Bug #6428
closed
Syslog accept reports from non-accepted nodes
Added by François ARMAND about 9 years ago. Updated almost 5 years ago.
Description
We don't refuse reports from non-accepted node. That may cause disponibility problem (DoD, filling of the base leading to slow query or filling of the harddrive, etc) and since 3.0, it may display erroneous "changes" for rules.
Updated by François ARMAND about 9 years ago
Most likelly we need to use: http://www.rsyslog.com/doc/rsconf1_allowedsender.html and have system rules for relays and root server that configure them correctly.
Updated by Vincent MEMBRÉ about 9 years ago
- Target version changed from 2.10.12 to 2.10.13
Updated by Benoît PECCATTE about 9 years ago
I tried with 8000 entries in rsyslog: there is no difference when starting rsyslog nor when sending a log line.
So this should not impact performances.
Updated by Benoît PECCATTE about 9 years ago
- Status changed from 8 to Discussion
- Assignee set to Nicolas CHARLES
We are missing the list of IP to be authorized somewhere in a a rudder variable.
But do not have them yet since there is a problem getting those IP:
- If there is a NAT
- If there is more than one IP on the agent
Alternatives are:
- using hostname and reverse DNS : big performance hit and probably not available in rsyslog
- trying to collect real source ip from agents : we would need to find the information and to manage configuration transition
- using only the allowed network : easy but does not solve the case of removed agent
NCH, do you have an idea ?
Updated by Benoît PECCATTE about 9 years ago
- If there is more than one IP on the agent
-> allow all IPs of each node
- If there is a NAT
-> in this case the used should have already disabled "Use reverse DNS"
-> use only ALLOWED_NETWORKS and not each IP individually
Updated by Vincent MEMBRÉ about 9 years ago
- Target version changed from 2.10.13 to 2.10.14
Updated by Benoît PECCATTE almost 9 years ago
- Parent task changed from #6363 to #6589
Updated by Vincent MEMBRÉ almost 9 years ago
- Target version changed from 2.10.14 to 2.10.15
Updated by Vincent MEMBRÉ almost 9 years ago
- Target version changed from 2.10.15 to 2.10.14
Updated by Vincent MEMBRÉ almost 9 years ago
- Status changed from Discussion to Pending technical review
Updated by Vincent MEMBRÉ almost 9 years ago
- Status changed from Pending technical review to Pending release
Updated by Vincent MEMBRÉ almost 9 years ago
- Status changed from Pending release to Released
Edit: We thought this bug was fixed in 3.0.5 but clearly this is not working, more explanantion in a following update
Updated by Vincent MEMBRÉ almost 9 years ago
- Target version changed from 2.10.14 to 3.0.5
Updated by Vincent MEMBRÉ almost 9 years ago
- Status changed from Released to New
- Assignee changed from Nicolas CHARLES to Benoît PECCATTE
- Target version changed from 3.0.5 to 3.0.6
Updated by Vincent MEMBRÉ almost 9 years ago
- Related to Bug #6481: Create a rudder variable containing all IP of agents added
Updated by Vincent MEMBRÉ almost 9 years ago
- Target version changed from 3.0.6 to 3.0.7
Updated by Vincent MEMBRÉ almost 9 years ago
- Target version changed from 3.0.7 to 3.0.8
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 3.0.8 to 3.0.9
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 3.0.9 to 3.0.10
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 3.0.10 to 3.0.11
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 3.0.11 to 3.0.12
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 3.0.12 to 3.0.13
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 3.0.13 to 3.0.14
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 3.0.14 to 3.0.15
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 3.0.15 to 3.0.16
Updated by Vincent MEMBRÉ almost 8 years ago
- Target version changed from 3.0.16 to 3.0.17
Updated by Vincent MEMBRÉ almost 8 years ago
- Target version changed from 3.0.17 to 302
Updated by Alexis Mousset almost 8 years ago
- Target version changed from 302 to 3.1.12
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.12 to 3.1.13
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.13 to 3.1.14
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.14 to 3.1.15
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.15 to 3.1.16
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.16 to 3.1.17
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.17 to 3.1.18
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 3.1.18 to 3.1.19
Updated by Jonathan CLARKE about 7 years ago
- Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
- User visibility set to Operational - other Techniques | Technique editor | Rudder settings
- Priority set to 50
I assume this would be simple enough to do based solely on allowed networks?
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 3.1.19 to 3.1.20
Updated by Jonathan CLARKE almost 7 years ago
- Assignee deleted (
Benoît PECCATTE)
Updated by Benoît PECCATTE almost 7 years ago
As demonstrated by the previous attempt in #6761, doing this makes rsyslog segfault.
So let's do the simple version with allowed network.
Updated by Vincent MEMBRÉ almost 7 years ago
- Target version changed from 3.1.20 to 3.1.21
Updated by Vincent MEMBRÉ almost 7 years ago
- Target version changed from 3.1.21 to 3.1.22
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 3.1.22 to 3.1.23
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 3.1.23 to 3.1.24
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 3.1.24 to 3.1.25
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 3.1.25 to 387
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 387 to 4.1.10
Updated by Benoît PECCATTE about 6 years ago
- Effort required set to Large
- Priority changed from 63 to 38
There is no simple version based on allowed network, since the problem is rsyslog itself.
"Some versions of rsyslog segfaults when receiving logs from disallowed senders. It happens only on TCP."
As long as we support those versions, we are stuck.
Updated by Vincent MEMBRÉ about 6 years ago
- Target version changed from 4.1.10 to 4.1.11
Updated by Vincent MEMBRÉ about 6 years ago
- Target version changed from 4.1.11 to 4.1.12
Updated by Vincent MEMBRÉ almost 6 years ago
- Target version changed from 4.1.12 to 4.1.13
- Priority changed from 38 to 39
Updated by Vincent MEMBRÉ almost 6 years ago
- Target version changed from 4.1.13 to 4.1.14
Updated by Benoît PECCATTE over 5 years ago
- Target version changed from 4.1.14 to 4.1.15
- Priority changed from 39 to 40
Updated by Vincent MEMBRÉ over 5 years ago
- Target version changed from 4.1.15 to 4.1.16
Updated by Vincent MEMBRÉ over 5 years ago
- Target version changed from 4.1.16 to 4.1.17
- Priority changed from 40 to 41
Updated by Vincent MEMBRÉ over 5 years ago
- Target version changed from 4.1.17 to 4.1.18
- Priority changed from 41 to 0
Updated by Vincent MEMBRÉ over 5 years ago
- Target version changed from 4.1.18 to 4.1.19
Updated by Alexis Mousset about 5 years ago
- Target version changed from 4.1.19 to 4.1.20
Updated by François ARMAND about 5 years ago
- Target version changed from 4.1.20 to 4.1.21
Updated by Vincent MEMBRÉ about 5 years ago
- Target version changed from 4.1.21 to 4.1.22
Updated by Alexis Mousset almost 5 years ago
- Status changed from New to Rejected
ACLs won't be added to our syslog config as we are implementing #14008.
Updated by Alexis Mousset almost 5 years ago
It could be implemented through firewalling if necessary.