Project

General

Profile

Actions

Bug #6428

closed

Syslog accept reports from non-accepted nodes

Added by François ARMAND about 6 years ago. Updated almost 2 years ago.

Status:
Rejected
Priority:
N/A
Assignee:
-
Category:
System integration
Target version:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility:
Operational - other Techniques | Technique editor | Rudder settings
Effort required:
Large
Priority:
0

Description

We don't refuse reports from non-accepted node. That may cause disponibility problem (DoD, filling of the base leading to slow query or filling of the harddrive, etc) and since 3.0, it may display erroneous "changes" for rules.


Related issues

Related to Rudder - Bug #6481: Create a rudder variable containing all IP of agentsReleasedFrançois ARMAND2015-04-09Actions
Actions #1

Updated by François ARMAND about 6 years ago

Most likelly we need to use: http://www.rsyslog.com/doc/rsconf1_allowedsender.html and have system rules for relays and root server that configure them correctly.

Actions #2

Updated by François ARMAND about 6 years ago

  • Parent task set to #6363
Actions #3

Updated by Vincent MEMBRÉ about 6 years ago

  • Target version changed from 2.10.12 to 2.10.13
Actions #4

Updated by Benoît PECCATTE about 6 years ago

I tried with 8000 entries in rsyslog: there is no difference when starting rsyslog nor when sending a log line.
So this should not impact performances.

Actions #5

Updated by Benoît PECCATTE about 6 years ago

  • Status changed from 8 to Discussion
  • Assignee set to Nicolas CHARLES

We are missing the list of IP to be authorized somewhere in a a rudder variable.

But do not have them yet since there is a problem getting those IP:
- If there is a NAT
- If there is more than one IP on the agent

Alternatives are:
- using hostname and reverse DNS : big performance hit and probably not available in rsyslog
- trying to collect real source ip from agents : we would need to find the information and to manage configuration transition
- using only the allowed network : easy but does not solve the case of removed agent

NCH, do you have an idea ?

Actions #6

Updated by Benoît PECCATTE about 6 years ago

- If there is more than one IP on the agent
-> allow all IPs of each node

- If there is a NAT
-> in this case the used should have already disabled "Use reverse DNS"
-> use only ALLOWED_NETWORKS and not each IP individually

Actions #7

Updated by Vincent MEMBRÉ about 6 years ago

  • Target version changed from 2.10.13 to 2.10.14
Actions #8

Updated by Benoît PECCATTE almost 6 years ago

  • Parent task changed from #6363 to #6589
Actions #9

Updated by Vincent MEMBRÉ almost 6 years ago

  • Target version changed from 2.10.14 to 2.10.15
Actions #10

Updated by Vincent MEMBRÉ almost 6 years ago

  • Parent task deleted (#6589)
Actions #11

Updated by Vincent MEMBRÉ almost 6 years ago

  • Target version changed from 2.10.15 to 2.10.14
Actions #12

Updated by Vincent MEMBRÉ almost 6 years ago

  • Status changed from Discussion to Pending technical review
Actions #13

Updated by Vincent MEMBRÉ almost 6 years ago

  • Status changed from Pending technical review to Pending release
Actions #14

Updated by Vincent MEMBRÉ almost 6 years ago

  • Status changed from Pending release to Released

Edit: We thought this bug was fixed in 3.0.5 but clearly this is not working, more explanantion in a following update

Actions #15

Updated by Vincent MEMBRÉ almost 6 years ago

  • Target version changed from 2.10.14 to 3.0.5
Actions #16

Updated by Vincent MEMBRÉ almost 6 years ago

  • Status changed from Released to New
  • Assignee changed from Nicolas CHARLES to Benoît PECCATTE
  • Target version changed from 3.0.5 to 3.0.6

The fix provided in #6507, was not functionning and reverted by #6761.

We still keep the added variable in #6498 in 3.0.6 even if it is not really used

Actions #17

Updated by Vincent MEMBRÉ almost 6 years ago

  • Related to Bug #6481: Create a rudder variable containing all IP of agents added
Actions #18

