1 <?xml version="1.0" encoding="UTF-8"?>
2 <!DOCTYPE doc SYSTEM "/usr/local/xslt/doc.dtd">
3 <doc style="main.css" xmlns:xlink="http://www.w3.org/1999/xlink">
8 <subtitle>GNU COMPUTER MONITORING</subtitle>
9 <subtitle>A system for interactive system monitoring.</subtitle>
10 <subtitle>Development manifest</subtitle>
12 <author>Brenno J.S.A.A.F. de Winter, De Winter Information Solutions</author>
13 <author>Arjen Baart, Andromeda Technology & Automation</author>
14 <date>Januari 10, 2004</date>
16 <infoitem label="Version">0.25</infoitem>
24 <heading>About this document.</heading>
27 <LaTeX command='\setlength{\parindent}{0cm}'/>
28 <LaTeX command='\setlength{\parskip}{0.4cm}'/>
29 This document describes the technical specifications for the Gnucomo project.
30 It will describe the functionality achieved, design specifications and choices made.
31 The document will be the manifest for the developers to work in the same direction
32 and not run into unneeded disappointments.
36 <heading>History of the document.</heading>
38 <table cpos='lp{3cm}lp{5cm}'>
40 <col>Version</col><col>Author</col><col>Date</col><col>Remarks</col>
43 <col>0.l</col><col>Brenno de Winter</col><col>Jul 11, 2002</col>
49 <col>0.11</col><col>Arjen Baart</col><col>Jul 12, 2002</col>
51 Additional guidelines and dataflow diagram.
55 <col>0.12</col><col>Brenno de Winter</col><col>Jul 15, 2002</col>
61 <col>0.13</col><col>Arjen Baart</col><col>Jul 16, 2002</col>
63 Entity-relationship model added.
67 <col>0.14</col><col>Brenno de Winter</col><col>Jul 17, 2002</col>
69 Based on feedback. Small changes to the datamodel and finishing touches
70 in lay-out of the tables. Added some examples.
74 <col>0.15</col><col>Brenno de Winter, Arjen Baart</col><col>Jul 21, 2002</col>
76 Additional feedback processed, indexes added, ERD added and SQL-script created.
80 <col>0.16</col><col>Brenno de Winter</col><col>Aug 7, 2002</col>
82 Communication handling added.
86 <col>0.17</col><col>Brenno de Winter</col><col>Aug 11, 2002</col>
88 <para>* Description of the client-side for communications.</para>
89 <para>* Several updates to the database descriptions, drawings added.</para>
90 <para>* More work on the installation chapter.</para>
91 <para>* Created an extra field to the unprocessed_log table and added
92 a between the table service and unprocessed_log.</para>
96 <col>0.18</col><col>Brenno de Winter, Peter Roozemaal</col><col>Aug 15, 2002</col>
98 <para>* Review done by Peter Roozemaal: adjusted intro and several clarifications made</para>
99 <para>* Arjen Baart: Adjustments to database drawings</para>
100 <para>* New installation recommendations</para>
104 <col>0.19</col><col>Arjen Baart</col><col>Aug 27, 2002</col>
110 <col>0.20</col><col>Arjen Baart</col><col>Oct 20, 2002</col>
112 Minor layout improvements
116 <col>0.21</col><col>Arjen Baart</col><col>Nov 07, 2002</col>
118 Installation instructions added.
119 Combined chapters 4 through 7 into one chapter (4).
123 <col>0.22</col><col>Arjen Baart</col><col>Nov 15, 2002</col>
125 Added parameters of monitored objects.
129 <col>0.23</col><col>Brenno de Winter</col><col>Dec 6, 2002</col>
131 Added new elements to the database
135 <col>0.24</col><col>Brenno de Winter</col><col>Dec 12, 2002</col>
137 Updates to the database to reflect the most recent changes.
141 <col>0.25</col><col>Arjen Baart</col><col>Jan 10, 2004</col>
143 Added a list of related projects and introduced the concept of
153 <heading>Aim of the project.</heading>
156 The number of log-files in a system and the tools in general do not make
157 monitoring a system simple. Quite often there is so much information that
158 attention for logfiles seems to fade away. For that reason monitoring routers
159 and clients is often not an option. Instead of timely detection of problems,
160 logs more often are used to find out what went wrong. When a system is
161 under attack early signals can often easily be detected<footnote>Just as in
162 real life there a signals that things are not going in the right direction.
163 For the attacks on September 11th 2001 there were many signals available
164 that could to have led to early detection: warnings of several intelligence
165 agencies, warnings within the FBI, flight schools that report strange
166 customers that want to steer a plane and don't seem to care about take
167 off and landing, people opening accounts under fake names.</footnote>
168 and preventive measures could have been taken if the time was only available.
172 The Gnucomo project is meant to make pro-active monitoring of computers
173 and devices easier. It will contain a set of applications that will
174 retrieve all types of monitoring information from devices and place
175 it into a database. Devices can be server computers, desktop computers,
176 PBX'es or other systems. By running checks the manual process of
177 watching log files can be reduced. Also an intelligent script can
178 see things that a human being will easy overlook. Gnucomo won't
179 relieve an administrator of all manual work on log-files, but will
180 increase the changes on actual monitoring.
183 With all this data being available at one central location the gnucomo-server
184 acts as some kind of black box for computer systems. If something does
185 happen the evidence will be available at a remote location available
186 for exploration<footnote>This analogy is based on a remarkable anecdote:
187 One a trip to US I spoke to a 747-captain of Air France. While talking
188 over several subjects we touched security. When we went some deeper I
189 touched the subject gnucomo and he told me that Air France was doing
190 the very same with real black boxes. By sending all the data to Paris
191 errors can be detected earlier and be resolved. In any less fortunate
192 case the cause of the crash might be detected sooner (or fuller).
193 For me this was a signal there is a point in working gnucomo because
194 the analogy is valid.</footnote>. Forensics will be made easier.
195 Also the collected data is available from multiple locations make
196 it easier to found more about an attack. The change that you overlook
197 things will be reduced.
200 Based on the entered data all sorts of analysis will be performed to discover
201 abnormalities a normal maintenance tool or IDS wouldn't be looking at.
202 An example could be a website in Dutch that suddenly obtains a lot of
203 attention from Greek visitors (based on the location of their
204 IP<footnote>That IP could also warn for other things like: excessive
205 data traffic from wireless connections at times that you wouldn't be
206 expecting traffic at all, absence of traffic when you would be expecting
207 some traffic at least or even what article is liked in which part of the world,
208 what regions poses the highest threat to the security of the system (based
209 on the location of the IP address).</footnote>). These abnormalities will
210 be presented as user-friendly as possible to increase awareness of the
211 state of the system. By doing that the system can also be used for more
212 complex analysis. One than can look at long-term trends like hacking
213 attempts that take place, new exploits that are tried all of a sudden
214 or signs of distributed attacks or a certain pattern of attempts<footnote>A portscan
215 that last three days is hard to detect with a real-time IDS,
216 while gnucomo would discover this anyhow. With correct intelligence
217 one portscan from multiple IP-addresses can be related.</footnote>.
220 Also extra data will be gathered where ever possible to save time to
221 the administrator. If IP address attract attention of gnucomo the next
222 logical step would be to use tools like dig, whois and visiting arin-related
223 websites. This data will automatically be collected in an early stage and
224 stored in the database.
227 The results will be gathered in a warning system.
228 Those warnings will be presented to the administrative person
229 who is responsible for that particular machine or network.
230 Having multiple systems in the system can add to the intelligence that
231 can be gathered. The interface will be web-based and aimed at user-friendliness.
234 Since multiple systems can enter data into the Gnucomo database more
235 intelligent hardware and security detection can be done.
236 When things do go wrong Gnucomo contains as much information as
237 possible to figure out what happened and assist in the forensics.
238 Since research on the signals afterwards is broader more attention
239 will be given as much data as possible and do less filtering.
242 With the data in the database also policies can be checked automatically
243 retro-actively so that the security leaves some room to stretch some rules.
244 This may sound not logic, because one of the main functions of security is
245 to enforce rules. But some rules are made with the different meanings.
246 For instance: a rule may be that private browsing isn't allowed.
247 The background of such a rule might be to try and reduce the amount
248 of data traffic (too many people downloading mp3's, or people not
249 getting to work anymore). By monitoring that specific fact
250 (bandwidth spent on non-business related Internet use)
251 it's possible to be relaxed on that rule and enable many good-willing
252 users reading his/hers daily newspaper.
255 The scope of the project is clearly limited to monitoring and not to
256 offer automated maintenance or web-based maintenance.
257 There are other projects currently being able to provide that
258 functionality. We will focus on intelligence and user-friendliness
259 of representation of facts presented. A warning should trigger
260 an administrator to get up and do something using the tools he or she values the most.
263 Also we are not aiming to replace great tools like SNORT as a real-time IDS.
264 These tools can do thing, that in the beginning won't be a part of gnucomo
265 out of performance reasons. Also there is no need to duplicate what they
266 already did. If that energy is placed in intelligent we're very complimentary.
267 Gnucomo can however be a reality check on an existing NIDS (Network Intrusion
268 Detection System). For instance if warnings keep coming it may be time to
269 rethink the rules that have been set.
273 This evolves to the following list of functions gnucomo can provide:
276 <item> Intrusion detection </item>
277 <item> Detecting hacker attempts </item>
278 <item> Early detection of system failures </item>
279 <item> Exhaustion of system resources </item>
280 <item> Capacity planning for future expansion </item>
281 <item> Spotting bottlenecks in a system. </item>
282 <item> Verifying system integrity </item>
283 <item> Assistance with troubleshooting </item>
284 <item> Perform post-mortem forensics </item>
285 <item> Incident response system. </item>
290 <heading>Decisions for the overall system.</heading>
293 In order to get the project running we have to make some decisions before
294 we can start. Of course are the decisions always open for review,
295 but initially our main aim is to get a system running. This doesn't
296 mean that we allow a lesser architecture, but more that we create an
297 environment that will lead to results.
300 The following decisions apply to the system in general:
304 The major part of the system will be used for security features.
305 The solution itself has to be secure.
308 In general we strive to be as platform and application independent as possible.
309 However to achieve software to get ready and to assure progress some selections
310 will have to be made excluding options for applications<footnote>An example is
311 in the database. By using stored procedures and triggers MySQL cannot be used.
312 However the data integrity at that point is more important than the ability to
313 use MySQL.</footnote>. Where possible we will enable ports to other applications
317 The computers collecting the data will only be Linux machines,
318 with future support for other Unices. However it is not aim our
319 to port this part of the project to other platforms just now.
322 The database system will make heavy use of stored procedures and
323 triggers and thus lock out some less feature-full database.
326 Although we're not married to a database system initially this will be
327 PostgreSQL only so that we can build for results. The code however
328 shouldn't be build to deliberately lock outer systems.
329 Other database that might be interesting to add: DB2, Oracle
330 (if the rainfall of security advisories seems to be over) and Informix.
333 The interface for the user will be a web-interface written in PHP
334 with PostgreSQL-database access. Despite the fact that initially
335 this will be the preferred way to communicate with our system,
336 other interfaces are welcome and should be supported.
339 The technologies used for the daemons on the central site and remote
340 site are open for discussion. A decision is made when it is clear what
341 exactly will be needed to code.
344 The original logfiles on systems will not be harmed in any way,
345 but will be saved the way they presented to gnucomo.
348 In the database processed data as well as raw data will be stored.
351 Our main aim is to ease the life of the administrator when dealing with
352 the symptoms of a machine so that he doesn't miss important notifications.
353 The project will be made around detection. We won't focus on making a
354 maintenance applications but solely on monitoring, because other applications
355 like webmin or linuxconf do already deliver such functionality.
356 We are complementary to those applications. This doesn't mean that
357 the system cannot send SMS'es, e-mails or make alarms sound.
360 Any output of the logbook will be stored and sent within a certain
361 interval which can be set. By doing that the mechanism will not flood
362 the total mechanism and overload machines.
365 When applications for gnucomo we will try and do the non-server part
366 as platform independent as possible. This in order to prevent writing
367 a same application multiple times. For instance one for Unices, one
368 for Macintosh and one for Microsoft.
371 To ensure the quality of software and to prevent any unwanted functionality
372 rolling into the project all code will be reviewed by one of the lead members
373 before it is accepted. Since this project is aimed at throughput speed no
374 formal procedures will be enforced, but we promise not to let software in
375 that hasn't been checked.
382 <heading>Overall system Architecture</heading>
385 The overall systems aims to make maintenance data better accessible and by
386 doing that lowering the barrier to be on alert for intrusions,
387 system failure and other misery that can happen to computer systems.
388 Also more systems can be monitored and even focus can be placed on desktop computers,
389 something that nowadays rarely happens. Since the solution is only aimed at
390 monitoring (with some responses possible) other people can watch their system(s)
391 without being Administrator<footnote>This can be interesting for people using
392 this service and not doing their own maintenance (smaller companies).
393 If technical action needs to be taken a warning can be send to an administrator.
394 This saves costs and time.</footnote>.
397 The main system will know to sides:
401 <item> Central Application - server </item>
402 <item> Monitored System - client </item>
406 The project has been setup as a two sided system in order to be able to
407 guard many computers at the same time.
408 However it may be obvious that both sides of the application can very
409 well be installed on a single system.
412 To monitor a system, Gnucomo uses two kinds of input: <emph>event</emph> and
413 <emph>parameters</emph>. Events occur on a system while it is running and reflect
414 the transient behaviour of the system.
415 Parameters reflect the current state of the system.
416 The most obvious way to gather events from a monitored system is to read
417 the system log files.
418 Examples of events are IP packets that are rejected by the firewall or clients
419 that access the http daemon.
420 Parameters are obtained for example by reading configuration files or kernel
422 Examples of parameters are the size and free space of a filesystem or
423 the users that are listed in the password file.
424 Both kinds of input are obtained actively or passively, i.e. by installing probe
425 agents in the system which regularly aquire the system's parameters or passively
426 by sending the output of programs to the Gnucomo server.
429 When signals<footnote>A signal can be the outcome of process that finished,
430 logbook entries, warnings from intrusion detection systems,
431 etc. </footnote> arrive they will be stored in a file.
432 When this file is delivered to a certain directory a daemon will detect
433 this and start the transfer of the file. The file will be transferred
434 to the central application or the client. This transfer will be triggered
435 immediately after a process has finished or with a certain time-interval
436 when it concerns a logbook. All output will be placed in a directory where
437 the daemon detects it and ensures the transport. For transport currently
438 only two mechanisms will be supported:
442 Encrypted file copy relying on the SSH protocol.
443 On Unix-based systems this will scp (secure copy).
446 E-Mail. The e-mail is encrypted and signed using gpg and then sent to the server.
447 Since the file format will identify the type-of-output the Subject-field of
448 the e-mail is not really needed.
