Changeset 307

Timestamp:

Dec 3, 2010, 10:44:38 PM (14 years ago)

Author:

katerina

Message:

Fix for ticket #229 (malfunction on CentOS 4.8 / gcc4), documentation update.

Location:

trunk

Files:

• docs/Changelog (modified) (3 diffs)
• docs/HOWTO-client+server-troubleshooting.html (modified) (5 diffs)
• docs/HOWTO-samhain-on-windows.html (modified) (2 diffs)
• src/samhain.c (modified) (1 diff)
• src/sh_calls.c (modified) (2 diffs)
• src/sh_files.c (modified) (3 diffs)
• src/sh_forward.c (modified) (1 diff)
• src/sh_hash.c (modified) (1 diff)

trunk/docs/Changelog

@@ -1 +1 @@
 2.8.1:
+        * Document handling of missing files with secondary schedule
         * Fix incorrect handling of missing files when secondary schedule
           is used (reported by Sergey)
@@ -12 +13 @@
           reported by M. El Nahass (time.h missing in src/sh_login_track.c)
 
-2.8.0:
+2.8.0 (01-11-2010):
         * Support IPv6
         * Add registry checking
         * Use auditd records to find out who did it
 
-2.7.2c:
+2.7.2c (23-09-2010):
         * Fix uppercase hostname problem in client/server communication
 
 
-2.7.2b:
+2.7.2b (05-09-2010):
         * Fix compile errors on Solaris 10 (reported by A. Saheba)
 
-2.7.2a:
+2.7.2a (23-08-2010):
         * rewrote rijndaelKeySched() in a more conservative way to fix
           compile problem on SLES 11.
 
-2.7.2:
+2.7.2 (16-08-2010):
         * sh_utils.c: fixed an endianess issue that prevented cross-verification
           of email signatures (reported by A. Zangerl)
@@ -42 +43 @@
           Need to provide a dummy argp[].
 
-2.7.1:
+2.7.1 (07-06-2010):
         * samhain_kmem.c: fix compile problems
         * fix problems with config file parser: increase max. line length,

trunk/docs/HOWTO-client+server-troubleshooting.html

@@ -135 +135 @@
 <ul>
   <li>Almost all problems can only be diagnosed correctly by checking the 
-      <b>server</b> logs</li>
-  <li>If the server does not write logs, <b>fix this first</b>. For debugging, 
-      stop the server, then run it in the foreground with 
-      <tt>yule -p info --foreground</tt></li>
+      <b>server logs</b>.</li>
+  <li>
+    If the server does not write logs, <b>fix this first</b>. For debugging, 
+    stop the server, then run it in the foreground with 
+    <tt>yule -p info --foreground</tt>
+    <ul>
+      <li>
+        By default, the server logs to the file 
+        <tt>/var/log/yule/yule_log</tt>, and since the server drops 
+        root privileges on startup, the directory <tt>/var/log/yule</tt>
+        must be writable for the nonprivileged user the server runs 
+        as (the first existing out of: yule, daemon, nobody).
+      </li>
+      <li>
+        Logging to the logfile must be enabled in the
+        <tt>/etc/yulerc</tt> config file (e.g. LogSeverity=mark, or 
+        LogSeverity=info for enhanced verbosity).
+      </li>
+    </ul>
+  </li>
 </ul>
 </div>
@@ -257 +273 @@
      <p>
      <p>
-     This does not work for a number of people because (1) the
-     <tt>/etc/hosts</tt> file on the client machine has errors 
-     (yes, there are plenty machines with a completely 
-     messed up <tt>/etc/hosts</tt> file), (2) the
-     server cannot resolve the client address because the local DNS is
-     f***ed up, or (3) the client machine has multiple network interfaces, and
-     the interface used is not the one the client name resolves to.
-     </p>
-
-       <p>
+     This does not work for a number of people because
+     <ol>
+       <li>
+         the
+         <tt>/etc/hosts</tt> file on the client machine has errors 
+         (yes, there are plenty machines with a completely 
+         messed up <tt>/etc/hosts</tt> file),
+       </li>
+       <li>
+         the
+         server cannot resolve the client address because the local DNS is
+         misconfigured, or 
+       </li>
+       <li> 
+         the client machine has multiple network interfaces, and
+         the interface used is not the one the client name resolves to.
+       </li>
+     </ol>
+     </p>
+
+     <p>
        If the client uses the wrong interface on a multi-interface machine, 
        there is a config file option 
@@ -272 +299 @@
        that allows to choose the interface the client will use for
        outgoing connections.
-       </p>
-       <p>
+     </p>
+     <p>
        If you want to download the config file from the server, you
        should instead use the corresponding command line option
        <tt>--bind-address=</tt><i>IP address</i>
        to select the interface.
-       </p>
-
-     <p>
-     If you encounter problems, you may (1) fix your 
-     <tt>/etc/hosts</tt> file(s), (2) fix your local DNS, or
-     (3) switch to the second method.
-     </p>
-     <p>
-     Errors in name resolving/cross-checking can be avoided by setting a 
-     very low severity (lower than the logging threshold), e.g.
-     </p>
-     <p>
-     <tt>SeverityLookup=</tt><i>debug</i>
-     </p>
-     <p>
-     in the <i>Misc</i> section of the server configuration,
-     if you prefer running <i>unsafe</i> at any speed 
-     instead of fixing the problem (you have been warned). Doing so will
-     allow an attacker to pose as the client.
+     </p>
+
+     <p>
+       If you encounter problems, you may (1) fix your 
+       <tt>/etc/hosts</tt> file(s), (2) fix your local DNS, or
+       (3) switch to the second method.
+     </p>
+     <p>
+       Error messages related to name resolving/cross-checking can be 
+       suppressed by setting a 
+       very low severity (lower than the logging threshold), e.g.
+     </p>
+     <p>
+       <tt>SeverityLookup=</tt><i>debug</i>
+     </p>
+     <p>
+       in the <i>Misc</i> section of the server configuration,
+       if you prefer running <i>unsafe</i> at any speed 
+       instead of fixing the problem (you have been warned). Doing so will
+       allow an attacker to pose as the client.
      </p>
   </li>
@@ -325 +353 @@
 <p>
 The client does <i>not</i> tell the server the path to the requested
-file - it just requests a config or a database file. It's entirely the
+file - it just tells the <em>type</em> of the file, i.e. 
+either a configuration file or a database file. It is entirely the
 responsibility of the server to locate the correct file and send it.
 </p>
@@ -356 +385 @@
 To fix: put the file in the correct location, make sure the permissions
 are ok.
+<ul>
+  <li>
+    Note that <em>the server drops root privileges at startup</em> and
+    runs as an unprivileged user (the first existing out of: 
+    yule, daemon, nobody).
+  </li>
+  <li>
+    Also remember that to access a file, at least execute permission is required
+    <em>for every directory in the path</em>.
+  </li>
+</ul>
 </p>
 

