| Field | Value |
|---|---|
| Summary | app-admin-syslog-ng-3.0.4 configuration file format update |
| Product | Gentoo Linux |
| Reporter | Aurélien Requiem <bugs> |
| Component | Hardened |
| Assignee | The Gentoo Linux Hardened Team <hardened> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | andre, brendlerjg, doron.fediuck, H4xX0Rz1sT, laen, sirkonst, skunk, themactep, zut |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
| Attachments | patch to update the configuration for 3.0.x branch; This patch fix bug #232874 and #291259; really fix bug #232847, simpler fix for #291259 |
Description
Aurélien Requiem
2009-10-31 06:51:22 UTC
Created attachment 208833 [details, diff]
patch to update the configuration for 3.0.x branch
I wonder if any of these could be changed to header-based matches, instead of applying a regex to the entire header + message, which is quite inefficient. For example (not tested):

    filter f_avc { program("avc"); };
    filter f_audit { not program("avc") and match("regex" value("^audit.*")); };
    filter f_pax { program("PAX"); };
    filter f_grsec { program("grsec"); };

In fact, I think it should actually be:

    filter f_avc { program("avc"); };
    filter f_audit { not program("avc") and message("^audit.*"); };
    filter f_pax { program("PAX"); };
    filter f_grsec { program("grsec"); };

Based on their documentation at: http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s04.html

Or maybe they should all be message() filters (depending on whether that text shows up in the headers or the message body). At any rate, the format of the match filter is (according to the documentation):

    match("<some regexp>" value("<a macro name>"))

Not

    match(regexp value("<some regexp>")

(In reply to comment #0)
> Hi,
>
> After installing syslog-ng 3.0.x, the daemon complained about the configuration file.
>
> Starting with syslog-ng 3.0.x the configuration file format for syslog-ng has changed. With hardened gentoo, the "match()" filters based on regex should be updated accordingly.
>
> Please see patch attached to this bug.
>
> Reproducible: Always
>
> Steps to Reproduce:
> 1. install syslog-ng 3.0.x
> 2. start the server
> 3. observe the warning
>
> Actual Results:
> The displayed warning is as follows:
>
> WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please update your configuration;
>
> Expected Results:
> no warnings
>
> I filed this bug in the hardened section as this is only related to the syslog-ng configuration with hardened profile.
> Someone who is familiar with the configs could also update the sample configuration exhibited here: http://www.gentoo-wiki.info/Syslog-ng

Read the documentation thoroughly, as posted before:
> http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch08s04.html

Important is what it says concerning match() and message(). In syslog-ng 2.1, match() was applied to the message only, not to the header. In syslog-ng 3.x, match() is applied to the message AND the header. To get the old 2.1 match() behaviour in 3.x, there is the message() filter. So it should be (just translating old file, not doing any optimizations):

    filter f_avc { message(".*avc: .*"); };
    filter f_audit { message("^audit.*") and not message(".*avc: .*"); };
    filter f_pax { message("^PAX:.*"); };
    filter f_grsec { message("^grsec:.*"); };

> filter f_pax { program("PAX"); };

# njet

Filtering match with program() won't work, since there are no programs called "avc", "PAX", or "grsec" (these messages are sent by the kernel, not by some program). There is also no real need for optimization here, because this filter is only applied to kernel messages, not all messages:

    log { source(kernsrc); filter(f_pax); destination(pax); };
    log { source(kernsrc); filter(f_grsec); destination(grsec); };
    log { source(kernsrc); filter(f_audit); destination(audit); };
    log { source(kernsrc); filter(f_avc); destination(avc); };

> filter f_pax { match("regex" value("^PAX:.*")); };

# njet

The method as posted in the patch won't work either.

HTH,
Oliver

Please also note bug #232847 with another configuration problem with syslog-ng which could be fixed together with this one (files/syslog-ng.conf.gentoo.hardened and files/syslog-ng.conf.gentoo.hardened.3.0).
Considering #232847, my above statements should be changed to:

    # <H4xX0Rz1sT@eyeq.de> newer kernels have kernel time prefix with CONFIG_PRINTK_TIME set, see #232847
    # <H4xX0Rz1sT@eyeq.de> syslog-ng 3.x deprecates old match() syntax, use message() as equivalent, see #291259
    filter f_avc { message(".*avc: .*"); };
    filter f_audit { message("^(\\[.*\\] )?audit.*") and not message(".*avc: .*"); };
    filter f_pax { message("^(\\[.*\\] )?PAX:.*"); };
    filter f_test { message("^(\\[.*\\] )?grsec:.*"); };

HTH,
Oliver

Yes, I concur with Oliver. Those match() filter functions should simply be replaced with message() filter functions.

It works using:

    # grsec & pax
    filter f_avc { match("^\\[.*\] .*avc: .*" value("MESSAGE")); };
    filter f_audit { match("^\\[.*\] audit.*" value("MESSAGE")) and not match(".*avc: .*" value("MESSAGE")); };
    filter f_pax { match("^\\[.*\] PAX:.*" value("MESSAGE")); };
    filter f_grsec { match("^\\[.*\] grsec:.*" value("MESSAGE")); };

fixes also: https://bugs.gentoo.org/232847

Created attachment 209354 [details, diff]
This patch fix bug #232874 and #291259

Thanks for the help cilly

(In reply to comment #9)

Yes, that will work, but it's unnecessary added complexity. The "message()" filter is an abbreviated syntax of the same function.

    message(<some_regexp>);

- is equivalent to -

    match(<some_regexp> value("MESSAGE"));

    filter f_test { message("^(\\[.*\\] )?grsec:.*"); };

should be no?

    filter f_grsec { message("^(\\[.*\\] )?grsec:.*"); };

> (In reply to comment #9)
>
> Yes, that will work, but it's unnecessary added complexity. The "message()"
> filter is an abbreviated syntax of the same function.
>
> message(<some_regexp>);
>
> - is equivalent to -
>
> match(<some_regexp> value("MESSAGE"));
/votes against using unnecessary added complexity. Replacing the current match with message works flawlessly. Let's not go crazy on regexp when it's not needed.
Here's a snip:

    match("IN-*" value("MESSAGE"))
    not match("OUT-*" value("MESSAGE"))
    match("^PASS-*" value("MESSAGE"))
    program("kernel")

Works like a charm. No warnings and life is good :)

(In reply to comment #12)
> filter f_test { message("^(\\[.*\\] )?grsec:.*"); };
>
> should be no?
>
> filter f_grsec { message("^(\\[.*\\] )?grsec:.*"); };
>

of course, you're right, filter should be named f_grsec, my mistake. Thanks.

The patch as proposed by cilly and posted by Magnus Granberg is not backwards compatible with older kernels. It also won't work on newer ones with CONFIG_PRINTK_TIME disabled. The regex will fail in these two situations. Moreover, as also pointed out by John Brendler and Marvin Vek, it adds unnecessary complexity. Will post a patch.

HTH,
Oliver

Created attachment 210124 [details, diff]
really fix bug #232847, simpler fix for #291259

Maybe drop the stable flag for version 3.x before resolving this bug?

What about fixing this bug? I think this is critical.

Was there some kind of pandemic and the hardened guys are all gone now? Are you guys needing some more manpower?

and silence... :-\

Typo in URL above: it's "commons" not "common".

Also, explanation for those of you too young to get it... Before cable television, TV channels used to stop broadcasting programming (i.e. content) at night (typically around midnight). When they ended their "broadcast day", most of them would throw up a "test pattern" on the screen, rather than broadcast completely dead air (static). This "indian head" test pattern was the standard until color television came along, at which time most stations started using a pattern of color bars. Today, stations will at least throw up an "infomercial" rather than a test pattern. But since a test pattern is preferable to completely dead air, I thought I'd provide one. ;)

(In reply to comment #22)
> Also, explanation for those of you too young to get it...
> [CUT]
> Before cable television, TV channels used to stop broadcasting programming
> But since a test pattern is preferable to completely dead air, I thought I'd
> provide one. ;)

That sir, is off-topic awesomeness, and I love it!

Back on-topic, I keep referring to https://bugs.gentoo.org/show_bug.cgi?id=291259#c15 and https://bugs.gentoo.org/show_bug.cgi?id=291259#c16 containing the patch. Don't see why this hasn't been implemented yet.

*pokes $(grep email /usr/portage/app-admin/syslog-ng/metadata.xml)

(In reply to comment #23)

I think it's just that this item is of comparatively low priority, relative to many other tasks the hardened project is tackling to get caught up.

Fixed in syslog-ng-3.0.5-r1

Thank you all
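The backwards-compatibility point raised in the thread (the attachment 209354 filters require the CONFIG_PRINTK_TIME "[seconds.usec] " prefix, while the corrected ones make it optional) can be checked offline before touching a production syslog-ng.conf. The Python script below is an added example, not code from this bug or from syslog-ng: it evaluates both filter sets from the thread over constructed kernel log payloads and lists the messages each set would silently drop. The sample messages and the names STRICT_FILTERS, TOLERANT_FILTERS, route() and unrouted() are constructed for this illustration. The regexes are the ones posted in the thread with syslog-ng's double-backslash string escaping reduced to the single-escaped form Python's re module reads (this assumes both "\\[" and "\]" in the config reach the regex engine as a literal bracket), and matching uses unanchored search semantics as an approximation of syslog-ng's regex evaluation.

```python
import re

# Constructed sample kernel log MESSAGE payloads (not real captures). Each
# message type appears once with the "[seconds.usec] " prefix that a kernel
# built with CONFIG_PRINTK_TIME prepends, and once without it.
SAMPLE_MESSAGES = [
    "[ 1234.567890] PAX: terminating task: /usr/bin/example(4242):1, uid/euid: 1000/1000",
    "PAX: terminating task: /usr/bin/example(4242):1, uid/euid: 1000/1000",
    "[ 1234.567891] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE",
    "grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE",
    '[ 1234.567892] audit(1256971882.123:45): avc:  denied  { read } for  pid=1 comm="init"',
    "audit(1256971882.123:46): type=1400 arch=c000003e syscall=59 success=yes",
]

# Filter sets as destination -> (positive regex, negative regex or None).
# The syslog-ng config double-escapes backslashes ("^\\[.*\\] "); Python raw
# strings carry the single-escaped form the regex engine actually sees.
# Variant from the attachment 209354 patch: the time prefix is mandatory.
STRICT_FILTERS = {
    "avc":   (r"^\[.*\] .*avc: .*", None),
    "audit": (r"^\[.*\] audit.*", r".*avc: .*"),
    "pax":   (r"^\[.*\] PAX:.*", None),
    "grsec": (r"^\[.*\] grsec:.*", None),
}
# Variant from the thread's corrected statements: the prefix is optional.
TOLERANT_FILTERS = {
    "avc":   (r".*avc: .*", None),
    "audit": (r"^(\[.*\] )?audit.*", r".*avc: .*"),
    "pax":   (r"^(\[.*\] )?PAX:.*", None),
    "grsec": (r"^(\[.*\] )?grsec:.*", None),
}


def route(message, filters):
    """Return the destinations a message would reach under the given filters.

    Mirrors one log {} statement per filter: a destination receives the
    message when its positive regex matches and its negative regex (if any)
    does not. Unanchored search semantics approximate a POSIX regexec() call.
    """
    hits = []
    for dest, (positive, negative) in filters.items():
        if re.search(positive, message) and not (negative and re.search(negative, message)):
            hits.append(dest)
    return hits


def unrouted(messages, filters):
    """Messages that reach no destination at all, i.e. events silently lost."""
    return [m for m in messages if not route(m, filters)]


if __name__ == "__main__":
    for name, filters in (("strict", STRICT_FILTERS), ("tolerant", TOLERANT_FILTERS)):
        dropped = unrouted(SAMPLE_MESSAGES, filters)
        print(f"{name}: {len(dropped)} of {len(SAMPLE_MESSAGES)} messages reach no destination")
        for m in SAMPLE_MESSAGES:
            print(f"  {route(m, filters) or '-'}  {m[:60]}")
```

Run as a script it prints the routing decision per sample; the strict set loses every unprefixed PAX, grsec and audit message, which on a kernel without CONFIG_PRINTK_TIME means the hardened log destinations stay empty with no warning from syslog-ng. The same harness can be pointed at real lines from /var/log/kern.log to check a filter change before deploying it.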