Table of Contents
- 1. General
- 2. Important installation notes
- 3. Registering a client
- 4. Enabling logging to the server
- 5. Enabling baseline database / configuration file download from the server
- 6. Rules for logging of client messages
- 7. Detecting 'dead' clients
- 8. The HTML server status page
- 9. Chroot
- 10. Restrict access with libwrap (tcp wrappers)
- 11. Sending commands to clients
- 12. Syslog logging
- 13. Server-to-server relay
- 14. Performance tuning
yule is the log server within the samhain file integrity monitoring system. yule is part of the distribution package. It is only required if you intend to use the client/server capability of the samhain system for centralized logging to yule.
Client and server are distinct applications and must be built separately. By default, installation names and paths (e.g. the configuration file) are different. Do not blame us if you abuse './configure' options to cause name clashes when you install both on the same host.
To compile yule, you must use ./configure --enable-network=server . To compile a samhain client, you must use ./configure --enable-network=client .
yule is a non-forking server. Instead of forking a new process for each incoming logging request, it multiplexes connections internally. Apart from samhain client reports (see below), yule (version 1.2.8+) can also collect syslog reports by listening on port 514/udp, if compiled with this option enabled (see also man syslogd).
Each potential client must be registered with yule before it can connect (see the section on registering a client and the example below). The client tells its host name to the server, and the server verifies it against the peer of the connecting socket. On the first connection made by a client, an authentication protocol is performed. This protocol provides mutual authentication of client and server, as well as a fresh session key.
By default, all messages are encrypted using Rijndael (selected as the Advanced Encryption Standard (AES) algorithm). The 192-bit key version of the algorithm is used. There is a compile-time option to switch off encryption if your local laws do not allow its use (see Appendix).
yule keeps track of all clients and their session keys. As connections are dropped after successful completion of message delivery, there is no limit on the total number of clients. There is, however, a limit on the maximum number of simultaneous connections. This limit depends on the operating system, but may be of order 1000.
Session keys expire after two hours. If its session key has expired, the client is forced to repeat the authentication protocol to set up a fresh session key.
Incoming messages are signed by the client. On receipt, yule will:
- check the signature,
- accept the message if the signature can be verified, otherwise discard it and issue an error message,
- discard the client's signature,
- log the message, and the client's hostname, to the console and the log file, and
- add its own signature to the log file entry.
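The following is an added example, not samhain's or yule's own code, that models the client/server behaviour described above: registration and hostname-vs-peer checking, per-client session keys that expire after two hours, verification of the client's signature, discarding the message on a bad signature, and the server appending its own signature to the log entry. The page does not describe the wire protocol, so the key-agreement step is stubbed by the server handing out a random key (assumption), HMAC-SHA256 stands in for whatever signature scheme yule really uses (assumption), and the peer hostname is passed in explicitly as if it came from a reverse lookup of the connecting socket. All hostnames, keys and the report line are constructed.

```python
import hashlib
import hmac
import os
import time

# From the text: session keys expire after two hours.
SESSION_LIFETIME = 2 * 3600


class Yule:
    """Toy stand-in for the log server. Not the real yule implementation."""

    def __init__(self, registered_clients, server_key, now=time.time):
        self.registered = set(registered_clients)   # hosts known to the server
        self.server_key = server_key                # key for the server's own log signature
        self.sessions = {}                          # hostname -> (session_key, issued_at)
        self.log = []                               # (entry, server_signature)
        self.errors = []                            # error messages the server would issue
        self.now = now                              # injectable clock, to simulate expiry

    def authenticate(self, hostname, peer_hostname):
        # The client tells the server its hostname; the server checks it against
        # the peer of the socket and refuses unregistered or mismatching clients.
        if hostname not in self.registered or hostname != peer_hostname:
            self.errors.append(f"refused client {hostname!r} connecting from {peer_hostname!r}")
            return None
        key = os.urandom(32)  # assumption: stands in for the real key-agreement step
        self.sessions[hostname] = (key, self.now())
        return key

    def session_valid(self, hostname):
        session = self.sessions.get(hostname)
        return session is not None and self.now() - session[1] < SESSION_LIFETIME

    def receive(self, hostname, message, client_sig):
        # An expired (or missing) session forces the client to re-authenticate.
        if not self.session_valid(hostname):
            self.sessions.pop(hostname, None)
            self.errors.append(f"no valid session for {hostname}; re-authentication required")
            return False
        key = self.sessions[hostname][0]
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, client_sig):
            self.errors.append(f"discarded message from {hostname}: bad signature")
            return False
        # Signature verified: drop it, log hostname + message, add the server's own signature.
        entry = hostname.encode() + b": " + message
        server_sig = hmac.new(self.server_key, entry, hashlib.sha256).hexdigest()
        self.log.append((entry, server_sig))
        return True


class Client:
    """Toy client: signs each report with its current session key."""

    def __init__(self, hostname):
        self.hostname = hostname
        self.key = None

    def sign(self, message):
        return hmac.new(self.key, message, hashlib.sha256).digest()


def verify_log(server):
    """True if every stored entry still carries a valid server signature."""
    return all(hmac.new(server.server_key, e, hashlib.sha256).hexdigest() == s
               for e, s in server.log)


def run_demo():
    clock = [1_000_000.0]  # fake clock so two hours can pass instantly
    server = Yule({"web1.example.org"}, b"constructed-server-key", now=lambda: clock[0])
    client = Client("web1.example.org")
    client.key = server.authenticate(client.hostname, peer_hostname="web1.example.org")
    report = b"file /etc/passwd changed (constructed report)"
    results = {}
    results["good"] = server.receive(client.hostname, report, client.sign(report))
    # Message altered in transit: signature no longer matches, message is discarded.
    results["tampered"] = server.receive(client.hostname, report + b" edited", client.sign(report))
    # Registered name claimed from the wrong peer, and an unregistered host: both refused.
    results["impostor"] = server.authenticate("web1.example.org", peer_hostname="evil.example.org") is None
    results["unregistered"] = server.authenticate("db9.example.org", peer_hostname="db9.example.org") is None
    # Two hours pass: the session key expires and delivery fails until re-authentication.
    clock[0] += SESSION_LIFETIME + 1
    results["expired"] = server.receive(client.hostname, report, client.sign(report))
    client.key = server.authenticate(client.hostname, peer_hostname="web1.example.org")
    results["reauth"] = server.receive(client.hostname, report, client.sign(report))
    return server, results


if __name__ == "__main__":
    srv, res = run_demo()
    for name, ok in res.items():
        print(f"{name:12s} {ok}")
    for entry, sig in srv.log:
        print(entry.decode(), sig)
    print("\n".join(srv.errors))
```

Two points worth noting against the description above: the server never stores the client's signature (only its own over the hostname-plus-message entry), so log integrity rests on the server key rather than on per-client keys; and the expiry check runs before signature verification, so a client with a stale key receives a re-authentication error rather than a bad-signature error.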