Article Number
000001990
Applies To
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Endpoint Insight
RSA Version/Condition: 11.3.2.1
Issue
You may see lots of prelink <defunct> process in CentOS6/RHEL6 linux machines after installing nwe-agent as shown below.
Image descriptionImage description
Cause
This issue seems to be happening in certain scenarios when agent calls the rpmVerifyFile API and when the RPM subsystem detects that at least one of file's dependencies has changed since prelinking.
In this case, RPM is internally invoking the prelink process and since the agent is the caller of that API, the <defunct> processes are associated with our process.
As such prelink is known to interfere with integrity checks on the system and has been disabled by default from CentOS7/RHEL7 onwards.
And if the server is in FIPS mode, as per RHEL 6 documentation (
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/security_guide/index section: Enabling FIPS Mode ), prelink needs to be disabled in which case we will not run into this issue as RPM will not invoke prelink.
Workaround
You can resolve this issue with the following 3 options below.
- Disable prelink in CentOS6/RedHat6 Linux machines.
- If prelink is enabled, make sure /etc/cron.daily/prelink runs right after any yum/rpm updates on the system so that rpm/prelink are in sync
- Restart nwe-agent by crontab once or twice a day. prelink process is reset by restarting nwe-agent.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further
assistance.