Hello,
I was reading the man page for rsyslogd today, and saw:
SECURITY THREATS
There is the potential for the rsyslogd daemon to be used as a
conduit for a denial of service attack. A rogue program(mer) could
very easily flood the rsyslogd daemon with syslog messages resulting
in the log files consuming all the remaining space on the filesystem.
Activating logging over the inet domain sockets will of course expose
a system to risks outside of programs or individuals on the local
machine.
There are a number of methods of protecting a machine:
1. Implement kernel firewalling to limit which hosts or networks
   have access to the 514/UDP socket.
2. Logging can be directed to an isolated or non-root filesystem
   which, if filled, will not impair the machine.
3. The ext2 filesystem can be used which can be configured to limit
   a certain percentage of a filesystem to usage by root only. NOTE
   that this will require rsyslogd to be run as a non-root process.
   ALSO NOTE that this will prevent usage of remote logging on the
   default port since rsyslogd will be unable to bind to the 514/UDP
   socket.
I had the following questions:
Would it be possible (optionally) to have rsyslogd chroot to a
particular directory on startup?
That seems the safest. One could configure a disk partition for log
messages, configure rsyslogd to log there, and also chroot to a
directory on that partition, so if the rsyslogd process itself is
compromised, it can't do other damage.
There must be a way to have a daemon run as a non-root user, and also
to open ports < 1024.
This seems to be done all the time on *bsd machines:
# ps -aux
USER       PID %CPU %MEM   VSZ   RSS TT  STAT STARTED       TIME COMMAND
root         1  0.0  0.0   428   356 ??  Is   Thu02PM    0:00.01 /sbin/init
_dhcp    22078  0.0  0.0   396   432 ??  Is   Thu03PM    0:00.01 dhclient: bge0 (dhclient)
_syslogd 27943  0.0  0.0   452   812 ??  S    Thu03PM    0:00.19 syslogd -a /var/empty/dev/log
I'm not sure how this is done, but it looks like chroot also supports
changing the userid...
Just some thoughts,
Best regards,
Don
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
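The startup order the questions above ask about (bind the privileged port, chroot, then give up root), as an added C example; it is not rsyslog's or any BSD syslogd's code. The jail path /var/log/jail and uid/gid 65534 are assumptions, and any log files would have to be opened before the chroot or live inside it.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

#define ERR_NOT_ROOT (-2)   /* caller has no privilege left to confine itself */

/* Bind a UDP socket while still privileged; returns the fd or -1. */
int bind_udp(unsigned short port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_DGRAM, 0);   /* sin_addr left 0 = INADDR_ANY */
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* chroot into dir, then permanently become uid/gid. Order matters:
 * chroot() needs root, and supplementary groups and the gid must be
 * dropped before the uid, or they can no longer be changed. */
int confine_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return ERR_NOT_ROOT;
    if (chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Confirm root cannot be regained before any input is parsed. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    /* Assumed values: port 514 from the man page, hypothetical jail and ids. */
    int fd = bind_udp(514);
    if (fd < 0 || confine_and_drop("/var/log/jail", 65534, 65534) != 0)
        return 1;
    /* From here on the daemon reads from fd as an unprivileged, chrooted user. */
    return 0;
}
```

The already-bound descriptor stays usable after the uid change, which is why the port below 1024 and the non-root process can coexist.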