453 <heading>Central Application: signal handler.</heading>
458 <picture src="architecture.png" eps="architecture"/>
461 Illustration 1 Basic overview of the processes on the server.
464 On one machine signals from the network will come in.
465 These signals can be logfiles, result files from applications,
466 remarks entered by the administrator or whatever.
467 Data delivery takes place into a certain directory.
468 A daemon detects that data has come in and will enter it into the database.
469 Once in the database stored procedures and triggers will recognize certain
470 behavior and generate alerts. The user responsible for the server will be
471 confronted with the alerts and can mark them, add comments to it or ignore them.
472 Also it will be possible to do intelligent analysis on not so logical relations
473 per computer or across computers<footnote>A good example could be a portscan
474 on a system that takes place during a week. Normal a simple portscan takes
475 place in a couple of minutes and will thus be easy to detect.
476 By taking a longer period such a scan is harder to detect. </footnote>. Such
477 scripts make detection possible, that is too time consuming to do during
478 processing of the data.
483 <heading>Data processing.</heading>
485 <para>The data processing has four tasks:</para>
488 Extracting data from e-mail and store it in the input-buffer.
489 This can be done by a daemon that checks the e-mail<footnote>It would be logical
490 to place an e-mail server like sendmail or postfix on the server.
491 In many cases the monitored computer will be featuring a SMTP daemon.
492 If a system is comprimised no evidence that comes through will be really
493 trustworthy. By sending it to another machine all evidence that is
494 available will have left the system the moment a hack takes place.</footnote>
495 with a certain interval extracts the e-mails and leave the content
496 in a file in the input buffer. This daemon has only rights to write
497 to the directory it has to write to. <emph>We may as well have the
498 email captured directly by a program with a
499 "gnucomo: |/usr/local/bin/gnucomo-input" - like alias.</emph>
502 Detect files in the input buffer decrypt the content and verify the signature.
503 Another daemon will see the log-files and starts checking if the origin is
504 correct (by verifying the signature) and decrypting the content.
505 The legible files will be processed by entering the data into the database.
508 The database will accept the data and perform a certain number of
509 checks as the data comes in. During the processing of the data
510 abnormalities will be detected and entered into a notification table.
511 The database system will also carry out more complex tasks on given
512 moments in time and enter them as well in the notification table.
515 The database system must be able to undertake action when high
516 alerts are being entered into the database.
517 This can be a couple of things to begin with:
518 send an e-mail or SMS. In a later stage other technologies may be added as well.
519 In this scheme we also make a possibility to escalate problems when no
520 action is taken in a certain amount of time.
525 <heading>System Parameters</heading>
528 Gnucomo maintains the operational parameters of a monitored system for a
530 The most important reason is to create notifications when somthing about a
531 parameter changes while the parameter is not supposed to change.
532 Such a change may be intended by the system administrator, e.g. when a
533 package is upgraded, or there may be something wrong.
534 In any case, you will want to know about a change in your system when it happens.
535 Furthermore, a change history of a parameter's values will come in
536 handy when you want to look back in time and figure out
537 what happened in the past.
538 Another usefull application of parameters concerns the maintenance of a
539 large number of similar systems.
540 When the parameters of each system are reported regularly to Gnucomo,
541 deviations from the 'standard' system configuration can be easily spotted.
544 Some properties of parameters are supposed to change regularly.
545 A changed value of such a property will of course not lead to any
547 On the other hand, the change history of these parameters may provide
548 interesting information about the monitored system.
549 This leads to the distiction between static and dynamic properties of parameters.
550 The difference between dynamic and static properties manifests itself mainly
551 in the change history of the parameter's property.
552 Dynamic properties typically have a change record once a day or even a couple
554 Change records for static properties are usually months apart.
555 If all properties of a parameter are dynamic, the parameter as a whole is regarded
556 as a dynamic parameter.
557 One of the properties of a dynamic parameter is that it does not need to exist
558 all the time, i.e. it does not have to be listed in every report.
561 The state of parameters is scanned or probed regularly on a client system
562 and reported to the Gnucomo server.
563 These reports can be created in a variety of ways.
564 For example, filesystems are reported with 'df', installled packages with 'rpm -qa',
565 users by reading /etc/passwd, etc.
566 Many other probing methods may be implemented.
567 Each report from a probe holds the current value of several parameters.
568 Gnucomo will check each property of these parameters against the stored knwon value.
569 If the property's value changed, the actual value in the database is updated
570 and a record is added to the change history of the parameter.
571 When a parameter is listed in the report but that parameter is not in the
572 database or the other way around: a parameter is in the database and is not
573 in the report, this constitutes a notable change in the system.
576 Whenever the state of the system's parameters changes, Gnucomo may create
577 a <emph>notification</emph>.
578 Notifications are created when one of the following changes happens:
581 A new parameter is detected. The new parameter is listed in the report
582 but is not in the database.
585 The value of a static property of a parameter has changed.
588 A value of a dynamic property of a parameter goes outside its designated range.
591 A non-dynamic parameter has disappeared. The parameter is in the database but
592 was not listed in the report.
595 Note that when a dynamic parameter seems to have disappeared, no notification
597 When a dynamic parameter is in the database but is not listed in the report,
598 all properties of that parameter will be set to the default minimum value
599 of the parameter's class.
600 This change in the parameter's properties, however, may lead to a notification.
601 As an example of a dynamic parameter, consider a process running on a system.
602 The properties of a process parameter are the number of processes running and the
603 amount of memory they consume, all of which are dynamic.
604 The default minimum number of processes for the process parameter class is 0 (zero).
605 When a process parameter is missing from a parameter report, no processes with that
607 This may be a problem for daemons but not for most user processes.
608 When a user process, for example <emph>vim</emph>, is missing from the processes report,
609 its number of processes property is set to 0.
610 For the <emph>vim</emph> process parameter this is well within range.
611 On the other hand, when a daemon like <emph>httpd</emph> is missing from the report,
612 its number of processes property will also be set to the class's minimum (0), but
613 the minimum value for that parameter will probably be something like 4.
614 Now, the number of processes property goes out of range, which will generate
621 <heading>Web interface</heading>
624 The web interface will used to interact with the user.
625 The interface should be intuitive and easy to understand.
626 More important warnings should directly draw attention.
627 The user must be able to perform settings so that warnings
628 can be rated differently than the original settings.
631 The interface will do the following things:
635 Show a list of warnings that are currently open.
638 It must be possible to sort the list on all the fields shown.
641 Deliver detailed information (logbook entries) upon request that have led to the warning.
644 Undertake certain actions like sending
645 <reference href="mailto:abuse@internet-provider.net">abuse@internet-provider.net</reference>
646 e-mails with information.
649 Monitor actions on outstanding issues.
656 <heading>Priority mechanism.</heading>
658 Each notification has a certain priority that requires a different handling
659 of the issue. How each priority will be dealt with is something that can
660 be set per server. The priority mechanism is a simple system of five
661 categories (can be more or less).
666 <heading>The dataflow diagram.</heading>
667 <para>The main dataflow will be as follows.</para>
669 <picture src="dataflow.png" eps="dataflow" scale="0.7"/>
675 <heading>Sending messages to the central gnucomo system.</heading>
678 One of the main tasks is getting all the messages to the database.
679 Ultimately gnucomo will support multiple ways of receiving the data.
680 Basically anything goes, but two mechanisms will be supported in the project
685 E-mail. Messages and elements from logfiles will be sent through e-mail.
688 File copy. Using technologies like scp or ftp (not preferred due to
689 the insecure nature) can place files directly in the receiving directory.
694 <heading>Ensuring data integrity.</heading>
695 <para><TO BE DESCRIBED></para>
699 <heading>Directories and filenames on the server.</heading>
702 Files will be dealt with as if gnucomo were a user (actually there will
703 be a user gnucomo). The files will be placed in the <code>/home/gnucomo/</code> directory.
704 Only <code>/home/gnucomo/incoming/dropbox/</code> can be used to save data in
705 from external systems. All other directories are only available for the user gnucomo.
706 The filename will represent the data that is received. The details are seperated with
707 underscores. When data is sent by e-mail the filename will be written in the first
708 line of the e-mail. A typical filename looks like this:
712 <strong>3_messages_20020807235208_1.asc</strong>
716 the logic behind this is following:
720 <emph>urgency_typeofmessage_timestamp_objectid.typeoffile.</emph>
723 <table cpos='lp{10cm}'>
726 <para>Part of filename</para>
729 <para>Explanation</para>
737 <para>This indicates the urgency of the file. The lower the number the higher
738 it will rank when an overview is given. Standard files are ranked value 3.
739 The ranking works as follows:</para>
740 <para>* 1 <strong>Urgent flash message.</strong> Something urgent needs to
741 be reported. This is only used for emergencies like serious alarms.</para>
742 <para>* 2 <strong>Rapid delivery.</strong> An important message has to get
743 through that is more important than normal delivery, but is not top
744 priority like an emergency.</para>
745 <para>* 3 <strong>Normal.</strong> This is used in most
746 case for normal messages.</para>
747 <para>* 4 <strong>Low priority.</strong> This is data would be useful
748 to place into the system as nice to have.</para>
753 <para>TypeOfMessage</para>
756 <para>This is an indicator what type of data is delivered to gnucomo.
757 There are several categories:</para>
758 <para>* <strong>cron.</strong> This data comes from the /var/log/cron-log (unix).</para>
759 <para>* <strong>httpaccess.</strong> This data comes from the normal http-log (Apache).</para>
760 <para>* <strong>httperror.</strong> This data comes from the http_error-log (Apache).</para>
761 <para>* <strong>maillog.</strong> This data comes from the /var/log/maillog (unix).</para>
762 <para>* <strong>messages.</strong> The data delivered here comes from
763 the /var/log/messages file (unix)</para>
764 <para>* <strong>text.</strong> This file contains a message in plaintext
765 generated by a gnucomo-client and can be anything.
766 It will be dealt with as plaintext.</para>
771 <para>Timestamp</para>
774 <para>The timestamp is made in war-log (YYYYMMDDHHMMSS) format.
775 The timestamp is generated on the client in GMT (to discover
776 discrepancies in timing).</para>
781 <para>Objectid</para>
784 <para>The objectid is the id that is used within the central
785 gnucomo system to recognize the client.
786 Based on this entry the database can link the data to the correct object.
787 Also gpg can obtain the correct e-mail address (by running a query
788 in the database) for verification of the signature of the crypted message.</para>
793 <para>TypeOfFile</para>
796 <para>Indicates the file type:</para>
797 <para>* <strong>asc.</strong> Plaintext ASCII</para>
798 <para>* <strong>gpg.</strong> gpg-crypted data.</para>
799 <para>* <strong>und.</strong> Undertermined data. When files
800 come in by e-mail it is not 100% sure if they are crypted
801 or not. These data has first to be analyzed before it is
802 moved to the correct queue. </para>
808 <heading>Directory for incoming data.</heading>
811 For incoming messages there will be separate directories
812 (<code>/home/gnucomo/incoming/</code>)for:
816 Dropbox. This directory is ready to receive data from all sorts of systems.
817 This directory is world writeable (<strong><emph>but not deleteable!</emph></strong>):
818 <code>/home/gnucomo/incoming/dropbox/</code>
821 Encrypted messages. In this directory messages will be placed that are still
822 gpg-crypted. In this directory the files await decryption and verification of
823 the signature. This directory is: <code>/home/gnucomo/incoming/crypted/</code>
826 Decrypted with errors. During the decryption exercise anything can go wrong.
827 Decrypting can fail or the signature may show errors. If this happens the
828 original message is moved to a different directory:
829 <code>/home/gnucomo/incoming/cryptfail/</code>
832 Inbox. After successful decryption the decrypted message is moved to the inbox.
833 Data that is not encrypted can be moved here from the dropbox after certain
834 verifications. The directory is: <code>/home/gnucomo/incoming/inbox/</code>
837 Processed. After processing the data the file is stored in the directory
838 processed for further reference for a certain amount of time.
839 The directory is: <code>/home/gnucomo/incoming/processed/</code>
842 Archive. After a certain period the files will be archived.
843 Since not every system will archive everything this directory may
844 also be a symbolic link to <code>/dev/null</code>.
845 The used directory is: <code>/home/gnucomo/archive/</code>
851 <heading>Directory for outgoing data.</heading>
854 For outgoing messages the directory <code>/home/gnucomo/outgoing</code> will
855 be used. This directory knows a couple of sub directories:
860 Dropbox. This directory is used by the central gnucomo system to
861 place outgoing messages in.
862 The used directory is: <code>/home/gnucomo/outgoing/dropbox/</code>
865 Outbox. After processing the message (including signing and encrypting
866 when applicable) the messages are placed in the outbox:
867 <code>/home/gnucomo/outgoing/outbox/</code>
870 Processed. After processing the data the file is stored in the
871 directory processed for further reference for a certain amount
872 of time. After sending a message a confirmation will be made that
873 is saved as an incoming message.
874 The directory is: <code>/home/gnucomo/outgoing/processed/</code>
877 Archive. After a certain period the files will be archived.
878 Since not every system will archive everything this directory
879 may also be a symbolic link to <code>/dev/null</code>.
880 The used directory is: <code>/home/gnucomo/archive/</code>
887 <heading>Overview. </heading>
889 <para>The total directory-structure looks like this:</para>
893 /home/gnucomo/archive
894 /home/gnucomo/incoming
895 /home/gnucomo/incoming/crypted
896 /home/gnucomo/incoming/cryptfail
897 /home/gnucomo/incoming/dropbox
898 /home/gnucomo/incoming/inbox
899 /home/gnucomo/incoming/processed
900 /home/gnucomo/outgoing
901 /home/gnucomo/outgoing/dropbox
902 /home/gnucomo/outgoing/outbox
903 /home/gnucomo/outgoing/processed
910 <heading>Directories on the client-side.</heading>
913 On the client-side the files that need to be transmitted will be placed in a
914 directory system as well. In the future this system may not be in use at all
915 devices (routers, certain MS Windows-machine, IP Telephones, etc.). For those
916 systems a different mechanism will become be described here.
917 Initially we focus on Linux systems that will enter data into the database.
920 The filename convention will be totally identical to the filename
921 convention on the server, since this the same mechanism.
924 To facilitate gnucomo client and server on one and the same machine
925 the gnucomo-client should have a different default user.
