Help with pignore / Ubuntu Landscape

autumnwalker · Post by **autumnwalker** » 12 Oct 2019, 12:39

Hi Folks,

I've been reading the forums and the readme and I cannot get this sorted out. I have a server running Ubuntu Landscape and the following four "command line" items keep triggering CSF for excessive research usage:

/usr/bin/python3 /usr/bin/landscape-monitor --ignore-sigint --quiet
/usr/bin/python3 /usr/bin/landscape-broker --ignore-sigint --quiet
/usr/bin/python3 /usr/bin/landscape-package-reporter
/usr/bin/python3 /usr/bin/landscape-package-changer --quiet

Example email:

Time: Sat Oct 12 08:20:15 2019 -0300
Account: landscape
Resource: Virtual Memory Size
Exceeded: 274 > 256 (MB)
Executable: /usr/bin/python3.6
Command Line: /usr/bin/python3 /usr/bin/landscape-package-reporter --quiet
PID: 8052 (Parent PID:23501)
Killed: No

I've tried various combinations of cmd: and pcmd: to ignore them, but nothing is working. What is the right way to ignore these commands?

Thanks!

autumnwalker · Post by **autumnwalker** » 13 Oct 2019, 12:18

I've tried:

exe:/usr/bin/python3.6
pexe:/usr/bin/python3.*
cmd:/usr/bin/python3 /usr/bin/landscape-monitor
pcmd:/usr/bin/python3 /usr/bin/landscape-*

Nothing is working. Still getting hammered by alerts.

BallyBasic79 · Post by **BallyBasic79** » 15 Oct 2019, 07:49

# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi

The . needs to be escaped:
exe:/usr/bin/python3\.6

HTH

autumnwalker · Post by **autumnwalker** » 15 Oct 2019, 18:24

I ended up going with user:landscape which seems to have stopped the emails.

What is the right way to ignore these processes?

BallyBasic79 · Post by **BallyBasic79** » 15 Oct 2019, 19:33

For detail, refer to 8. Process Tracking in https://download.configserver.com/csf/readme.txt (if you haven't already.)

There are several notes in the readme on identifying the source of the process that CSF uses for evaluation (/proc), where to get more information, and a caution about a problematic NULL character that can be inadvertently copied into the pignore file.

I hope this helps you solve this.

autumnwalker · Post by **autumnwalker** » 15 Oct 2019, 19:38

Thanks @BallyBasic79. I did read the readme, but it has not answered my question.

What is the right way to ignore this process? Should I ignore python altogether (seems wrong) or should I ignore the command (it's suggested that is dangerous)? I've ignored the user which (in my environment) is likely ok, but could be problematic if that user is compromised.

BallyBasic79 · Post by **BallyBasic79** » 15 Oct 2019, 20:00

You could try:
exe:/usr/bin/python3.6 (sorry, exe does not need to be escaped.)
pcmd:/usr/bin/python3 /usr/bin/landscape-.* (fixed .* at end)

You can also raise the 256 (MB) Virtual Memory Size threshold.

ConfigServer Community Forum

Help with pignore / Ubuntu Landscape

Help with pignore / Ubuntu Landscape

Re: Help with pignore / Ubuntu Landscape

Re: Help with pignore / Ubuntu Landscape

Re: Help with pignore / Ubuntu Landscape

Re: Help with pignore / Ubuntu Landscape

Re: Help with pignore / Ubuntu Landscape

Re: Help with pignore / Ubuntu Landscape