some false positive reports #1
Since the output is 2000+ lines, I've placed the file for you here: Additionally, I've created a port prototype: |
I've installed jenkins and reproduced the 1st of your cases. It might be that the JRE creates some executable code on-the-fly (possibly by JIT), mmaps it for read+execute, then unlinks the underlying file. Sadly, once the file is gone, its file-system path can no longer be recovered (or at least I have no knowledge of how to do so); the only information left is the file system id and an inode, but I couldn't reproduce the Apache case, but it seems your configuration is pretty large and loads lots of modules. Any suggestions on how to deal with it? |
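The situation described in the comment above, as an added example that is not part of the thread or of lsop: a process maps a file and then unlinks it, after which the mapping still works but only the file system id and inode can be read back. The function and struct names and the `/tmp` path are assumptions made for this sketch, and it observes the file from inside the process through a kept descriptor.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

struct unlinked_map {       /* hypothetical name, used only in this example */
    int path_gone;          /* 1 if stat() on the old path now fails */
    int still_readable;     /* 1 if the mapping still holds the file's bytes */
    long nlink;             /* link count reported by fstat() after unlink() */
    unsigned long long dev; /* file system id, still available */
    unsigned long long ino; /* inode number, still available */
};

/* Returns 0 on success and fills *out, -1 if any system call fails. */
int demo_unlinked_mapping(struct unlinked_map *out)
{
    static const char payload[] = "constructed sample contents";
    char path[] = "/tmp/unlinked-map-XXXXXX";   /* assumed writable temp dir */
    struct stat by_fd, by_path;
    void *p = MAP_FAILED;
    int rc = -1, fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, payload, sizeof payload) == (ssize_t)sizeof payload)
        p = mmap(NULL, sizeof payload, PROT_READ, MAP_PRIVATE, fd, 0);
    /* PROT_READ is enough here; protection bits do not affect path recovery. */
    if (unlink(path) == 0 && p != MAP_FAILED && fstat(fd, &by_fd) == 0) {
        out->path_gone = (stat(path, &by_path) != 0);
        out->still_readable = (memcmp(p, payload, sizeof payload) == 0);
        out->nlink = (long)by_fd.st_nlink;
        out->dev = (unsigned long long)by_fd.st_dev;
        out->ino = (unsigned long long)by_fd.st_ino;
        rc = 0;
    }
    if (p != MAP_FAILED) munmap(p, sizeof payload);
    close(fd);
    return rc;
}

int main(void)
{
    struct unlinked_map r;
    if (demo_unlinked_mapping(&r) != 0) { perror("demo"); return 1; }
    printf("path gone=%d readable=%d nlink=%ld dev=%llu ino=%llu\n",
           r.path_gone, r.still_readable, r.nlink, r.dev, r.ino);
    return 0;
}
```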
This is what I came up with:
Even better, a new feature might be implemented, allowing |
I just finished checking some other systems where apache is running and none of the other systems was showing the same output, so at the moment I assume lsop was correct in case of the httpd process. In case of jenkins, I suspect that's something from /usr/sbin/daemon; will do some additional tests. |
I've made an initial implementation of whitelisting (a separate branch), perhaps you can give it a try...? |
Not sure if I used the tool the correct way, but it fails on the postfix process.
I know postfix periodically recycles child processes, but I'm sure I've started / stopped postfix also in previous tests. Will wait some time and then look again after postfix has recycled the child processes |
Sadly, after reproducing your case with postfix, and digging through the source code, it turned out
Whereas |
I think it is good to know the limitations, lsop is in every case a fantastic utility to check which process needs a restart after updating installed packages or applying OS patches (I've already deployed it on 40+ systems). What do you think about the port prototype (https://people.freebsd.org/~ohauer/diffs/lsop/lsop.shar)? |
I have some ideas about how to bypass this restriction, although it requires a major rewrite and will take a while: Basically Thanks for the port prototype, but I'll have to read a manual or two first, as I've no idea what is the next step to follow. |
Thanks, this seems to be a really useful tool, especially if someone manages hosts with automation like salt/puppet/...
I suspect these are some false positives, especially if the process is started via daemon or the forked process changes the UID to an unprivileged user