[RFC] locking down rsyslog.service on Debian
Hi,

Debian maintainer of rsyslog speaking.

I intend to lock down rsyslog.service in Debian in one of the next
uploads using the following systemd directives:

PrivateTmp=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=

PrivateDevices=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateDevices=

ProtectHome=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=

ProtectSystem=full
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=

ProtectKernelTunables=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables=

ProtectKernelModules=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelModules=

ProtectClock=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectClock=

SystemCallFilter=@system-service
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=

CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_LEASE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_SYSLOG
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=

The full rsyslog.service looks like this, in case you want to test it:
```
[Unit]
Description=System Logging Service
Requires=syslog.socket
Documentation=man:rsyslogd(8)
Documentation=man:rsyslog.conf(5)
Documentation=https://www.rsyslog.com/doc/

[Service]
Type=notify
ExecStart=/usr/sbin/rsyslogd -n -iNONE
StandardOutput=null
Restart=on-failure

# Increase the default a bit in order to allow many simultaneous
# files to be monitored, we might need a lot of fds.
LimitNOFILE=16384

PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectClock=yes
SystemCallFilter=@system-service
CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_LEASE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_SYSLOG

[Install]
WantedBy=multi-user.target
Alias=syslog.service
```

While the attempt is to secure the default configuration of rsyslog, I
do not want to restrict it so much that it becomes unusable.
If you think that one of those directives could cause issues with
commonly used setups, please let me know so I can adjust the
configuration.

Looking forward to your feedback.

Michael
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [RFC] locking down rsyslog.service on Debian
what directories will rsyslog be able to access (both read and write) with this
config?

David Lang

Re: [RFC] locking down rsyslog.service on Debian
See the links for ProtectHome and ProtectSystem

Am Di., 10. Okt. 2023 um 20:35 Uhr schrieb David Lang <david@lang.hm>:
>
> what directories will rsyslog be able to access (both read and write) with this
> config?
>
> David Lang
>
Re: [RFC] locking down rsyslog.service on Debian
I see people putting things in /etc/rsyslog.d besides configs, so locking down
/etc may trip them up.

Looking for workdir in the config will identify the directory that rsyslog needs
to be able to write to for state and similar.

It's also common for people to have rsyslog write to locations other than
/var/log, especially when the logs are going to be picked up by other things
(splunk, etc); we already run into grief with this with AppArmor (ubuntu) and
SELinux (RedHat).

It doesn't look like this restricts reading from anything other than /home and
various system places, so that's probably not a problem (further lockdowns could
cause problems with rsyslog reading files to send)

I am not familiar with all the modules that rsyslog has, so there may be some
others (kafka, etc) that have additional requirements I'm not aware of.

But this seems like a fairly reasonable list.

Can /etc/rsyslog.d be made a link to someplace that's safe for rsyslog to write
to without too much grief?

David Lang


On Tue, 10 Oct 2023, Michael Biebl wrote:

> See the links for ProtectHome and ProtectSystem
>
> Am Di., 10. Okt. 2023 um 20:35 Uhr schrieb David Lang <david@lang.hm>:
>>
>> what directories will rsyslog be able to access (both read and write) with this
>> config?
>>
>> David Lang
>>
Re: [RFC] locking down rsyslog.service on Debian
Am Di., 10. Okt. 2023 um 21:49 Uhr schrieb David Lang <david@lang.hm>:
>
> I see people putting things in /etc/rsyslog.d besides configs, so locking down
> /etc may trip them up.

ProtectSystem=full will make /etc read-only.

Do you have a use case in mind where rsyslog needs to *write* to /etc?

Or am I missing something, i.e. what exactly do you mean by "things"?
Re: [RFC] locking down rsyslog.service on Debian
On Tue, 10 Oct 2023, Michael Biebl wrote:

> Am Di., 10. Okt. 2023 um 21:49 Uhr schrieb David Lang <david@lang.hm>:
>>
>> I see people putting things in /etc/rsyslog.d besides configs, so locking down
>> /etc may trip them up.
>
> ProtectSystem=full will make /etc read-only.
>
> Do you have a use case in mind where rsyslog need to *write* to /etc ?
>
> Or am I missing something, i.e. what exactly do you mean by "things"?

I've seen people thinking that /etc/rsyslog.d is a good place to use as a
workdir (state of imfile progress, spool files, etc) rather than just a place to
have configs.

It's a bad idea, but they see the include of *.conf that the distros tend to use
and think that means that they can put other stuff there that's not *.conf and
it's a good idea.

David Lang
Re: [RFC] locking down rsyslog.service on Debian
Am Di., 10. Okt. 2023 um 22:17 Uhr schrieb David Lang <david@lang.hm>:
>
> On Tue, 10 Oct 2023, Michael Biebl wrote:
>
> > Am Di., 10. Okt. 2023 um 21:49 Uhr schrieb David Lang <david@lang.hm>:
> >>
> >> I see people putting things in /etc/rsyslog.d besides configs, so locking down
> >> /etc may trip them up.
> >
> > ProtectSystem=full will make /etc read-only.
> >
> > Do you have a use case in mind where rsyslog need to *write* to /etc ?
> >
> > Or am I missing something, i.e. what exactly do you mean by "things"?
>
> I've seen people thinking that /etc/rsyslog.d is a good place to use as a
> workdir (state of imfile progress, spool files, etc) rather than just a place to
> have configs.
>
> It's a bad idea, but they see the include of *.conf that the distros tend to use
> and think that means that they can put other stuff there that's not *.conf and
> it's a good idea.

Thanks for the feedback!
The (default) rsyslog config uses
$WorkDirectory /var/spool/rsyslog

I will add a note to NEWS.Debian that if users overwrite this, they
will need to adjust rsyslog.service accordingly (e.g. via a drop-in
snippet).

Regards,
Michael
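
As an added example (not code from this thread, from Debian or from systemd), the following Python script models the question David raised above, namely which directories rsyslog can still read and write under these directives, and the drop-in Michael mentions for a non-default $WorkDirectory. It applies a simplified reading of the ProtectSystem=, ProtectHome= and ReadWritePaths=/ReadOnlyPaths=/InaccessiblePaths= rules in systemd.exec(5), leaving out the other namespace options, recognises both spellings rsyslog accepts for the work directory (the legacy $WorkDirectory form shown in the thread and the RainerScript global(workDirectory="...") form, which is rsyslog's own syntax but not quoted here), and emits a ReadWritePaths= drop-in only when the hardening would otherwise close that directory. The sample unit and the sample paths are constructed for this example.

```python
"""Path-access model for a hardened unit (added example, not systemd's or Debian's code).

Simplified reading of the ProtectSystem=, ProtectHome=, ReadWritePaths=,
ReadOnlyPaths= and InaccessiblePaths= rules in systemd.exec(5); the other
namespace options (PrivateTmp, ProtectKernelTunables, ...) are ignored.
"""
import re
from pathlib import PurePosixPath

# Subtrees ProtectSystem= mounts read-only; "strict" covers / except STRICT_WRITABLE.
PROTECT_SYSTEM_RO = {"yes": ("/usr", "/boot", "/efi"),
                     "true": ("/usr", "/boot", "/efi"),
                     "full": ("/usr", "/boot", "/efi", "/etc")}
STRICT_WRITABLE = ("/dev", "/proc", "/sys")
PROTECT_HOME = ("/home", "/root", "/run/user")   # hidden by ProtectHome=yes

# Constructed sample: the [Service] part of the unit proposed in the thread.
UNIT_TEXT = """\
[Service]
ExecStart=/usr/sbin/rsyslogd -n -iNONE
ProtectHome=yes
ProtectSystem=full
CapabilityBoundingSet=CAP_CHOWN CAP_SYSLOG \\
    CAP_NET_BIND_SERVICE
"""


def parse_unit(text):
    """[Service] settings as {key: [values]}: continuations joined, repeats appended,
    an empty assignment resets the key (systemd's list semantics)."""
    settings, section = {}, None
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value:
            settings.setdefault(key, []).append(value)
        else:
            settings[key] = []
    return settings


def merge(base, dropin):
    """Layer a drop-in (rsyslog.service.d/*.conf) on top of the unit's settings."""
    merged = {k: list(v) for k, v in base.items()}
    for key, values in dropin.items():
        merged[key] = merged.get(key, []) + values if values else []
    return merged


def _under(path, prefix):
    p, q = PurePosixPath(path), PurePosixPath(prefix)
    return p == q or q in p.parents


def _paths(settings, key):
    # Drop the '-' (ignore if missing) and '+' (relative to RootDirectory=) prefixes.
    return [tok.lstrip("-+") for v in settings.get(key, []) for tok in v.split()]


def access_for(settings, path):
    """Classify path as 'read-write', 'read-only' or 'inaccessible' for the unit."""
    ps = (settings.get("ProtectSystem") or ["no"])[-1].lower()
    ph = (settings.get("ProtectHome") or ["no"])[-1].lower()
    access = "read-write"
    if ps == "strict":
        if not any(_under(path, p) for p in STRICT_WRITABLE):
            access = "read-only"
    elif any(_under(path, p) for p in PROTECT_SYSTEM_RO.get(ps, ())):
        access = "read-only"
    if any(_under(path, p) for p in PROTECT_HOME):
        if ph in ("yes", "true"):
            access = "inaccessible"
        elif ph in ("read-only", "tmpfs"):   # tmpfs mounts empty read-only instances
            access = "read-only"
    # Explicit path lists punch holes in the blanket rules; the longest match wins.
    best_len, best = -1, None
    for key, mode in (("ReadWritePaths", "read-write"), ("ReadOnlyPaths", "read-only"),
                      ("InaccessiblePaths", "inaccessible")):
        for p in _paths(settings, key):
            if _under(path, p) and len(p) > best_len:
                best_len, best = len(p), mode
    return best or access


# Both spellings rsyslog accepts: '$WorkDirectory /x' and global(workDirectory="/x").
WORKDIR_RE = re.compile(
    r'^\s*(?:\$WorkDirectory\s+(\S+)|global\s*\([^)]*?workDirectory\s*=\s*"([^"]+)")',
    re.IGNORECASE | re.MULTILINE)


def work_directory(conf_text, default="/var/spool/rsyslog"):
    """Last WorkDirectory set in rsyslog.conf, or the Debian default."""
    found = WORKDIR_RE.findall(conf_text)
    return (found[-1][0] or found[-1][1]) if found else default


def drop_in_for_workdir(settings, conf_text):
    """Drop-in text that re-opens a WorkDirectory the hardening closed, or None if not needed."""
    workdir = work_directory(conf_text)
    if access_for(settings, workdir) == "read-write":
        return None
    return f"[Service]\nReadWritePaths={workdir}\n"


if __name__ == "__main__":
    unit = parse_unit(UNIT_TEXT)
    for p in ("/etc/rsyslog.d", "/var/spool/rsyslog", "/var/log/syslog",
              "/home/alice/app.log", "/usr/sbin/rsyslogd"):
        print(f"{p:24} {access_for(unit, p)}")
    print(drop_in_for_workdir(unit, "$WorkDirectory /etc/rsyslog.d\n"))
```

To check a real installation rather than the constructed sample, feed parse_unit() the output of `systemctl cat rsyslog.service` (which already includes any drop-ins) and your /etc/rsyslog.conf; `systemd-analyze security rsyslog.service` then gives systemd's own view of the same sandbox. The model deliberately errs on the side of reporting a path as writable, so a "read-only" or "inaccessible" verdict for a path rsyslog must write is the signal to add a ReadWritePaths= drop-in rather than to relax ProtectSystem= as a whole.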