Fresh Sift build (focal) on qubes

[TheWanderer1983]

Hello all, I decided to try building sift from scratch on a fresh focal system. Not built on top Remnux. I followed the github guide for installing. Attached is the saltstack.log.

saltstack.log

[digitalsleuth]

Hi @TheWanderer1983 , after looking at all of the issues you've had, you seem to be getting the exact same error message each time, related to the 'systemd-run' error code 100. Can you provide the output of the following:

sudo apt-get update
sudo apt-get install -f
sudo apt search wireless-tools
ls -la /etc/apt/sources.list.d/
date

[TheWanderer1983]

Hello @digitalsleuth, Here are the requested outputs.

$ sudo apt-get update Hit:1 https://download.docker.com/linux/ubuntu focal InRelease
Hit:2 https://repo.saltproject.io/py3/ubuntu/20.04/amd64/3004 focal InRelease
Get:3 http://ppa.launchpad.net/gift/stable/ubuntu focal InRelease [18.0 kB]
Hit:4 http://archive.canonical.com/ubuntu focal InRelease
Hit:5 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:6 http://ppa.launchpad.net/openjdk-r/ppa/ubuntu focal InRelease
Get:7 http://archive.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Hit:8 http://ppa.launchpad.net/sift/stable/ubuntu focal InRelease
Get:9 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:10 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [2,000 kB] Get:11 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [927 kB] Fetched 3,172 kB in 28s (113 kB/s)
Reading package lists... Done

sudo apt-get install -f Reading package lists... Done Building dependency tree
Reading state information... Done The following packages were automatically installed and are no longer required: libnorm1 libpgm-5.2-0 libzmq5 python3-colorama Use 'sudo apt autoremove' to remove them. 0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.

sudo apt search wireless-tools Sorting... Done Full Text Search... Done broadcom-sta-dkms/focal-security,focal-updates 6.30.223.271-12ubuntu0.1 all dkms source for the Broadcom STA Wireless driver

broadcom-sta-source/focal-security,focal-updates 6.30.223.271-12ubuntu0.1 all Source for the Broadcom STA Wireless driver

iw/now 5.4-1 amd64 [installed,local] tool for configuring Linux wireless devices

ls -la /etc/apt/sources.list.d/ total 44 drwxr-xr-x 2 root root 4096 Aug 2 08:31 . drwxr-xr-x 7 root root 4096 Aug 2 08:29 .. -rw-r--r-- 1 root root 71 Aug 2 08:31 docker.list -rw-r--r-- 1 root root 71 Aug 2 08:31 docker.list.save -rw-r--r-- 1 root root 124 Aug 2 08:31 gift-ubuntu-stable-focal.list -rw-r--r-- 1 root root 124 Aug 2 08:31 gift-ubuntu-stable-focal.list.save -rw-r--r-- 1 root root 128 Aug 2 08:31 openjdk-r-ubuntu-ppa-focal.list -rw-r--r-- 1 root root 84 Aug 2 08:31 saltstack.list -rw-r--r-- 1 root root 84 Aug 2 08:31 saltstack.list.save -rw-r--r-- 1 root root 124 Aug 2 08:31 sift-ubuntu-stable-focal.list -rw-r--r-- 1 root root 124 Aug 2 08:31 sift-ubuntu-stable-focal.list.save

date Tue 02 Aug 2022 10:10:10 PM AEST

[digitalsleuth]

Can you run the following as well and paste the output?

cat /etc/apt/sources.list | grep -v "#"

[TheWanderer1983]

cat /etc/apt/sources.list | grep -v "#" deb http://archive.ubuntu.com/ubuntu focal universe deb http://archive.canonical.com/ubuntu focal partner deb http://archive.ubuntu.com/ubuntu focal-security multiverse deb http://archive.ubuntu.com/ubuntu focal-updates main universe multiverse restricted deb http://archive.ubuntu.com/ubuntu focal multiverse

[digitalsleuth]

Thanks @TheWanderer1983 , it looks like you have all the repos you need enabled, so I'm not quite sure why you are unable to install a few of the tools found in those repos. Can you tell me what steps you took to set up the OS?

[TheWanderer1983]

Sure, This is a Qubes System. So I cloned a Focal template. Specifically this one https://qubes.3isec.org/Templates_4.1/ Then I followed the Option 2A: SIFT Easy Installation on Native Ubuntu System as detailed here. https://www.sans.org/tools/sift-workstation/ The only variation is I didn't create that user account. I'm using the default account for this VM which has sudo.

[digitalsleuth]

Sounds good, I'll give that process a shot and see if I come across the same issue.

[TheWanderer1983]

Thanks for the help. Appreciated.