926 For this purpose the user <strong>gcm_client</strong> will be created.
930 <heading>Directory for incoming data.</heading>
932 For incoming messages there will be separate directories
933 (<code>/home/gnucomo/incoming/</code>)for:
937 Dropbox. This directory is ready to receive data from all sorts of systems.
938 This directory is world writeable (<emph><strong>but not deleteable!</strong></emph>):
939 <code>/home/gcm_client/incoming/dropbox/</code>
942 Encrypted messages. In this directory messages will be placed that
943 are still gpg-crypted. In this directory the files await decryption
944 and verification of the signature.
945 This directory is: <code>/home/gcm_client/incoming/crypted/</code>
948 Decrypted with errors. During the decryption exercise anything can go wrong.
949 Decrypting can fail or the signature may show errors.
950 If this happens the original message is moved to a different directory:
951 <code>/home/gcm_client/incoming/cryptfail/</code>
954 Inbox. After successful decryption the decrypted message is moved
955 to the inbox. Data that is not encrypted can be moved here from
956 the dropbox after certain verifications. The directory is:
957 <code>/home/gcm_client/incoming/inbox/</code>
960 Processed. After processing the data the file is stored
961 in the directory processed for further reference for a
962 certain amount of time. The directory is:
963 <code>/home/gcm_client/incoming/processed/</code>
970 <heading>Directory for outgoing data.</heading>
973 For outgoing messages the directory <code>/home/gcm_client/outgoing</code> will be used.
974 This directory knows a couple of sub directories:
978 Dropbox. This directory is used by the central gnucomo system to place
979 outgoing messages in.
980 The used directory is: <code>/home/gcm_client/outgoing/dropbox/</code>
983 Outbox. After processing the message (including signing and
984 encrypting when applicable) the messages are placed in the outbox:
985 <code>/home/gcm_client/outgoing/outbox/</code>
988 Processed. After processing the data the file is stored in the
989 directory processed for further reference for a certain amount
990 of time. After sending a message a confirmation will be made
991 that is saved as an incoming message.
992 The directory is: <code>/home/gcm_client/outgoing/processed/</code>
998 <heading>Overview. </heading>
999 <para>The total directory-structure looks like this:</para>
1003 /home/gcm_client/archive
1004 /home/gcm_client /incoming
1005 /home/gcm_client/incoming/crypted
1006 /home/gcm_client/incoming/cryptfail
1007 /home/gcm_client/incoming/dropbox
1008 /home/gcm_client/incoming/inbox
1009 /home/gcm_client/incoming/processed
1010 /home/gcm_client/outgoing
1011 /home/gcm_client/outgoing/dropbox
1012 /home/gcm_client/outgoing/outbox
1013 /home/gcm_client/outgoing/processed
1020 <heading>Getting data into the database.</heading>
1023 The files in the /home/gnucomo/incoming/inbox/ should be stored in the database.
1024 For this purpose there is a table <emph>unprocessed_log</emph>.
1025 The data of the filename as well as the content of the file need
1026 to be placed in one record.
1029 There are some fields that have to be addressed immediately:
1033 Servicecode: The servicecode will be obtained out of the filename the
1034 is the type_of_message-field in the filename.
1037 Objectid: This data is given in the filename it can be found
1038 in the <emph>objectid</emph>-part of the filename.
1041 Logdata: The data is saved as follows: filename (unaltered)
1042 <CR>textual data of the file.
1046 The daemon application that delivers the data is called <strong>gcm-input</strong>.
1047 It performs the following steps with no extra functionality:
1052 <para>Detect if a file is available.</para>
1055 <para>Write the data in the database.</para>
1060 To write the data in the database a database user gcm_input exists.
1061 This user has only the right to enter data into the database.
1062 There are no deletion, update or select-permissions.
1069 <heading><label name='database'/>The database.</heading>
1072 The database is the heart of the system.
1073 It will contain all event-data of multiple computers.
1074 The intelligence that can be performed on the database will be placed there.
1075 To do this as integratedly as possible stored procedures and triggers will be used.
1076 To begin with we have selected checks to be performed that will be
1077 expanded throughout time.
1080 Since the gnucomo database and files contain sensitive data
1081 security measures have to be in place. Several database users
1082 will exist that have limited rights to perform a certain task
1083 ensuring some protection against unauthorized access.
1084 However these mechanisms on it's own will work fine, bad maintenance may still
1085 screw-up good security. Good database maintenance is needed.
1086 For the gnucomo the protection of the valid authentic nature of
1087 the data in the database has our highest priority.
1090 A <emph>table-name</emph> in this chapter is written in cursive writing.
1094 <heading>Database conventions.</heading>
1097 The database will be built according the following conventions:
1101 All names for tables, indexes and fields will be written in lower
1102 case and will be singular. Spaces in names are not allowed.
1105 If a table contains field referring to other tables the mother-tables are
1106 mentioned in alphabetical order with an underscore between the table-names.
1107 So <emph>object</emph> and <emph>user</emph>
1108 will make a third table <emph>object_user</emph>
1111 A data access user (being the interface) is not allowed to write to
1112 the log-entries and the warnings. To change the state of a warning
1113 a stored procedure will do so by having a different entry in a table.
1114 This should make it possible to discover who did what at which moment in time.
1117 The name of two related fields that make the relationship between two
1118 tables will be the same to avoid confusion.
1124 <heading>Database design.</heading>
1127 In the design we anticipate to deliver an as best as possible database performance.
1128 That means that data that needs to be entered occasionally can be heavily indexed
1129 to increase performance. However data that is mainly stored will only be indexed
1130 marginally to have the best possible performance on data entry. If during one of
1131 the checks on data-entry a notification is made, the information related to that
1132 notification will be indexed very well to increase retrieval performance.
1133 What we will try to avoid is that the user interface will cause full table
1134 scan and affect the performance of the overall system dramatically.
1135 One of the techniques to increase performance on display is to work with views.
1136 So where it is feasible we will use them.
1140 The following model pictures the database as described in the remainder
1144 <picture src="erd.png" eps="erd" scale="0.7"/>
1148 In general the database must also be maintained well.
1149 So daily maintenance scripts should keep the performance good<footnote>PostgreSQL seems
1150 to have very good features to do proper maintenance and they have to be exploited to
1151 the full extend.</footnote>.
1156 <heading>Actual design.</heading>
1159 In this part of the chapter the tables will be explained and then described
1160 with all important elements. Per table a sub-chapter will be created.
1161 Each table will have a table design, indexes, relationships and the required data
1162 (for those tables where the data itself is relevant in the design or sample data
1163 (for those cases where no set data is needed). For the relationships beside a
1164 description the subset of the total schema has been incorporated in
1165 the document so that it is more clear what exactly is meant.
1166 Due to the complex nature of the design those drawings sometimes will seem funny.
1169 For the fieldtypes the types of PostgreSQL will be used.
1170 These values can be found in Chapter 3 of the PostgreSQL User Manual
1171 (<reference href="http://www.postgresql.org/">http://www.postgresql.org</reference>).
1174 For indexes primary keys are always <emph>unique</emph> and called
1175 primary key in the name. Since unique indexes within PostgreSQL only
1176 work on B-Tree indexes (which is default) we will use B-Tree for all indexes.
1177 In cases where an exception is made the used type of index will be indicated
1178 in the characteristics. A footnote will explain why a different type of
1179 index has been selected.
1183 <heading>action</heading>
1186 This table stores the actions that are recognized by the system.
1187 Whenever a situation in the database has been raised (through the table notification)
1188 one expects steps to be taken to resolve these issues.
1189 All these steps are stored in this table.
1190 Each step beginning with detection until a case is closed can be traced back through this table.
1191 This will support the <strong>accountability</strong> (who is responsible for which action)
1192 and <strong>non-repudiation</strong> (being able to trace what exactly happened to each notification).
1193 In the table action all recognized actions that can be taken are stored.
1194 Several of the taken actions will lead to change in <emph>statuscode</emph>.
1195 When this is the case either the server-side of the interfaces or the gcm_daemon will perform this task.
1196 This doesn't apply to all actions though.<footnote>A status NEW
1197 of a notification that cannot be dealt with automatically will
1198 <strong>not</strong> change before a user looked at it.</footnote>.
1199 Actions take place through background processes and the interface.
1200 Each action known by the system will be delivered by the software.
1201 This table mainly is used for retrieval so indexing will be done as much as possible.
1205 <heading>The fields.</heading>
1208 The table below describes the fields:
1212 <table cpos='lllp{6cm}'>
1214 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
1220 <col> actionid </col> <col> Bigserial </col> <col> 8 </col>
1222 Autonumber bigint (eight bit). Unique identifyer to refer to when this action is taken.
1226 <col> actionname </col> <col> Text </col> <col> <para/> </col>
1228 Short descriptive name for the type of action.
1232 <col> statuscode </col> <col> Varchar </col> <col> 3 </col>
1234 New status that will be given to a notification when this action takes place.
1235 If the action occurs the status in the notification can change because of this.
1236 The statuscode will indicate what the new status has to be.
1237 If this field is left empty no change to the status will occur.
1241 <col> description </col> <col> Text </col> <col> <para/> </col>
1243 A longer description (without limit) on the action.
1252 <heading>The indexes.</heading>
1255 Indices for this table are:
1259 <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
1262 <col> act_pk </col> <col> actionID </col> <col> Primary key </col>
1265 <col> act_actionname </col> <col> actionname </col> <col> Unique </col>
1268 <col> act_statuscode </col> <col> statuscode </col> <col> <para/> </col>
1275 <heading>The relationships.</heading>
1278 Relationships with other tables:
1280 <table cpos='llp{7cm}'>
1282 <col> Fieldname </col> <col> Remote Table </col> <col> Remarks </col>
1285 <col> actionid </col> <col> action_notification_user </col>
1287 Each action that takes placed will be stored. The Actionid will bring
1288 classification to the individual records (that reflect what it means if the action-occurred).
1289 This relationship has to be enforced.
1293 <para>In the model this looks like this:</para>
1295 <picture src="erd-action.png" eps="erd-action"/>
1300 <heading>Default data in table.</heading>
1303 The data in this table is standard for the system and part of the design.
1304 The user cannot change this or add value to it.
1307 <table cpos='p{1cm}p{2cm}p{1.5cm}p{6cm}'>
1309 <col>Actionid</col><col>Actionname</col><col>Statuscode</col>
1315 <col>1</col><col>Entry in the system</col><col>NEW</col>
1317 This indicates that a notification is entered into the system. The status is a <strong>NEW</strong>.
1321 <col>2</col><col>Displayed to user</col><col>OPN</col>
1323 The notification has been displayed to the user.
1324 It is not guaranteed that the user has read the notification,
1325 but he/she should be aware of it.
1326 The status will now be changed to <strong>OPEN</strong> if the current
1327 status is <strong>NEW</strong>.
1331 <col>3</col><col>Remarks added</col><col>PEN</col>
1333 Remarks have been added to the notification. The status has now been
1334 changed to <strong>PENDING</strong>.
1338 <col>4</col><col>Priority changed manually</col><col>PEN</col>
1340 The priority of the notification has been changed by the user.
1341 The new status is now <strong>PENDING</strong>.
1345 <col>5</col><col>Priority changed automatically</col><col>PEN</col>
1347 The priority of the notification has been changed by the system.
1348 If the status is not <strong>OPEN</strong> or <strong>NEW</strong> the new
1349 status is become <strong>PENDING</strong>.
1353 <col>6</col><col>Action taken</col><col>PEN</col>
1355 A action has been taken. The status is now <strong>PENDING</strong>.
1359 <col>7</col><col>Assignment to user</col><col>PEN</col>
1361 A notification has been explicitly assigned to another user.
1362 The status is now <strong>PENDING</strong>.
1366 <col>8</col><col>More information or research needed.</col><col>INV</col>
1368 The notification is relevant and will be handled, however more information
1369 or research will be needed. The status is <strong>UNDER INVESTIGATION</strong>.
1373 <col>9</col><col>Make output reference.</col><col>REF</col>
1375 Automated output from an object has been sent to gnucomo.
1376 The input has been identified as a valid reference for future.
1377 Status is now <strong>REFERENCE</strong><footnote>A reference is used to
1378 find differences in output. This feature must reduce the number of wrongful alerts.
1379 Only if a change has taken place a notification is generated.
1380 First time reports will always generate a notification.
1381 By signing this off the system will be silent again.</footnote>.
1385 <col>10</col><col>Job output no longer reference.</col><col>CLS</col>
1387 By making a newer job output reference this output has been obsoleted.
1388 Since once it was a reference the notification can be closed.
1389 The new status for the notification is now <strong>CLOSED</strong>.
1393 <col>11</col><col>Action taken please verify.</col><col>VRF</col>
1395 An action has been taken and things should have been resolved.
1396 Before the notification can be closed a verification has to be done.
1397 New status is now <strong>VERIFY</strong>.
1401 <col>12</col><col>Action not accepted.</col><col>PEN</col>
1403 A check has been done and the results were not good.
1404 New verification is needed.
1405 New status is now <strong>PENDING</strong>.
1409 <col>13</col><col>Action verified</col><col>CLS</col>
1411 The verification for the action has been done and the action is approved.
1412 The new status is now <strong>CLOSED</strong>.
1416 <col>14</col><col>E-mail sent</col>
1417 <col>OPN<footnote>Only if the status is <strong>NEW</strong>.</footnote></col>
1419 An e-mail has been sent.
1423 <col>15</col><col> SMS sent </col>
1424 <col>OPN<footnote>Only if the status is <strong>NEW</strong>.</footnote></col>
1426 A SMS has been sent.
1430 <col>16</col><col>Fax sent</col>
1431 <col>OPN<footnote>Only if the status is <strong>NEW</strong>.</footnote></col>
1433 A fax has been sent.
1437 <col>17</col><col>Log-entries shown</col><col>XXXX</col>
1439 The log entries have been shown. No changes to the status made.
1443 <col>18</col><col>Notification closed</col><col>CLS</col>
1445 Notification has been closed.
1449 <col>19</col><col>Notification reopened</col><col>OPN</col>
1451 Notification has been re-opened
1460 <heading>Action_user.</heading>
1463 This table stores each actual action taken.
1464 Where the action basically stores the type of actions that can be taken,
1465 this table says 'at this point in time for this notification this action was taken'.
1466 Using this table it is traceable who did what at which moment in time.
1467 The table is very important for later use if
1468 something goes wrong, but is also relevant for the interface.
1469 All steps of a in the process of a notification can be traced using this table.
1470 There will be a lot of entries here, but retrieval is more crucial for
1471 performance than data entry. So indexing on logic fields is very relevant.
