5. Enabling baseline database / configuration file download from the server

A significant advantage of samhain is the option to store baseline databases and configuration files on the central log server (yule), from where they can be downloaded by clients upon startup. In order to use this option, clients must be configured to retrieve these files from the server rather than from the local filesystem.

Tip

Obviously, retrieving the configuration file from the log server requires that the IP address of the log server is compiled in, using the option ./configure --with-logserver=HOST .

Downloaded files are written to a temporary file that is created in the home directory of the effective user (usually root). The filename is chosen at random, the file is opened for writing after checking that it does not exist already, and immediately thereafter unlinked. Thus the name of the file will be deleted from the filesystem, but the file itself will remain in existence until the file descriptor referring to it is closed (see man unlink), or the process exits (on exit, all open file descriptors belonging to the process are closed).
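The create-then-unlink pattern described above, as an added illustration (this is example code, not samhain's own implementation): a random name is created with O_EXCL so that a pre-existing file or symlink of the same name makes the open fail rather than being followed, the name is unlinked at once, and the data stays reachable only through the descriptor. The directory defaults to the system temp directory rather than the effective user's home so the example runs anywhere; the ".dl-" prefix and the payload are constructed for the example.

```python
import os
import secrets
import tempfile


def open_unlinked_tempfile(directory=None):
    """Create an anonymous scratch file and return (fd, former path).

    O_CREAT|O_EXCL refuses to open a path that already exists, so a name
    planted by someone else cannot be reused; O_NOFOLLOW (where available)
    additionally rejects a symlink at that path. The name is removed right
    after creation, so only this process's descriptor can reach the data.
    """
    directory = directory or tempfile.gettempdir()  # assumption: stand-in for $HOME
    flags = os.O_RDWR | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    for _ in range(100):
        path = os.path.join(directory, ".dl-" + secrets.token_hex(8))
        try:
            fd = os.open(path, flags, 0o600)
        except FileExistsError:
            continue  # random-name collision: try another name
        os.unlink(path)  # the name is gone; the inode lives while fd is open
        return fd, path
    raise RuntimeError("could not create a unique temporary file")


def download_to_unlinked_file(payload, directory=None):
    """Write payload into an unlinked file and report what is still visible.

    Returns (name_visible, link_count, readback): the path no longer exists,
    the inode has zero links, yet the bytes can be read back through the fd.
    """
    fd, path = open_unlinked_tempfile(directory)
    try:
        os.write(fd, payload)
        name_visible = os.path.exists(path)      # False: name already unlinked
        link_count = os.fstat(fd).st_nlink       # 0: no directory entry left
        os.lseek(fd, 0, os.SEEK_SET)
        readback = os.read(fd, len(payload) + 1)
    finally:
        os.close(fd)  # last reference dropped: the kernel frees the inode here
    return name_visible, link_count, readback


if __name__ == "__main__":
    # Constructed stand-in for a downloaded configuration file.
    print(download_to_unlinked_file(b"[Misc]\nSetLoglevel=info\n"))
```

The same lifetime rule the text quotes from man unlink applies here: closing the descriptor (or the process exiting) is what finally releases the storage, so a crash leaves no stray copy of the downloaded file behind.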

5.1. Configuration file

If the compiled-in path to the configuration file begins with the special value ``REQ_FROM_SERVER'', the client will request to download the configuration file from yule (i.e. from the server).

If ``REQ_FROM_SERVER'' is followed by a path, the client will use the path following ``REQ_FROM_SERVER'' as a fallback if (and only if) it is initializing the database. This is a convenience feature to allow initializing the database(s) before the client is registered with the server.

Example:

  ./configure --with-config-file=REQ_FROM_SERVER/etc/conf.samhain

In this case, the client will request to download the configuration file from the server. If the connection to the server fails, it will exit on error if run in 'check' mode, but fall back to /etc/conf.samhain as its configuration file if run in 'init' mode.

Note

For obvious security reasons, the client cannot specify the path to the configuration file on the server side. The server will look up the configuration file using only the hostname of the client and the compiled-in path for the 'localstatedir' (see below). The default for 'localstatedir' is /var.

The server will search for the configuration file to send in the following order of priority (paths are explained in Section 6). CLIENTNAME is the hostname of the client's host, as listed in the server's config file in the Clients section:

  1. localstatedir/lib/yule/rc.CLIENTNAME

  2. localstatedir/lib/yule/rc

5.2. Database file

If the compiled-in path to the database file begins with the special value ``REQ_FROM_SERVER'', the client will request to download the database file from yule (i.e. from the server).

CAVEAT

``REQ_FROM_SERVER'' must be followed by a path that will be used for writing the database file when initializing. Upon initialization, the database is always written to a local file, and must be copied with scp to the server (the client cannot upload the database file to the server, as this would open a security hole).

Example:

  --with-data-file=REQ_FROM_SERVER/var/lib/samhain/data.samhain

In this case, the client will request to download the database file from the server if checking, and will create a local database file /var/lib/samhain/data.samhain if initializing. You then have to use scp to copy the file signature database to the server.

Note

For obvious security reasons, the client cannot specify the path to the database file on the server side. The server will look up the database file using only the hostname of the client and the compiled-in path for the 'localstatedir' (see below). The default for 'localstatedir' is /var.

The server will search for the database file to send in the following order of priority (see Section 6). CLIENTNAME is the hostname of the client's host, as listed in the server's config file in the Clients section:

  1. localstatedir/lib/yule/file.CLIENTNAME

  2. localstatedir/lib/yule/file
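The rules from Sections 5.1 and 5.2 side by side, as an added model (example code, not samhain's or yule's own): how the client splits a compiled-in ``REQ_FROM_SERVER'' path into "download" plus optional local path, what it does in 'init' versus 'check' mode, and the two-step lookup the server performs from nothing but the client's hostname and localstatedir. The hostnames and the temporary directory layout in demo() are constructed for the example.

```python
import os
import tempfile

REQ = "REQ_FROM_SERVER"


def parse_compiled_path(compiled):
    """Split a compiled-in path into (from_server, local_path_or_None).

    "REQ_FROM_SERVER/etc/conf.samhain" -> (True, "/etc/conf.samhain")
    "REQ_FROM_SERVER"                  -> (True, None)
    "/etc/conf.samhain"                -> (False, "/etc/conf.samhain")
    """
    if compiled.startswith(REQ):
        rest = compiled[len(REQ):]
        return True, (rest or None)
    return False, compiled


def config_source(compiled, mode, server_reachable):
    """Where the client takes its configuration from (Section 5.1).

    Returns "server", a local fallback path, or "error" when a client in
    'check' mode cannot reach the server. The fallback is honoured only in
    'init' mode, and only if a path follows REQ_FROM_SERVER.
    """
    from_server, local = parse_compiled_path(compiled)
    if not from_server:
        return local
    if server_reachable:
        return "server"
    if mode == "init" and local:
        return local
    return "error"


def database_action(compiled, mode):
    """What the client does with the database file (Section 5.2).

    Initializing always writes the local file (which you then scp to the
    server); checking downloads it. A REQ_FROM_SERVER data file without a
    trailing path is a configuration error, since there is nowhere to write.
    """
    from_server, local = parse_compiled_path(compiled)
    if from_server and not local:
        raise ValueError("REQ_FROM_SERVER for the data file needs a local path")
    if not from_server:
        return ("local", local)
    if mode == "init":
        return ("write-local", local)
    return ("download", None)


def server_lookup_order(localstatedir, kind, clientname):
    """Candidate paths yule tries, most specific first.

    kind is "rc" (configuration) or "file" (database). Nothing the client
    sends other than its registered hostname enters the path.
    """
    base = os.path.join(localstatedir, "lib", "yule")
    return [os.path.join(base, kind + "." + clientname), os.path.join(base, kind)]


def resolve_on_server(localstatedir, kind, clientname):
    """First existing candidate, or None if neither file is present."""
    for candidate in server_lookup_order(localstatedir, kind, clientname):
        if os.path.isfile(candidate):
            return candidate
    return None


def demo():
    """Constructed layout: a generic rc plus a per-host rc for one client only."""
    with tempfile.TemporaryDirectory() as statedir:
        yule = os.path.join(statedir, "lib", "yule")
        os.makedirs(yule)
        for name in ("rc", "rc.web01.example"):
            open(os.path.join(yule, name), "w").close()
        per_host = resolve_on_server(statedir, "rc", "web01.example")
        generic = resolve_on_server(statedir, "rc", "db02.example")
        no_db = resolve_on_server(statedir, "file", "web01.example")
        return (per_host.endswith("rc.web01.example"),
                generic.endswith(os.sep + "rc"),
                no_db)


if __name__ == "__main__":
    print(config_source("REQ_FROM_SERVER/etc/conf.samhain", "init", False))
    print(database_action("REQ_FROM_SERVER/var/lib/samhain/data.samhain", "check"))
    print(demo())
```

The per-host file wins whenever it exists, so a host-specific rc or database only has to be placed at localstatedir/lib/yule/rc.CLIENTNAME or file.CLIENTNAME; every other registered client keeps receiving the generic one.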