On Nov 21, 2008, at 4:11 AM, Jan-Frode Myklebust wrote:
> For my usage, I need two modes of operation for syslog daemons.
>
> 1 - local syslog. Requires privileges to on local devices (/dev/
> log,
> /dev/klogd or similar), write to local log-files, and send to
> remote log server.
>
> 2 - central log server. Only listen on the needed network ports
> (514/udp/tcp), and write to local log files (possibly also send
> to other remote log servers).
>
> For #1 I think it's OK not being able to chroot, keep more privileges,
> etc., as the attacks against it will mostly be from local processes.
>
> #2 needs to be *very* openly available on the network ports, since all
> my servers needs to send logs to it. #2 will also be holding a lot
> more
> sensitive data than #1, so I think this server needs to be protected
> as
> much as possible. If chroot'ing, or dropping privileges prevents it
> from
> reading from local /proc og /dev, I think that wouldn't matter much.
> One
> could always run two instances on these few central servers, i.e. #1
> sending to #2.
Yes, your two modes as defined above are exactly how I run syslog, and
I think the distinction between the two use cases
local-syslog and central-log-server is very useful and important in
this discussion.
And I agree with your prioritization of security between the two
modes, the local-syslog does not need to open a network port
to listen for log messages, and so it is only at risk from other
processes on the same box.
The central-log-server does need to open and read a network port, and
needs to be open to lots of devices on the network, and thus it is at
the most risk.
That is the version that most needs privilege separation and chroot.
And I agree that the server that runs the central-log-server could
also run an instance of the local-syslog, the local-syslog would
handle /dev/log on that machine, and forward msgs to be centrally
logged onto the central-log-server running on the same machine.
From another sub-thread:
> On Nov 19, 2008, at 4:32 AM, Rainer Gerhards wrote:
> Yes, the traditional HUP behavior is simply incompatible with dropping
> privileges. But I assume that someone who configures rsyslogd in
> such a
> way knows what he does and thus changes config-reload scripts away
> from
> HUP to a real reload.
I am not sure about the details of the implementation, but named on
OpenBSD supports privilege separation, and it provides
some of your HUP functionality, although possibly in different ways:
Here is how named looks from ps:
root 23404 0.0 0.0 2148 880 ?? Is 2:19PM 0:00.00
named: [priv] (named)
named 21080 0.0 0.2 8744 9452 ?? I 2:19PM 0:00.24
named -4
Here is what the named man page says about HUP:
SIGNALS
In routine operation, signals should not be used to con-
trol the nameserver; rndc should be used instead.
SIGHUP Force a reload of the server.
SIGINT, SIGTERM
Shut down the server.
The result of sending any other signals to the server is
undefined.
And, as stated above, rndc is the preferred way of controlling named
(asking it to reload zone files, etc.)
The config file for rsyslogd could/should reside within the chroot, so
it should always be accessible.
On yet another sub-thread:
On Nov 19, 2008, at 4:46 AM, Rainer Gerhards wrote:
> I also agree to David Lang's argument that some
> degree of design change would be necessary to get the requested
> features
> done 100% correct.
It is generally difficult to add security ex post facto, and the more
code that is written prior to the implementation of those design
changes will tend to increase the difficultly/cost of that
implementation.
On Nov 18, 2008, at 2:29 PM, (private) HKS wrote:
> FWIW, while I believe this discussion is relevant and the security
> changes proposed are important, I don't see this as a high priority
> feature. The scripting language/syntax, greater performance, continued
> stability enhancements, and true RELP support are all far more
> important. As far as security goes, I would much rather see two-way
> host authentication than a chroot/unprivilieged framework implemented.
I don't know what the author's goals for rsyslog are, so it is
difficult to prioritize.
What *I* would like rsyslog to be is the clear choice to replace
syslog on all the machines in my network, on all the OSes I care about
(OpenBSD, Solaris, FreeBSD, etc),
basically "total world domination of the syslog space" :-)
I would ask Ranier and others here to reflect on the need/importance
of security vis-a-vis their ultimate goals for rsyslog, and if
security is going to be important (I think it is crucial, but you need
to come to that conclusion yourself), and the cost of implementing
security design changes is going to increase over time, to consider
making those design changes sooner rather than later.
In closing, I am learning a lot and enjoying the thoughtful and
patient responses to my original email on this topic, kudos to the
rsyslog community, it is a welcome change from some other mailing
lists :-)
Best regards,
Don
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
> For my usage, I need two modes of operation for syslog daemons.
