on the second there is no output and it also doesn't seem to do the trick
The Mplayer website: http://www.mplayerhq.hu/design7/dload.html
I will also check with the guys that developed the video script...maybe they have some clue
Oh and regarding urchin, removing nobody from untrusted group triggers this:
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Jun 25 18:12:48 www kernel: grsec: From 84.20.245.46: denied untrusted exec of /usr/local/urchin/htdocs/session.cgi by /usr/local/urchin/bin/urchinwebd[urchinwebd:16931] uid/euid:99/99 gid/egid:2522/2522, parent /usr/local/urchin/bin/urchinwebd[urchinwebd:16620] uid/euid:99/99 gid/egid:2522/2522