<div dir="ltr">Unfortunately, by the time I am able to SSH to the server and start looking around, that PID is nowhere to be found.<div><br></div><div>So it seems something winds up in ovirt, runs, doesn't register in /proc (I think even threads register themselves in /proc), and then dies off.</div><div><br></div><div>Any ideas?</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 21, 2017 at 3:10 AM, Yedidyah Bar David <span dir="ltr"><<a href="mailto:didi@redhat.com" target="_blank">didi@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Mon, Mar 20, 2017 at 5:59 PM, Charles Kozler <<a href="mailto:ckozleriii@gmail.com">ckozleriii@gmail.com</a>> wrote:<br>
> Hi -<br>
><br>
> I am wondering why OSSEC would be reporting hidden processes on my ovirt<br>
> nodes? I run OSSEC across the infrastructure and multiple ovirt clusters<br>
> have assorted nodes that will report a process is running but does not have<br>
> an entry in /proc, and thus a "possible rootkit" alert is fired<br>
><br>
> I am well aware that I do not have rootkits on these systems but am<br>
> wondering what exactly inside ovirt is causing this to trigger? Or any<br>
> ideas? Below is sample alert. All my google-fu turns up is that a process<br>
> would have to **try** to hide itself from /proc, so curious what this is<br>
> inside ovirt. Thanks!<br>
><br>
> -------------<br>
><br>
> OSSEC HIDS Notification.<br>
> 2017 Mar 20 11:54:47<br>
><br>
> Received From: (ovirtnode2.mydomain.com2) any->rootcheck<br>
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event<br>
> (rootcheck)."<br>
> Portion of the log(s):<br>
><br>
> Process '24574' hidden from /proc. Possible kernel level rootkit.<br>
<br>
</span>What do you get from:<br>
<br>
ps -eLf | grep -w 24574<br>
<br>
Thanks,<br>
<span class="HOEnZb"><font color="#888888">--<br>
Didi<br>
</font></span></blockquote></div><br></div>
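An added example, not code from this thread nor OSSEC's own: a Python script that reproduces the comparison behind rule 510 (PIDs the kernel answers for via kill()/getpgid() but that have no /proc entry) and re-samples after a short delay so a PID that simply exited between the two probes, as the disappearing PID above suggests, is not reported. MAX_PID, the 0.5 s delay and the function names are my choices for this example.

```python
import os
import time

# rootcheck walks a fixed PID range rather than reading pid_max; 32768 keeps
# the scan quick here (my choice for this example, not an OSSEC constant).
MAX_PID = 32768

def syscall_visible_pids(max_pid: int = MAX_PID) -> set:
    """PIDs the kernel admits exist, probed the way rootcheck does: kill(pid, 0)
    raises ProcessLookupError (ESRCH) for a missing PID and PermissionError
    (EPERM) for one that exists but we may not signal; getpgid() is a second probe."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except PermissionError:
            found.add(pid)
        except ProcessLookupError:
            try:
                os.getpgid(pid)
                found.add(pid)
            except ProcessLookupError:
                pass
    return found

def proc_entry_exists(pid: int) -> bool:
    """Stat /proc/<pid> instead of reading the /proc listing: non-leader threads
    are omitted from the listing but /proc/<tid> exists, so a listing-based
    check would flag every thread of a multithreaded process as hidden."""
    return os.path.isdir(f"/proc/{pid}")

def hidden_pids(visible: set, proc_has=proc_entry_exists) -> set:
    """Known to the kernel but absent from /proc: what rule 510 reports."""
    return {p for p in visible if not proc_has(p)}

def confirm_hidden(candidates: set, visible: set, proc_has=proc_entry_exists) -> set:
    """Second sample: keep only PIDs that still exist AND are still missing from
    /proc. A process that exited between samples, like the vanishing PID in the
    thread, drops out instead of being reported as a rootkit."""
    return {p for p in candidates if p in visible and not proc_has(p)}

def scan(delay: float = 0.5) -> set:
    """Two-pass scan of the live system; returns PIDs still hidden after re-check."""
    first = hidden_pids(syscall_visible_pids())
    time.sleep(delay)
    return confirm_hidden(first, syscall_visible_pids())

if __name__ == "__main__":
    print("hidden after re-check:", sorted(scan()) or "none")
```

Running it as root gives the fullest picture, since kill(pid, 0) answers EPERM rather than ESRCH for other users' processes either way, but /proc/<pid> of some processes may be unreadable otherwise.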