Context Navigation

HOWTO-client+server.html@ 578

Last change on this file since 578 was 553, checked in by katerina, 5 years ago
Fix for ticket #443 (Incompatibility with older gpg versions).
File size: 12.1 KB

Line
1	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
2	<html>
3	<head>
4	<title>HOWTO client+server</title>
5	<style type="text/css">
6	<!--
7
8	html { background: #eee; color: #000; }
9
10	body { background: #eee; color: #000; margin: 0; padding: 0;}
11
12	div.body {
13	background: #fff; color: #000;
14	margin: 0 1em 0 1em; padding: 1em;
15	font-family: serif;
16	font-size: 1em; line-height: 1.2em;
17	border-width: 0 1px 0 1px;
18	border-style: solid;
19	border-color: #aaa;
20	}
21
22	div.block {
23	background: #b6c5f2; color: #000;
24	margin: 1em; padding: 0 1em 0 1em;
25	border-width: 1px;
26	border-style: solid;
27	border-color: #2d4488;
28	}
29
30	div.warnblock {
31	background: #b6c5f2; color: #000;
32	margin: 1em; padding: 0 1em 0 1em;
33	border-width: 1px;
34	border-style: solid;
35	border-color: #FF9900;
36	}
37
38	table {
39	background: #F8F8F8; color: #000;
40	margin: 1em;
41	border-width: 0 0 0 1px;
42	border-style: solid;
43	border-color: #C0C0C0;
44	}
45
46	td {
47	border-width: 0 1px 1px 0;
48	border-style: solid;
49	border-color: #C0C0C0;
50	}
51
52	th {
53	background: #F8F8FF;
54	border-width: 1px 1px 2px 0;
55	border-style: solid;
56	border-color: #C0C0C0;
57	}
58
59
60	/* body text, headings, and rules */
61
62	p { margin: 0; text-indent: 0em; margin: 0 0 0.5em 0 }
63
64	h1, h2, h3, h4, h5, h6 {
65	color: #206020; background: transparent;
66	font-family: Optima, Arial, Helvetica, sans-serif;
67	font-weight: normal;
68	}
69
70	h1 { font-size: 1.69em; margin: 1.4em 0 0.4em 0; }
71	h2 { font-size: 1.44em; margin: 1.4em 0 0.4em 0; }
72	h3 { font-size: 1.21em; margin: 1.4em 0 0.4em 0; }
73	h4 { font-size: 1.00em; margin: 1.4em 0 0.4em 0; }
74	h5 { font-size: 0.81em; margin: 1.4em 0 0.4em 0; }
75	h6 { font-size: 0.64em; margin: 1.4em 0 0.4em 0; }
76
77	hr {
78	color: transparent; background: transparent;
79	height: 0px; margin: 0.6em 0;
80	border-width: 1px ;
81	border-style: solid;
82	border-color: #999;
83	}
84
85	/* bulleted lists and definition lists */
86
87	ul { margin: 0 1em 0.6em 2em; padding: 0; }
88	li { margin: 0.4em 0 0 0; }
89
90	dl { margin: 0.6em 1em 0.6em 2em; }
91	dt { color: #285577; }
92
93	tt { color: #602020; }
94
95	/* links */
96
97	a.link {
98	color: #33c; background: transparent;
99	text-decoration: none;
100	}
101
102	a:hover {
103	color: #000; background: transparent;
104	}
105
106	body > a {
107	font-family: Optima, Arial, Helvetica, sans-serif;
108	font-size: 0.81em;
109	}
110
111	h1, h2, h3, h4, h5, h6 {
112	color: #2d5588; background: transparent;
113	font-family: Optima, Arial, Helvetica, sans-serif;
114	font-weight: normal;
115	}
116
117	-->
118	</style></head>
119
120	<body>
121	<div class="body">
122	<p style="text-align: center; background: #ccc; border: 1px solid #2d5588;"><a
123	style="text-decoration: none;"
124	href="http://www.la-samhna.de/samhain/">samhain file integrity
125	scanner</a> \| <a style="text-decoration: none;"
126	href="http://www.la-samhna.de/samhain/s_documentation.html">online
127	documentation</a></p>
128	<br><center>
129	<h1>Setting up a client/server samhain system</h1>
130	</center>
131	<br>
132	<hr>
133	<p>
134	This document aims to explain how to set up a client/server
135	samhain system, where the client (samhain) runs on one machine to be
136	monitored, and sends reports via TCP/IP to a remote server (yule).
