Argus fails to start with ARGUS_INTERFACE=ind:all

Jesse Bowling jesseb at uga.edu
Mon May 23 12:51:28 EDT 2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 3.0.2, we use the "-u" and "-g" flags to run argus without root privs (on FreeBSD 8)

i.e.:
/usr/local/sbin/argus -u argus -g argus -i igb3 -B 127.0.0.1 -P 561 -Z -d

Perhaps this would work?  Or perhaps I've missed the issue...

Cheers,

Jesse

On 05/23/2011 12:11 PM, Carter Bullard wrote:
> Argus can't open devices it doesn't have permission to open.  You can't open
> the networking interfaces of a Linux machines without root privileges.
> So you either have to run as root, or you have to change the permissions on the
> interfaces, so they can be opened.  Changing the permissions is not a good idea.
> 
> Argus can be installed "setuid", so that it runs as root, regardless of who calls it, 
> but that is not a good idea either, as there are lots of issues with setuid programs.
> 
> The best solution is to run argus as root.
> 
> Carter
> 
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York  10022
> 
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
> 
> On May 23, 2011, at 11:55 AM, Harry Hoffman wrote:
> 
>> Hi Carter,
>>
>> So, I did a little bit more troubleshooting and it appears to be a problem
>> with setting the uid/gid for dropping privs.
>>
>> If argus runs as root all is ok (both with and without your patch below).
>> But if I create a user and group called argus (and set perms on the
>> directory properly) then argus won't start.
>>
>> Also, argusbug is in both argus and argus-clients. This causes install
>> conflicts with rpm/yum. Think one of them can be renamed so that argus and
>> argus-clients can be installed on the same box without requiring a --force
>> to rpm install?
>>
>> Cheers,
>> Harry
>>
>>
>>
>> -----Original Message-----
>> From: Carter Bullard [mailto:carter at qosient.com] 
>> Sent: Monday, May 23, 2011 10:38 AM
>> To: Harry Hoffman
>> Cc: argus-info at lists.andrew.cmu.edu
>> Subject: Re: [ARGUS] Argus fails to start with ARGUS_INTERFACE=ind:all
>>
>> Hey Harry,
>> We don't use socket(PF_INET,SOCK_PACKET) in argus, so not sure where this
>> problem may be.
>> Now that I'm looking at the code, we use AF_INET for a socket call, which
>> most OS's don't mind, but
>> if centos is persnickety, try this patch:
>>
>> thoth:argus carter$ p4 diff ...
>> ==== //depot/argus/argus/argus/ArgusSource.c#86 -
>> /Users/carter/argus/argus/argus/ArgusSource.c ====
>> 3666c3666
>> <       if ((ArgusGetInterfaceFD = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
>> ---
>>>      if ((ArgusGetInterfaceFD = socket(PF_INET, SOCK_DGRAM, 0)) < 0)
>>
>> To see if that doesn't help.  If not, we'll have to find out what call we're
>> in when the error is generated
>> to figure out if it's argus() or possibly,  libpcap().
>>
>> Carter
>>
>>
>> On May 23, 2011, at 10:19 AM, Harry Hoffman wrote:
>>
>>> Hi,
>>>
>>> I've downloaded the latest argus (3.0.5.3) and I'm trying to run with:
>>> ARGUS_INTERFACE=ind:all
>>>
>>> And I'm getting the following error messages:
>>> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.195237 started
>>> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.214626 started
>>> May 23 10:02:20 usher kernel: argus uses obsolete (PF_INET,SOCK_PACKET)
>>> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.229757
>>> ArgusOpenInterface: pcap_open_live socket: Operation not permitted
>>> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.237115
>>> ArgusOpenInterface: pcap_open_live socket: Operation not permitted
>>> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.242792
>>> ArgusOpenInterface: pcap_open_live socket: Operation not permitted
>>>
>>>
>>> If I run with ARGUS_INTERFACE=any then argus starts up right away (and
>> seems
>>> to use eth0).
>>>
>>> I've got the following live interfaces:
>>> Eth0 (ethernet)
>>> Eth1 (ethernet)
>>> Lo (loopback)
>>> Sit1 (ipv6-ipv4)
>>>
>>> I'm running centos-5.6 x86_64. I'm happy to provide any other information.
>>>
>>> Cheers,
>>> Harry
>>>
>>>
>>>
>>
>>
>>
> 

- -- 
Jesse Bowling
_______________________________________
Incident Response Manager          |~~|
Office of Information Security     |\/|
University of Georgia              |^^|
(706) 542-2127	                   |/\|
jesseb at uga dot edu  	           |~~|
- ----------------------------------------

No matter that we may mount on stilts, we still must walk on our own
legs. And on the highest throne in the world, we still sit only on our
own bottom. -Michel de Montaigne
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Red Hat - http://enigmail.mozdev.org/

iEYEARECAAYFAk3akJAACgkQ5E4CHL/YJ2oRXACfa9MGiyH/kRCnX6UQmwsjtAK7
Ks0AoJFm5Q+vKqaN6Wud8FYefp3+90vA
=KNpC
-----END PGP SIGNATURE-----

More information about the argus mailing list