Hello,

I was reading the man page for rsyslogd today, and saw:

      SECURITY THREATS

      There is the potential for the rsyslogd daemon to be used
      as a conduit for a denial of service attack.  A rogue
      program(mer) could very easily flood the rsyslogd daemon with
      syslog messages resulting in the log files consuming all
      the remaining space on the filesystem.  Activating logging
      over the inet domain sockets will of course expose a
      system to risks outside of programs or individuals on the
      local machine.

      There are a number of methods of protecting a machine:

      1.     Implement kernel firewalling to limit which hosts
             or networks have access to the 514/UDP socket.

      2.     Logging can be directed to an isolated or non-root
             filesystem which, if filled, will not impair the
             machine.

      3.     The ext2 filesystem can be used which can be
             configured to limit a certain percentage of a
             filesystem to usage by root only.  NOTE that this will
             require rsyslogd to be run as a non-root process.
             ALSO NOTE that this will prevent usage of remote
             logging on the default port since rsyslogd will be
             unable to bind to the 514/UDP socket.

I had the following questions:

Would it be possible (optionally) to have rsyslogd chroot to a particular directory on startup?

That seems the safest.  One could configure a disk partition for log messages, configure rsyslogd to log there, and also chroot to a directory on that partition, so if the rsyslogd process itself is compromised, it can't do other damage.

There must be a way to have a daemon run as a non-root user, and also to open ports < 1024.  This seems to be done all the time on *bsd machines:

# ps -aux
USER       PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED       TIME  COMMAND
root         1  0.0  0.0   428   356 ??  Is    Thu02PM    0:00.01  /sbin/init
_dhcp    22078  0.0  0.0   396   432 ??  Is    Thu03PM    0:00.01  dhclient: bge0 (dhclient)
_syslogd 27943  0.0  0.0   452   812 ??  S     Thu03PM    0:00.19  syslogd -a /var/empty/dev/log

I'm not sure how this is done, but it looks like chroot also supports changing the userid...

Just some thoughts,

Best regards,

Don
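The start-up sequence Don is asking about (bind the privileged port while still root, then chroot and switch to an unprivileged account, the way the BSD `_syslogd` process runs out of `/var/empty`), as an added C example; this is not rsyslog's own code, and the jail path and uid/gid values in `main` are assumed placeholders.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Step 1: bind the UDP socket while still root (ports below 1024 need it).
   Port 0 lets the kernel choose a free port. Returns the fd or -1. */
int bind_udp(unsigned short port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* Step 2: chroot (NULL skips it), then shed supplementary groups, gid and
   uid, in that order: chroot and setgid need root, and chdir("/") right
   after chroot ensures no directory outside the jail remains open as cwd. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid) {
    if (jail && (chroot(jail) < 0 || chdir("/") < 0)) return -1;
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    return 0;
}

/* Step 3: verify the drop is permanent. A process that has really left uid 0
   gets EPERM from setuid(0); returns 1 in that case, 0 if root is still there. */
int root_is_unrecoverable(void) {
    if (setuid(0) == 0) return 0;
    return errno == EPERM;
}

int main(void) {
    /* Assumed placeholders (not rsyslog values): a dedicated account and an
       empty jail directory in the spirit of the BSD /var/empty. */
    const uid_t log_uid = 514; const gid_t log_gid = 514;
    int fd = bind_udp(514);
    if (fd < 0) { perror("bind_udp"); return 1; }
    if (drop_privileges("/var/empty", log_uid, log_gid) < 0) { perror("drop_privileges"); return 1; }
    if (!root_is_unrecoverable()) { fputs("root still recoverable, aborting\n", stderr); return 1; }
    printf("514/udp bound, now running as uid %d inside the chroot\n", (int)getuid());
    close(fd); return 0;
}
```

Run as root, `main` needs `/var/empty` to exist and the uid/gid to belong to a real unprivileged account; the check in step 3 makes the daemon refuse to continue if either setuid or setgid silently left it privileged.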
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