1472 Processing might be slower, but that's worth the price.
1476 <heading>The fields.</heading>
1479 The table below describes the fields:
1482 <table cpos='lllp{6cm}'>
1484 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
1490 <col> actionstepid </col> <col> Bigserial </col> <col> 8 </col>
1492 Autonumber bigint (eight bit). A unique identifyer to indicate each step in the process.
1496 <col> actionid </col> <col> Bigint </col> <col> 8 </col>
1498 Reference to the action that is being registered here. This field refers to the actual action taken.
1502 <col> username </col> <col> Text </col> <col> <para/> </col>
1504 The username of the user that is involved in the action. This field refers to the table <strong>usr</strong>
1508 <col> notificationid </col> <col> Bigint </col> <col> 8 </col>
1510 Reference to the notification. This will link the action to the notification.
1514 <col> timestamp </col> <col> Timestamp </col> <col> <para/> </col>
1516 The time when the action has been entered into the system.
1517 This is the time without the timezone<footnote>The timestamp without
1518 time has been selected, since this is the system time.
1519 To have the system functioning without any physical borders one
1520 of the settings on the system is time in GMT (UTC).
1521 This ensures also the added value of the system log.</footnote>.
1522 This will be automatically added when the record is added into the database.
1526 <col> statuscode </col> <col> Varchar </col> <col> 3 </col>
1528 The status of the Notification AFTER this action has been taken.
1532 <col> remarks </col> <col> Text </col> <col> <para/> </col>
1534 Remarks entered by the user if it concerns a manual action
1535 or the text of automatically generated warnings.
1543 <heading>The indexes.</heading>
1546 The table is indexed on the following fields:
1551 <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
1554 <col> anu_pk (action_user_actionstepid_key) </col> <col> actionstepid </col>
1555 <col> Primary key </col>
1558 <col> anu_actionid </col> <col> actionid </col> <col> <para/> </col>
1561 <col> anu_username </col> <col> username </col> <col> <para/> </col>
1564 <col> anu_notificationid </col> <col> notificationid </col> <col> <para/> </col>
1567 <col> anu_timestamp </col> <col> timestamp </col> <col> <para/> </col>
1570 <col> anu_statuscode </col> <col> statuscode </col> <col> <para/> </col>
1576 <heading>The relationships.</heading>
1579 Relationships with other tables:
1581 <table cpos='llp{7cm}'>
1583 <col> Fieldname </col> <col> Remote Table </col>
1584 <col> Remarks </col>
1587 <col> actionid </col> <col> action </col>
1589 Indicates the action that has been taken. The relationship has to be enforced.
1593 <col> notificationid </col> <col> notification </col>
1595 Each action that takes place is registered in this table.
1596 By using the notification the relevant notification. The relationship has to be enforced.
1600 <col> username </col> <col> user </col>
1602 Each step in the process has to be related to the user.
1603 If the system itself generates an action the user will be
1604 <strong>gnucomo</strong><footnote>This implies that the system
1605 automatically has an username gnucomo.</footnote>.
1611 In the model this looks like this:
1614 <picture src="erd-anu.png" eps="erd-anu"/>
1620 <heading>Sample data.</heading>
1623 Since no data is delivered automatically a couple of sample records are shown here.
1626 <table cpos='p{1cm}p{1cm}p{1cm}lllp{4cm}'>
1628 <col> Actionstepid </col> <col> Actionid </col> <col> Notificationid </col>
1629 <col> Username </col> <col> Timestamp </col> <col> Status </col>
1630 <col> Remarks </col>
1633 <col> 1 </col> <col> 1 </col> <col> 1 </col> <col> Gnucomo </col>
1634 <col> 2002-07-14 16:14:09 </col> <col> NEW </col>
1636 Gnucomo detected a portscan
1640 <col> 2 </col> <col> 5 </col> <col> 1 </col> <col> Gnucomo </col>
1641 <col> 2002-07-14 16:14:09 </col> <col> NEW </col>
1647 <col> 3 </col> <col> 5 </col> <col> 1 </col> <col> Gnucomo </col>
1648 <col> 2002-07-14 16:14:09 </col> <col> OPN </col>
1650 <para>Automatic e-mail to user:
1651 <reference href="mailto:brenno@dewinter.com">brenno@dewinter.com</reference>:</para>
1652 <para>Gnucomo detected a portscan on system
1653 <reference href="http://gnucomo.dewinter.com/">gnucomo.dewinter.com</reference></para>
1657 <col> 4 </col> <col> 2 </col> <col> 1 </col> <col> Brenno </col>
1658 <col> 2002-07-14 16:18:09 </col> <col> OPN </col>
1660 Notification shown through webinterface.
1664 <col> 5 </col> <col> 17 </col> <col> 1 </col> <col> Brenno </col>
1665 <col> 2002-07-14 16:18:12 </col> <col> PEN </col>
1671 <col> 6 </col> <col> 4 </col> <col> 1 </col> <col> Brenno </col>
1672 <col> 2002-07-14 16:20:37 </col> <col> PEN </col>
1678 <col> 7 </col> <col> 3 </col> <col> 1 </col> <col> Brenno </col>
1679 <col> 2002-07-1416:21:58 </col> <col> PEN </col>
1681 After reviewing the logs I see a portscan. On very specific ports. More analysis needed.
1685 <col> 8 </col> <col> 3 </col> <col> 1 </col> <col> Brenno </col>
1686 <col> 2002-07-14 16:24:59 </col> <col> PEN </col>
1688 Services tables learns me that all services are aimed at Windows-based services.
1689 Attempts for platform specific expoits.
1693 <col> 9 </col> <col> 4 </col> <col> 1 </col> <col> Brenno </col>
1694 <col> 2002-07-14 16:25:03 </col> <col> PEN </col>
1700 <col> 10 </col> <col> 2 </col> <col> 1 </col> <col> Brenno </col>
1701 <col> 2002-07-14 16:30:09 </col> <col> PEN </col>
1703 Notification shown through webinterface.
1707 <col> 11 </col> <col> 3 </col> <col> 1 </col> <col> Brenno </col>
1708 <col> 2002-07-14 16:31:48 </col> <col> PEN </col>
1710 Portscan has finished and no other action seems to take place now.
1714 <col> 12 </col> <col> 18 </col> <col> 1 </col> <col> Brenno </col>
1715 <col> 2002-07-14 16:43:03 </col> <col> CLS </col>
1725 <heading>history</heading>
1727 The history table records all changes to properties of parameters.
1731 <heading>The fields</heading>
1733 The fields of the <emph>history</emph> table are listed below:
1735 <table cpos='lllp{6cm}'>
1737 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
1738 <col> Remarks </col>
1741 <col>paramid</col><col>bigint</col><col>8</col>
1742 <col>The parameter to which this history belongs. Refers to the parameter table</col>
1745 <col>modified</col><col>timestamp</col><col> </col>
1746 <col>Time at which the property value or parameter changed</col>
1749 <col>change_nature</col><col>enum</col><col> </col>
1750 <col>Parameter created to destroyed; property value changed</col>
1753 <col>changed_property</col><col>text</col><col> </col>
1754 <col>Name of the parameter's property that changed.</col>
1757 <col>new_value</col><col>text</col><col> </col>
1758 <col>The new actual value of the property at the time of modification</col>
1761 <col>remark</col><col>text</col><col> </col>
1762 <col>A short explanation of why the property changed</col>
1767 Each time something about a parameter changes, this is recorded in the
1768 change history of the paraneter.
1769 When such a change happens, one of three things may occur to a parameter,
1770 as stated in the 'change_nature' field:
1773 <item>A new parameter is created.</item>
1774 <item>The value of one of the properties was altered.</item>
1775 <item>The parameter is removed.</item>
1778 When a parameter is created or destroyed, the fields 'changed_property' and
1779 'new_value' are irrelevant.
1786 <heading>log & log_adv. </heading>
1789 To store the log-data there are two tables in use that have a one-on-one relationship.
1790 The logic behind this is the difference between raw-always needed data and the somewhat
1791 processed data to support basic retrieval.
1792 The last category isn't always used and when it's used it is redundant.
1793 Also the raw log is very important to the integrity of the system.
1794 For these reasons the processed data has been physically separated in a
1795 second table called <emph>log_adv</emph>.
1796 If needed a view will be available that combines the two tables.
1797 Despite the load indexing on <emph>log_adv</emph> will be done thoroughly.
1802 <heading>log.</heading>
1805 <heading>The fields of log.</heading>
1808 The fields in log are focussed around the raw data arriving from log-files and output
1809 from processes that deliver status information.
1810 The log table is the one and only place used to automatically deliver data to the gnucomo-system.
1811 This makes the facts very traceable and ensures that there is one point where the data isn't
1812 yet fragmented (usefull if new insights are usefull). The log table also provides the
1813 integrity of the data as it was delivered. The data will be needed to provide
1814 a link to other tables in the system that handle processed derrivates of the
1815 original data (added intelligence).
1818 <table cpos='lllp{6cm}'>
1820 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
1826 <col> logid </col> <col> Bigserial </col> <col> 8 </col>
1828 Autonumber bigint (eight bit)
1832 <col> objectid </col> <col> Bigint </col> <col> 8 </col>
1834 Reference to the object that submitted this log entry
1838 <col> original_filename </col> <col> Text </col> <col> <para/> </col>
1840 This field refers to the filename that contained this entry.
1841 The original entries as received by the gnucomo-server (flat files).
1842 The files are sent in batches, which makes it very hard to find where the
1843 original logline is. This will enable to see the files to detect
1844 bugs in gnucomo if any occur.
1845 It may well be that in a later stage this functionality becomes obsolete.
1849 <col> servicecode </col> <col> Text </col> <col> <para/> </col>
1851 This field explains what service was recognized (for instance 'kernel, 'httpd' or 'smtp')
1852 this make later processing easier.
1856 <col> type_of_logid </col> <col> Bigint </col> <col> 8 </col>
1858 Reference to the table type_of_log that contains information on what
1859 type of log/report we have here (how gnucomo recognized it).
1863 <col> object_timestamp </col> <col> Timestamp </col> <col> 8 </col>
1865 Timestamp of the moment the data was written into the log-file itself.
1866 This is the time on the remote system.
1870 <col> timestamp </col> <col> Timestamp </col> <col> <para/> </col>
1872 The time when the action has been entered into the system.
1873 This is the time without the timezone<footnote>The timestamp without time
1874 has been selected, since this is the system time.
1875 To have the system functioning without any physical borders one of
1876 the settings on the system is time in GMT (UTC).
1877 This ensures also the added value of the system log.</footnote>.
1878 This will be generated upon entry into the database.
1882 <col> rawdata </col> <col> TEXT </col> <col> <para/> </col>
1884 The raw log data as it was handed to gnucomo.
1888 <col>processed</col><col>BOOLEAN </col> <col> <para/> </col>
1889 <col>This record is a flag (true or false).
1890 If a record that has been entered into the log-table has been processed
1891 (mostly into several log_adv-tables) this flag is set to true.
1892 The flag indicates that gcm_daemon processed the record.
1893 This doesn't nescessarily mean that they have been used.
1894 By default the setting is false.
1895 So the flag helps in the detection of new arrivals in the log-table.</col>
1898 <col>recognized</col><col>BOOLEAN</col> <col><para/> </col>
1899 <col>This record is a flag (true or false).
1900 If the processing by gcm_daemon of this particular record has been done the flag
1901 will only be set to true when gcm_daemon could process the record.
1902 If there was no support for this particular entry the status remains false.
1903 The main aim of this functionality is relevant when a new version of the daemon is present.
1904 Unrecognized records will then be transferred to unprocessed again and a
1905 new attempt will be made to process these records.</col>
1911 <heading>The indexes.</heading>
1914 The indices of the table:
1919 <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
1922 <col> log_pk (log_logid_key) </col> <col> logid </col> <col> Primary key </col>
1925 <col> log_objectid </col> <col> objectid </col> <col> <para/> </col>
1928 <col> log_original_filename </col> <col> original_filename </col> <col> <para/> </col>
1931 <col> log_servicecode </col> <col> servicecode </col> <col> <para/> </col>
1934 <col> log_type_of_logid </col> <col> type_of_logid </col> <col> <para/> </col>
1937 <col> log_object_timestamp </col> <col> object_timestamp </col> <col> <para/> </col>
1940 <col> log_timestamp </col> <col> timestamp </col> <col> <para/> </col>
1946 <heading>The relationships.</heading>
1949 Relationships with other tables:
1952 <table cpos='llp{6cm}'>
1954 <col> Fieldname </col> <col> Remote Table </col>
1960 <col> objectid </col> <col> object </col>
1962 This make the link from what object the logline came
1966 <col> type_of_logid </col> <col> type_of_log </col>
1968 Each logbook has a certain type of reporting.
1969 This explains what type of log was received (and thus which rules for detection was applied).
1973 <col> systemuser </col> <col> user </col>
1975 Links a registered user of an object to this log
1976 entry<footnote>Upon entry of an object most of the times the
1977 passwd-file (UNIX-systems) or the userlist will serve as the entrypoint of users.
1978 Non existing users will be added and will have to be verified by an
1979 administrator before this entry become definite.</footnote>.
1984 <para>In the model this looks like this:</para>
1987 <picture src="erd-log.png" eps="erd-log"/>
1993 <heading>Log_adv</heading>
1995 As soon as new data is detected in the log-table processing takes place.
1996 If the data is recognized by the gcm_daemon one or more log_adv records
1997 will be written where data is separated. Due to the high diversity multiple
1998 types of the log_adv table will be created.
1999 All of them will be an inheritance of the log_adv-table.
2003 <heading>The fields of log_adv.</heading>
2006 The fields of the table <emph>log_adv</emph> are shown below:
2009 <table cpos='lllp{6cm}'>
2011 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
2017 <col>log_advid</col><col>Bigint autonumber</col><col>8</col>
2018 <col>Since some records can generate several log_adv records a unique identifyer is needed.
