000039083 - RSA NetWitness Platform: Lots of prelink <defunct> process in CentOS6 and RHEL6 linux machines after installing nwe-agent

Document created by RSA Customer Support Employee on Jul 3, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000039083
Applies ToRSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Endpoint Insight
RSA Version/Condition:
You may see lots of prelink <defunct> process in CentOS6/RHEL6 linux machines after installing nwe-agent as shown below.
ps -ef | grep prelink
CauseThis issue seems to be happening in certain scenarios when agent calls the rpmVerifyFile API and when the RPM subsystem detects that at least one of file's dependencies has changed since prelinking. 
In this case, RPM is internally invoking the prelink process and since the agent is the caller of that API, the <defunct> processes are associated with our process.
As such prelink is known to interfere with integrity checks on the system and has been disabled by default from CentOS7/RHEL7 onwards.
And if the server is in FIPS mode, as per RHEL 6 documentation (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html-single/security_guide/index  section: Enabling FIPS Mode ), prelink needs to be disabled in which case we will not run into this issue as RPM will not invoke prelink.
WorkaroundYou can resolve this issue with the following 3 options below.
  1. Disable prelink in CentOS6/RedHat6 Linux machines.
  2. If prelink is enabled, make sure /etc/cron.daily/prelink runs right after any yum/rpm updates on the system so that rpm/prelink are in sync
  3. Restart nwe-agent by crontab once or twice a day. prelink process is reset by restarting nwe-agent.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further