137	</p>
138	<p>
139	<b>Please note:</b> the server (yule) does not perform any filesystem and/or
140	kernel checks. If you want to perform such checks on the log server host,
141	you need to run a samhain client on this host as well.
142	</p>
143	<p>
144	Client and server are
145	<b>distict applications</b>, and must be
146	built separately. By default, installation names and paths (e.g.
147	the configuration file) are
148	different. Do not blame us if you abuse './configure' options to
149	cause name clashes, if you install both on the same host.
150	</p>
151
152	<h2>Introduction</h2>
153	<p>
154	Samhain can be compiled for remote logging to a central server via a
155	secure (AES-encrypted, signed, and authenticated) TCP/IP connection.
156	</p><p>
157	In addition, both the client configuration file and the file signature
158	database can be stored on the server. The client will then pull them from
159	the server upon startup.
160	</p><p>
161	This requires three basic steps:
162	</p>
163	<ol>
164	<li>
165	compile and install server and client,
166	</li>
167	<li>
168	establish trust between client and server, and
169	</li>
170	<li>
171	enable remote logging in the client's configuration file.
172	</li>
173	</ol>
174
175
176	<h2>Compiling</h2>
177
178	<h3>The server - yule</h3>
179
180	<p>
181	<b>Note: </b> the server can be started with root privileges (e.g. to use
182	a privileged port < 1024), but it will always
183	drop root privileges irrevocably
184	before accepting any connections, and run as a non-root user. This user
185	can be specified explicitely with the <i>configure</i>
186	option <tt>--enable-identity=USER</tt>. The default is
187	the first existing user
188	out of the list <i>yule, daemon, nobody</i>.
189	</p>
190
191	<pre>
192
193	bash$ ./configure --enable-network=server
194	bash$ make
195	bash$ make install
196
197	</pre>
198
199	<h3>The client - samhain</h3>
200
201
202	<ul>
203	<li>
204	<p>
205	If you just want remote logging:
206	</p><p>
207	<tt>   ./configure --enable-network=client
208	--with-logserver=server.example.com</tt>
209	</p>
210	</li>
211	<li>
212	<p>
213	If you want configuration and database files on the server:
214	</p><p>
215	<tt>   ./configure --enable-network=client
216	--with-logserver=server.example.com \<br />
217	--with-config-file=REQ_FROM_SERVER/etc/samhainrc \<br />
218	--with-data-file=REQ_FROM_SERVER/var/lib/samhain/samhain_file</tt>
219	</p>
220	</li>
221	</ul>
222	<p>
223	The path after the keyword <tt>REQ_FROM_SERVER</tt> has the following meaning:
224	<ul>
225	<li>for the configuration file:
226	<ul>
227	<li> if <i>initializing</i>, and the connection to the server
228	fails, samhain will fall back on the local file (if given);
229	</li>
230	<li> if in <i>check mode</i>, it is <i>ignored</i>. Samhain will
231	abort if the connection to the server fails.
232	</li>
233	</ul>
234	Thus, the local path allows you to initialize the database from a local
235	configuration file before the client is known to the server.
236	</li>
237	<li>for the database file:
238	<ul>
239	<li> if <i>initializing</i>, the database is written to the local file;
240	</li>
241	<li> if in <i>check mode</i>, the local path is <i>ignored</i>. Samhain will
242	abort if the connection to the server fails.