2019 This record provides that.
2023 <col> logid </col> <col> Bigint </col> <col> 8 </col>
2025 Bigint (eight bit) 1-to-1 relationship with log
2033 <heading>The indexes.</heading>
2036 The table is indexed on the following fields:
2041 <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
2044 <col> loa_logid </col> <col> logid </col> <col> Primary key </col>
2047 <col> loa_source_ip </col> <col> source_ip </col> <col> <para/> </col>
2050 <col> loa_destination_ip </col> <col> destination_ip </col> <col> <para/> </col>
2053 <col> loa_mac_address </col> <col> mac_address </col> <col> <para/> </col>
2056 <col> loa_packetlength </col> <col> packetlength </col> <col> <para/> </col>
2059 <col> loa_protocol </col> <col> protocol </col> <col> <para/> </col>
2062 <col> loa_source_port </col> <col> source_port </col> <col> <para/> </col>
2065 <col> loa_destination_port </col> <col> destination_port </col> <col> <para/> </col>
2068 <col> loa_messageid </col> <col> messageid </col> <col> <para/> </col>
2071 <col> loa_system_username </col> <col> system_username </col> <col> <para/> </col>
2074 <col> networkdevice </col> <col> networkdevice </col> <col> <para/> </col>
2080 <heading>The relationships.</heading>
2083 There is only one relation with this table.
2086 <table cpos='llp{6cm}'>
2088 <col> Fieldname </col> <col> Remote Table </col>
2094 <col> Logid </col> <col> Log </col>
2096 This will make a link to the table <emph>log</emph>. The relationship is a one-on-one relationship.
2103 <heading>Sample data combined from log and log_adv.</heading>
2106 The sample data derrived here has been gathered in logs.
2107 Since the tablestructure is very long the representation is somewhat different:
2110 <table cpos='lp{8cm}'>
2112 <col> Fieldname </col> <col> Value. </col>
2115 <col> Logid </col> <col> 1 </col>
2118 <col> Objectid </col> <col> 1 </col>
2121 <col> Original_filename </col> <col> 7f0100.messages.20020714231801 </col>
2124 <col> Rawdata </col>
2126 Jul 14 18:16:42 webber kernel: IN=eth0 OUT= MAC=00:60:67:36:61:a5:00:90:69:60:c0:5d:08:00 SRC=193.79.237.146 DST=212.204.216.11 LEN=40 TOS=0x00 PREC=0x00 TTL=245 id=19308 DF PROTO=TCP SPT=36375 DPT=113 WINDOW=8760 RES=0x00 RST URGP=0
2130 <col> Type_of_logid </col> <col> 1 </col>
2133 <col> Timestamp </col> <col> 2002-07-14 23:29:01 </col>
2136 <col> Object_timestamp </col> <col> 2002-07-14 18:16:42 </col>
2139 <col> Source_ip </col> <col> 193.79.237.146 </col>
2142 <col> Destination_ip </col> <col> 212.204.216.11 </col>
2145 <col> Mac_address </col> <col> 00:60:67:36:61:a5:00:90:69:60:c0:5d:08:00 </col>
2148 <col> Packetlength </col> <col> 40 </col>
2151 <col> Protocol </col> <col> TCP </col>
2154 <col> Source_port </col> <col> 36375 </col>
2157 <col> Destination_port </col> <col> 113 </col>
2160 <col> Messageid </col> <col> <para/> </col>
2163 <col> Systemuser </col> <col> <para/> </col>
2166 <col> Networkdevice </col> <col> eth0 </col>
2173 <heading>log_notification. </heading>
2176 In the log_notification the logbook entries that have caused an alert to occur are saved.
2177 When this table is used something has been detected.
2178 As this is clearly an intermediate table we anticipate to design checks where
2179 multiple entries in a log-file can lead to one notification.
2180 For forensics indexing will be focussed on retrieval speed.
2184 <heading>The fields.</heading>
2187 The fields are listed below:
2190 <table cpos='lllp{6cm}'>
2192 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
2198 <col> notificationid </col> <col> Bigint </col> <col> 8 </col>
2200 Reference to the notification
2204 <col> logid </col> <col> Bigint </col> <col> 8 </col>
2206 Reference to the logbook
2213 <heading>The indexes.</heading>
2216 The table is indexed on the following fields:
2220 <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
2223 <col> lon_pk </col> <col>notificationid </col> <col>Primary key </col>
2226 <col> <para/> </col> <col>logid </col> <col>Primary key (second field) </col>
2229 <col>lon_notificationid </col> <col> notificationid </col> <col> <para/> </col>
2232 <col> lon_logid </col> <col>logid </col> <col> <para/> </col>
2238 <heading>The relationships.</heading>
2241 Relationships with other tables:
2244 <table cpos='llp{8cm}'>
2246 <col> Fieldname </col> <col> Remote Table </col>
2252 <col> Logid </col> <col> Log </col>
2254 Indicates the log-entry that was on of the triggers that led to the notification.
2258 <col> NotificationID </col> <col> Notification </col>
2260 Indicates the notification where the entry in the log was a trigger.
2265 <para>In the model this look like this:</para>
2267 <picture src="erd-lognotif.png" eps="erd-lognotif"/>
2272 <heading>Sample data.</heading>
2279 <col> LogID </col> <col> NotificationID </col>
2282 <col> 4 </col> <col> 1 </col>
2285 <col> 5 </col> <col> 1 </col>
2288 <col> 8 </col> <col> 1 </col>
2291 <col> 9 </col> <col> 1 </col>
2294 <col> 5 </col> <col> 2 </col>
2297 <col> 6 </col> <col> 2 </col>
2300 <col> 11 </col> <col> 2 </col>
2307 <heading>notification. </heading>
2310 The main task of gnucomo is detection issues.
2311 As soon as something has been detected based on the queries run a notification will be created.
2312 This notification will be the warning towards the system that something has been detected.
2313 Issues are entered based on immediate detection, periodical detection or manually.
2314 In an ideal case no notification will occur, but as time goes by issues will occur.
2315 When systems function properly more retrieval than data entry will take place.
2316 Also data retrieval will be done in all sorts of ways. One can think of immediate display,
2317 but also updates due to actions and ultimately reporting.
2318 Indexing must be huge to facilitate all these queries.
2320 There will be one single point-of-contact with the gnucomo-system.
2321 This point-of-contact will be the XML/SOAP interface.
2322 By doing that we can set user-rights (as has been impleted in this table)
2323 without communicating that to the user.
2324 Also the gnucomo-XML/SOAP-interface will verify if the attempted action is allowed.
2328 <heading>The fields.</heading>
2331 The fields of the <emph>notification</emph> table are:
2334 <table cpos='lllp{6cm}'>
2336 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
2342 <col> notificationid </col> <col> Bigint Autonumber </col> <col> 8 </col>
2348 <col> objectid </col> <col> Bigint </col> <col> 8 </col>
2350 Reference to the <emph>object</emph>
2354 <col> type_of_issue_id </col> <col> Bigint </col> <col> 8 </col>
2356 Reference to the <emph>type_of_issue</emph> indicating what
2357 type of notification we have here and what basic rules apply.
2358 Notifications are always created on an issue that can be raised.
2362 <col> timestamp </col> <col> Timestamp </col> <col> <para/> </col>
2364 Timestamp used to indicate the moment when this notification was created.
2368 <col> statuscode </col> <col> Varchar </col> <col> 3 </col>
2370 The status the actual status a notification has.
2371 This can be new, open, pending, waiting for verification, rejected, closed, needs investigation
2375 <col> priority </col> <col> Int </col> <col> 4 </col>
2377 The priority that is given to this issue<footnote>Basically there will be
2378 five priority levels. The rule is that the lower the number gets the more
2379 urgent the issue is. At the moment the priority level is set by the system
2380 pre-defined actions will take place.</footnote>.
2384 <col> escalation_count_timestamp </col> <col> Timestamp </col> <col> <para/> </col>
2386 Each notification has a basic priority-level but if certain time-constraints
2387 are not met it is possible to do an automatic escalation.
2388 By doing that new rules may apply and more priority can be given.
2389 This field has the timestamp since the last escalation took
2390 place<footnote>The system offers
2391 the possibility to automatically escalate issue if no action has been
2392 taken within a certain amount of time. Based on the status and the type
2393 of notification escalation can take place.</footnote>.
2397 <col> repeat_notification_timestamp </col> <col> Timestamp </col> <col> <para/> </col>
2399 Timestamp at which moment in time a repeat notification should occur<footnote>After
2400 this time has passed a notification is being resent.
2401 After a resent automatically a new time is set for another resent.
2402 If any actions takes place (except automated entries of course)
2403 the time is emptied so that an administrator will no longer be bothered by the system.</footnote>.
2407 <col> securitylevel_view </col> <col> Int </col> <col> 4 </col>
2409 The securitylevel that is needed to be allowed to view this entry. This field builds the opportunity to have certain specific issues only handled by certain persons. <footnote>This feature may be beneficial to make monitoring more discrete. For instance if a check is being done on who is looking on pornographic websites privacy issues play as well. By setting this value only certain users can undertake action. Something else would be a feature to have fraud protection. If this happens it goes beyond the work of a normal administrator and only certain officers are allowed to deal with these issues. One last example would also be privacy related. Suppose a system logs all the unix-commands given by a certain user. If something is found based on the actions of the users a protection mechanism is needed. Only special users are allowed to view this notification.</footnote>
2413 <col> securitylevel_add </col> <col> Int </col> <col> 4 </col>
2415 There is a fundamental difference between letting users see notification and actually work on notifications. This field indicates what security level needs to be present to edit this notification.
2419 <col> securitylevel_close </col> <col> Int </col> <col> 4 </col>
2421 The securitylevel needed to be able to close this notification. After working on an issue one ultimately hope to close the notification. This field indicates who is allowed to do so. If one attempts to close the issue, but is lacking sufficient rights the status will be changed to 'waiting for verification'. This will enable the superuser to quickly tick of the list of issues to be verified and still be in control.
2428 <heading>The indexes.</heading>
2435 <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
2438 <col> not_pk (notification_notificationid_key) </col> <col> notificationid </col>
2439 <col> Primary key </col>
2442 <col> not_objectid </col> <col> objectid </col> <col> <para/> </col>
2445 <col> not_type_of_notificationid </col> <col> type_of_notificationid </col>
2446 <col> <para/> </col>
2449 <col> not_timestamp </col> <col> timestamp </col> <col> <para/> </col>
2452 <col> not_statuscode </col> <col> statuscode </col> <col> <para/> </col>
2455 <col> not_priority </col> <col> priority </col> <col> <para/> </col>
2458 <col> not_escalation_count_timestamp </col> <col> escalation_count_timestamp </col>
2459 <col> <para/> </col>
2463 <para>not_repeat_notification_timestamp</para>
2464 <para>(not_repeat_notification_timesta)</para>
2466 <col> repeat_notification_timestamp </col> <col> <para/> </col>
2472 <heading>The relationships.</heading>
2475 Relationships with other tables:
2478 <table cpos='llp{8cm}'>
2480 <col> Fieldname </col> <col> Remote Table </col> <col> Remarks </col>
2483 <col> Logid </col> <col> Log </col>
2485 Indicates the log-entry that was on of the triggers that led to the notification.
2489 <col> NotificationID </col> <col> Notification </col>
2491 Indicates the notification where the entry in the log was a trigger.
2496 <para>In the model this look like this:</para>
2498 <picture src="erd-notif.png" eps="erd-notif"/>
2503 <heading>Sample data.</heading>
2506 The following data is an example of a notification placed in the database.
2510 <col> Fieldname </col> <col> Data </col>
2513 <col> Notificationid </col> <col> 1 </col>
2516 <col> ObjectID </col> <col> 1 </col>
2519 <col> Type_of_notification_id </col> <col> 1 </col>
2522 <col> Timestamp </col> <col> 17-07-2002 16:07 </col>
2525 <col> Statuscode </col> <col> NEW </col>
2528 <col> Priority </col> <col> 3 </col>
2531 <col> Escalation_count_timestamp </col> <col> 17-07-2002 16:07 </col>
2534 <col> Repeat_notification_timestamp </col> <col> 17-07-2002 20:48PM </col>
2537 <col> Securitylevel_view </col> <col> 3 </col>
2540 <col> Securitylevel_add </col> <col> 3 </col>
2543 <col> Securitylevel_close </col> <col> 4 </col>
2550 <heading>object</heading>
2553 The <emph>object</emph> table contains general information on the objects being monitored. Mostly objects will be computers, but it may also be something else in the future like routers, switches, gateways, PDA's or other devices. The table object will more be used for retrieval, since adding objects will be an
2554 occasional process. Anything that for some reason can be indexed ought to be indexed.
2558 <heading>The fields.</heading>
2563 <table cpos='lllp{6cm}'>
2565 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
2571 <col> objectid </col> <col> Bigint Autonumber </col> <col> 8 </col>
2573 Autonumbering code for the computer or device.
2577 <col> objectname </col> <col> Text </col> <col> <para/> </col>
2579 The hostname of the object as it can be recognized by the gcm_input-application.
2583 <col> objectcode </col> <col> Text </col> <col> <para/> </col>
2585 Unique identifier (if existent) on the system<footnote>In Linux this will
2586 typically be the <emph>hostid</emph>.</footnote>.
2590 <col> scp_enabled </col> <col> Boolean </col> <col> <para/> </col>
2592 Can communication occur through scp (T = Yes / F = No)
2596 <col> scp_inet </col> <col> Inet </col> <col> <para/> </col>
2598 IP Address of the object for scp-data transfer.
2602 <col> mail_enabled </col> <col> Boolean </col> <col> <para/> </col>
2604 Can communication occur through e-mail (T = Yes/F = No).
2608 <col> mail_from </col> <col> Text </col> <col> <para/> </col>
2610 The e-mail address where e-mail will come from.
2614 <col> sms_enabled </col> <col> Boolean </col> <col> <para/> </col>
2616 Can communication occur through SMS (T = Yes/F = No).
2620 <col> sms_number </col> <col> Text </col> <col> <para/> </col>
2622 The SMS-number to send a notification to.
2626 <col> fax_enabled </col> <col> Boolean </col> <col> <para/> </col>
2628 Can communication occur through Fax (T = Yes/F = No).
2632 <col> fax_number </col> <col> Text </col> <col> <para/> </col>
2634 The fax-number to send a notification to.
2648 Description of the object. What type of system is it, what specifics are there to know, etc.
2652 <col> object_owner </col> <col> Text </col> <col> <para/> </col>
2658 <col> physical_location </col> <col> Text </col> <col> <para/> </col>
2660 Physical address and when applicable entry-details needed to get to the object.
2664 <col> timezone </col> <col> Text </col> <col> <para/> </col>
2666 The timezone where this object is located<footnote>For objects that
2667 move around like PDA's and laptops the timezone can be the place where
2668 a person is stationed or better GMT.</footnote>.
2672 <col> remark </col> <col> Text </col> <col> <para/> </col>
2674 Additional remarks that shouldn't be in the previous TEXT fields.
2681 <heading>The indexes.</heading>
2684 The <emph>object</emph> table is indexed on the following fields:
2689 <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
2692 <col> obj_pk (object_objectid_key) </col> <col> objectid </col> <col> Primary key </col>
2695 <col> obj_objectname </col> <col> objectname </col> <col> Unique </col>
2698 <col> obj_objectcode </col> <col> objectcode </col> <col> Unique </col>
2701 <col> obj_mail_from </col> <col> mail_from </col> <col> <para/> </col>
2707 <heading>The relationships.</heading>
2710 The relationships with other tables are listed below:
2713 <table cpos='llp{8cm}'>
2715 <col> Fieldname </col> <col> Remote Table </col> <col> Remarks </col>
2718 <col> ObjectID </col> <col> Log (adv) </col>
2719 <col> Reference to processed log-entries </col>
2722 <col> <para/> </col> <col> Notification </col>
2724 Reference to the table <emph>notification</emph> that contains the notifications
2725 that have been created.
