A significant advantage of samhain is the option to store baseline databases and configuration files on the central log server (yule), from where they can be downloaded by clients upon startup. In order to use this option, clients must be configured to retrieve these files from the server rather than from the local filesystem.
Tip: Obviously, retrieving the configuration file from the log server requires that the IP address of the log server is compiled in, using the option ./configure --with-logserver=HOST .
Downloaded files are written to a temporary file that is created in the home directory of the effective user (usually root). The filename is chosen at random, the file is opened for writing after checking that it does not exist already, and immediately thereafter unlinked. Thus the name of the file will be deleted from the filesystem, but the file itself will remain in existence until the file descriptor referring to it is closed (see man unlink), or the process exits (on exit, all open file descriptors belonging to the process are closed).
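The unlinked-temporary-file pattern described above, as an added illustration in C (not samhain's own code): mkstemp() picks the random name and creates the file with O_EXCL, the name is removed at once, and the data stays reachable only through the open descriptor. The directory, file-name template and sample payload are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open an anonymous scratch file in `dir`. mkstemp() picks a random name and
 * creates it with O_CREAT|O_EXCL and mode 0600, so a pre-existing file or
 * symlink of that name is never reused; the name is then unlinked right away.
 * The returned descriptor is the only remaining reference: the storage is
 * released when it is closed or when the process exits. Returns -1 on error. */
int open_unlinked_tmpfile(const char *dir)
{
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/samhain-dl.XXXXXX", dir); /* assumed template */
    if (n < 0 || (size_t)n >= sizeof path) { errno = ENAMETOOLONG; return -1; }
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (unlink(path) != 0) { int e = errno; close(fd); errno = e; return -1; }
    return fd;
}

/* Store `payload` (standing in for a file received from the server) in an
 * unlinked temp file, rewind, and read it back into `out`. Returns the number
 * of bytes read back, or -1 on error. No name exists in `dir` at any point
 * after open_unlinked_tmpfile() returns. */
ssize_t stash_and_reread(const char *dir, const char *payload, char *out, size_t outlen)
{
    int fd = open_unlinked_tmpfile(dir);
    if (fd < 0) return -1;
    size_t len = strlen(payload);
    if (write(fd, payload, len) != (ssize_t)len) { close(fd); return -1; }
    if (lseek(fd, 0, SEEK_SET) != 0) { close(fd); return -1; }
    ssize_t got = read(fd, out, outlen - 1);
    close(fd); /* last reference dropped: the file's storage is freed here */
    if (got < 0) return -1;
    out[got] = '\0';
    return got;
}

int main(void)
{
    char buf[256];
    const char *home = getenv("HOME"); /* the effective user's home, as in the text */
    ssize_t n = stash_and_reread(home ? home : "/tmp", "# constructed sample\n", buf, sizeof buf);
    printf("%zd bytes read back through the unlinked descriptor:\n%s", n, buf);
    return n < 0;
}
```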
If the compiled-in path to the configuration file begins with the special value ``REQ_FROM_SERVER'', the client will request to download the configuration file from yule (i.e. from the server).
If ``REQ_FROM_SERVER'' is followed by a path, the client will use the path following ``REQ_FROM_SERVER'' as a fallback if (and only if) it is initializing the database. This is a convenience feature to allow initializing the database(s) before the client is registered with the server.
Example:
./configure --with-config-file=REQ_FROM_SERVER/etc/conf.samhain
In this case, the client will request to download the configuration file from the server. If the connection to the server fails, it will exit on error if run in 'check' mode, but fall back to /etc/conf.samhain as its configuration file if run in 'init' mode.
Note: For obvious security reasons, the client cannot specify the path to the configuration file on the server side. The server will look up the configuration file using only the hostname of the client and the compiled-in path for the 'localstatedir' (see below). The default for 'localstatedir' is
The server will search for the configuration file to send in the following order of priority (paths are explained in Section 6 ). CLIENTNAME is the hostname of the client's host, as listed in the server's config file in the Clients section:
localstatedir/lib/yule/rc.CLIENTNAME
localstatedir/lib/yule/rc
If the compiled-in path to the database file begins with the special value ``REQ_FROM_SERVER'', the client will request to download the database file from yule (i.e. from the server).
Caveat: ``REQ_FROM_SERVER'' must be followed by a path that will be used for writing the database file when initializing. Upon initialization, the database is always written to a local file, and must be copied with scp to the server (the client cannot upload the database file to the server, as this would open a security hole).
Example:
--with-data-file=REQ_FROM_SERVER/var/lib/samhain/data.samhain
In this case, the client will request to download the database file from the server if checking, and will create a local database file /var/lib/samhain/data.samhain if initializing. You then have to use scp to copy the file signature database to the server.
Note: For obvious security reasons, the client cannot specify the path to the database file on the server side. The server will look up the database file using only the hostname of the client and the compiled-in path for the 'localstatedir' (see below). The default for 'localstatedir' is
The server will search for the database file to send in the following order of priority (see Section 6 ). CLIENTNAME is the hostname of the client's host, as listed in the server's config file in the Clients section:
localstatedir/lib/yule/file.CLIENTNAME
localstatedir/lib/yule/file