I see people putting things in /etc/rsyslog.d besides configs, so locking down
/etc may trip them up.
Looking for workdir in the config will identify the directory that rsyslog needs
to be able to write to for state and similar.
It's also common for people to have rsyslog write to locations other than
/var/log, especially when the logs are going to be picked up by other things
(Splunk, etc.); we already run into grief with this with AppArmor (Ubuntu) and
SELinux (RedHat).
It doesn't look like this restricts reading from anything other than /home and
various system places, so that's probably not a problem (further lockdowns could
cause problems with rsyslog reading files to send).
I am not familiar with all the modules that rsyslog has, so there may be some
others (Kafka, etc.) that have additional requirements I'm not aware of,
but this seems like a fairly reasonable list.
Can /etc/rsyslog.d be made a link to someplace that's safe for rsyslog to write
to without too much grief?
David Lang
On Tue, 10 Oct 2023, Michael Biebl wrote:
See the links for ProtectHome and ProtectSystem
On Tue, 10 Oct 2023 at 20:35, David Lang <da...@lang.hm> wrote:
What directories will rsyslog be able to access (both read and write) with this
config?
David Lang
On Tue, 10 Oct 2023, Michael Biebl via rsyslog wrote:
Date: Tue, 10 Oct 2023 20:20:14 +0200
From: Michael Biebl via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Michael Biebl <mbi...@gmail.com>
Subject: [rsyslog] [RFC] locking down rsyslog.service on Debian
Hi,
Debian maintainer of rsyslog speaking.
I intend to lock down rsyslog.service in Debian in one of the next
uploads using the following systemd directives:
PrivateTmp=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=
PrivateDevices=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateDevices=
ProtectHome=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=
ProtectSystem=full
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=
ProtectKernelTunables=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables=
ProtectKernelModules=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelModules=
ProtectClock=yes
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectClock=
SystemCallFilter=@system-service
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=
CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_LEASE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_SYSLOG
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=
The full rsyslog.service looks like this, in case you want to test it:
```ini
[Unit]
Description=System Logging Service
Requires=syslog.socket
Documentation=man:rsyslogd(8)
Documentation=man:rsyslog.conf(5)
Documentation=https://www.rsyslog.com/doc/
[Service]
Type=notify
ExecStart=/usr/sbin/rsyslogd -n -iNONE
StandardOutput=null
Restart=on-failure
# Increase the default a bit in order to allow many simultaneous
# files to be monitored, we might need a lot of fds.
LimitNOFILE=16384
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectClock=yes
SystemCallFilter=@system-service
CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_LEASE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_SYSLOG
[Install]
WantedBy=multi-user.target
Alias=syslog.service
```
While the attempt is to secure the default configuration of rsyslog, I
do not want to restrict it so much that it becomes unusable.
If you think that one of those directives could cause issues with
commonly used setups, please let me know so I can adjust the
configuration.
Looking forward to your feedback.
Michael
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
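As an added example (not code from the rsyslog project, the Debian packaging, or either correspondent), the following Python script does what David suggests: it pulls the work directory and the file-output targets out of an rsyslog configuration, checks each directory that has to be writable against the ProtectSystem= and ProtectHome= values found in a unit file, and renders a ReadWritePaths= drop-in for the read-only cases. The sample configuration and unit are constructed for illustration. The parser covers only the common forms (`$WorkDirectory`, `global(workDirectory=...)`, legacy `selector [-]/path` lines and `action(type="omfile" file="...")`); the read-only and hidden directory sets are the ones documented in systemd.exec(5) for the directive values used in the thread.

```python
"""Find the directories an rsyslog config needs to write to and check them
against a unit's ProtectSystem=/ProtectHome= sandboxing.

Added example, not rsyslog or Debian code. Handles common config forms only;
the sample config and unit at the bottom are constructed, not from a real host.
"""
import re
from pathlib import PurePosixPath

# From systemd.exec(5): what each ProtectSystem= value mounts read-only and
# what ProtectHome= hides. /dev, /proc and /sys stay writable even under strict.
_RO_BY_PROTECT_SYSTEM = {
    "yes": ("/usr", "/boot", "/efi"), "true": ("/usr", "/boot", "/efi"),
    "full": ("/usr", "/boot", "/efi", "/etc"),
    "strict": ("/",),
}
_API_FS = ("/dev", "/proc", "/sys")
_HOME_DIRS = ("/home", "/root", "/run/user")

_WORKDIR_LEGACY = re.compile(r'^\s*\$WorkDirectory\s+(\S+)', re.M)
_WORKDIR_RS = re.compile(r'workDirectory\s*=\s*"([^"]+)"', re.I)
_OMFILE_RS = re.compile(r'type\s*=\s*"omfile"[^)]*?\bfile\s*=\s*"([^"]+)"', re.I)
# Legacy "selector [-]/absolute/path" lines; '$' directives and comments excluded.
_OMFILE_LEGACY = re.compile(r'^\s*[^#\s$]\S*\s+-?(/\S+)', re.M)


def write_targets(conf):
    """Map each path rsyslog writes to onto its kind: "workdir" or "file"."""
    targets = {}
    for rx in (_WORKDIR_LEGACY, _WORKDIR_RS):
        for m in rx.finditer(conf):
            targets[m.group(1)] = "workdir"
    for rx in (_OMFILE_RS, _OMFILE_LEGACY):
        for m in rx.finditer(conf):
            targets.setdefault(m.group(1), "file")
    return targets


def needed_directories(targets):
    """A workdir must itself be writable; for a log file, its parent directory."""
    return {p if k == "workdir" else str(PurePosixPath(p).parent) for p, k in targets.items()}


def sandbox_settings(unit):
    """Read ProtectSystem= and ProtectHome= from a unit file; last assignment wins."""
    settings = {"ProtectSystem": "no", "ProtectHome": "no"}
    for m in re.finditer(r'^\s*(ProtectSystem|ProtectHome)\s*=\s*(\S*)', unit, re.M):
        settings[m.group(1)] = m.group(2).lower() or "no"
    return settings


def _under(path, prefixes):
    p = PurePosixPath(path)
    return any(p == PurePosixPath(x) or PurePosixPath(x) in p.parents for x in prefixes)


def check_sandbox(dirs, protect_system="full", protect_home="yes"):
    """Return {directory: reason} for every directory the sandbox would block."""
    problems = {}
    for d in sorted(dirs):
        if protect_home not in ("no", "false", "off", "0") and _under(d, _HOME_DIRS):
            problems[d] = f"not writable under ProtectHome={protect_home}"
        elif _under(d, _RO_BY_PROTECT_SYSTEM.get(protect_system, ())) and not _under(d, _API_FS):
            problems[d] = f"read-only under ProtectSystem={protect_system}"
    return problems


def drop_in(problems):
    """Render a drop-in re-opening read-only directories via ReadWritePaths=.
    Directories hidden by ProtectHome= are only noted: that directive itself
    would have to be relaxed in the unit."""
    lines, rw = ["[Service]"], []
    for d, why in problems.items():
        if why.startswith("read-only"):
            rw.append(d)
        else:
            lines.append(f"# {d}: {why}; change ProtectHome= in the unit")
    if rw:
        lines.append("ReadWritePaths=" + " ".join(rw))
    return "\n".join(lines) + "\n"


SAMPLE_CONF = """\
# constructed sample rsyslog.conf, not taken from any real system
module(load="imuxsock")
$WorkDirectory /var/spool/rsyslog
*.*;auth,authpriv.none   -/var/log/syslog
auth,authpriv.*          /var/log/auth.log
input(type="imfile" File="/var/log/app/app.log" Tag="app")
# site-local additions of the kind the thread worries about:
action(type="omfile" file="/etc/rsyslog.d/audit-state.log")
action(type="omfile"
       file="/home/splunk/forward/app.log")
"""
SAMPLE_UNIT = "[Service]\nProtectHome=yes\nProtectSystem=full\n"  # constructed


def report(conf=SAMPLE_CONF, unit=SAMPLE_UNIT):
    """Run the whole check; returns (problems, drop-in text)."""
    s = sandbox_settings(unit)
    problems = check_sandbox(needed_directories(write_targets(conf)),
                             s["ProtectSystem"], s["ProtectHome"])
    return problems, drop_in(problems)
```

On the sample, `report()` flags /etc/rsyslog.d as read-only under ProtectSystem=full (the case David raises) and /home/splunk/forward as blocked by ProtectHome=yes, and emits `ReadWritePaths=/etc/rsyslog.d` for the former; /var/log and /var/spool/rsyslog pass untouched. The imfile input is deliberately ignored, since the thread's concern is write access. A rendered drop-in would go in /etc/systemd/system/rsyslog.service.d/ as an override rather than editing the packaged unit.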