2729 <col> <para/> </col> <col> Object_issue </col>
2731 Reference to the <emph>object_issue</emph> that indicates how notifications have to be handled .
2735 <col> <para/> </col> <col> Object_priority </col>
2737 Reference to the <emph>object_priority</emph> table that indicates how a
2738 certain level of priority has to be dealt with.
2742 <col> <para/> </col> <col> Object_system_user </col>
2744 Reference to a list of system user to discover abnormalities in user behaviour.
2748 <col> <para/> </col> <col> Object_user </col>
2749 <col> Reference to the <emph>object_user</emph> </col>
2752 <col> <para/> </col> <col> Unprocessed_log </col>
2754 Reference to the entries that have not been processed at all.
2759 <para>In the relationshipmodel this looks like this:</para>
2761 <picture src="erd-object.png" eps="erd-object"/>
2766 <heading>Sample data.</heading>
2768 There is no preset data and therefor it's an example has been created.
2769 The table has quite some fields so the example has the fieldname in the
2770 left column and the data in the right column.
2772 <table cpos='lp{6cm}'>
2774 <col> Fieldname </col>
2775 <col> Sample data </col>
2778 <col> Objectid </col>
2782 <col> Objectname </col>
2783 <col> webber.dewinter.com </col>
2786 <col> Objectcode </col>
2790 <col> Scp_enabled </col>
2794 <col> Scp_inet </col>
2795 <col> 192.168.221.212 </col>
2798 <col> Mail_enabled </col>
2802 <col> Mail_from </col>
2803 <col> <reference href="mailto:gnucomo@maintenance.dewinter.com">gnucomo@maintenance.dewinter.com</reference> </col>
2806 <col> Sms_enabled </col>
2810 <col> Sms_number </col>
2811 <col> 06-XXXXXXXX </col>
2814 <col> Fax_enabled </col>
2818 <col> Fax_number </col>
2819 <col> 0318-XXXXXX </col>
2822 <col> Object_description </col>
2823 <col> 19 inch 4 units, AMD-300 with two 27Gb disks (RAID-0), 256Mb memory </col>
2826 <col> Object_owner </col>
2828 <para>Brenno de Winter</para>
2829 <para>De Winter Information Solutions</para>
2830 <para>Your street here 32</para>
2831 <para>9999 XX YOUR CITY</para>
2832 <para>THE NETHERLANDS</para>
2833 <para>Phone: +31 XXX XXX XXX</para>
2837 <col> Physical_location </col>
2839 <para>Internet Provider XYZ</para>
2840 <para>Your street here 38</para>
2841 <para>9999 XX YOUR CITY</para>
2842 <para>THE NETHERLANDS</para>
2843 <para>Phone: +31 XXX XXX XXX</para>
2845 <para>Dataroom. System: Q7845</para>
2851 <para>A replacement system is available at the office location.
2852 The following persons have been authorized to enter the data room at the ISP:</para>
2853 <para>* Arjen Baart</para>
2854 <para>* Peter Busser</para>
2855 <para>* Brenno de Winter</para>
2864 <heading>object_issue. </heading>
2866 This table will store the policy on a certain issue like the priority being
2867 recognized and special actions to take. Since values in this table are bound to the object, responses to the same incident can lead to different alert levels based on the importance of the object.
2868 Since policies are utilized by the systems continuously all other process will rely on this index,
2869 while users will change the values occasionally.
2873 <heading>The fields.</heading>
2876 The fields of <emph>object_issue</emph>:
2879 <table cpos='lllp{6cm}'>
2882 <para>Fieldname</para>
2885 <para>Fieldtype</para>
2891 <para>Remarks</para>
2896 <para>objectid</para>
2905 <para>Reference to the object</para>
2910 <para>type_of_issueid</para>
2919 <para>Reference to the <emph>type_of_issue</emph> indicating
2920 how we will handle this type of issue for this particular object. If nothing is entered here, the default rules apply.</para>
2925 <para>default_priority</para>
2934 <para>The priority that will be set automatically when this type of
2935 issue is entered into the system.</para>
2940 <para>escalation</para>
2943 <para>Boolean</para>
2949 <para>Will the system perform automatic escalation (T = Yes / F = No)</para>
2954 <para>escalation_time</para>
2963 <para>The time after which a higher priority is awarded to the notification.</para>
2968 <para>max_priority</para>
2977 <para>The maximum priority given to this type of notification. This will prevent an endless escalation of the issue. No priority can be higher than 1.</para>
2982 <para>adjusted_setting</para>
2991 <para>Some checks can have a special settings (for instance alert
2992 after 5 failed login attempts instead of 3).</para>
2999 <heading>The indexes.</heading>
3002 These are the indices:
3007 <para>Indexname</para>
3013 <para>Characteristics</para>
3021 <para>objectid</para>
3024 <para>Primary key</para>
3032 <para>type_of_issue_id</para>
3035 <para>Primary key</para>
3040 <para>obi_objectid</para>
3043 <para>Objectid</para>
3051 <para>obi_type_of_issueid</para>
3054 <para>type_of_issue_id</para>
3064 <heading>The relationships.</heading>
3067 Relationships with other tables:
3070 <table cpos='llp{6cm}'>
3073 <para>Fieldname</para>
3076 <para>Remote Table</para>
3079 <para>Remarks</para>
3084 <para>ObjectID</para>
3090 <para>Reference to the <emph>object</emph> (which object does this apply to).</para>
3095 <para>Type_of_issueid</para>
3098 <para>Type_of_issue</para>
3101 <para>Reference to the type of issue.</para>
3106 <para>In the model this look like this:</para>
3108 <picture src="erd-objissue.png" eps="erd-objissue"/>
3113 <heading>Sample data.</heading>
3118 <table cpos='lllllll'>
3121 <para>Objectid</para>
3124 <para>Type_of_issue_id</para>
3127 <para>Default Priority</para>
3130 <para>Escalation</para>
3133 <para>Escalation_time</para>
3136 <para>Max_priority</para>
3139 <para>Adjusted_setting</para>
3156 <para>00:15:00</para>
3179 <para>00:30:00</para>
3225 <para>00:45:00</para>
3262 <heading>object_priority.</heading>
3265 By default a prioritycode has a certain meaning. But default behaviour can be used for most cases, but not all. For some objects a deviation would be usefull. For instance a very important webserver under an attack should maybe alarm more agressive than a printer-server that is used only marginally. This table stores per object how a certain level of priority is being dealt with. The main issue is the question: What policies do apply? If nothing is available default behaviour as defined in the table priority will apply. This table is mostly used for retrieval, so firm indexing is logic.
3269 <heading>The fields.</heading>
3272 The fields are listed below:
3274 <table cpos='lllp{6cm}'>
3277 <para>Fieldname</para>
3280 <para>Fieldtype</para>
3286 <para>Remarks</para>
3291 <para>objectid</para>
3300 <para>Reference to the object</para>
3305 <para>priorityid</para>
3314 <para>Priority.</para>
3319 <para>send_mail</para>
3322 <para>Boolean</para>
3328 <para>Send an e-mail if this priority is set? Yes = T / No = F</para>
3333 <para>send_sms</para>
3336 <para>Boolean</para>
3342 <para>Send a sms message if this priority is set? Yes = T / No = F</para>
3347 <para>send_fax</para>
3350 <para>Boolean</para>
3356 <para>Send a fax if this priority is set? Yes = T / No = F</para>
3361 <para>repeat_notification</para>
3364 <para>Boolean</para>
3370 <para>Repeat this notification if no action occurs within a certain timeframe. Yes = T / No = F</para>
3375 <para>interval_for_repeat</para>
3384 <para>Time interval that is set to wait for a response.</para>
3391 <heading>The indexes.</heading>
3394 Indices of the <emph>object_priority</emph> table:
3400 <para>Indexname</para>
3406 <para>Characteristics</para>
3414 <para>objectid</para>
3417 <para>Primary key</para>
3425 <para>priorityid</para>
3428 <para>Primary key</para>
3433 <para>obi_objectid</para>
3436 <para>Objectid</para>
3444 <para>obi_type_of_issue_id</para>
3447 <para>type_of_issue_id</para>
3457 <heading>The relationships.</heading>
3460 Relationships with other tables:
3463 <table cpos='llp{6cm}'>
3466 <para>Fieldname</para>
3469 <para>Remote Table</para>
3472 <para>Remarks</para>
3477 <para>ObjectID</para>
3483 <para>Reference to the object (which object does this apply to).</para>
3488 <para>Priorityid</para>
3491 <para>Priority</para>
3494 <para>Reference to the priority.</para>
3500 In the model this look like this:
3503 <picture src="erd-objprior.png" eps="erd-objprior"/>
3509 <heading>object_service</heading>
3512 The object service table indicates which services should report itself to the Gnucomo-system.
3513 If input fails to show up a notification can be generated.
3517 <heading>The fields.</heading>
3520 The fields are listed below:
3523 <table cpos='lllp{6cm}'>
3526 <para>Fieldname</para>
3529 <para>Fieldtype</para>
3535 <para>Remarks</para>
3540 <para>objectid</para>
3549 <para>Reference to the object</para>
3554 <para>servicecode</para>
3563 <para>Reference to service.</para>
3568 <para>expected_interval</para>
3577 <para>The expected interval in minutes between two log entries.
3578 If this gives a time-out a notification is generated<footnote>To avoid many
3579 false positives it may be wise to give the system always 1 or 2 minutes extra time.
3580 If for some reason a connection is slow or a mail-daemon restarted
3581 the effect would generate tuns of notifications.</footnote>.
3582 The following values can be considered the most common:</para>
3583 <para>* 60 hourly entries</para>
3584 <para>* 120 two hourly entries</para>
3585 <para>* 240 four hourly entries</para>
3586 <para>* 480 eight hourly entries</para>
3587 <para>* 920 twelve hourly entries</para>
3588 <para>* 1840 daily entries</para>
3589 <para>* 12880 weekly entries</para>
3594 <para>last_entry</para>
3597 <para>Timestamp</para>
3603 <para>The timestamp of the last entry (for detecting exceeded interval).
3604 This field could be derived from the log-table as well, but the
3605 redundance gives a performance on detection that is useful, since a
3606 check should run every minute.</para>
3611 <para>default_priority</para>
3620 <para>Priority given if this service didn't occur.</para>
3625 <para>maximum_priority</para>
3634 <para>Maximum priority (in case of escalation)</para>
3639 <para>accepted</para>
3642 <para>Boolean</para>
3648 <para>If a service hasn't been set, the application user should
3649 indicate that this is valid (logs shouldn't just appear).
3650 New entries will be added automatically but still have to be verified.</para>
3657 <heading>The indexes.</heading>
3660 The table is indexed on the following fields:
3665 <para>Indexname</para>
3671 <para>Characteristics</para>
3679 <para>objectid</para>
3682 <para>Primary key</para>
3690 <para>servicecode</para>
3693 <para>Primary key</para>
3698 <para>obs_objectid</para>
3701 <para>objectid</para>
3709 <para>obs_servicecode</para>
3712 <para>servicecode</para>
3720 <para>obs_accepted</para>
3723 <para>accepted</para>
3733 <heading>The relationships.</heading>
3736 Relationships with other tables:
3739 <table cpos='llp{8cm}'>
3742 <para>Fieldname</para>
3745 <para>Remote Table</para>
3748 <para>Remarks</para>
3753 <para>objectID</para>
3759 <para>Reference to the object (which object does this apply to).</para>
3764 <para>servicecode</para>
3767 <para>Service</para>
3770 <para>Reference to the service table. </para>
3775 <para>In the model this look like this:</para>
3777 <picture src="erd-objservice.png" eps="erd-objservice"/>
3783 <heading>object_system_user</heading>
3786 Every object knows users either by the security of the object itself or through a central database (like LDAP for instance). Initially a new object can sent the userlist to gnucomo. Any username that isn't in the userlist is potentially dangerous. To avoid any mis-understandings this user is not a gnucomo-user, but a user on a remote system. So during the processing the read will be done more than the data entry (one account will most likely do multiple actions) and
3787 that makes heavy indexing logic.
3790 <heading>The fields.</heading>
3793 The fields of <emph>object_system_user</emph> are listed below:
3796 <table cpos='lllp{6cm}'>
3799 <para>Fieldname</para>
3802 <para>Fieldtype</para>
3808 <para>Remarks</para>
3813 <para>objectid</para>
3822 <para>Reference to the object</para>
3827 <para>system_username</para>
3836 <para>Username on the object/system.</para>
3841 <para>can_login</para>
3844 <para>Boolean</para>
3850 <para>Can this user login (T = Yes / F = No)?</para>
3855 <para>can_be_root</para>
3858 <para>Boolean</para>
3864 <para>Can this user become root (T = Yes / F = No)?</para>
3871 <heading>The indexes.</heading>
3874 The table is indexed on the following fields:
3879 <para>Indexname</para>
3885 <para>Characteristics</para>
3893 <para>objectid, system_username</para>
3896 <para>Primary key</para>
3904 <para>system_username</para>
3907 <para>Primary key</para>
3912 <para>osu_objectid</para>
3915 <para>objectid</para>
3923 <para>osu_system_username</para>
3926 <para>system_username</para>
3936 <heading>The relationships.</heading>
3939 Relationships with other tables:
3941 <table cpos='llp{8cm}'>
3944 <para>Fieldname</para>
3947 <para>Remote Table</para>
3950 <para>Remarks</para>
3955 <para>ObjectID</para>
3961 <para>Reference to the object (which object does this apply to).</para>
3966 <para>System_username</para>
3972 <para>Log entries can refer to the system username.</para>
3976 <para>In the model this look like this:</para>
3980 <picture src="erd-objsysusr.png" eps="erd-objsysusr"/>
3986 <heading>object_user</heading>
3989 This table will enable users to get access to the information belonging to an object.
3990 Also this table is mainly used for data retrieval and will rely on the indexes.
3993 <heading>The fields.</heading>
3996 The fields of <emph>object_user</emph> are listed below:
3999 <table cpos='lllp{6cm}'>
4002 <para>Fieldname</para>
4005 <para>Fieldtype</para>
4011 <para>Remarks</para>
4016 <para>Objectid</para>
4025 <para>Reference to the <emph>object</emph></para>
4030 <para>Username</para>
4039 <para>Username in gnucomo. A reference to <emph>user</emph>.</para>
4044 <para>Security_level</para>
4053 <para>The security-level granted to this user.</para>
4060 <heading>The indexes.</heading>
4062 The indices of the <emph>object_user</emph> table:
4067 <para>Indexname</para>
4073 <para>Characteristics</para>
4081 <para>objectid</para>
4084 <para>Primary key</para>
4092 <para>username</para>
4095 <para>Primary key</para>
4100 <para>ous_objectid</para>
4103 <para>objectid</para>
4111 <para>ous_username</para>
4114 <para>username</para>
4122 <para>ous_security_level</para>
4125 <para>ous_security_level</para>
4135 <heading>The relationships.</heading>
4138 Relationships with other tables:
4141 <table cpos='llp{8cm}'>
4144 <para>Fieldname</para>
4147 <para>Remote Table</para>
4150 <para>Remarks</para>
4155 <para>objectID</para>
4161 <para>Reference to the object (which object does this apply to).</para>
4166 <para>username</para>
4172 <para>Reference to the user.</para>
4177 <para>In the model this look like this:</para>
4178 <picture src="erd-objusr.png" eps="erd-objusr"/>
4184 <heading>parameter</heading>
4186 The parameter table stores the operational parameters of a monitored object.
4187 The parameters of an object describe the object's resources and configurations.
4188 For each object, a large set of parameters can be defined. They range from
4189 anything like file systems and installed packages to the system's users.
