Fixing an OSSEC bug
2009-08-27 17:20
OSSEC has a bug: in some cases, after a process terminates abnormally, it leaves its pid file behind, for example /var/ossec/var/run/ossec-execd-17180.pid. If a new process is later assigned the same PID, then the next time OSSEC is stopped it kills every PID recorded under /var/ossec/var/run/, and because it does not check whether that PID belongs to one of OSSEC's own processes, it kills process 17180 by mistake. I changed the code and fixed the problem, as shown below:

[root@xti9er bin]# ps -ef |grep ossec
root     16908     1  0 16:31 ?        00:00:00 /var/ossec/bin/ossec-execd
ossecm   17122     1  0 16:40 ?        00:00:00 /var/ossec/bin/ossec-maild
root     17126     1  0 16:40 ?        00:00:00 /var/ossec/bin/ossec-execd
ossec    17130     1  0 16:40 ?        00:00:00 /var/ossec/bin/ossec-analysisd
root     17134     1  0 16:40 ?        00:00:00 /var/ossec/bin/ossec-logcollector
ossecr   17139     1  0 16:40 ?        00:00:00 /var/ossec/bin/ossec-remoted
root     17145     1  2 16:40 ?        00:00:05 /var/ossec/bin/ossec-syscheckd
ossec    17149     1  0 16:40 ?        00:00:00 /var/ossec/bin/ossec-monitord
root     17178 12487  0 16:44 pts/0    00:00:00 grep ossec
[root@xti9er bin]# cat ~/sp.c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
int a=0;
main()
{
    signal(SIGINT,SIG_DFL);
    while(1)
    {
        sleep(1);
        printf("%d",a);
        a++;
    }
}
[root@xti9er bin]# ~/sp&
[2] 17180
[root@xti9er bin]# ll /var/ossec/var/run/*exe*
-rw-r--r-- 1 root ossec 6 Aug 27 16:40 /var/ossec/var/run/ossec-execd-17126.pid
[root@xti9er bin]# cp /var/ossec/var/run/ossec-execd-17126.pid /var/ossec/var/run/ossec-execd-17180.pid
[root@xti9er bin]# echo 17180 > /var/ossec/var/run/ossec-execd-17180.pid
[root@xti9er bin]#
[root@xti9er bin]# ./ossec-control.bak.2009-08-27 stop
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
OSSEC HIDS v2.1 Stopped
[2]+ Terminated ~/sp
[root@xti9er bin]# ~/sp&
[2] 17229
[root@xti9er bin]# ./ossec-control start
Starting OSSEC HIDS v2.1 (by Trend Micro Inc.)...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.
[root@xti9er bin]# ll /var/ossec/var/run/*exe*
-rw-r--r-- 1 root ossec 6 Aug 27 16:47 /var/ossec/var/run/ossec-execd-17264.pid
[root@xti9er bin]# cp /var/ossec/var/run/ossec-execd-17264.pid /var/ossec/var/run/ossec-execd-17229.pid
[root@xti9er bin]# echo 17229 > /var/ossec/var/run/ossec-execd-17229.pid
[root@xti9er bin]# ./ossec-control stop
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
17229 is not ossec program..
OSSEC HIDS v2.1 Stopped
[root@xti9er bin]# diff ossec-control ossec-control.bak.2009-08-27
261,272c261,262 < for j in `cat ${DIR}/var/run/${i}*.pid 2>/dev/null`; do < ps -ef |grep ${DIR}/bin |grep `cat ${DIR}/var/run/${i}-$j.pid` > /dev/null 2>&1 < if [ $? = 0 ]; then < echo "Killing ${i} .. "; < kill `cat ${DIR}/var/run/${i}-$j.pid`; < else < echo `cat ${DIR}/var/run/${i}-$j.pid` " is not ossec program.."; < rm -f ${DIR}/var/run/${i}-$j.pid < fi < done --- > echo "Killing ${i} .. "; > kill `cat ${DIR}/var/run/${i}*.pid`;
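
Review bot: the ownership test on the second "<" line (ps -ef |grep ${DIR}/bin |grep `cat ${DIR}/var/run/${i}-$j.pid`) matches the PID as an unanchored substring of any ps -ef row that mentions ${DIR}/bin, so it still passes when the number only appears in the PPID column or inside a longer PID, and it accepts any OSSEC binary rather than ${i} itself. Compare the command of that exact PID against ${DIR}/bin/${i} instead, for example through ps -p or /proc/<pid>/exe. The loop also takes $j from the file contents and then reopens ${i}-$j.pid, which only works while each file's name and contents agree; iterating over the file names and reading each file once would remove that assumption, and quoting the expansions would keep an empty or malformed pid file from reaching kill.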
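
The stale pid file problem described in this post, as an added example (not the author's patch and not OSSEC's own code): a POSIX shell stop routine that signals a PID only when /proc/<pid>/exe resolves to the named daemon's binary. It assumes a Linux /proc; PROC_ROOT and KILL are hypothetical hooks introduced here so the logic can be run against a constructed directory.

```shell
#!/bin/sh
# Added example: verify that a pid file still points at the daemon before killing.
# PROC_ROOT is a hypothetical override for testing; on Linux it is /proc.
PROC_ROOT=${PROC_ROOT:-/proc}

# pid_is_daemon PID EXE: succeed only if PID is currently running the binary EXE.
pid_is_daemon() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac   # reject empty or non-numeric content
    exe=$(readlink "$PROC_ROOT/$1/exe" 2>/dev/null) || return 1   # no such process
    # The kernel appends " (deleted)" when the binary was replaced on disk.
    [ "${exe% (deleted)}" = "$2" ]
}

# stop_daemon NAME RUN_DIR BIN_DIR: handle every NAME-*.pid file in RUN_DIR.
# KILL is a hypothetical hook (defaults to kill) so nothing real is signalled in tests.
stop_daemon() {
    name=$1 run_dir=$2 bin_dir=$3
    for f in "$run_dir/$name"-*.pid; do
        [ -f "$f" ] || continue                  # glob matched nothing
        pid=$(head -n 1 "$f" | tr -d '[:space:]')
        if pid_is_daemon "$pid" "$bin_dir/$name"; then
            echo "Killing $name ($pid) .."
            ${KILL:-kill} "$pid"
        else
            # PID was reused by an unrelated process, or the process is gone.
            echo "$pid is not $name, removing stale $f"
            rm -f "$f"
        fi
    done
}
```

Called as stop_daemon ossec-execd /var/ossec/var/run /var/ossec/bin, it leaves an unrelated process that inherited a recycled PID untouched and removes only the stale pid file.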