trunk/docs/HOWTO-samhain-on-windows.html

@@ -278 +278 @@
 the Cygwin filesystem view, i.e. <tt>/cygdrive/c/...</tt>, otherwise
 samhain may not work from a pure DOS shell, and may not run as a Windows 
-service.
+service [Rainer Wichmann].
 </p>
 </div>
@@ -399 +399 @@
 </li>
 </ul>
+<div class="block">
+<p>
+It seems that start/stop/restart the service does not work if samhain 
+is configured to run as a daemon, because the Windows service manager
+cannot track the forked daemon process.
+</p>
+<p>Therefore, if you run Samhain as a Windows service, it might be better
+to configure it as a 'normal' process which does not fork a daemon:
+<ul>
+  <li>
+    Set 'Daemon = no' in the samhainrc configuration file.
+  </li>
+  <li>
+    Edit the key HKEY_LOCAL_MACHINE-&gt;SYSTEM-&gt;CurrentControlSet-&gt;Services-&gt;Samhain->Parameters to add a string value named 'AppParameters', with
+    the value '--forever'.
+  </li>
+</ul>
+[Rainer Wichmann].
+</p>
+</div>
 <p>
 Also see <a href="http://support.microsoft.com/kb/q137890/">http://support.microsoft.com/kb/q137890/</a> for information regarding the creation of a 

trunk/src/samhain.c

@@ -2024 +2024 @@
           if (flag_check_2 == 1 || FileSchedTwo == NULL)
             {
-              fprintf(stderr, "FIXME check unvisited\n");
               TPT((0, FIL__, __LINE__, _("msg=<Check for missing files.>\n")))
               sh_hash_unvisited (ShDFLevel[SH_ERR_T_FILE]);

trunk/src/sh_calls.c

@@ -226 +226 @@
   } while (val_retry < 0 && errno == EINTR);
 
-  *addrlen = (int) my_addrlen;
   error = errno;
   if (val_retry < 0) {
@@ -237 +236 @@
   sh_ipvx_save(serv_addr, ss.ss_family, (struct sockaddr *) &ss);
 
+  *addrlen = (int) my_addrlen;
   SL_RETURN(val_retry, _("retry_accept"));
 }

trunk/src/sh_files.c

@@ -377 +377 @@
                   if (S_FALSE == sh_ignore_chk_del(ptr->name))
                     {
-                      fprintf(stderr, "FIXME 1 %s, %d\n", ptr->name, ptr->is_reported);
                       if (0 != hashreport_missing(ptr->name, 
                                                   (ptr->class == SH_LEVEL_ALLIGNORE) ? 
@@ -436 +435 @@
                       if (S_FALSE == sh_ignore_chk_del(ptr->name))
                         {
-                          fprintf(stderr, "FIXME 2 %s, %d\n", ptr->name, ptr->is_reported);
                           if (0 != hashreport_missing(ptr->name, 
                                                       (ptr->class == SH_LEVEL_ALLIGNORE) ? 
@@ -1292 +1290 @@
               if (S_FALSE == sh_ignore_chk_del(ptr->name))
                 {
-                  fprintf(stderr, "FIXME 2 %s, %d\n", ptr->name, ptr->is_reported);
                   if (0 != hashreport_missing(ptr->name, 
                                               (ptr->class == SH_LEVEL_ALLIGNORE) ? 

trunk/src/sh_forward.c

@@ -5028 +5028 @@
 #endif
 
-  int                sock = -1;
+  /* Use volatile to circumvent a gcc4 problem on RH/CentOS 4.8 (?) */
+  volatile int       sock = -1;
   sh_conn_t        * cx;
   fd_set             readset;

trunk/src/sh_hash.c

@@ -688 +688 @@
           
           goto end;
-          SL_RET0(_("sh_hash_remove"));
 #else
           SET_SH_FFLAG_REPORTED(p->fflags);