This seems to be an artefact of the "xymon" command, perhaps sanitising input. If I run this command:
printf "data uname -n.TEST\ntesting\ \ntesting\n" | { telnet 127.1
1984; sleep 1; }
the message gets to xymon as is, with a backslash and some trailing spaces, as in "testing\<space><space><space><newline>testing<newline>". If I change the command after the pipe to xymon, like so:
printf "data uname -n.TEST\ntesting\ \ntesting\n" | xymon 127.1 @
then the message appears as "testingtesting" with all of the whitespace stripped out. This effect happens for when one or more spaces or tabs follows a backslash and is then followed by a newline. (Interestingly, a carriage return in the whitespace seems to also corrupt the string after the newline - possibly leading to a buffer overflow in some cases - and while this is unlikely in the output of "ps", there may be other ways to abuse xymon with this technique.)
So I think the issue is triggered for you when the ps output has "sed ... security.cron:<space>".
I suspect if you clean up the output of the "ps" line in xymonclient-linux.sh to remove trailing whitespace, then it might fix your problem. Something like this:
ps -Aww f -o pid,ppid,user,start,state,pri,pcpu,time:12,pmem,rsz:10,vsz:10,cmd | sed 's/ *$//'
J
On Fri, 22 Mar 2024 at 07:11, John Horne <john.horne at plymouth.ac.uk> wrote:
On Thu, 2024-03-21 at 15:38 +0000, John Horne wrote:
I need to do more testing, but am a little lost as to whether the bug
(if it
exists) is in the 'ps' output, the way it is recorded in the hostdata file or in the processing of the 'procs' test.
Running tcpdump of what is being sent to the main Xymon server shows that the corrupted line is occurring on the client. So I need to look into the xymonclient side of things.
John.
-- John Horne | Senior Operations Analyst | Technology and Information Services University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
[https://www.plymouth.ac.uk/images/email_footer.gif]<; http://www.plymouth.ac.uk/worldclass>
This email and any files with it are confidential and intended solely for the use of the recipient to whom it is addressed. If you are not the intended recipient then copying, distribution or other use of the information contained is strictly prohibited and you should not rely on it. If you have received this email in error please let the sender know immediately and delete it from your system(s). Internet emails are not necessarily secure. While we take every care, University of Plymouth accepts no responsibility for viruses and it is your responsibility to scan emails and their attachments. University of Plymouth does not accept responsibility for any changes made after it was sent. Nothing in this email or its attachments constitutes an order for goods or services unless accompanied by an official order form.
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon