[ovirt-users] OSSEC reporting hidden processes

Charles Kozler ckozleriii at gmail.com
Mon Mar 20 15:59:49 UTC 2017


Hi -

I am wondering why OSSEC would be reporting hidden processes on my ovirt
nodes. I run OSSEC across the infrastructure, and multiple ovirt clusters
have assorted nodes that will report a process is running but does not have
an entry in /proc, and thus a "possible rootkit" alert is fired.

I am well aware that I do not have rootkits on these systems, but am
wondering what exactly inside ovirt is causing this to trigger. Or any
ideas? Below is a sample alert. All my google-fu turns up is that a process
would have to **try** to hide itself from /proc, so I am curious what this is
inside ovirt. Thanks!

-------------

OSSEC HIDS Notification.
2017 Mar 20 11:54:47

Received From: (ovirtnode2.mydomain.com2) any->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event
(rootcheck)."
Portion of the log(s):

Process '24574' hidden from /proc. Possible kernel level rootkit.



 --END OF NOTIFICATION

------------
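The alert above comes from the rootcheck comparison between a kernel-level liveness probe (kill(pid, 0) and similar calls) and the /proc listing that ps relies on. A process that exits between those two probes looks, for one scan, exactly like a process that is alive but missing from /proc. The following is an added example, not code from the post or from OSSEC, that reproduces that rootcheck-style check on Linux, forces the race with a constructed short-lived child, and shows how a second liveness probe separates a transient process from one that is genuinely absent from /proc. The hook `between_probes` and the helper names are assumptions for the demonstration.

```python
"""Rootcheck-style 'process hidden from /proc' scan and the short-lived-process
race behind benign reports. Linux only (relies on /proc and kill(pid, 0))."""
import os
import subprocess
import sys
from typing import Callable, Iterable


def pid_alive(pid: int) -> bool:
    """Kernel-level liveness probe: kill(pid, 0) delivers no signal but fails
    with ESRCH if the PID does not exist. EPERM means the PID exists but
    belongs to another user, which still counts as alive."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def in_proc(pid: int) -> bool:
    """The /proc view that ps and most userland tools rely on."""
    return os.path.isdir(f"/proc/{pid}")


def find_hidden(pids: Iterable[int], recheck: bool = True,
                between_probes: Callable[[int], None] = lambda pid: None) -> list[int]:
    """Return PIDs the kernel reports alive but /proc does not list.

    between_probes is a hook used only by the demonstration below; it runs
    after the kernel probe and before the /proc lookup, the window in which a
    process can exit on a busy host."""
    hidden = []
    for pid in pids:
        if not pid_alive(pid):
            continue
        between_probes(pid)
        if in_proc(pid):
            continue
        # Kernel said alive, /proc disagrees. Probe the kernel again: a
        # process that merely exited between the two checks is now gone from
        # both views, so only a persistent discrepancy is worth reporting.
        if recheck and not pid_alive(pid):
            continue
        hidden.append(pid)
    return hidden


def simulate_short_lived(recheck: bool) -> list[int]:
    """Start a child that exits immediately (constructed for the demo) and let
    it finish and be reaped between the kernel probe and the /proc lookup."""
    child = subprocess.Popen([sys.executable, "-c", "pass"])

    def let_it_exit(pid: int) -> None:
        if pid == child.pid:
            child.wait()  # reaps the child, so /proc/<pid> disappears

    return find_hidden([child.pid], recheck=recheck, between_probes=let_it_exit)


if __name__ == "__main__":
    # Single-pass scan: the exited child is reported as hidden (a false positive).
    print("without re-check:", simulate_short_lived(recheck=False))
    # Re-probed scan: the transient process is dropped from the report.
    print("with re-check:   ", simulate_short_lived(recheck=True))
```

Run as a script to see both outcomes; a production scan would iterate all PIDs up to /proc/sys/kernel/pid_max rather than one constructed child, and a PID that stays alive through the re-probe while remaining absent from /proc is the case that still deserves investigation.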