4193 <heading>The fields</heading>
4195 The fields of the <emph>parameter</emph> table are listed below:
4197 <table cpos='lllp{6cm}'>
4199 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
4200 <col> Remarks </col>
4203 <col>paramid</col><col>bigserial</col><col>8</col>
4204 <col>Uniquely identifies the parameter. Used in property and history tables.</col>
4207 <col>objectid</col><col>bigint</col><col>8</col>
4208 <col>The object of which this is a parameter. Refers to the object table.</col>
4211 <col>name</col><col>text</col><col> </col>
4212 <col>Name of the parameter to identify the resource</col>
4215 <col>class</col><col>text</col><col> </col>
4216 <col>Similar parameters are in the same class. Refers to the
4217 <emph>parameter_class</emph> table.
4221 <col>description</col><col>text</col><col> </col>
4222 <col>A verbose description of the parameter</col>
4228 The combination of objectid, name and class must be unique.
4233 <heading>Sample data</heading>
4236 The table below lists a few examples of parameters
4238 <table cpos='lllll'>
4240 <col>paramid</col><col>objectid</col><col>name</col><col>class</col><col>description</col>
4243 <col>1</col><col>1</col><col>/</col><col>filesystem</col><col>The root filesystem</col>
4246 <col>2</col><col>1</col><col>/home</col><col>filesystem</col><col>Our users' homedirs</col>
4249 <col>3</col><col>1</col><col>glibc</col><col>package</col><col>The standard C library</col>
4252 <col>4</col><col>1</col><col>arjen</col><col>user</col><col>Arjen Baart</col>
4260 <heading>parameter_class</heading>
4262 Each parameter is defined to be of a certain <emph>class</emph>.
4263 The class defines which properties a parameter of that class may have.
4267 <heading>The fields</heading>
4269 The fields of the <emph>parameter_class</emph> table are listed below:
4271 <table cpos='lllp{6cm}'>
4273 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
4274 <col> Remarks </col>
4277 <col>name</col><col>text</col><col> </col>
4278 <col>Name of the class</col>
4281 <col>property_name</col><col>text</col><col> </col>
4282 <col>Name of the property. Used in property table.</col>
4285 <col>description</col><col>text</col><col> </col>
4286 <col>A verbose description of the property</col>
4289 <col>property_type</col><col>text</col><col> </col>
4290 <col>Either 'STATIC' or 'DYNAMIC'</col>
4293 <col>min</col><col>float</col><col>4</col>
4294 <col>The default minimum value of the property.</col>
4297 <col>max</col><col>float</col><col>4</col>
4298 <col>The default maximum value of the property.</col>
4301 <col>notify</col><col>boolean</col><col>1</col>
4302 <col>If TRUE, create a notification when something about the property or
4303 the parameter changes.
4310 The combination of name and property_name must be unique.
4311 Note that the <emph>min</emph> and <emph>max</emph> fields are used
4312 only for properties of a numerical nature.
4317 <heading>Sample data</heading>
4320 The table below lists a few examples of parameter classes
4322 <table cpos='lllllll'>
4324 <col>name</col><col>property_name</col><col>description</col><col>property_type</col>
4325 <col>min</col><col>max</col><col>notify</col>
4328 <col>package</col><col>version</col><col>The installed version</col><col>STATIC</col>
4329 <col> </col><col> </col><col>true</col>
4337 <heading>parameter_notification</heading>
4339 The parameter_notification table defines the relationship between <emph>parameters</emph>
4340 and <emph>notifications</emph>.
4341 Whenever a parameter is changed, i.e. the parameter is created, one of its
4342 properties changed or a parameter is removed, this may result in a notification.
4343 This table provides the link between that notification and the change in
4344 parameter that the notification is about.
4345 Note that a single notification may be created for a number of changes in
4350 <heading>The fields</heading>
4352 The fields of the <emph>parameter_notification</emph> table are listed below:
4354 <table cpos='lllp{6cm}'>
4356 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
4357 <col> Remarks </col>
4360 <col>notificationid</col><col>bigint</col><col>8</col>
4361 <col>The notification for the changed parameters. Refers to the notification table.</col>
4364 <col>paramid</col><col>bigserial</col><col>8</col>
4365 <col>The parameter for which the notification is made. Refers to the parameter table.</col>
4370 The combination of notificationid and paramid must be unique.
4377 <heading>priority</heading>
4380 The priority table contains information on the levels that are recognized by the system.
4381 Mainly data retrieval so depending on indexing.
4382 It needs to be said that most likely only a couple of states will exist<footnote>By default
4383 we will use five states, but many states can be given to enable all
4384 types of differentiation.</footnote>.
4388 <heading>The fields.</heading>
4391 The fields of the <emph>priority</emph> table are listed below:
4394 <table cpos='lllp{6cm}'>
4397 <para>Fieldname</para>
4400 <para>Fieldtype</para>
4406 <para>Remarks</para>
4411 <para>priority</para>
4420 <para>Priority</para>
4425 <para>send_mail</para>
4428 <para>Boolean</para>
4434 <para>Send an e-mail if this priority is set? Yes = T / No = F</para>
4439 <para>send_sms</para>
4442 <para>Boolean</para>
4448 <para>Send a sms message if this priority is set? Yes = T / No = F</para>
4453 <para>send_fax</para>
4456 <para>Boolean</para>
4462 <para>Send a fax if this priority is set? Yes = T / No = F</para>
4467 <para>repeat_notification</para>
4470 <para>Boolean</para>
4476 <para>Repeat this notification if no action occurs since the notification. Yes = T / No = F</para>
4481 <para>interval_for_repeat</para>
4490 <para>Time interval that is set to wait for a response.</para>
4497 <heading>The indexes.</heading>
4500 The table is indexed on the following fields:
4506 <para>Indexname</para>
4512 <para>Characteristics</para>
4520 <para>priority</para>
4523 <para>Primary key</para>
4530 <heading>The relationships.</heading>
4533 Relationships with other tables:
4535 <table cpos='llp{8cm}'>
4538 <para>Fieldname</para>
4541 <para>Remote Table</para>
4544 <para>Remarks</para>
4549 <para>priority</para>
4552 <para>object_priority</para>
4555 <para>Reference to the object (which object does this apply to). </para>
4560 <para>In the model this look like this:</para>
4562 <picture src="erd-prior.png" eps="erd-prior"/>
4568 <heading>property</heading>
4570 The property table stores the actual values of the properties of
4571 operational parameters of a monitored object.
4575 <heading>The fields</heading>
4577 The fields of the <emph>property</emph> table are listed below:
4579 <table cpos='lllp{6cm}'>
4581 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
4582 <col> Remarks </col>
4585 <col>paramid</col><col>bigint</col><col>8</col>
4586 <col>The parameter to which this property belongs. Refers to the parameter table</col>
4589 <col>name</col><col>text</col><col> </col>
4590 <col>Name of the property</col>
4593 <col>value</col><col>text</col><col> </col>
4594 <col>The current value of the property</col>
4597 <col>type</col><col>enum</col><col> </col>
4598 <col>Dynamic or Static</col>
4601 <col>minimum</col><col>float</col><col>8</col>
4602 <col>The minimum value of the property (for numerical properties only)</col>
4605 <col>maximum</col><col>float</col><col>8</col>
4606 <col>The maximum value of the property (for numerical properties only)</col>
4613 <heading>Sample data</heading>
4616 The table below lists a few examples of properties
4618 <table cpos='llllll'>
4620 <col>paramid</col><col>name</col><col>value</col>
4621 <col>type</col><col>minimum</col><col>maximum</col>
4624 <col>1</col><col>size</col><col>400000</col>
4625 <col>STATIC</col><col>100000</col><col>999999999</col>
4628 <col>1</col><col>used</col><col>200000</col>
4629 <col>DYNAMIC</col><col>50000</col><col>400000</col>
4632 <col>2</col><col>size</col><col>3000000</col>
4633 <col>STATIC</col><col>100000</col><col>999999999</col>
4636 <col>2</col><col>used</col><col>2000000</col>
4637 <col>DYNAMIC</col><col>50000</col><col>2700000</col>
4640 <col>3</col><col>version</col><col>2.2.5-39</col>
4641 <col>STATIC</col><col>0</col><col>0</col>
4648 <heading>service</heading>
4651 The table <emph>service</emph> indicates the service that can be handled by the system.
4652 Out of the servicelist the administrator can indicate what services to expect.
4655 <heading>The fields.</heading>
4658 The fields are listed below:
4660 <table cpos='lllp{6cm}'>
4663 <para>Fieldname</para>
4666 <para>Fieldtype</para>
4672 <para>Remarks</para>
4677 <para>servicecode</para>
4686 <para>The code that is written for the service</para>
4691 <para>servicename</para>
4700 <para>The expanded name for the service</para>
4705 <para>default_priority</para>
4714 <para>The advised priority if these log-entries don't
4715 come in<footnote>Advised priorities can be changed in the object_service
4716 table per object. </footnote>.</para>
4721 <para>max_priority</para>
4730 <para>The maximum priority advised for this
4731 service<footnote>Advised priorities can be changed in the
4732 object_service table per object.</footnote>.</para>
4739 <heading>The indexes.</heading>
4742 The table is indexed on the following fields:
4747 <para>Indexname</para>
4753 <para>Characteristics</para>
4761 <para>servicecode</para>
4764 <para>Primary key</para>
4769 <para>ser_servicename</para>
4772 <para>servicename</para>
4782 <heading>The relationships.</heading>
4784 Relationships with other tables:
4786 <table cpos='llp{8cm}'>
4789 <para>Fieldname</para>
4792 <para>Remote Table</para>
4795 <para>Remarks</para>
4800 <para>servicecode</para>
4806 <para>What log entries have been tied to this type of service.</para>
4814 <para>object_service</para>
4817 <para>Settings for this service per object.</para>
4825 <para>unprocessed_log</para>
4828 <para>What unprocessed log entries have been tied to this type of service.</para>
4833 <para>In the model this look like this:</para>
4835 <picture src="erd-service.png" eps="erd-service"/>
4841 <heading>status.</heading>
4844 The table <emph>status</emph> contains the possible states that a notification can have.
4845 As with the table <emph>priority</emph> these statuses are limited in number by
4846 default but can be expanded. Also here retrieval prevails above data entry and
4847 therefor indexing is important.
4851 <heading>The fields.</heading>
4854 The fields of the <emph>status</emph> table are listed below:
4857 <table cpos='lllp{6cm}'>
4860 <para>Fieldname</para>
4863 <para>Fieldtype</para>
4869 <para>Remarks</para>
4874 <para>statuscode</para>
4877 <para>Varchar</para>
4883 <para>The code for the status</para>
4888 <para>statusname</para>
4897 <para>What is the correct name for the status</para>
4902 <para>open_notification</para>
4905 <para>Boolean</para>
4911 <para>Is the notification still open when this status is set? Yes = T / No = F</para>
4916 <para>description</para>
4925 <para>Explanation of the code</para>
4932 <heading>The indexes.</heading>
4934 The table is indexed on the following fields:
4940 <para>Indexname</para>
4946 <para>Characteristics</para>
4954 <para>statuscode</para>
4957 <para>Primary key</para>
4962 <para>sta_statusname</para>
4965 <para>statusname</para>
4973 <para>sta_open_notification</para>
4976 <para>open_notification</para>
4986 <heading>The relationships.</heading>
4988 Relationships with other tables
4994 <para>Fieldname</para>
4997 <para>Remote Table</para>
5000 <para>Remarks</para>
5015 <para>In the model this look like this:</para>
5017 <picture src="erd-status.png" eps="erd-status"/>
5022 <heading>Default values.</heading>
5023 <para>The status values are default for the system and for that reason are predefined.</para>
5024 <table cpos='p{2cm}lp{1cm}p{6cm}'>
5027 <para>Statuscode</para>
5030 <para>Statusname</para>
5033 <para>Open Notification</para>
5044 <para>New entry</para>
5050 <para>Just detected nothing has been done yet.</para>
5064 <para>The notification has been displayed, but nothing has been done yet.</para>
5072 <para>Pending</para>
5078 <para>The notification is currently being worked on.</para>
5086 <para>Waiting for verification</para>
5092 <para>The notification has been worked on.