243	</li>
244	</ul>
245	Thus, <i>init</i> (or <i>update</i>) always requires a local file that
246	must be uploaded to the server thereafter. <b>Note</b> that if you
247	use the <b>Beltane</b> web-based frontend, database updates can be performed
248	on the server without ever running an <i>update</i> on the client.
249	</li>
250	</ul>
251
252	<h2>Establishing trust between client and server</h2>
253
254	<p>
255	By default, samhain uses the SRP (Secure Remote Password) protocol,
256	with a password that is <i>embedded in the client binary</i>, and a
257	corresponding verifier that is in the <i>server configuration file</i>.
258	</p>
259
260	<h3>Embedding the password in the client, and register it with the server</h3>
261
262	<p>
263	To embed the password in the binary, there is a dummy password compiled
264	in as placeholder, and a utility <i>samhain_setpwd</i> is provided that
265	</p>
266
267	<ol>
268	<li>
269	takes a password as input,
270	</li>
271	<li>
272	searches the original binary for the
273	correct place (i.e. the placeholder), and
274	</li>
275	<li>
276	writes a copy of the original binary, with the placeholder replaced
277	by the password. The original is left untouched. The copy cannot
278	be changed to another password anymore.
279	</li>
280	</ol>
281
282
283	<p>
284	For convenience, the server has functions to
285	</p>
286
287	<ul>
288	<li>
289	<p>
290	generate a random password in the correct format:
291	</p><p>
292	<tt>   sh$ yule -G</tt>
293	</p>
294	</li>
295	<li>
296	<p>
297	and generate a corresponding entry for the
298	server configuration file:
299	</p><p>
300	<tt>   sh$ yule -P PASSWORD</tt>.
301	<p>
302	</li>
303	<li>
304	The generated entry has a string <tt>'HOSTNAME'</tt> that you should
305	replace with the fully qualified name of the client. This entry must
306	then be placed in the <tt>[Clients]</tt> section of the yule configuration
307	file (e.g. <tt>/etc/yulerc</tt>).
308	</li>
309	<li>
310	Finally, you need to tell yule to reload the configuration (send SIGHUP,
311	or use <tt>/etc/init.d/yule reload</tt>).
312	</li>
313	</ul>
314
315
316	<h3>Example</h3>
317
318	<pre style="background-color:#DDDDDD; color:#000000">
319
320	rainer$ ./samhain_setpwd
321
322	Usage: samhain_setpwd <filename> <suffix> <new_password>
323
324	This program is a utility that will:
325	- search in the binary executable <filename> for samhain's
326	compiled-in default password,
327	- change it to <new_password>,
328	- and output the modified binary to <filename>.<suffix>
329
330	To allow for non-printable chars, <new_password> must be
331	a 16-digit hexadecimal number (only 0-9,A-F allowed in input),
332	thus corresponding to an 8-byte password.
333
334	Example: 'samhain_setpwd samhain new 4142434445464748'
335	takes the file 'samhain', sets the password to 'ABCDEFGH'
336	('A' = 41 hex, 'B' = 42 hex, ...) and outputs the result
337	to 'samhain.new'.
