[Sguil-devel] New sguil ports for FreeBSD
Bamm Visscher
bamm.visscher at gmail.com
Wed Apr 9 21:33:48 UTC 2008
My guess is your script is passing sguild the arg '-u sguil'. Where
in your startup script that could be, I don't know.
On Wed, Apr 9, 2008 at 2:37 PM, Paul Schmehl <pauls at utdallas.edu> wrote:
> Note: I'm crossposting this to freebsd-ports and the sguil-devel list, hoping
> that someone can find the obvious problem that I'm missing.
>
> I'm working on the new (0.7.0) sguil-server port, and I've run into a strange
> problem that I can't seem to figure out. If I try to start sguild with my
> startup script (which worked fine in 0.6.x), I get this:
>
> # /usr/local/etc/rc.d/sguild start
> Starting sguild.
> pid(3349) ERROR: sguil does not exist
> Usage: /usr/local/bin/sguild [-D] [-h] [-c <filename>] [-u <filename>] [-P <filename>] [-O <filename>] [-C <directory]
> /usr/local/bin/sguild [-u <filename] [-adduser <username>] [-deluser <username]
> -c <filename>: PATH to the sguild config (sguild.conf) file.
> -a <filename>: PATH to the autocat config (autocat.conf) file.
> -g <filename>: PATH to the sguild global queries (sguild.queries) file.
> -u <filename>: PATH to the sguild users (sguild.users) file.
> -P <filename>: Name of file to write the PID to.
> Default is /var/run/sguild.pid
> -l <filepath>: PATH to sguild libraries.
> -O <filename>: Define PATH to tls (tcl openssl) lib (libtls1.x.so)
> -C <directory>: Directory that contains sguild.pem and sguild.key
> -D Runs sguild in daemon mode.
> -adduser <username>: Add user to sguild.users
> -deluser <username>: Delete user from sguild.users
> -A <filename>: PATH to sguild.access file.
> -d <0|1|2>: Set DEBUG level
> -h Display this help
> SGUILD: Exiting...
>
> I've got no idea where this error is coming from or what it refers to. It's
> not in any of the source files for the distro (that I can find.) The only
> thing that comes close is 'puts "ERROR: $USERS_FILE does not exist"' in sguild,
> but I would expect the commandline to throw the same error if that were true
> *and* the sguild.users file *does* exist.
>
> If I start sguild from the commandline I get this:
>
> # /usr/local/bin/sguild
> pid(3377) Loading access list: /usr/local/etc/sguil-server/sguild.access
> pid(3377) Sensor access list set to ALLOW ANY.
> pid(3377) Client access list set to ALLOW ANY.
> pid(3377) Email Configuration:
> pid(3377) Config file: /usr/local/etc/sguil-server/sguild.email
> pid(3377) Enabled: Yes
> pid(3377) Server: localhost
> pid(3377) Rcpt To: root at localhost
> pid(3377) From: root at localhost
> pid(3377) Classes: successful-admin trojan-activity attempted-admin
> attempted-user
> pid(3377) Priorities: 0
> pid(3377) Disabled Sig IDs: 0
> pid(3377) Enabled Sig IDs: 1000003
> pid(3377) Connecting to localhost on 3306 as sguild
> pid(3377) MySQL Version: version 5.0.51a
> pid(3377) SguilDB Version: 0.12
> pid(3378) Loaderd Forked
> pid(3379) Queryd Forked
> pid(3377) Retrieving DB info...
> pid(3377) SELECT sid, net_name, hostname, agent_type FROM sensor WHERE
> active='Y' ORDER BY net_name, sid ASC
> pid(3377) Warning: Event table appears to be empty.
> pid(3377) If this is a new DB, then you can safely ignore this warning.
> pid(3377) Retrieving DB info...
> pid(3377) Getting a list of tables.
> pid(3377) ...Getting info on history.
> pid(3377) ...Getting info on nessus.
> pid(3377) ...Getting info on nessus_data.
> pid(3377) ...Getting info on pads.
> pid(3377) ...Getting info on portscan.
> pid(3377) ...Getting info on sensor.
> pid(3377) ...Getting info on status.
> pid(3377) ...Getting info on user_info.
> pid(3377) ...Getting info on version.
> pid(3377) Sguild Initialized.
>
> Or, as a daemon:
>
> # /usr/local/bin/sguild -D
> pid(3380) Loading access list: /usr/local/etc/sguil-server/sguild.access
> pid(3380) Sensor access list set to ALLOW ANY.
> pid(3380) Client access list set to ALLOW ANY.
> pid(3380) Email Configuration:
> pid(3380) Config file: /usr/local/etc/sguil-server/sguild.email
> pid(3380) Enabled: Yes
> pid(3380) Server: localhost
> pid(3380) Rcpt To: root at localhost
> pid(3380) From: root at localhost
> pid(3380) Classes: successful-admin trojan-activity attempted-admin
> attempted-user
> pid(3380) Priorities: 0
> pid(3380) Disabled Sig IDs: 0
> pid(3380) Enabled Sig IDs: 1000003
>
> Clearly something is different about my startup script, but I'll be damned if I
> know what it is. What's really frustrating is, there's almost nothing to a
> FreeBSD startup script, because it sources rcorder and the other rc components.
>
> This is literally how simple it is:
>
> . /etc/rc.subr
>
> name="sguild"
> rcvar=`set_rcvar`
>
> command="/usr/local/bin/${name}"
>
> load_rc_config ${name}
> run_rc_command "$1"
>
> Stop works. Status works. Start fails. :-(
>
> Anyone have a hint?
>
> --
> Paul Schmehl (pauls at utdallas.edu)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
>
>
--
sguil - The Analyst Console for NSM
http://sguil.sf.net
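Added example, not from either message or from the sguil project: a shim that `command=` in the rc script can point at temporarily, so the exact argv that rc.subr builds for sguild gets logged before the real daemon runs. That is the fastest way to confirm or rule out a guess like the '-u sguil' one above. The real binary path in SGUILD_REAL and the log path are assumed names, not anything the port defines.

```shell
#!/bin/sh
# argv-logging shim (constructed example). Point the rc script's `command`
# at this file, set SGUILD_REAL to the real daemon (e.g. a renamed copy),
# and the log shows what arguments the rc framework actually passed.

# Print "$@" one per line in <...> brackets so that "-u sguil" (one arg)
# and "-u" "sguil" (two args) are distinguishable.
format_argv() {
    i=0
    for a in "$@"; do
        i=$((i + 1))
        printf 'argv[%d]=<%s>\n' "$i" "$a"
    done
}

# Print the value following a given flag in "$@"; status 1 if absent.
flag_value() {
    flag=$1; shift
    while [ $# -gt 0 ]; do
        if [ "$1" = "$flag" ] && [ $# -gt 1 ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# For every flag that takes a file path (per sguild's usage text), report
# the ones whose argument is not an existing path. This turns the bare
# "ERROR: sguil does not exist" into "which flag carried that value".
check_file_flags() {
    for f in -c -a -g -u -A -O; do
        v=$(flag_value "$f" "$@") || continue
        [ -e "$v" ] || printf '%s %s: no such file\n' "$f" "$v"
    done
}

# Shim mode: only active when SGUILD_REAL is set, so the functions above can
# also be sourced on their own. Log path is an assumed default.
if [ -n "${SGUILD_REAL:-}" ]; then
    log=${SGUILD_ARGV_LOG:-/tmp/sguild-argv.log}
    { date; format_argv "$@"; check_file_flags "$@"; } >> "$log"
    exec "$SGUILD_REAL" "$@"
fi
```

Run the rc script's start target once with the shim in place, then read the log; an unexpected `-u` value there points at the rc variable or flags setting that produced it.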