[rudder-users] Rudder Node-Server communication

Marko Winkler marko.wnklr at gmail.com
Thu Oct 18 22:47:02 UTC 2018


Hi Francois,

thank you for the fast response and helping to clarify the situation.
The roadmap about the TLS implementation sounds good.

However, maybe it's possible to add or make a note about the secure
configuration of the syslog transmission to the well-written
documentation of Rudder (?), so that everyone can set up a more secure
environment. :)

Once again, many thanks and kind regards,
Marko

On 17.10.2018 at 10:20, Francois Armand wrote:
> Hello Marko,
> 
> You are right that we use syslog. For reference, the network flows are
> displayed here:
> https://docs.rudder.io/reference/5.0/architecture_and_dependencies.html#_network_architecture_in_client_server_mode
> 
> The inventory (ie the node information about hardware, software, etc) is
> sent by HTTPS.
> The policy configuration files transport (ie where you will most likely
> have sensitive data) uses a dedicated protocol which uses TLS.
> What you see on syslog are the run execution logs which are sent back to
> Rudder policy server for compliance computing, and should not contain
> sensitive data - but of course, you may want to also hide that
> information. In that case, you can configure syslog to be encrypted.
> That comes with some requirements though: you will need rsyslog on
> nodes, and you will need to use syslog on tcp. But we don't provide that
> configuration by default, because syslog is generally subject to
> company-wide rules, so we try to just plug on the existing configuration.
> 
> As we are aware that the user should not have to even wonder about these
> things, we are currently working on a new protocol for agent-server
> communication (TLS based). In the end, it will encapsulate all
> server-node exchanges, and the first one to be replaced will be syslog,
> target in 5.1 (beginning of 2019).
> 
> Hope it helps, and please ask if you have any other questions or if you
> need more information!
> 
> On 16/10/2018 20:23, Marko Winkler wrote:
>> Hi all,
>>
>> currently, I've set up a small Rudder environment (server in version 5.0
>> and agents in version 4.3) for testing purposes using the simple
>> installation guide provided by the official documentation.
>>
>> During the tests, I noticed that the node sends the inventory data using
>> the syslog protocol. However, a tcpdump on the network interface shows
>> that the data is sent in plaintext. Did I miss setting up any further
>> security configuration? A review of the documentation didn't help:
>> https://docs.rudder.io/history/4.3/_security_considerations.html#_inventory
>>
>> Is it possible to encrypt all data which will be passed between the Rudder
>> components? I am pleased about feedback.
>>
>> Bests,
>> Marko
>>
> 
> 
> -- 
> 
> 
> ------------------------------------------------------------------------
> *François ARMAND*
> /Co-founder & CTO/
> Normation <http://www.normation.com>
> ------------------------------------------------------------------------
> *87 rue de Turbigo, 75003 Paris, France*
> Telephone: 	+33 (0)1 83 62 99 23
> Mobile: 	+33 (0)6 63 37 60 55
> ------------------------------------------------------------------------
> 
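
As an added illustration of the encrypted-syslog option discussed in this thread (not part of the original messages, and not Rudder's own configuration or code): a small Python check that reads rsyslog legacy-syntax forwarding rules and reports whether each one leaves the node in clear text or over TLS. The host name, CA path and both sample configurations are constructed placeholders.

```python
import re

# Constructed samples in rsyslog legacy syntax; the host name and CA path are
# placeholders, not values taken from Rudder or its documentation.
PLAINTEXT_CONF = """\
# run logs forwarded over UDP in clear text
:programname, contains, "rudder" @policy-server.example:514
"""
TLS_CONF = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/example/ca.pem
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer policy-server.example
:programname, contains, "rudder" @@policy-server.example:514
"""

# "@host" forwards over UDP, "@@host" over TCP; "(o)"-style options may follow.
FORWARD = re.compile(r"\s(@{1,2})(?:\([^)]*\))?([^\s@:]+)")
DIRECTIVE = re.compile(r"^\$(\w+)\s+(\S+)")
TLS_DRIVERS = {"gtls", "ossl"}

def classify(proto, state):
    """Judge one forwarding action from the directives read before it."""
    if proto == "@":
        return "plaintext-udp"  # legacy UDP forwarding is sent in clear text
    if (state.get("defaultnetstreamdriver") not in TLS_DRIVERS
            or state.get("actionsendstreamdrivermode") != "1"):
        return "plaintext-tcp"  # TCP, but no TLS stream driver in effect
    # Assumption of this sketch: "anon" or unset means the peer is not checked.
    if state.get("actionsendstreamdriverauthmode", "anon") == "anon":
        return "tls-unauthenticated-peer"
    return "tls"

def audit_forwarding(conf):
    """Return (line_no, target, verdict) for every forwarding action."""
    state, findings = {}, []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        d, f = DIRECTIVE.match(line), FORWARD.search(line)
        if d:  # remember the directive for the actions that follow it
            state[d.group(1).lower()] = d.group(2)
        elif f:
            findings.append((no, f.group(2), classify(f.group(1), state)))
    return findings

for sample in (PLAINTEXT_CONF, TLS_CONF):
    print(audit_forwarding(sample))
```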
