
Hi - I am wondering why OSSEC would be reporting hidden processes on my ovirt nodes?

I run OSSEC across the infrastructure, and multiple ovirt clusters have assorted nodes that will report that a process is running but does not have an entry in /proc, and thus a "possible rootkit" alert is fired. I am well aware that I do not have rootkits on these systems, but I am wondering what exactly inside ovirt is causing this to trigger? Or any ideas? Below is a sample alert.

All my google-fu turns up is that a process would have to **try** to hide itself from /proc, so I am curious what this is inside ovirt.

Thanks!

-------------
OSSEC HIDS Notification.
2017 Mar 20 11:54:47

Received From: (ovirtnode2.mydomain.com2) any->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Process '24574' hidden from /proc. Possible kernel level rootkit.

--END OF NOTIFICATION
------------