>
> 1 - local syslog. Requires privileges to on local devices (/dev/
> log,
> /dev/klogd or similar), write to local log-files, and send to
> remote log server.
>
> 2 - central log server. Only listen on the needed network ports
> (514/udp/tcp), and write to local log files (possibly also send
> to other remote log servers).
>
> For #1 I think it's OK not being able to chroot, keep more privileges,
> etc., as the attacks against it will mostly be from local processes.
>
> #2 needs to be *very* openly available on the network ports, since all
> my servers needs to send logs to it. #2 will also be holding a lot
> more
> sensitive data than #1, so I think this server needs to be protected
> as
> much as possible. If chroot'ing, or dropping privileges prevents it
> from
> reading from local /proc og /dev, I think that wouldn't matter much.
> One
> could always run two instances on these few central servers, i.e. #1
> sending to #2.
Yes, your two modes as defined above are exactly how I run syslog, and
I think the distinction between the two use cases
local-syslog and central-log-server is very useful and important in
this discussion.
And I agree with your prioritization of security between the two
modes, the local-syslog does not need to open a network port
to listen for log messages, and so it is only at risk from other
processes on the same box.
The central-log-server does need to open and read a network port, and
needs to be open to lots of devices on the network, and thus it is at
the most risk.
That is the version that most needs privilege separation and chroot.
And I agree that the server that runs the central-log-server could
also run an instance of the local-syslog, the local-syslog would
handle /dev/log on that machine, and forward msgs to be centrally
logged onto the central-log-server running on the same machine.
From another sub-thread:
> On Nov 19, 2008, at 4:32 AM, Rainer Gerhards wrote:
> Yes, the traditional HUP behavior is simply incompatible with dropping
> privileges. But I assume that someone who configures rsyslogd in
> such a
> way knows what he does and thus changes config-reload scripts away
> from
> HUP to a real reload.
I am not sure about the details of the implementation, but named on
OpenBSD supports privilege separation, and it provides
some of your HUP functionality, although possibly in different ways:
Here is how named looks from ps:
root 23404 0.0 0.0 2148 880 ?? Is 2:19PM 0:00.00
named: [priv] (named)
named 21080 0.0 0.2 8744 9452 ?? I 2:19PM 0:00.24
named -4
Here is what the named man page says about HUP:
SIGNALS
In routine operation, signals should not be used to con-
trol the nameserver; rndc should be used instead.
SIGHUP Force a reload of the server.
SIGINT, SIGTERM
Shut down the server.
The result of sending any other signals to the server is
undefined.
And, as stated above, rndc is the preferred way of controlling named
(asking it to reload zone files, etc.)
The config file for rsyslogd could/should reside within the chroot, so
it should always be accessible.
On yet another sub-thread:
On Nov 19, 2008, at 4:46 AM, Rainer Gerhards wrote:
> I also agree to David Lang's argument that some
> degree of design change would be necessary to get the requested
> features
> done 100% correct.
It is generally difficult to add security ex post facto, and the more
code that is written prior to the implementation of those design
changes will tend to increase the difficultly/cost of that
implementation.
On Nov 18, 2008, at 2:29 PM, (private) HKS wrote:
> FWIW, while I believe this discussion is relevant and the security
> changes proposed are important, I don't see this as a high priority
> feature. The scripting language/syntax, greater performance, continued
> stability enhancements, and true RELP support are all far more
> important. As far as security goes, I would much rather see two-way
> host authentication than a chroot/unprivilieged framework implemented.
I don't know what the author's goals for rsyslog are, so it is
difficult to prioritize.
What *I* would like rsyslog to be is the clear choice to replace
syslog on all the machines in my network, on all the OSes I care about
(OpenBSD, Solaris, FreeBSD, etc),
basically "total world domination of the syslog space" :-)
I would ask Ranier and others here to reflect on the need/importance
of security vis-a-vis their ultimate goals for rsyslog, and if
security is going to be important (I think it is crucial, but you need
to come to that conclusion yourself), and the cost of implementing
security design changes is going to increase over time, to consider
making those design changes sooner rather than later.
In closing, I am learning a lot and enjoying the thoughtful and
patient responses to my original email on this topic, kudos to the
rsyslog community, it is a welcome change from some other mailing
lists :-)
Best regards,
Don
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com