Never Lose a Syslog Message

Similar documents
Lecture 10 Overview!

Overview. Daemon processes and advanced I/O. Source: Chapters 13&14 of Stevens book

Utilities. Introduction. Working with SCE Platform Files. Working with Directories CHAPTER

ECS 153 Discussion Section. April 6, 2015

Syslog components. Facility Severity Timestamp Host Tag Message

ovs dpctl(8) Open vswitch Manual ovs dpctl(8)

Interprocess Communication Mechanisms

shared storage These mechanisms have already been covered. examples: shared virtual memory message based signals

ovs dpctl(8) Open vswitch Manual ovs dpctl(8)

Processes COMPSCI 386

CS631 - Advanced Programming in the UNIX Environment. Dæmon processes, System Logging, Advanced I/O

ECE 650 Systems Programming & Engineering. Spring 2018

Forescout. Configuration Guide. Version 3.5

CSE 509: Computer Security

slaacd(8) Florian Obser

UNIX Sockets. Developed for the Azera Group By: Joseph D. Fournier B.Sc.E.E., M.Sc.E.E.

ovn-controller(8) Open vswitch Manual ovn-controller(8)

syslog: The UNIX System Logger

Memory-Mapped Files. generic interface: vaddr mmap(file descriptor,fileoffset,length) munmap(vaddr,length)

RSYSLOGD(8) Linux System Administration RSYSLOGD(8)

Socket Programming. Sungkyunkwan University. Hyunseung Choo Copyright Networking Laboratory

Configuring System Message Logs

Configuring System Message Logs

Socket Programming for TCP and UDP

Configuring System Message Logs

Configuring System Message Logging

Reliable Delivery and Filtering for Syslog

Logging. About Logging. This chapter describes how to log system messages and use them for troubleshooting.

Overview. Last Lecture. This Lecture. Daemon processes and advanced I/O functions

ovsdb server(1) Open vswitch Manual ovsdb server(1)

Motivation of VPN! Overview! VPN addressing and routing! Two basic techniques for VPN! ! How to guarantee privacy of network traffic?!

CounterACT Syslog Plugin

Configuring System Message Logs

Lecture 8. Network Layer (cont d) Network Layer 1-1

Group-A Assignment No. 6

Processes communicating. Network Communication. Sockets. Addressing processes 4/15/2013

Unix Network Programming

Oral. Total. Dated Sign (2) (5) (3) (2)

Outline. Option Types. Socket Options SWE 545. Socket Options. Out-of-Band Data. Advanced Socket. Many socket options are Boolean flags

9th Slide Set Computer Networks

Network Communication

Network System Services

Transport Layer Review

Micro Focus Security ArcSight Connectors. SmartConnector for Snort Syslog. Configuration Guide

CLIENT-SIDE PROGRAMMING

Configuring attack detection and prevention 1

External Alerting for Intrusion Events

Linux Systems Security. Logging and Network Monitoring NETS1028 Fall 2016

Table of Contents 1 Information Center Configuration Guide 1-1

HPE Security ArcSight Connectors

Transport Layer. Gursharan Singh Tatla. Upendra Sharma. 1

Introduction to Network. Topics

Sockets Sockets Communication domains

SYSLOG. Vladislav Marinov. February 18th, Jacobs University Bremen. Vladislav Marinov SYSLOG 1

Lecture 18 Overview. Last Lecture. This Lecture. Next Lecture. Internet Protocol (1) Internet Protocol (2)

Zero-Copy Socket Splicing

Configuring Logging. Information About Logging CHAPTER

Interprocess Communication Mechanisms

Interprocess Communication Mechanisms

IP Addressing: Fragmentation and Reassembly Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)

CSC209: Software tools. Unix files and directories permissions utilities/commands Shell programming quoting wild cards files

CSC209: Software tools. Unix files and directories permissions utilities/commands Shell programming quoting wild cards files. Compiler vs.

