Bug #6428

Syslog accepts reports from non-accepted nodes

Added by François ARMAND over 3 years ago. Updated about 2 months ago.

Status: New
Priority: N/A
Assignee: -
Category: System integration
Target version:
Target version (plugin):
Severity: Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility: Operational - other Techniques | Technique editor | Rudder settings
Effort required: Large
Pull Request:
Priority: 40

Description

We don't refuse reports from non-accepted nodes. That may cause availability problems (DoS, filling of the base leading to slow queries or filling of the hard drive, etc.) and since 3.0, it may display erroneous "changes" for rules.


Related issues

Related to Rudder - Bug #6481: Create a rudder variable containing all IP of agents (Released, 2015-04-09)

History

#1 Updated by François ARMAND over 3 years ago

Most likely we need to use http://www.rsyslog.com/doc/rsconf1_allowedsender.html and have system rules for relays and root server that configure them correctly.

#2 Updated by François ARMAND over 3 years ago

  • Parent task set to #6363

#3 Updated by Vincent MEMBRÉ over 3 years ago

  • Target version changed from 2.10.12 to 2.10.13

#4 Updated by Benoît PECCATTE over 3 years ago

I tried with 8000 entries in rsyslog: there is no difference when starting rsyslog nor when sending a log line.
So this should not impact performance.

#5 Updated by Benoît PECCATTE over 3 years ago

  • Status changed from 8 to Discussion
  • Assignee set to Nicolas CHARLES

We are missing the list of IPs to be authorized somewhere in a rudder variable.

But we do not have them yet since there is a problem getting those IPs:
- If there is a NAT
- If there is more than one IP on the agent

Alternatives are:
- using hostname and reverse DNS: big performance hit and probably not available in rsyslog
- trying to collect the real source IP from agents: we would need to find the information and to manage configuration transition
- using only the allowed network: easy but does not solve the case of a removed agent

NCH, do you have an idea?

#6 Updated by Benoît PECCATTE over 3 years ago

- If there is more than one IP on the agent
-> allow all IPs of each node

- If there is a NAT
-> in this case the user should have already disabled "Use reverse DNS"
-> use only ALLOWED_NETWORKS and not each IP individually
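The two modes proposed in comment #6, as an added example that is not part of the original thread and is not Rudder's code: it renders legacy rsyslog `$AllowedSender` lines either from every IP of each accepted node or, behind NAT, from the allowed networks only. The function names, node ids and addresses are constructed for illustration, and only IPv4 is handled.

```python
import ipaddress

def sender_entries(allowed_networks, accepted_nodes, behind_nat=False):
    """Return the IPv4 networks that may send reports (hypothetical helper).

    accepted_nodes maps a node id to all of its IPs; every one is allowed.
    behind_nat=True falls back to the allowed networks, because the source
    address seen by the server is then not one of the node's own IPs.
    """
    if behind_nat:
        nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    else:
        nets = [ipaddress.ip_network(ip)
                for ips in accepted_nodes.values() for ip in ips]
    # collapse_addresses removes duplicates and merges overlapping entries
    merged = list(ipaddress.collapse_addresses(nets))
    if not merged:
        # Refuse to render a directive that would carry no address at all.
        raise ValueError("no sender to allow; refusing to render an empty list")
    return merged

def render(entries, protocols=("UDP", "TCP")):
    """Render one $AllowedSender line per protocol."""
    hosts = ", ".join(
        str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
        for n in entries
    )
    return [f"$AllowedSender {proto}, {hosts}" for proto in protocols]

def is_allowed(sender_ip, entries):
    """Tell whether a source address matches the rendered list."""
    addr = ipaddress.ip_address(sender_ip)
    return any(addr in net for net in entries)

# Constructed sample data: two accepted nodes, one of them with two IPs.
ALLOWED_NETWORKS = ["192.168.1.0/24"]
ACCEPTED_NODES = {"node-a": ["192.168.1.10", "10.0.0.5"],
                  "node-b": ["192.168.1.20"]}
REMOVED_AGENT = "192.168.1.77"  # deleted node still inside the allowed network

if __name__ == "__main__":
    for nat in (False, True):
        entries = sender_entries(ALLOWED_NETWORKS, ACCEPTED_NODES, behind_nat=nat)
        print("\n".join(render(entries)))
        print("removed agent accepted:", is_allowed(REMOVED_AGENT, entries))
```

The network-only mode still accepts the removed agent, which is the limitation comment #5 points out. Comment #50 reports that some rsyslog versions segfault on TCP when a disallowed sender connects, so check the rendered TCP line against the rsyslog versions in use.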

#7 Updated by Vincent MEMBRÉ over 3 years ago

  • Target version changed from 2.10.13 to 2.10.14

#8 Updated by Benoît PECCATTE over 3 years ago

  • Parent task changed from #6363 to #6589

#9 Updated by Vincent MEMBRÉ over 3 years ago

  • Target version changed from 2.10.14 to 2.10.15

#10 Updated by Vincent MEMBRÉ over 3 years ago

  • Parent task deleted (#6589)

#11 Updated by Vincent MEMBRÉ over 3 years ago

  • Target version changed from 2.10.15 to 2.10.14

#12 Updated by Vincent MEMBRÉ over 3 years ago

  • Status changed from Discussion to Pending technical review

#13 Updated by Vincent MEMBRÉ over 3 years ago

  • Status changed from Pending technical review to Pending release

#14 Updated by Vincent MEMBRÉ over 3 years ago

  • Status changed from Pending release to Released

Edit: We thought this bug was fixed in 3.0.5 but clearly this is not working; more explanation in a following update.

#15 Updated by Vincent MEMBRÉ over 3 years ago

  • Target version changed from 2.10.14 to 3.0.5

#16 Updated by Vincent MEMBRÉ over 3 years ago

  • Status changed from Released to New
  • Assignee changed from Nicolas CHARLES to Benoît PECCATTE
  • Target version changed from 3.0.5 to 3.0.6

The fix provided in #6507 was not functioning and was reverted by #6761.

We still keep the added variable in #6498 in 3.0.6 even if it is not really used

#17 Updated by Vincent MEMBRÉ over 3 years ago

  • Related to Bug #6481: Create a rudder variable containing all IP of agents added

#18 Updated by Vincent MEMBRÉ over 3 years ago

  • Target version changed from 3.0.6 to 3.0.7

#19 Updated by Vincent MEMBRÉ about 3 years ago

  • Target version changed from 3.0.7 to 3.0.8

#20 Updated by Vincent MEMBRÉ about 3 years ago

  • Target version changed from 3.0.8 to 3.0.9

#21 Updated by Vincent MEMBRÉ almost 3 years ago

  • Target version changed from 3.0.9 to 3.0.10

#22 Updated by Vincent MEMBRÉ almost 3 years ago

  • Target version changed from 3.0.10 to 3.0.11

#23 Updated by Vincent MEMBRÉ almost 3 years ago

  • Target version changed from 3.0.11 to 3.0.12

#24 Updated by Vincent MEMBRÉ almost 3 years ago

  • Target version changed from 3.0.12 to 3.0.13

#25 Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 3.0.13 to 3.0.14

#26 Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 3.0.14 to 3.0.15

#27 Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 3.0.15 to 3.0.16

#28 Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 3.0.16 to 3.0.17

#29 Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 3.0.17 to 302

#30 Updated by Alexis MOUSSET over 2 years ago

  • Target version changed from 302 to 3.1.12

#31 Updated by Vincent MEMBRÉ about 2 years ago

  • Target version changed from 3.1.12 to 3.1.13

#32 Updated by Vincent MEMBRÉ about 2 years ago

  • Target version changed from 3.1.13 to 3.1.14

#33 Updated by Vincent MEMBRÉ almost 2 years ago

  • Target version changed from 3.1.14 to 3.1.15

#34 Updated by Vincent MEMBRÉ almost 2 years ago

  • Target version changed from 3.1.15 to 3.1.16

#35 Updated by Vincent MEMBRÉ almost 2 years ago

  • Target version changed from 3.1.16 to 3.1.17

#36 Updated by Vincent MEMBRÉ almost 2 years ago

  • Target version changed from 3.1.17 to 3.1.18

#37 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 3.1.18 to 3.1.19

#38 Updated by Jonathan CLARKE over 1 year ago

  • Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
  • User visibility set to Operational - other Techniques | Technique editor | Rudder settings
  • Priority set to 50

I assume this would be simple enough to do based solely on allowed networks?

#39 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 3.1.19 to 3.1.20

#40 Updated by Jonathan CLARKE over 1 year ago

  • Assignee deleted (Benoît PECCATTE)

#41 Updated by Benoît PECCATTE over 1 year ago

As demonstrated by the previous attempt in #6761, doing this makes rsyslog segfault.
So let's do the simple version with allowed network.

#42 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 3.1.20 to 3.1.21

#43 Updated by Vincent MEMBRÉ over 1 year ago

  • Target version changed from 3.1.21 to 3.1.22

#44 Updated by Benoît PECCATTE about 1 year ago

  • Priority changed from 50 to 63

#45 Updated by Vincent MEMBRÉ about 1 year ago

  • Target version changed from 3.1.22 to 3.1.23

#46 Updated by Vincent MEMBRÉ about 1 year ago

  • Target version changed from 3.1.23 to 3.1.24

#47 Updated by Vincent MEMBRÉ 11 months ago

  • Target version changed from 3.1.24 to 3.1.25

#48 Updated by Vincent MEMBRÉ 10 months ago

  • Target version changed from 3.1.25 to 387

#49 Updated by Vincent MEMBRÉ 9 months ago

  • Target version changed from 387 to 4.1.10

#50 Updated by Benoît PECCATTE 8 months ago

  • Effort required set to Large
  • Priority changed from 63 to 38

There is no simple version based on allowed network, since the problem is rsyslog itself.
"Some versions of rsyslog segfault when receiving logs from disallowed senders. It happens only on TCP."

As long as we support those versions, we are stuck.

#51 Updated by Vincent MEMBRÉ 7 months ago

  • Target version changed from 4.1.10 to 4.1.11

#52 Updated by Vincent MEMBRÉ 5 months ago

  • Target version changed from 4.1.11 to 4.1.12

#53 Updated by Vincent MEMBRÉ 4 months ago

  • Target version changed from 4.1.12 to 4.1.13
  • Priority changed from 38 to 39

#54 Updated by Vincent MEMBRÉ 2 months ago

  • Target version changed from 4.1.13 to 4.1.14

#55 Updated by Benoît PECCATTE about 2 months ago

  • Target version changed from 4.1.14 to 4.1.15
  • Priority changed from 39 to 40
