Installed masked package Bastille; PSAD (Port Scan Attack Detector) comes with it. According to the ebuild post-install notice:

*********************************************
einfo "Please be sure to edit /etc/psad/psad.conf to reflect your system's"
einfo "configuration or it may not work correctly or start up. Specifically, check"
einfo "the validity of the HOSTNAME setting and replace the EMAIL_ADDRESSES and"
einfo "HOME_NET settings at the least."
echo
ewarn "If you're using metalog as your system logger, please be aware that PSAD does"
ewarn "not officially support it, and it probably won't work. Syslog-ng and sysklogd"
ewarn "do seem to work fine, though."
********************************************

You get this error when trying /etc/init.d/psad start:

*******************************************
bash-2.05b# /etc/init.d/psad start
 * Starting psad...
 ** (/usr/sbin/psad): Could not find syslogd anywhere!!!
 Please edit the config section to include the path to syslogd. at /usr/sbin/psad line 1526
 * Failed to start psad
********************************************

I use syslog-ng and it is listed in the /etc/psad/psad.conf file:

### FILES
ETC_SYSLOGNG_CONF /etc/syslog-ng/syslog-ng.conf;

Reproducible: Always

Steps to Reproduce:
1. Install Bastille
2. Run through configuration
3. Finish configuration. (Note: didn't tell either Bastille or PSAD to start at boot, then did it manually with /etc/init.d/filename myself. Don't think that would have made a difference though.)
4. While starting Bastille, got a notice that I need to run /sbin/depscan.sh. Did so and Bastille starts (except for a notice about several kernel options that I have in the kernel and it wants as modules: modprobe: ip_tables, ip_conntrack, ip_conntrack_ftp, ipt_LOG). Note: there is nothing in the ebuild about this, probably should be.
5. /etc/init.d/psad start, get syslog error

Actual Results:

bash-2.05b# /etc/init.d/psad start
 * Starting psad...
 ** (/usr/sbin/psad): Could not find syslogd anywhere!!!
 Please edit the config section to include the path to syslogd. at /usr/sbin/psad line 1526
 * Failed to start psad

Went to /usr/sbin/psad line 1526 and there isn't any place there to edit to correct the logger issue.

Expected Results:

To work with syslog-ng as the ebuild says.

Did get it working though by editing /etc/psad/psad.conf:

syslogdCmd /sbin/syslogd;
to
syslogdCmd /usr/sbin/syslog-ng

Then got:

***************************
bash-2.05b# /etc/init.d/psad start
 * Starting psad...
***************************

Also, the ebuild says: replace the EMAIL_ADDRESSES. You set this up in Bastille, so why can't it get the email address from there? Might be a Bastille issue, just mentioning.
make that three! Three bastille users, mwa-ha-ha </count>
No, two. :) I took it off when I tested with nmap and the firewall I wrote was much better. Plus, portsentry seems to work better for me than PSAD. Checked later and bastille didn't change my umask when I told it to in the config. Still, this syslog-ng is a bug in psad.
It looks like you're using an old psad package, probably 1.2.4 (based on the metalog einfo you pasted). This is no longer in portage and the latest stable psad is 1.2.4-r1 (with metalog patch). As far as the syslog-ng stuff: this is actually routine behavior, and I will add further einfo's to the ebuild to notify the user of changes required to /etc/psad/psad.conf. Anybody using something other than sysklogd will need to make a change to syslogdCmd.
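A pre-flight check for the syslogdCmd mismatch discussed above, as an added example that is not part of this thread or of psad. It assumes the `<key> <value>;` entry format quoted in the report and treats every key ending in `Cmd` as a program path; `shCmd` and all sample paths are constructed.

```shell
#!/bin/sh
# Added example. Entry format "<key> <value>;" is taken from the psad.conf
# lines quoted in this report; treating every key ending in "Cmd" as a
# program path is an assumption of this sketch.

# Write a constructed sample config (not a real psad.conf) to $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
### FILES (constructed sample)
ETC_SYSLOGNG_CONF    /etc/syslog-ng/syslog-ng.conf;
syslogdCmd           /sbin/syslogd-not-installed;
# syslogdCmd         /usr/sbin/syslog-ng;
shCmd                /bin/sh;
EOF
}

# Print "<key> <path>" for each *Cmd entry that is not an executable file.
# Returns 0 if all are usable, 1 if any is not, 2 if the config is unreadable.
check_cmd_paths() {
    conf=$1
    [ -r "$conf" ] || return 2
    bad=$(awk '
        /^[ \t]*#/ { next }                 # comment line
        $1 ~ /Cmd$/ && NF >= 2 {
            path = $2
            sub(/;.*$/, "", path)           # strip the ";" terminator
            print $1, path
        }' "$conf" |
        while read -r key path; do
            [ -f "$path" ] && [ -x "$path" ] || printf '%s %s\n' "$key" "$path"
        done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Demo on the constructed sample; shCmd is a hypothetical key.
sample=$(mktemp)
make_sample_conf "$sample"
check_cmd_paths "$sample" || echo "fix the entries listed above, then start the daemon"
rm -f "$sample"
```

Pointing `check_cmd_paths` at the real /etc/psad/psad.conf before running the init script surfaces a stale syslogdCmd path without having to read the daemon's startup error.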
According to /var/log/portage it was 1.3.tar.bz2 that got emerged. So it wasn't an older package, it was the masked one. The stable one didn't come up, because I emerged bastille and it was masked, so it grabbed the newest psad.

*********************
setup eutils perl-module unpack eutils perl-module
>>> Unpacking source...
>>> Unpacking psad-1.3.tar.bz2 to /var/tmp/portage/psad-1.3/work
>>> Source unpacked.
,......
******************
Ebuilds in portage have been updated to have the information I was talking about. Thanks, have a good day. Sorry it took so long.