Agenda. Before we start: Assignment #1. Routing in a wide area network. Protocols more concepts. Internetworking. Congestion control

Context. Distributed Systems: Sockets Programming. Alberto Bosio, Associate Professor UM Microelectronic Departement

Assignment 2 Group 5 Simon Gerber Systems Group Dept. Computer Science ETH Zurich - Switzerland

Ports under 1024 are often considered special, and usually require special OS privileges to use.

Configuring attack detection and prevention 1

A Client-Server Exchange

Pipes and FIFOs. Woo-Yeong Jeong Computer Systems Laboratory Sungkyunkwan University

Interprocess Communication Mechanisms

Interprocess Communication Mechanisms

IP Addressing: Fragmentation and Reassembly Configuration Guide

HPE Security ArcSight Connectors

Q) Q) What is Linux and why is it so popular? Answer - Linux is an operating system that uses UNIX like Operating system...

Contents. Part 1. Introduction and TCP/IP 1. Foreword Preface. xix. I ntroduction 31

Outline. Inter-Process Communication. IPC across machines: Problems. CSCI 4061 Introduction to Operating Systems

UNIX Sockets. COS 461 Precept 1

Configuring System Message Logging

ECE 650 Systems Programming & Engineering. Spring 2018

Use of interaction networks in teaching Minix

IPng (IPv6) Motivation. Currently: mainly servers, workstations, SLIP/PPP Address space exhaustion + new uses:

CS 428/528 Computer Networks Lecture 01. Yan Wang

Logging. About Logging. This chapter describes how to log system messages and use them for troubleshooting.

Lecture 3. The Network Layer (cont d) Network Layer 1-1

Configuring IP Services

Blacklist'd. A daemon to manage network attacks. Christos Zoulas

Presentation Services. Presentation Services: Motivation

CMPSC 311 Such Final Very Exam

Admin Guide ( Unix System Administration )

SYNOPSIS syslogd [ a socket ][ d ][ f config file ][ h ][ l hostlist ][ m interval ][ n ][ p socket ][ r ][ s domainlist ][ v ][ x ]

YAF(1) Yet Another Flowmeter YAF(1)

Operating Systems. Review ENCE 360

Transport layer Internet layer

CSC209 Review. Yeah! We made it!

Genesys Voice Platform. vrmrecorder Section

Concurrent Architectures - Unix: Sockets, Select & Signals

Configuring System Message Logging

UDP CONNECT TO A SERVER

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Leveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus

Transcription:

Never Lose a Syslog Message Alexander Bluhm bluhm@openbsd.org September 24, 2017

Agenda 1 Motivation 2 Starting Position 3 Local Improvements 4 Remote Logging 5 Conclusion

Why reliable logging? system analysis attacker tries to prevent log required by common criteria

What can go wrong? UDP for remote logs UNIX datagram for local logs file descriptors chroot environment timestamps and time zones

Agenda 1 Motivation 2 Starting Position 3 Local Improvements 4 Remote Logging 5 Conclusion

Traditional Message Flow program syslog(log ERR, "message %d", 7) libc kernel syslogd priority, timestamp, sprintf, send /dev/log recv, log file, send UDP

Priority, Facility, Level, Severity, Options openlog("ftpd", LOG PID LOG CONS, LOG FTP) syslog(log INFO, "%s logged in", user) #define LOG FTP (11<<3) /* ftp daemon */ #define LOG INFO 6 /* informational */ <94>Sep 24 09:35:00 ftpd[4711]: bluhm logged in

Agenda 1 Motivation 2 Starting Position 3 Local Improvements 4 Remote Logging 5 Conclusion

/dev/log Problems with /dev/log UNIX socket needs file descriptor use LOG NDELAY reconnect after SIGHUP syslogd needs UNIX socket in chroot needs pledge("unix") LOG CONS is even worse

sendsyslog New system call sendsyslog(2) int sendsyslog(const void *msg, size t len, int flags) sendsyslog("<94>sep 24 09:36:23 ftpd[4711]: bluhm logged in", 47, LOG CONS)

