Unfortunately by the time I am able to SSH to the server and start looking around, that PID is nowhere to be found.

So it seems something winds up in ovirt, runs, doesn't register in /proc (I think even threads register themselves in /proc), and then dies off.

Any ideas?

On Tue, Mar 21, 2017 at 3:10 AM, Yedidyah Bar David <didi@redhat.com> wrote:
On Mon, Mar 20, 2017 at 5:59 PM, Charles Kozler <ckozleriii@gmail.com> wrote:
> Hi -
>
> I am wondering why OSSEC would be reporting hidden processes on my ovirt
> nodes? I run OSSEC across the infrastructure and multiple ovirt clusters
> have assorted nodes that will report a process is running but does not have
> an entry in /proc and thus "possible rootkit" alert is fired
>
> I am well aware that I do not have rootkits on these systems but am
> wondering what exactly inside ovirt is causing this to trigger? Or any
> ideas? Below is sample alert. All my google-fu turns up is that a process
> would have to **try** to hide itself from /proc, so curious what this is
> inside ovirt. Thanks!
>
> -------------
>
> OSSEC HIDS Notification.
> 2017 Mar 20 11:54:47
>
> Received From: (ovirtnode2.mydomain.com2) any->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> (rootcheck)."
> Portion of the log(s):
>
> Process '24574' hidden from /proc. Possible kernel level rootkit.

What do you get from:

ps -eLf | grep -w 24574

Thanks,
--
Didi
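Added example (not part of the thread, and not OSSEC's rootcheck source): a small Python script that reproduces the kind of check behind rule 510 and shows two ways a live, non-rootkit system can trip it. It assumes, as I understand rootcheck-style scanners, that the scanner first asks the kernel about each PID with kill(pid, 0) and only afterwards looks in /proc; that ordering is what makes a process that exits in between look "hidden" exactly once. It also covers the thread case behind the ps -eLf suggestion: a non-leader thread ID answers kill(2) and has a readable /proc/<tid>/status, but is never a readdir entry of /proc. All function names are the example's own, the PID 24574 from the alert is used only as a label in the scripted replay, and the scripted probe answers are constructed, not captured.

```python
import os
import subprocess
import sys
import threading
import time

HAS_PROC = os.path.isdir("/proc")   # live demos need a Linux /proc


def kernel_knows(pid):
    """kill(pid, 0) sends nothing but reports existence: ESRCH means no such
    task, EPERM means it exists but belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def listed_in_proc(pid):
    """Is pid a readdir entry of /proc?  Only thread-group leaders are listed;
    a non-leader TID resolves as /proc/<tid> but never appears in readdir."""
    return str(pid) in os.listdir("/proc")


def thread_group_of(tid):
    """Map a TID to its Tgid via /proc/<tid>/status, or None if it is gone."""
    try:
        with open(f"/proc/{tid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None


def classify_once(pid, knows=kernel_knows, listed=listed_in_proc,
                  tgid_of=thread_group_of):
    """One pass in the assumed scanner order: syscall first, /proc second.
    'hidden?' is the only state worth an alert."""
    if not knows(pid):
        return "absent"
    if listed(pid):
        return "visible"
    tgid = tgid_of(pid)
    if tgid is not None and tgid != pid:
        return f"thread of {tgid}"      # what `ps -eLf | grep -w <id>` shows
    return "hidden?"


def classify_confirmed(pid, rounds=3, delay=0.05, **probes):
    """Alert only if pid stays 'hidden?' for every round.  A task that exits
    between the syscall probe and the /proc probe is 'hidden?' once and
    'absent' on the next pass: a transient, not a rootkit."""
    for i in range(rounds):
        verdict = classify_once(pid, **probes)
        if verdict == "absent" and i > 0:
            return "transient"
        if verdict != "hidden?":
            return verdict
        time.sleep(delay)
    return "hidden"


def scripted(*answers):
    """Probe stub replaying constructed answers in turn (last one repeats),
    so the race can be reproduced deterministically."""
    queue = list(answers)
    return lambda _pid: queue.pop(0) if len(queue) > 1 else queue[0]


def demo_transient():
    """Replay the race behind an alert like the one for PID 24574:
    kill(2) says alive, the task exits, /proc no longer lists it."""
    return classify_confirmed(24574, knows=scripted(True, False),
                              listed=scripted(False), tgid_of=scripted(None))


def demo_real_child():
    """Live: a short-lived child is 'visible' while it runs and 'absent'
    once reaped; at no point is it 'hidden'."""
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(0.5)"])
    while_running = classify_confirmed(child.pid)
    child.wait()
    return while_running, classify_once(child.pid)


def demo_thread():
    """Live: a non-leader TID answers kill(2) and has /proc/<tid>/status but
    is not a readdir entry of /proc; it resolves to its Tgid, not an alert."""
    box, done = {}, threading.Event()

    def body():
        box["tid"] = threading.get_native_id()
        done.wait()
    worker = threading.Thread(target=body)
    worker.start()
    while "tid" not in box:
        time.sleep(0.01)
    verdict = classify_once(box["tid"])
    done.set()
    worker.join()
    return verdict == f"thread of {os.getpid()}"


if __name__ == "__main__":
    print("scripted race:", demo_transient())
    if HAS_PROC:
        print("real child   :", demo_real_child())
        print("thread TID   :", demo_thread())
```

Run as root on a node right after an alert and feed it the PID: classify_confirmed returning "transient" means the task simply exited mid-scan, "thread of N" means you were looking at a TID that ps -eLf would have shown under process N, and only "hidden" across every round is the case worth chasing further with /proc/<pid>/task and an out-of-band process listing.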