Updated by Vincent MEMBRÉ almost 6 years ago

  • Target version changed from 3.0.6 to 3.0.7
Actions #19

Updated by Vincent MEMBRÉ almost 6 years ago

  • Target version changed from 3.0.7 to 3.0.8
Actions #20

Updated by Vincent MEMBRÉ over 5 years ago

  • Target version changed from 3.0.8 to 3.0.9
Actions #21

Updated by Vincent MEMBRÉ over 5 years ago

  • Target version changed from 3.0.9 to 3.0.10
Actions #22

Updated by Vincent MEMBRÉ over 5 years ago

  • Target version changed from 3.0.10 to 3.0.11
Actions #23

Updated by Vincent MEMBRÉ over 5 years ago

  • Target version changed from 3.0.11 to 3.0.12
Actions #24

Updated by Vincent MEMBRÉ over 5 years ago

  • Target version changed from 3.0.12 to 3.0.13
Actions #25

Updated by Vincent MEMBRÉ about 5 years ago

  • Target version changed from 3.0.13 to 3.0.14
Actions #26

Updated by Vincent MEMBRÉ about 5 years ago

  • Target version changed from 3.0.14 to 3.0.15
Actions #27

Updated by Vincent MEMBRÉ about 5 years ago

  • Target version changed from 3.0.15 to 3.0.16
Actions #28

Updated by Vincent MEMBRÉ almost 5 years ago

  • Target version changed from 3.0.16 to 3.0.17
Actions #29

Updated by Vincent MEMBRÉ almost 5 years ago

  • Target version changed from 3.0.17 to 302
Actions #30

Updated by Alexis MOUSSET almost 5 years ago

  • Target version changed from 302 to 3.1.12
Actions #31

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 3.1.12 to 3.1.13
Actions #32

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 3.1.13 to 3.1.14
Actions #33

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 3.1.14 to 3.1.15
Actions #34

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 3.1.15 to 3.1.16
Actions #35

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 3.1.16 to 3.1.17
Actions #36

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 3.1.17 to 3.1.18
Actions #37

Updated by Vincent MEMBRÉ about 4 years ago

  • Target version changed from 3.1.18 to 3.1.19
Actions #38

Updated by Jonathan CLARKE about 4 years ago

  • Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
  • User visibility set to Operational - other Techniques | Technique editor | Rudder settings
  • Priority set to 50

I assume this would be simple enough to do based solely on allowed networks?

Actions #39

Updated by Vincent MEMBRÉ about 4 years ago

  • Target version changed from 3.1.19 to 3.1.20
Actions #40

Updated by Jonathan CLARKE almost 4 years ago

  • Assignee deleted (Benoît PECCATTE)
Actions #41

Updated by Benoît PECCATTE almost 4 years ago

As demonstrated by the previous attempt in #6761, doing this makes rsyslog segfault.
So let's do the simple version with allowed network.

Actions #42

Updated by Vincent MEMBRÉ almost 4 years ago

  • Target version changed from 3.1.20 to 3.1.21
Actions #43

Updated by Vincent MEMBRÉ almost 4 years ago

  • Target version changed from 3.1.21 to 3.1.22
Actions #44

Updated by Benoît PECCATTE almost 4 years ago

  • Priority changed from 50 to 63
Actions #45

Updated by Vincent MEMBRÉ over 3 years ago

  • Target version changed from 3.1.22 to 3.1.23
Actions #46

Updated by Vincent MEMBRÉ over 3 years ago

  • Target version changed from 3.1.23 to 3.1.24
Actions #47

Updated by Vincent MEMBRÉ over 3 years ago

  • Target version changed from 3.1.24 to 3.1.25
Actions #48

Updated by Vincent MEMBRÉ over 3 years ago

  • Target version changed from 3.1.25 to 387
Actions #49

Updated by Vincent MEMBRÉ over 3 years ago

  • Target version changed from 387 to 4.1.10
Actions #50

Updated by Benoît PECCATTE about 3 years ago

  • Effort required set to Large
  • Priority changed from 63 to 38

There is no simple version based on allowed network, since the problem is rsyslog itself.
"Some versions of rsyslog segfaults when receiving logs from disallowed senders. It happens only on TCP."

As long as we support those versions, we are stuck.

Actions #51

Updated by Vincent MEMBRÉ about 3 years ago

  • Target version changed from 4.1.10 to 4.1.11
Actions #52

Updated by Vincent MEMBRÉ about 3 years ago

  • Target version changed from 4.1.11 to 4.1.12
Actions #53

Updated by Vincent MEMBRÉ almost 3 years ago

  • Target version changed from 4.1.12 to 4.1.13
  • Priority changed from 38 to 39
Actions #54

Updated by Vincent MEMBRÉ almost 3 years ago

  • Target version changed from 4.1.13 to 4.1.14
Actions #55

Updated by Benoît PECCATTE over 2 years ago

  • Target version changed from 4.1.14 to 4.1.15
  • Priority changed from 39 to 40
Actions #56

Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 4.1.15 to 4.1.16
Actions #57

Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 4.1.16 to 4.1.17
  • Priority changed from 40 to 41
Actions #58

Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 4.1.17 to 4.1.18
  • Priority changed from 41 to 0
Actions #59

Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 4.1.18 to 4.1.19
Actions #60

Updated by Alexis MOUSSET about 2 years ago

  • Target version changed from 4.1.19 to 4.1.20
Actions #61

Updated by François ARMAND about 2 years ago

  • Target version changed from 4.1.20 to 4.1.21
Actions #62

Updated by Vincent MEMBRÉ about 2 years ago

  • Target version changed from 4.1.21 to 4.1.22
Actions #63

Updated by Alexis MOUSSET almost 2 years ago

  • Status changed from New to Rejected

ACLs won't be added to our syslog config as we are implementing #14008.

Actions #64

Updated by Alexis MOUSSET almost 2 years ago

It could be implemented through firewalling if necessary.

Actions

Also available in: Atom PDF