Using sendsyslog Syslogd does create socketpair register one end with ioctl(liocsfd) receive form other end Kernel does send to syslogd s socketpair write to console if necessary ktrace if activated count errors

Error Handling void syslog(int prio, const char *msg,...) libc cannot return error program cannot log error Kernel sendsyslog can do it count failures when sending to syslogd write message to syslog when it works again sendsyslog: dropped 2 messages, error 57

Libc Timestamp Timestamp from syslog(3) needs /etc/localtime in every chroot no year no time zone no indication of daylight saving time insufficient precision does not work for kernel messages Sep 24 09:37:42

Syslogd Timestamp Timestamp added by syslogd timestamp is optional in received message syslogd adds it if missing libc does not generate it syslogd -Z generates ISO format in UTC use millisecond precision 2017-09-24T07:38:59.333Z

Logging without Libc System call sendsyslog allows logging from signal handler at memcpy overlap from stack protector handler from ld.so dynamic linker

dmesg Overflow Detect dmesg overflow in log file ring buffer with kernel logs syslogd reads from /dev/klog messages may overwrite special kernel message at gap <4>klog: dropped 1243 bytes, message buffer full

Agenda 1 Motivation 2 Starting Position 3 Local Improvements 4 Remote Logging 5 Conclusion

Possibilities process tty user wall console sender loghost syslogd receiver loghost kernel file pipe memory buffer

Local Methods process sendsyslog /dev/log UNIX socket syslogd /dev/klog kernel

Remote Methods sender loghost UDP TCP TLS IPv4 IPv6 syslogd UDP TCP TLS IPv4 IPv6 receiver loghost

UDP Format single UDP packet max 1180 bytes <94>Sep 24 10:07:13 80.154.94.47 ftpd[4711]: bluhm logged in

TCP Format no proper RFC 6587 new line delimiter or NUL delimiter or octet counting 60 <94>Sep 24 10:08:52 80.154.94.47 ftpd[4711]: bluhm logged in

TLS Format octet counting must support 2048 bytes should support 8192 bytes libevent and libtls

Provide Server Certificate sender loghost -T host:port syslogd /etc/ssl/host.crt /etc/ssl/private/host.key syslogd must provide server certificate sender can identify syslogd attacker cannot see messages

Validate Client Certificate sender loghost client certificate -T host:port -K CAfile syslogd sender may provide client certificate syslogd can identify sender attacker cannot inject messages

Validate Server Certificate syslogd @tls://host:port -C CAfile /etc/ssl/cert.pem receiver server loghost certificate syslogd must know server CA hostname must be in server certificate syslogd can identify receiver attacker cannot see messages turn off with -V

Provide Client Certificate syslogd @tls://host:port -c cert file -k key file receiver loghost syslogd may provide client certificate receiver can identify syslogd attacker cannot inject messages

TCP/TLS Errors debug incoming connections log connection errors count dropped messages suppress last message repeated syslogd[17361]: dropped 2 messages to remote loghost

Agenda 1 Motivation 2 Starting Position 3 Local Improvements 4 Remote Logging 5 Conclusion

OpenBSD Message Flow program syslog(log ERR, "message %d", 7) libc kernel syslogd priority, sprintf, syscall sendsyslog, error handling recv, timestamp, log file, send TLS

Run and Log Reliably no fatal errors count dropped messages TCP and TLS transport libevent safe signal handlers file descriptor exhaustion privsep with re-exec pledge child and parent

Tests 180 regression tests for almost everything config, start, log, stop, check stderr, client, server, file, pipe, console, user, ktrace, fstat

TODO initialization errors to file continue after file system full log memory buffer overflow move format from RFC 3164 to 5424 fix bug found by mpi@openbsd ivadasz@dragonfly likes kernel timestamps

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback