On Mon, Mar 20, 2017 at 5:59 PM, Charles Kozler <ckozleriii@gmail.com> wrote:
> Hi -
>
> I am wondering why OSSEC would be reporting hidden processes on my ovirt
> nodes? I run OSSEC across the infrastructure and multiple ovirt clusters
> have assorted nodes that will report a process is running but does not have
> an entry in /proc and thus "possible rootkit" alert is fired
>
> I am well aware that I do not have rootkits on these systems but am
> wondering what exactly inside ovirt is causing this to trigger? Or any
> ideas? Below is sample alert. All my google-fu turns up is that a process
> would have to **try** to hide itself from /proc, so curious what this is
> inside ovirt. Thanks!
>
> -------------
>
> OSSEC HIDS Notification.
> 2017 Mar 20 11:54:47
>
> Received From: (ovirtnode2.mydomain.com2) any->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> (rootcheck)."
> Portion of the log(s):
>
> Process '24574' hidden from /proc. Possible kernel level rootkit.
What do you get from:
ps -eLf | grep -w 24574
Thanks,
--
Didi