Wednesday, June 25, 2008

PyFlag Installation on Fedora 8

So I finally decided to be brave and install PyFlag.

First you have to get the source code (more info on wiki or compile tutorial):


# yum install darcs
$ darcs get http://www.pyflag.net/pyflag



After this, you will have a folder called pyflag. If you look at the install instructions from the PyFlag site, you can see that there are several packages that must be installed before installing PyFlag. Most of these can be found in yum repos, but under different names (items in parenthesis are the debian package names):

python-dateutil
clamav
clamav-server (clamav-daemon)
mysql
mysql-devel
mysql-server
file-devel (libmagic-dev)
pexpect (python-pexpect)
python-imaging
python-mysqldb (manual install)


# yum install python-dateutil clamav clamav-server mysql mysql-devel mysql-server file-devel pexpect python-imaging



After installing all of these packages, you must initialize mysql:


# /sbin/chkconfig mysqld on
# /sbin/service mysqld start
# mysqladmin -u root password 'new-passwd'



You must use quotes around the new-passwd you choose, and don't forget what it is!

You must also setup clamav-server so it will work. Make sure you know where everything is installed, because things get funky with clamav and Fedora:


# rpm -q --filesbypkg [packagename]



Where [packagename] is replaced by the package(s) you installed. I went ahead and installed all of clamav packages just to be safe. Two files of interest are the daemon file itself and the configuration file. My locations are:


/usr/sbin/clamd
/usr/share/doc/clamav-server-0.92.1/clamd.conf



This is annoying, because when you run the clamd daemon, it says it can't find the clamd.conf file in the appropriate place: /etc/clamd.conf So you can add a symbolic link to the real location:


ln -s /usr/share/doc/clamav-server-0.92.1/clamd.conf /etc/clamd.conf



You'll have to figure out how to set up your own clamd.conf file.

Ok, at this point you are able to install PyFlag:


$ cd pyflag
$ sh autogen.sh
$ ./configure
$ make
$ su -
# make install



Make sure that you have no errors when running configure, make and make install. Now, before running PyFlag, you must set up the configuration file to point to the mysql.sock file. Fedora places the mysql.sock file in a different location than the default (/var/run/mysqld/mysqld.sock). So open up the configuration file using your favorite editor:


$ vi ~/.pyflagrc



Change the line that says:


dbunixsocket=/var/run/mysqld/mysqld.sock

to


dbunixsocket=/var/lib/mysql/mysql.sock


Notice that ``run'' is changed to ``lib'' and the `d' is absent from the end of mysql. You are now set.

Also make sure that PyFlag points to the clamav socket (for example):


clamav_socket=/var/run/clamd.d/clamd.sock



If everything goes well, you can then set up PyFlag:


$ pyflag



Follow the instructions on the website for setting up pyflag by going to http://127.0.0.1:8000.

There was only one other thing I changed. Since I already have a service listening on port 8000, I changed the port in the configuration file:


httpserver_port=7000



I'll have a post later after I've played around with this for a while...

8 comments:

Anonymous said...

to install python-mysqldb you have to install mysql-devel package first, otherwise you won't be able to install python-myslqdb

piXi

JL said...

Thanks. You are probably right. I had installed it earlier and so I didn't catch that! -JL

jay said...

Hi JL,

Just a quick question. I'm running pyflag in a windows environment. I gave the path to the DD image I've created like G:\myimage.dd and then it asks for a VFS mount point. What should I put here. Thanks in advance!

JL said...

@jay

You can put whatever you want. It allows you to use more than one image (as well as different types of images: disk images, memory images, network traces) at a time. Then you will see the tree on the left with each image in relation to what you have written for the VFS mount point.

For future help you can find the PyFlag crew on #pyflag on freenode.net (IRC)

Tutorial on memory forensics which is useful - though it's not specifically about disk images, some things are the same... (for some reason I didn't find one on disk images).

Hope this helps...

JL said...

After going back to the sourceforge site I found this tutorial if you are interested: http://pyflag.sourceforge.net/Documentation/tutorials/forensics.html

jay said...

Thanks JL for the info, I will check this out and let you know if it works

Emmanuel said...

I edited the pyflagrc conf file and changed the dbunixsocket line. i could not find the clamav_socket in the file.

I am trying the installation on Fedora 10

Emmanuel

JL said...

@Emmanuel,

I'm sorry that I haven't responded before now! I've been crazy busy! I haven't had a chance to test pyflag on Fedora 10 yet to figure out what the issue might be. Just one thought: have you tried to configure pyflag from the web interface? When it starts up, just go to configuration and you should be able to put in whatever values you need. This is from the latest darcs code though.

Let me know if you are still having trouble and I will try to get it installed under F10.

I have emailed you as well just in case...