5093 After it has been verified the notification can be closed.</para>
5107 <para>The notification has been closed</para>
5115 <para>Rejected</para>
5121 <para>This was a false positive and has been rejected.</para>
5129 <para>Investigate</para>
5135 <para>The notification is under investigation and awaiting additional details.</para>
5143 <heading>type_of_issue.</heading>
5146 This table will contain a list of all available issues that can be detected.
5147 All issues have a suggested priority setting.
5148 This is typically data retrieval and good indexing is needed.</para>
5151 <heading>The fields.</heading>
5154 Fields of <emph>type_of_issue</emph> are:
5157 <table cpos='lllp{6cm}'>
5160 <para>Fieldname</para>
5163 <para>Fieldtype</para>
5169 <para>Remarks</para>
5174 <para>type_of_issueid</para>
5177 <para>Bigserial</para>
5183 <para>The sequential code for the issue.</para>
5197 <para>Name for the issue</para>
5202 <para>suggested_priority</para>
5211 <para>The advised priority setting.</para>
5216 <para>description</para>
5225 <para>Description of the method and how this can be set.</para>
5233 <para>Boolean</para>
5239 <para>Is this check currently being used in the system.</para>
5243 <col><para>automated_check</para></col><col><para>Boolean</para></col><col><para>1</para></col>
5244 <col><para>Is this an automated check that can be executed by gcm_daemon</para></col>
5247 <col><para>alter_level</para></col><col><para>Integer</para></col><col><para>4</para></col>
5248 <col><para>This field indicates what the default priority-level for a notification will be if this issue is raised.</para></col>
5251 <col><para>last_run</para></col><col><para>Timestamp</para></col><col><para/></col>
5252 <col><para>The time that the last processing took place.</para></col>
5255 <col><para>recheck_interval</para></col><col><para>Timestamp</para></col><col><para/></col>
5256 <col><para>The interval that is needed before rerunning this check.</para></col>
5263 <heading>The indexes.</heading>
5265 The table is indexed on the following fields:
5271 <para>Indexname</para>
5277 <para>Characteristics</para>
5283 <para>(type_of_issue_type_of_issue_key)</para>
5286 <para>type_of_issueid</para>
5289 <para>Primary key</para>
5294 <para>toi_name</para>
5305 <para>toi_active</para>
5318 <heading>The relationships.</heading>
5322 <para>Fieldname</para>
5325 <para>Remote Table</para>
5328 <para>Remarks</para>
5333 <para>type_of_issueid</para>
5336 <para>object_issue</para>
5344 <para>In the model this look like this:</para>
5346 <picture src="erd-toi.png" eps="erd-toi"/>
5351 <heading>Default values.</heading>
5354 All checks are entered as code into the system.
5355 This table only works for the application only.
5356 The user can set specifics in the application only.
5358 <table cpos='lllll'>
5361 <para>Type_of_issueid</para>
5367 <para>Suggested_priority</para>
5370 <para>Description</para>
5381 <para>Manual entry</para>
5387 <para>A manual entry of a notification.</para>
5398 <heading>unprocessed_log</heading>
5401 The <emph>user</emph> table contains the users that can login the monitoring application.
5402 It will also store if the users maintains the system.
5403 Mainly used for retrieval so properly indexed.
5407 <heading>The fields.</heading>
5410 The fields are listed below:
5413 <table cpos='lllp{6cm}'>
5416 <para>Fieldname</para>
5419 <para>Fieldtype</para>
5425 <para>Remarks</para>
5430 <para>unprocessedid</para>
5433 <para>Bigserial</para>
5439 <para>Autonumber entry</para>
5444 <para>objectid</para>
5453 <para>Reference to the object</para>
5458 <para>servicecode</para>
5467 <para>The service that entered this data.</para>
5472 <para>logdata</para>
5481 <para>The data that comes from the file.</para>
5488 <heading>The indexes.</heading>
5490 The indices of the table:
5496 <para>Indexname</para>
5502 <para>Characteristics</para>
5508 <para>(unprocessed_l_unprocessedid_key)</para>
5511 <para>unprocessedid</para>
5514 <para>Primary key</para>
5521 <heading>The relationships.</heading>
5523 Relationships with other tables:
5526 <table cpos='llp{8cm}'>
5529 <para>Fieldname</para>
5532 <para>Remote Table</para>
5535 <para>Remarks</para>
5540 <para>objectid</para>
5546 <para>Reference to the object that is reporting the data</para>
5551 <para>servicecode</para>
5554 <para>service</para>
5557 <para>Reference to the servicecode that is mentioned in the filename.</para>
5561 <para>In the model this look like this:</para>
5563 <picture src="erd-unplog.png" eps="erd-unplog"/>
5568 <heading>Sample values.</heading>
5574 <heading>user_gnucomo</heading>
5577 The <emph>user</emph> table contains the users that can login the monitoring application.
5578 It will also store if the users maintains the system.
5579 Mainly used for retrieval so properly indexed.
5583 <heading>The fields.</heading>
5586 The fields are listed in the table below:
5589 <table cpos='lllp{6cm}'>
5592 <para>Fieldname</para>
5595 <para>Fieldtype</para>
5601 <para>Remarks</para>
5606 <para>username</para>
5615 <para>Name the user is known by</para>
5620 <para>password</para>
5629 <para>Password</para>
5634 <para>active_sessionid</para>
5643 <para>Sessionnumber currently used by user.
5644 If this is set to 0 a user is not present on the system.
5645 Only one session can be open at a time.</para>
5650 <para>account_active</para>
5653 <para>Boolean</para>
5659 <para>Is the account currently active?</para>
5664 <para>security_level</para>
5673 <para>Given securitylevel to this user</para>
5680 <heading>The indexes</heading>
5682 The table is indexed on the following fields:
5687 <para>Indexname</para>
5693 <para>Characteristics</para>
5701 <para>username</para>
5704 <para>Primary key</para>
5709 <para>usr_active_sessionid</para>
5712 <para>active_sessionid</para>
5722 <heading>The relationships.</heading>
5724 Relationships with other tables
5729 <para>Fieldname</para>
5732 <para>Remote Table</para>
5735 <para>Remarks</para>
5740 <para>ObjectID</para>
5746 <para>Link to the object</para>
5750 <para>In the model this look like this:</para>
5752 <picture src="erd-usr.png" eps="erd-usr"/>
5761 <heading>Warnings that can be detected.</heading>
5765 <heading>User Interface.</heading>
5767 <para>To be determined in the near future.</para>
5771 <heading>The installation process.</heading>
5774 Since the system must make maintenance and security easier to use,
5775 the burden of installation should as easy as possible.
5776 Where possible the installation script should take away as much work as possible.
5777 Where settings need to be done, this should be done through an interface.
5778 However at no point we take the user's right to understand and work with system.
5779 Configuration-files should be easy to understand and the choice must be there to do installation manually.
5780 For the time being, we will use the manual installation procedure outlined below:
5784 Since there is no binary package available for Gnucomo yet, you will need
5785 to compile and install Gnucomo from the source code.
5786 Before making the Gnucomo binaries, make sure you have the following
5789 <item>postgresql, postgresql-server, postgresql-develop</item>
5791 <item>libxml2, libxml2-develop</item>
5794 Make sure your PostgreSQL database server is up and running.
5795 If you also want to use the web interface, you will need Apache with PHP.
5796 The PHP module needs Postgresql and DOM-XML support.
5797 With all required packages installed, you should be able to go into
5798 the <emph>src</emph> directory and type <code>make</code> to create
5799 a binary <code>gcm_input</code>.
5803 To use gnucomo, you need to create a database and a configuration file.
5804 To make the database in your PostgreSQL server, log in as a DBA (DataBase
5805 Administrator, usually the user 'postgres') and create the database and a
5806 user who can use the database.
5816 If you also want to be able to use the test scripts, you will need to
5817 create the <code>gnucomo_test</code> database as well.
5818 The configuration file for Gnucomo is a rather simple XML file that
5819 states at least what database Gnucomo uses and the userid with which
5820 Gnucomo will log in to the database server.
5821 These parameters should be the same as the database and user you just
5822 created in your role of DBA.
5823 There is an example configuration file, <code>gnucomo.conf</code> in the
5824 <emph>src</emph> directory.
5825 You should copy this config file to one of the following places:
5827 <item><code>/etc/gnucomo.conf</code></item>
5828 <item><code>/usr/local/etc/gnucomo.conf</code></item>
5830 With the database and the configuration file in place, you should
5831 be able to run <code>gcm_input</code> to read log files and store
5832 log entries in the database.
5835 <heading>Supported platforms.</heading>
5837 <para>The following two Linux distributions have been selected to be actively supported:</para>
5840 <para>Debian GNU/Linux (.deb packages)</para>
5843 <para>RedHat Linux (.rpm packages)</para>
5847 We will try and facilitate as many operating systems client-side and
5848 as many unices server-side, but efforts on testing out of the projects
5849 will be very minimalistic to ensure that the project keeps delivering
5850 new version and new features.
5855 <heading>Installation on the server.</heading>
5857 <para>The following steps will be part of a script, that can automatically perform these steps:</para>
5861 <para>Create the user <emph>gnucomo</emph>.</para>
5864 <para>Make the directory as described in the chapter <emph>Sending messages to the central gnucomo system</emph> in the subchapter <emph>directories</emph>.(server-side).</para>
5870 <heading>Installation on a UNIX-client.</heading>
5872 <para>The following steps will be part of a script, that can automatically perform these steps:</para>
5875 <para>Create the user <emph>gcm_client</emph>.</para>
5878 <para>Make the directory as described in the chapter <emph>Sending messages to the central gnucomo system</emph> in the subchapter <emph>directories</emph> (client-side).</para>
5881 <para>Creation of the database user gcm_input. This user has only the right to enter data into the database. There are no deletion, update or select-permissions.</para>
5889 <heading>Dependency on other free software.</heading>
5891 <para>The following list is a set of applications that will be used on to make our application work:</para>
5892 <table cpos='lp{8cm}l'>
5895 <para>Application</para>
5898 <para>Needed for</para>
5901 <para>Client/Server</para>
5909 <para>The encryption of the information being transferred between the two systems.</para>
5918 <para>GNU/Linux</para>
5921 <para>The basic operating system. Allthough the system might work very well on all types on versions of Linux, FreeBSD, OpenBSD or any unices the main focus for distribution is given to: Debian GNU/Linux and RedHat Linux (the downloadable iso-version). </para>
5932 <para>The application enabling the sending of messages.</para>
5941 <para>openssh</para>
5944 <para>If e-mail is not used this application will deliver the file-copy</para>
5953 <para>PostgreSQL</para>
5956 <para>The database where all the signals from client will be stored.</para>
5964 <heading>Related projects</heading>
5967 There are a number of projects that can help <strong>Gnucomo</strong> or perform
5972 <reference href='http://crm114.sourceforge.net/'>CRM114</reference> - The Controllable
5976 <reference href='http://ezix.sourceforge.net/software/lshw.html'>Hardware Lister (LSHW)
5980 <reference href='http://www.brains2bytes.com/alist/'>AList
5981 </reference>Collect information about systems
5984 <reference href='http://logrep.sourceforge.net/'>LogRep
5985 </reference> Logfile Extraction and Reporting
5988 <reference href='http://prelude-ids.org/'>Prelude Hybrid INtrusion detection system.
5992 <reference href='http://www.nagios.org/'>Nagios
5993 </reference> Host and service monitoring.
6001 <heading>Settings on the server machine.</heading>
6004 <heading>Required.</heading>
6006 <para>The following settings are required to ensure that the functionality is as much as expected.</para>
6009 <heading>Timezone in GMT (UTC).</heading>
6011 <para>Since all international traffic registers all entries in UTC (Universal Time Coordinate) this system will do so as well. Therefore the clock has to be adjusted to that as well as the system settings.</para>
6012 <para>These settings can found on a RedHat computer in the <code>/etc/sysconfig/clock-file</code>. On Debian this stored in the file <code>/etc/timezone</code>.</para>
6017 <heading>Suggested.</heading>
6020 <heading>Use NTP.</heading>
6022 <para>If a computer is running for some time the clocks tend to be off the correct time. This makes it harder to detect what exactly happened exactly at what moment in time and reduce value of log-entries. Especially considering that ultimately all data is gathered in one central system. To overcome this Network Time Protocol (NTP RFC 13025 March 1992) has been created that explains a protocol to synchronize clocks through the Internet. Many operating systems like Microsoft Windows 2000 Server and FreeBSD, OpenBSD and Linux support this. A ntp-server (or ntpd) can be found at: http://www.eecis.udel.edu/~ntp/ It is strongly recommended that you use this.</para>
6029 <heading>Settings on the client machine.</heading>
6032 <heading>Required.</heading>
6036 <heading>Suggested.</heading>
6039 <heading>Use NTP.</heading>
6041 <para>If a computer is running for some time the clocks tend to be off the correct time. This makes it harder to detect what exactly happened exactly at what moment in time and reduce value of log-entries. Especially considering that ultimately all data is gathered in one central system. To overcome this Network Time Protocol (NTP RFC 13025 March 1992) has been created that explains a protocol to synchronize clocks through the Internet. Many operating systems like Microsoft Windows 2000 Server and FreeBSD, OpenBSD and Linux support this. A ntp-server (or ntpd) can be found at: http://www.eecis.udel.edu/~ntp/ It is strongly recommended that you use this.</para>
6048 <heading>Appendices.</heading>
6051 <heading>Appendix A. GNU Public License Version 2, June 1991.</heading>
6053 <para>Copyright (C) 1989, 1991 Free Software Foundation, Inc.</para>
6054 <para>59 Temple Place, Suite 330, Boston, MA 02111-1307 USA</para>
6055 <para>Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.</para>
6058 <heading>Preamble</heading>
6059 <para>The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. </para>
6060 <para>When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.</para>
6061 <para>To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.</para>
6062 <para>For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.</para>
6063 <para>We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. </para>
6064 <para>Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.</para>
6065 <para>Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.</para>
6066 <para>The precise terms and conditions for copying, distribution and modification follow.</para>
6067 <para>GNU GENERAL PUBLIC LICENSE</para>
6071 <heading>TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION</heading>
6075 <para>This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".</para>
6076 <para>Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. </para>
6079 <para>You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.</para>
6080 <para>You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.</para>
6083 <para>You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:</para>
6084 <para>a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.</para>
6085 <para>b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.</para>
6086 <para>c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)</para>
6087 <para>These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.</para>
6088 <para>Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.</para>
6089 <para>In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.</para>
6092 <para>You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:</para>
6093 <para>a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, </para>
6094 <para>b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,</para>
6095 <para>c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)</para>
6096 <para>The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.</para>
6097 <para>If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.</para>
6100 <para>You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.</para>
6103 <para>You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.</para>
6106 <para>Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein.</para>
6107 <para>You are not responsible for enforcing compliance by third parties to this License.</para>
6110 <para>If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.</para>
6111 <para>If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.</para>
6112 <para>It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.</para>
6113 <para>This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.</para>
6116 <para>If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.</para>
6119 <para>The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.</para>
6120 <para>Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.</para>
6123 <para>If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.</para>
6128 <heading>NO WARRANTY</heading>
6131 <para>BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVidE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.</para>
6134 <para>IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.</para>
6137 <para>END OF TERMS AND CONDITIONS</para>
6140 <heading>How to Apply These Terms to Your New Programs</heading>
6141 <para>If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. </para>
6142 <para>To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.</para>
6143 <para><one line to give the program's name and a brief idea of what it does.> Copyright (C) <year> <name of author> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.</para>
6144 <para>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.</para>
6145 <para>You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA</para>
6146 <para>Also add information on how to contact you by electronic and paper mail.</para>
6147 <para>If the program is interactive, make it output a short notice like this when it starts in an interactive mode:</para>
6148 <para>Gnomovision version 69, Copyright (C) year name of author</para>
6149 <para>Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.</para>
6150 <para>This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.</para>
6152 <para>The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.</para>
6153 <para>You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:</para>
6154 <para>Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. </para>
6155 <para><signature of Ty Coon>, 1 April 1989 Ty Coon, President of Vice</para>
6156 <para>This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.</para>
projects / gnucomo.git / blob