Date: Wed, 09 Apr 2008 15:37:12 -0500
From: Paul Schmehl <pauls@utdallas.edu>
To: sguil-devel@lists.sourceforge.net
Cc: FreeBSD Ports <freebsd-ports@freebsd.org>
Subject: New sguil ports for FreeBSD
Message-ID: <2496DCB6636B3F0F4644C8AA@utd65257.utdallas.edu>
Note: I'm crossposting this to freebsd-ports and the sguil-devel list, hoping that someone can find the obvious problem that I'm missing.

I'm working on the new (0.7.0) sguil-server port, and I've run into a strange problem that I can't seem to figure out. If I try to start sguild with my startup script (which worked fine in 0.6.x), I get this:

    # /usr/local/etc/rc.d/sguild start
    Starting sguild.
    pid(3349) ERROR: sguil does not exist
    Usage: /usr/local/bin/sguild [-D] [-h] [-c <filename>] [-u <filename>] [-P <filename>] [-O <filename>] [-C <directory]
           /usr/local/bin/sguild [-u <filename] [-adduser <username>] [-deluser <username]
      -c <filename>: PATH to the sguild config (sguild.conf) file.
      -a <filename>: PATH to the autocat config (autocat.conf) file.
      -g <filename>: PATH to the sguild global queries (sguild.queries) file.
      -u <filename>: PATH to the sguild users (sguild.users) file.
      -P <filename>: Name of file to write the PID to. Default is /var/run/sguild.pid
      -l <filepath>: PATH to sguild libraries.
      -O <filename>: Define PATH to tls (tcl openssl) lib (libtls1.x.so)
      -C <directory>: Directory that contains sguild.pem and sguild.key
      -D Runs sguild in daemon mode.
      -adduser <username>: Add user to sguild.users
      -deluser <username>: Delete user from sguild.users
      -A <filename>: PATH to sguild.access file.
      -d <0|1|2>: Set DEBUG level
      -h Display this help
    SGUILD: Exiting...

I've got no idea where this error is coming from or what it refers to. It's not in any of the source files for the distro (that I can find). The only thing that comes close is 'puts "ERROR: $USERS_FILE does not exist"' in sguild, but I would expect the command line to throw the same error if that were true, *and* the sguild.users file *does* exist.

If I start sguild from the command line I get this:

    # /usr/local/bin/sguild
    pid(3377) Loading access list: /usr/local/etc/sguil-server/sguild.access
    pid(3377) Sensor access list set to ALLOW ANY.
    pid(3377) Client access list set to ALLOW ANY.
    pid(3377) Email Configuration:
    pid(3377)   Config file: /usr/local/etc/sguil-server/sguild.email
    pid(3377)   Enabled: Yes
    pid(3377)   Server: localhost
    pid(3377)   Rcpt To: root@localhost
    pid(3377)   From: root@localhost
    pid(3377)   Classes: successful-admin trojan-activity attempted-admin attempted-user
    pid(3377)   Priorities: 0
    pid(3377)   Disabled Sig IDs: 0
    pid(3377)   Enabled Sig IDs: 1000003
    pid(3377) Connecting to localhost on 3306 as sguild
    pid(3377) MySQL Version: version 5.0.51a
    pid(3377) SguilDB Version: 0.12
    pid(3378) Loaderd Forked
    pid(3379) Queryd Forked
    pid(3377) Retrieving DB info...
    pid(3377) SELECT sid, net_name, hostname, agent_type FROM sensor WHERE active='Y' ORDER BY net_name, sid ASC
    pid(3377) Warning: Event table appears to be empty.
    pid(3377) If this is a new DB, then you can safely ignore this warning.
    pid(3377) Retrieving DB info...
    pid(3377) Getting a list of tables.
    pid(3377) ...Getting info on history.
    pid(3377) ...Getting info on nessus.
    pid(3377) ...Getting info on nessus_data.
    pid(3377) ...Getting info on pads.
    pid(3377) ...Getting info on portscan.
    pid(3377) ...Getting info on sensor.
    pid(3377) ...Getting info on status.
    pid(3377) ...Getting info on user_info.
    pid(3377) ...Getting info on version.
    pid(3377) Sguild Initialized.

Or, as a daemon:

    # /usr/local/bin/sguild -D
    pid(3380) Loading access list: /usr/local/etc/sguil-server/sguild.access
    pid(3380) Sensor access list set to ALLOW ANY.
    pid(3380) Client access list set to ALLOW ANY.
    pid(3380) Email Configuration:
    pid(3380)   Config file: /usr/local/etc/sguil-server/sguild.email
    pid(3380)   Enabled: Yes
    pid(3380)   Server: localhost
    pid(3380)   Rcpt To: root@localhost
    pid(3380)   From: root@localhost
    pid(3380)   Classes: successful-admin trojan-activity attempted-admin attempted-user
    pid(3380)   Priorities: 0
    pid(3380)   Disabled Sig IDs: 0
    pid(3380)   Enabled Sig IDs: 1000003

Clearly something is different about my startup script, but I'll be damned if I know what it is.

What's really frustrating is, there's almost nothing to a FreeBSD startup script, because it sources rcorder and the other rc components. This is literally how simple it is:

    #!/bin/sh

    . /etc/rc.subr

    name="sguild"
    rcvar=`set_rcvar`
    command="/usr/local/bin/${name}"

    load_rc_config ${name}
    run_rc_command "$1"

Stop works. Status works. Start fails. :-(

Anyone have a hint?

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
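The post describes the classic "starts by hand, fails from rc.d" situation without a visible cause. A standard way to narrow that down is to put a small tracing wrapper in place of the daemon so that the exact argument vector, working directory and environment handed over by run_rc_command can be compared with the manual invocation. The wrapper below is an added example and is not code from the original post or from the sguil or FreeBSD projects; the paths REAL_CMD and LOG and the WRAPPER_NO_EXEC variable are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): a diagnostic wrapper that records exactly
# how an rc.d script invokes a daemon, so the rc.d start can be compared with a working
# manual start. Paths are assumptions for illustration; adjust for the system at hand.

REAL_CMD="/usr/local/bin/sguild.real"   # assumption: the real daemon, moved aside
LOG="/var/log/sguild-wrapper.log"        # assumption: where the trace is written

# quote_args: print each argument on its own line, indexed and single-quoted, so that
# empty or whitespace-bearing arguments are visible. POSIX sh only, no external tools.
quote_args() {
    i=0
    for a in "$@"; do
        i=$((i + 1))
        printf "argv[%d]='%s'\n" "$i" "$a"
    done
    printf 'argc=%d\n' "$i"
}

# env_snapshot: the environment details that most often make a daemon behave
# differently under rc.d than at an interactive root shell.
env_snapshot() {
    printf 'cwd=%s\n' "$(pwd)"
    printf 'user=%s\n' "$(id -un)"
    printf 'HOME=%s\n' "${HOME:-<unset>}"
    printf 'PATH=%s\n' "${PATH:-<unset>}"
}

# trace_and_exec: append the invocation record to the log, then hand off to the real
# binary with argv unchanged so the daemon still runs as before.
trace_and_exec() {
    {
        printf -- '--- %s\n' "$(date)"
        printf 'argv0=%s\n' "$0"
        quote_args "$@"
        env_snapshot
    } >> "$LOG" 2>&1
    exec "$REAL_CMD" "$@"
}

# Only hand off when the real binary is present and handoff is not disabled, so the
# helper functions can also be sourced and exercised on their own.
if [ "${WRAPPER_NO_EXEC:-0}" = "0" ] && [ -x "$REAL_CMD" ]; then
    trace_and_exec "$@"
fi
```

Installed in place of the daemon binary and pointed at the relocated original, the wrapper leaves a line-per-argument record in the log for both the rc.d start and the manual start; a difference in argc, in an unexpected empty argument, or in cwd and HOME is usually what separates the two cases. Remove the wrapper once the comparison is done.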