Index: trunk/docs/Changelog
===================================================================
--- trunk/docs/Changelog	(revision 306)
+++ trunk/docs/Changelog	(revision 307)
@@ -1,3 +1,4 @@
 2.8.1:
+	* Document handling of missing files with secondary schedule
 	* Fix incorrect handling of missing files when secondary schedule
 	  is used (reported by Sergey)
@@ -12,21 +13,21 @@
 	  reported by M. El Nahass (time.h missing in src/sh_login_track.c)
 
-2.8.0:
+2.8.0 (01-11-2010):
 	* Support IPv6
 	* Add registry checking
 	* Use auditd records to find out who did it
 
-2.7.2c:
+2.7.2c (23-09-2010):
         * Fix uppercase hostname problem in client/server communication
 
 
-2.7.2b:
+2.7.2b (05-09-2010):
 	* Fix compile errors on Solaris 10 (reported by A. Saheba)
 
-2.7.2a:
+2.7.2a (23-08-2010):
 	* rewrote rijndaelKeySched() in a more conservative way to fix
 	  compile problem on SLES 11.
 
-2.7.2:
+2.7.2 (16-08-2010):
 	* sh_utils.c: fixed an endianess issue that prevented cross-verification
 	  of email signatures (reported by A. Zangerl)
@@ -42,5 +43,5 @@
 	  Need to provide a dummy argp[].
 
-2.7.1:
+2.7.1 (07-06-2010):
 	* samhain_kmem.c: fix compile problems
 	* fix problems with config file parser: increase max. line length,
Index: trunk/docs/HOWTO-client+server-troubleshooting.html
===================================================================
--- trunk/docs/HOWTO-client+server-troubleshooting.html	(revision 306)
+++ trunk/docs/HOWTO-client+server-troubleshooting.html	(revision 307)
@@ -135,8 +135,24 @@
 <ul>
   <li>Almost all problems can only be diagnosed correctly by checking the 
-      <b>server</b> logs</li>
-  <li>If the server does not write logs, <b>fix this first</b>. For debugging, 
-      stop the server, then run it in the foreground with 
-      <tt>yule -p info --foreground</tt></li>
+      <b>server logs</b>.</li>
+  <li>
+    If the server does not write logs, <b>fix this first</b>. For debugging, 
+    stop the server, then run it in the foreground with 
+    <tt>yule -p info --foreground</tt>
+    <ul>
+      <li>
+	By default, the server logs to the file 
+	<tt>/var/log/yule/yule_log</tt>, and since the server drops 
+	root privileges on startup, the directory <tt>/var/log/yule</tt>
+	must be writable for the nonprivileged user the server runs 
+	as (the first existing out of: yule, daemon, nobody).
+      </li>
+      <li>
+	Logging to the logfile must be enabled in the
+	<tt>/etc/yulerc</tt> config file (e.g. LogSeverity=mark, or 
+	LogSeverity=info for enhanced verbosity).
+      </li>
+    </ul>
+  </li>
 </ul>
 </div>
@@ -257,14 +273,25 @@
      <p>
      <p>
-     This does not work for a number of people because (1) the
-     <tt>/etc/hosts</tt> file on the client machine has errors 
-     (yes, there are plenty machines with a completely 
-     messed up <tt>/etc/hosts</tt> file), (2) the
-     server cannot resolve the client address because the local DNS is
-     f***ed up, or (3) the client machine has multiple network interfaces, and
-     the interface used is not the one the client name resolves to.
-     </p>
-
-       <p>
+     This does not work for a number of people because
+     <ol>
+       <li>
+	 the
+	 <tt>/etc/hosts</tt> file on the client machine has errors 
+	 (yes, there are plenty machines with a completely 
+	 messed up <tt>/etc/hosts</tt> file),
+       </li>
+       <li>
+	 the
+	 server cannot resolve the client address because the local DNS is
+	 misconfigured, or 
+       </li>
+       <li> 
+	 the client machine has multiple network interfaces, and
+	 the interface used is not the one the client name resolves to.
+       </li>
+     </ol>
+     </p>
+
+     <p>
        If the client uses the wrong interface on a multi-interface machine, 
        there is a config file option 
@@ -272,29 +299,30 @@
        that allows to choose the interface the client will use for
        outgoing connections.
-       </p>
-       <p>
+     </p>
+     <p>
        If you want to download the config file from the server, you
        should instead use the corresponding command line option
        <tt>--bind-address=</tt><i>IP address</i>
        to select the interface.
-       </p>
-
-     <p>
-     If you encounter problems, you may (1) fix your 
-     <tt>/etc/hosts</tt> file(s), (2) fix your local DNS, or
-     (3) switch to the second method.
-     </p>
-     <p>
-     Errors in name resolving/cross-checking can be avoided by setting a 
-     very low severity (lower than the logging threshold), e.g.
-     </p>
-     <p>
-     <tt>SeverityLookup=</tt><i>debug</i>
-     </p>
-     <p>
-     in the <i>Misc</i> section of the server configuration,
-     if you prefer running <i>unsafe</i> at any speed 
-     instead of fixing the problem (you have been warned). Doing so will
-     allow an attacker to pose as the client.
+     </p>
+
+     <p>
+       If you encounter problems, you may (1) fix your 
+       <tt>/etc/hosts</tt> file(s), (2) fix your local DNS, or
+       (3) switch to the second method.
+     </p>
+     <p>
+       Error messages related to name resolving/cross-checking can be 
+       suppressed by setting a 
+       very low severity (lower than the logging threshold), e.g.
+     </p>
+     <p>
+       <tt>SeverityLookup=</tt><i>debug</i>
+     </p>
+     <p>
+       in the <i>Misc</i> section of the server configuration,
+       if you prefer running <i>unsafe</i> at any speed 
+       instead of fixing the problem (you have been warned). Doing so will
+       allow an attacker to pose as the client.
      </p>
   </li>
@@ -325,5 +353,6 @@
 <p>
 The client does <i>not</i> tell the server the path to the requested
-file - it just requests a config or a database file. It's entirely the
+file - it just tells the <em>type</em> of the file, i.e. 
+either a configuration file or a database file. It is entirely the
 responsibility of the server to locate the correct file and send it.
 </p>
@@ -356,4 +385,15 @@
 To fix: put the file in the correct location, make sure the permissions
 are ok.
+<ul>
+  <li>
+    Note that <em>the server drops root privileges at startup</em> and
+    runs as an unprivileged user (the first existing out of: 
+    yule, daemon, nobody).
+  </li>
+  <li>
+    Also remember that to access a file, at least execute permission is required
+    <em>for every directory in the path</em>.
+  </li>
+</ul>
 </p>
 
Index: trunk/docs/HOWTO-samhain-on-windows.html
===================================================================
--- trunk/docs/HOWTO-samhain-on-windows.html	(revision 306)
+++ trunk/docs/HOWTO-samhain-on-windows.html	(revision 307)
@@ -278,5 +278,5 @@
 the Cygwin filesystem view, i.e. <tt>/cygdrive/c/...</tt>, otherwise
 samhain may not work from a pure DOS shell, and may not run as a Windows 
-service.
+service [Rainer Wichmann].
 </p>
 </div>
@@ -399,4 +399,24 @@
 </li>
 </ul>
+<div class="block">
+<p>
+It seems that start/stop/restart the service does not work if samhain 
+is configured to run as a daemon, because the Windows service manager
+cannot track the forked daemon process.
+</p>
+<p>Therefore, if you run Samhain as a Windows service, it might be better
+to configure it as a 'normal' process which does not fork a daemon:
+<ul>
+  <li>
+    Set 'Daemon = no' in the samhainrc configuration file.
+  </li>
+  <li>
+    Edit the key HKEY_LOCAL_MACHINE-&gt;SYSTEM-&gt;CurrentControlSet-&gt;Services-&gt;Samhain->Parameters to add a string value named 'AppParameters', with
+    the value '--forever'.
+  </li>
+</ul>
+[Rainer Wichmann].
+</p>
+</div>
 <p>
 Also see <a href="http://support.microsoft.com/kb/q137890/">http://support.microsoft.com/kb/q137890/</a> for information regarding the creation of a 
Index: trunk/src/samhain.c
===================================================================
--- trunk/src/samhain.c	(revision 306)
+++ trunk/src/samhain.c	(revision 307)
@@ -2024,5 +2024,4 @@
 	  if (flag_check_2 == 1 || FileSchedTwo == NULL)
 	    {
-	      fprintf(stderr, "FIXME check unvisited\n");
 	      TPT((0, FIL__, __LINE__, _("msg=<Check for missing files.>\n")))
 	      sh_hash_unvisited (ShDFLevel[SH_ERR_T_FILE]);
Index: trunk/src/sh_calls.c
===================================================================
--- trunk/src/sh_calls.c	(revision 306)
+++ trunk/src/sh_calls.c	(revision 307)
@@ -226,5 +226,4 @@
   } while (val_retry < 0 && errno == EINTR);
 
-  *addrlen = (int) my_addrlen;
   error = errno;
   if (val_retry < 0) {
@@ -237,4 +236,5 @@
   sh_ipvx_save(serv_addr, ss.ss_family, (struct sockaddr *) &ss);
 
+  *addrlen = (int) my_addrlen;
   SL_RETURN(val_retry, _("retry_accept"));
 }
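Review bot: In this hunk `sh_ipvx_save(serv_addr, ss.ss_family, ...)` and the relocated `*addrlen = (int) my_addrlen;` both run unconditionally. The `if (val_retry < 0)` branch opened at the end of the previous hunk has its body outside both hunks; unless it returns, a failed accept() still hands the caller a `ss` and length that accept() never filled in. Consider guarding both with `if (val_retry >= 0) { sh_ipvx_save(serv_addr, ss.ss_family, (struct sockaddr *) &ss); *addrlen = (int) my_addrlen; }`, so callers never act on a peer address that was not written by the kernel. If the error branch does return early, a short comment saying so above `sh_ipvx_save` would make that guarantee visible.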
Index: trunk/src/sh_files.c
===================================================================
--- trunk/src/sh_files.c	(revision 306)
+++ trunk/src/sh_files.c	(revision 307)
@@ -377,5 +377,4 @@
 		  if (S_FALSE == sh_ignore_chk_del(ptr->name))
 		    {
-		      fprintf(stderr, "FIXME 1 %s, %d\n", ptr->name, ptr->is_reported);
 		      if (0 != hashreport_missing(ptr->name, 
 						  (ptr->class == SH_LEVEL_ALLIGNORE) ? 
@@ -436,5 +435,4 @@
 		      if (S_FALSE == sh_ignore_chk_del(ptr->name))
 			{
-			  fprintf(stderr, "FIXME 2 %s, %d\n", ptr->name, ptr->is_reported);
 			  if (0 != hashreport_missing(ptr->name, 
 						      (ptr->class == SH_LEVEL_ALLIGNORE) ? 
@@ -1292,5 +1290,4 @@
 	      if (S_FALSE == sh_ignore_chk_del(ptr->name))
 		{
-		  fprintf(stderr, "FIXME 2 %s, %d\n", ptr->name, ptr->is_reported);
 		  if (0 != hashreport_missing(ptr->name, 
 					      (ptr->class == SH_LEVEL_ALLIGNORE) ? 
Index: trunk/src/sh_forward.c
===================================================================
--- trunk/src/sh_forward.c	(revision 306)
+++ trunk/src/sh_forward.c	(revision 307)
@@ -5028,5 +5028,6 @@
 #endif
 
-  int                sock = -1;
+  /* Use volatile to circumvent a gcc4 problem on RH/CentOS 4.8 (?) */
+  volatile int       sock = -1;
   sh_conn_t        * cx;
   fd_set             readset;
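Review bot: The new comment on `volatile int sock` records that a workaround exists but not what it works around, and the trailing "(?)" leaves a maintainer unable to judge when the qualifier can be removed. A `volatile` local that changes behaviour usually points at either a variable live across `setjmp`/`longjmp` or a signal handler, or at undefined behaviour elsewhere in the function that the optimizer exposes. The function body lies outside this hunk, so which one applies cannot be confirmed here. I would expand the comment to state the observed symptom and compiler version, e.g. `/* volatile: sock miscompiled by gcc 4 on RH/CentOS 4.8 (symptom: <describe>); root cause not yet identified, do not remove without retesting */`.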
Index: trunk/src/sh_hash.c
===================================================================
--- trunk/src/sh_hash.c	(revision 306)
+++ trunk/src/sh_hash.c	(revision 307)
@@ -688,5 +688,4 @@
 	  
 	  goto end;
-	  SL_RET0(_("sh_hash_remove"));
 #else
 	  SET_SH_FFLAG_REPORTED(p->fflags); 
