1. EAGLE Security Guide
  2. SEAS Forwarder Script

B SEAS Forwarder Script

SEAS Forwarder is a python script that installs as an SSH daemon subsystem, similar to how sftp-server installs as an sftp subsystem. The forwarder allows the EAGLE SEAS client to connect via SSH to the SEAS server running this script.

The EAGLE SEAS client connects to the SSH SEAS subsystem. The SSH daemon, upon seeing the SEAS subsystem request, starts an instance of the SEAS Forwarder script. Then, the forwarder establishs a TCP/IP connection to the local SEAS server.

After the connections are established, SEAS Forwarder acts as a conduit for all IP traffic passed between the EAGLE SEAS client and the SEAS server. The traffic that is passed through SEAS Forwarder is unaltered.

Requirements

Following are the requirements for installing SEAS Forwarder:
  • Python 2.5.6 and above (Python 3.x not supported)
  • SSH Daemon

Configuration

The following table lists the field configuration:

Table B-1 SEAS Forwarder Configuration

Field Description Value
logEnable Enables or disables all logging support (syslogd and trace logging). Trace logging must still be enabled separately. If trace logging is enabled and logEnable is set to 0, all logging including trace logging will be disabled.

Valid values: 0 or 1

0 disable all logging

1 (default) enable logging
logLevel If enabled, set the verbosity of the log output

Valid values: INFO, DEBUG, or TRACE

INFO (default) The minimum output level. Logs the start and end of the seas forwarder instance.

DEBUG Provides additional details. Includes INFO output.

TRACE Very verbose output. Logs all traffic sent between SEAS server and EAGLE SEAS client. Includes INFO and DEBUG output.
syslogdAddress Specifies the location of the syslogd log socket

Default value: /dev/log

traceLogFileDir Destination directory for "logLevel = TRACE" output

Default value: /tmp/
traceLogFileName Name for "logLevel = TRACE" output file

Default value: seas_forwarder.log
traceLogFileSize Maximum size of "logLevel = TRACE" output file in MBs.

Valid values: 1 or higher

Default value: 2
traceBackupCount Maximum number of "logLevel = TRACE" backup files.

Valid values: 0 or higher

Default value: 5
traceLogEnable Enable or disable trace logging for all instances of the SEAS Forwarder process if logEnable is set to 1.

Valid values: 0 or 1

0 (default) disable trace logging

1 enable trace logging
hostName The name of the SEAS server host

Default value: localhost
hostPort Port number the SEAS server is listening on

Default value: 4000
serverTimeout The amount of time the connection between the SEAS Forwarder and the SEAS server can remain idle before disconnecting.

Default value: 300 seconds

Installation

Note:

The SEAS Forwarder zip file contains the following files:
  • seas_forwarder.py
  • seas_forwarder.cfg
  • README.txt

Perform the following steps to install SEAS Forwarder:

  1. Create the seas_forwarder directory.

    The directory may be placed anywhere you choose.

  2. Install all the three files into the <install path>/seas_forwarder/ path.
  3. Open seas_forwarder.cfg.Verify or update the following settings for logging.
    Verify the following field descriptions:
    • logEnable
    • logLevel
    • syslogdAddress
    • traceLogFileDir
    • traceLogFileName
    • traceLogFileSize
    • traceBackupCount
    • traceLogEnable
  4. Open seas_forwarder.cfg. Verify or update the following settings for SEAS Server.
    Verify the following field descriptions:
    • hostName
    • hostPort
    • serverTimeout
  5. Save the changes to the seas_forwarder.cfg file.
  6. Add the SEAS subsystem to the SSH daemon:
    1. Edit the SSH daemon configuration file: /etc/ssh/sshd_config.
    2. Add the following line: Subsystem seas /<install path>/seas_forwarder/seas_forwarder.py.
    3. Save and close the file.
  7. Restart the SSH daemon to allow the sshd_config file changes to take effect using the following command

    > service sshd restart

    The service restart does not affect the existing SSH sessions.

Logging

There are three supported log levels: INFO, DEBUG, and TRACE. Log output for INFO and DEBUG are written to the syslog daemon (syslogd). This allows multiple instances of SEAS Forwarder to log simultaneously to one log file location. On most systems, the output file for syslogd is in /var/log/messages.

The TRACE log level is the most verbose. It logs all data sent between the SEAS server and the EAGLE SEAS client. This log output is not sent to syslogd to prevent the SEAS Forwarder from overrunning the syslogd log file. Instead, a new log file is created based on the setting of traceLogFileDir, traceLogFileName, traceLogFileSize, and traceBackupCount.

When TRACE is enabled, INFO and DEBUG log output is written to the trace log file and to syslogd.

Based on the default values, up to six log files will be created at 2MB in size. This takes the form of:
  • seas_forwarder.log.<process id> (newest log)
  • seas_forwarder.log.<process id>.1
  • ....
  • seas_forwarder.log.<process id>.5 (oldest log)

The default settings allow the trace log to consume no more than 12MB of disk space per instance of the SEAS Forwarder process.

When trace logging is enabled, each instance of the SEAS Forwarder process has its own log file. By default, as mentioned above, each instance is limited to using 12MB of disk space. It is up to the system administrator to delete these log files. It is only recommended to enable trace logging when debugging issues with SEAS Forwarder since this could produce several log files.