338
339	rainer$ yule -G
340	5B5CDF18CE8D66A3
341
342	rainer$ ./samhain_setpwd samhain new 5B5CDF18CE8D66A3
343	INFO old password found
344	INFO replaced: f7c312aaaa12c3f7 by: 5b5cdf18ce8d66a3
345	INFO finished
346
347	rainer$ scp ./samhain.new root@client.example.com:/usr/local/sbin/samhain
348	samhain 100% \|********************************\| 592 KB 00:00
349
350	rainer$ yule -P 5B5CDF18CE8D66A3
351	Client=HOSTNAME@8A542F99C3514499@744C3A3EE8323470D9DAD42E2485BD0B138F6B4116E964\
352	A9991A0B0D221E1AADE5800968804B99B494C39E7B9DD5710D18F1E6703D1DB6D6393295E05DF6A\
353	6AA8D10BB4A21D7D9DC4901D444500D4EA358C1B44A3E3D44ACEC645F938F790A11AB0D03586143\
354	977E2BCE3A2D689445AC89134B409E68F34B0DE8BD8242ADD7C0
355
356	rainer$ yule -P 5B5CDF18CE8D66A3 \| sed s%HOSTNAME%client.example.com% >> /etc/yulerc
357
358	rainer$ tail -2 /etc/yulerc
359	[Clients]
360	Client=client.example.com@8A542F99C3514499@744C3A3EE8323470D9DAD42E2485BD0B138F
361	6B4116E964A9991A0B0D221E1AADE5800968804B99B494C39E7B9DD5710D18F1E6703D1DB6D6393
362	295E05DF6A6AA8D10BB4A21D7D9DC4901D444500D4EA358C1B44A3E3D44ACEC645F938F790A11AB
363	0D03586143977E2BCE3A2D689445AC89134B409E68F34B0DE8BD8242ADD7C0
364
365	rainer$ /etc/init.d/yule reload
366
367	</pre>
368
369	<p>
370	<b>Note 1:</b> the verifier <tt>Client=client.example.com@.....</tt> must be
371	in the <b>[Clients]</b> section of the server configuration file. It is
372	convenient if this is the last section in the config file, because then
373	you can just concatenate the output of <tt>yule -P PASSWORD</tt> to the
374	configuration file. This allows for better automatisation with a simple
375	script.
376	</p>
377	<p>
378	<b>Note 2:</b> samhain comes with a <b>deploy system</b> that handles
379	the deployment of clients, including password embedding and server
380	configuration, in a semi-automatic way.
381	This deploy system is tested and used in a production system
382	of more than 50 machines, and described in detail in Chapt. 10 of the MANUAL.
383	</p>
384
385	<h2>Enabling remote logging</h2>
386	<p>
387	Samhain has multiple independent logging facilities (such as a local logfile,
388	syslog, e-mail, TCP/IP, etc.) that can be used
389	in parallel. You therefore have to specify in the client's configuration
390	file, <b>which logging facility</b> you want to use.
391	</p>
392	<p>
393	Selecting logging facilities is done by setting appropriate <b>thresholds</b>
394	in the <b>[Log]</b> section of the configuration file: each
395	message with a <b>priority</b> exceeding
396	the threshold will be logged via the respective facility. Setting
397	the threshold to <i>none</i> will disable a facility. For details,
398	refer to Chapt. 4 in the MANUAL.
399	</p>
400	<h3>Example</h3>
401	<p>
402	To enable remote logging to the server for all messages of
403	priority <i>error</i> or higher, use the following directive in the
404	client configuration file:
405	</p>
406	<pre style="background-color:#DDDDDD; color:#000000">
407
408	[Log]
409	ExportSeverity=err
410
411	</pre>
412
413
414	<h2>Databases and config files on the server</h2>
415
416	<p>
417	The client does <i>not</i> tell the server the path to the requested
418	file - it just requests a config or a database file. It's entirely the
419	responsibility of the server to locate the correct file and send it.
420	</p>
421	<p>
422	The server has a <i>data directory</i>, which by default would be
423	<tt>/var/lib/yule</tt>, but depends on your compile options.
424	</p>
425	<p>
426	Config files and baseline databases for clients must be located
427	in this directory, and they must be named as follows:
428	</p>
429	<p>
430	Configuration files: <tt>rc.</tt><i>client.mydomain.tld</i> or
431	simply <tt>rc</tt>
432	(this can be used as a catchall file).
433	</p>
434	<p>
435	Database files: <tt>file.</tt><i>client.mydomain.tld</i> or
436	simply <tt>file</tt>
437	(this can be used as a catchall file).
438	</p>
439	</div>
440	</body>
441	</html>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/docs/HOWTO-client+server.html@ 578

Download in other formats: