[Xymon] Bug? procs test going red green every hour

Jeremy Laidman jeremy at laidman.org
Fri Mar 22 00:10:06 CET 2024 

This seems to be an artefact of the "xymon" command, perhaps sanitising
input. If I run this command:

printf "data `uname -n`.TEST\ntesting\    \ntesting\n" | { telnet 127.1
1984; sleep 1; }

the message gets to xymon as is, with a backslash and some trailing
spaces, as in "testing\<space><space><space><newline>testing<newline>". If
I change the command after the pipe to xymon, like so:

printf "data `uname -n`.TEST\ntesting\    \ntesting\n" | xymon 127.1 @

then the message appears as "testingtesting" with all of the whitespace
stripped out. This effect happens for when one or more spaces or tabs
follows a backslash and is then followed by a newline. (Interestingly, a
carriage return in the whitespace seems to also corrupt the string after
the newline - possibly leading to a buffer overflow in some cases - and
while this is unlikely in the output of "ps", there may be other ways to
abuse xymon with this technique.)

So I think the issue is triggered for you when the ps output has "sed ...
security.cron:<space>".

I suspect if you clean up the output of the "ps" line in
xymonclient-linux.sh to remove trailing whitespace, then it might fix your
problem. Something like this:

ps -Aww f -o
pid,ppid,user,start,state,pri,pcpu,time:12,pmem,rsz:10,vsz:10,cmd | sed 's/
*$//'

J


On Fri, 22 Mar 2024 at 07:11, John Horne <john.horne at plymouth.ac.uk> wrote:

> On Thu, 2024-03-21 at 15:38 +0000, John Horne wrote:
> >
> > I need to do more testing, but am a little lost as to whether the bug
> (if it
> > exists) is in the 'ps' output, the way it is recorded in the hostdata
> file or
> > in the processing of the 'procs' test.
> >
> Running tcpdump of what is being sent to the main Xymon server shows that
> the
> corrupted line is occurring on the client. So I need to look into the
> xymonclient side of things.
>
>
> John.
>
> --
> John Horne | Senior Operations Analyst | Technology and Information
> Services
> University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
> ________________________________
> [https://www.plymouth.ac.uk/images/email_footer.gif]<
> http://www.plymouth.ac.uk/worldclass>
>
> This email and any files with it are confidential and intended solely for
> the use of the recipient to whom it is addressed. If you are not the
> intended recipient then copying, distribution or other use of the
> information contained is strictly prohibited and you should not rely on it.
> If you have received this email in error please let the sender know
> immediately and delete it from your system(s). Internet emails are not
> necessarily secure. While we take every care, University of Plymouth
> accepts no responsibility for viruses and it is your responsibility to scan
> emails and their attachments. University of Plymouth does not accept
> responsibility for any changes made after it was sent. Nothing in this
> email or its attachments constitutes an order for goods or services unless
> accompanied by an official order form.
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20240322/b756e78e/attachment.htm>

More information about the Xymon mailing list