securityonion.db missing and sguild failed login


mail...@gmail.com

Jul 23, 2018, 4:03:42 PM
to security-onion

SO,

We have managed to get our DB screwed up. sguild cannot access the db and securityonion.db does not exist.

History
We got our new SO hardware installed earlier this month and installed SO16. Before we ran sosetup, we tried the 'relocate' /var/lib/mysql per the instructions at:
https://github.com/Security-Onion-Solutions/security-onion/wiki/NewDisk

For reasons we don't / didn't understand, that failed. So we took out the symlink and ran sosetup (Master, with suricata, bro, netsniff storing logs locally).

That ran great for a couple weeks until last Friday when we ran soup in preparation for starting to use Elastic/Kibana. After the soup reboot, the symlink for mysql was back and as a result our DB was gone. We removed the symlink, remembered to update apparmor this time and replaced /var/lib/mysql from the original backup we saved according to the 'new disk/mysql instructions'.


Today's Problem
When we run sosetup now, there are some sguil-related errors.

Problem 1
Scanning the setup log, the last line stands out, but we don't know how to proceed. The mysql error log is empty. (Note that /opt/bro/etc/node.cfg does exist: -rw-r--r-- 1 root root 854 Jul 20 21:52 /opt/bro/etc/node.cfg). mysql is running:
redacted@redacted:~$ sudo netstat -anp|egrep 3306
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 63054/mysqld

root@redcated:~# egrep -i "critical|disable|emerg|error|fail|fatal|missing|not found|panic|terminate|warn|wrong|segfaul|invalid" /redecated/sosetup.log20b|egrep -vi "file exists|stopping"
IOError: [Errno 2] No such file or directory: '/opt/bro/etc/node.cfg'
IOError: [Errno 2] No such file or directory: '/opt/bro/etc/node.cfg'
insserv: warning: script 'K01ossec-hids-server' missing LSB tags and overrides
insserv: warning: script 'ossec-hids-server' missing LSB tags and overrides
insserv: warning: script 'K01ossec-hids-server' missing LSB tags and overrides
insserv: warning: script 'ossec-hids-server' missing LSB tags and overrides
insserv: warning: script 'K01ossec-hids-server' missing LSB tags and overrides
insserv: warning: script 'ossec-hids-server' missing LSB tags and overrides
eno1 not found in selected interfaces. Disabling.
eno2 not found in selected interfaces. Disabling.
eno3 not found in selected interfaces. Disabling.
eno4 not found in selected interfaces. Disabling.
Configuring for Snort Subscriber (Talos) and Emerging Threats NoGPL rulesets
insserv: warning: script 'K01ossec-hids-server' missing LSB tags and overrides
insserv: warning: script 'ossec-hids-server' missing LSB tags and overrides
Site default-ssl already disabled
insserv: warning: script 'K01ossec-hids-server' missing LSB tags and overrides
insserv: warning: script 'ossec-hids-server' missing LSB tags and overrides
insserv: warning: script 'K01ossec-hids-server' missing LSB tags and overrides
insserv: warning: script 'ossec-hids-server' missing LSB tags and overrides
insserv: warning: script 'K01ossec-hids-server' missing LSB tags and overrides
insserv: warning: script 'ossec-hids-server' missing LSB tags and overrides
insserv: warning: script 'K01ossec-hids-server' missing LSB tags and overrides
insserv: warning: script 'ossec-hids-server' missing LSB tags and overrides
Error: error occurred while trying to send mail: send-mail: /usr/sbin/sendmail not found
ERROR 1049 (42000): Unknown database 'securityonion_db'
ERROR 1049 (42000): Unknown database 'securityonion_db'

We tried setting DAYSTOKEEP and DAYSTOREPAIR to 1 and running sguil-db-purge. Then we tried setting them to zero. The sguild logs don't have any entries dated after the soup reboot.

We've tried running sosetup from sudo and directly from root. We've tried running sosetup from the GUI and the command line with -f.

Problem 2
There is no sguild.log, and sguild fails to log in to the db.

redacted@redacted:~$ locate squild.log
redacted@redacted:~$ sudo mysql -u root -p mysql
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
redacted@redacted:~$ sudo mysql -u root mysql
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)

redacted@redacted:~$ sudo sguild
2018-07-23 18:18:42 pid(34625) Loading access list: /etc/sguild/sguild.access
2018-07-23 18:18:42 pid(34625) Sensor access list set to ALLOW ANY.
2018-07-23 18:18:42 pid(34625) Client access list set to ALLOW ANY.
2018-07-23 18:18:42 pid(34625) Email Configuration:
2018-07-23 18:18:42 pid(34625) Config file: /etc/sguild/sguild.email
2018-07-23 18:18:42 pid(34625) Enabled: No
2018-07-23 18:18:42 pid(34625) Connecting to localhost on 3306 as sguil
2018-07-23 18:18:42 pid(34625) ERROR: Unable to connect to localhost on 3306: Make sure mysql is running.
2018-07-23 18:18:42 mysqlconnect/db server: Access denied for user 'sguil'@'localhost' (using password: YES)
SGUILD: Exiting...


So we added a sguil user per https://github.com/bammv/sguil/blob/master/doc/INSTALL
sudo mysql --defaults-file=/etc/mysql/debian.cnf -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.7.22-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SELECT User FROM mysql.user;
+------------------+
| User             |
+------------------+
| debian-sys-maint |
| mysql.session    |
| mysql.sys        |
| root             |
+------------------+
4 rows in set (0.02 sec)

mysql> GRANT ALL PRIVILEGES ON sguildb.* TO sguil@localhost IDENTIFIED BY 'sguilpasswd';
Query OK, 0 rows affected, 1 warning (0.01 sec)

We cleaned off /nsm per https://groups.google.com/forum/#!searchin/security-onion/securityonion.db|sort:date/security-onion/peu8KyfWW-0/oXxcyl-qAQAJ


And we set the mysql root password to null per https://groups.google.com/forum/#!searchin/security-onion/mysql$20root$20password$20sosetup|sort:date/security-onion/5VbAfbm-fMM/3EMfpZi2CjIJ

What should we try next? Can we avoid a reinstall?

Thanks in advance,
n0mad
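The failure mode in this post repeats a pattern: /var/lib/mysql was turned into a symlink, the symlink came back after soup, and the first time round AppArmor was not told about the new target, so mysqld was listening on 3306 while its tables were unreachable. The script below is an added example (not Security Onion's tooling and not anything the poster ran) that checks those preconditions before soup or sosetup is run again. It assumes the datadir is /var/lib/mysql and that the AppArmor override for mysqld lives at /etc/apparmor.d/local/usr.sbin.mysqld (both are assumptions; use whatever paths the NewDisk wiki you followed names). The database name it looks for, securityonion_db, is the one sosetup's log complains about above.

```shell
#!/bin/bash
# Pre-flight check for a MySQL datadir relocated via symlink (added example,
# not part of Security Onion). Run before soup/sosetup and after any reboot.
#
# Assumed defaults (override on the command line):
#   datadir  /var/lib/mysql
#   profile  /etc/apparmor.d/local/usr.sbin.mysqld  (Ubuntu AppArmor local override)

# check_datadir DIR -> prints one word, returns 0 only when the datadir is usable
#   dir       real directory holding the mysql/ system schema
#   symlink   symlink whose target exists and holds mysql/
#   dangling  symlink whose target no longer exists (the post-soup state above)
#   empty     exists but holds no mysql/ system schema (the tables are gone)
#   missing   nothing at DIR
check_datadir() {
  dir=$1
  if [ -L "$dir" ] && [ ! -e "$dir" ]; then echo dangling; return 1; fi
  if [ ! -d "$dir" ]; then echo missing; return 1; fi
  # every initialised datadir (MySQL 5.7 included) has the mysql/ system schema
  if [ ! -d "$dir/mysql" ]; then echo empty; return 1; fi
  if [ -L "$dir" ]; then echo symlink; else echo dir; fi
  return 0
}

# check_apparmor DIR PROFILE -> returns 0 if AppArmor will let mysqld read DIR
#   A symlinked datadir needs its *resolved* target listed in the mysqld
#   profile; otherwise mysqld starts and listens on 3306 but cannot open its
#   tables. A plain directory needs no profile change.
check_apparmor() {
  dir=$1; profile=$2
  [ -L "$dir" ] || return 0
  target=$(readlink -f -- "$dir") || return 1
  [ -r "$profile" ] && grep -qF -- "$target" "$profile"
}

# run_checks [DATADIR] [PROFILE] -> prints a report, returns 0 only if all pass
run_checks() {
  dir=${1:-/var/lib/mysql}
  profile=${2:-/etc/apparmor.d/local/usr.sbin.mysqld}
  rc=0
  state=$(check_datadir "$dir") || rc=1
  echo "datadir  $dir: $state"
  if check_apparmor "$dir" "$profile"; then
    echo "apparmor $profile: ok"
  else
    echo "apparmor $profile: resolved target of $dir is not listed"; rc=1
  fi
  # Only meaningful on the SO box itself: does the schema sosetup expects exist?
  # Uses the same maintenance credentials file the post used to get a shell.
  if command -v mysql >/dev/null 2>&1; then
    if mysql --defaults-file=/etc/mysql/debian.cnf -Nse \
         "SELECT 1 FROM information_schema.schemata WHERE schema_name='securityonion_db'" \
         2>/dev/null | grep -q 1; then
      echo "database securityonion_db: present"
    else
      echo "database securityonion_db: missing"; rc=1
    fi
  fi
  return $rc
}

# Run only when given a datadir argument, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then run_checks "$@"; fi
```

Run it as `sudo ./check_mysql_datadir.sh /var/lib/mysql`; a non-zero exit means at least one of the three conditions (datadir state, AppArmor target, securityonion_db present) would make sguild's login fail the way the log above shows.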

Wes Lambert

Jul 24, 2018, 6:47:39 PM
to securit...@googlegroups.com
At this point, I would probably bite the bullet and reinstall from scratch.  It would probably save you time and a bigger headache :)

Thanks,
Wes
