Hi, I have a single short question ($SUBJ). If you know the answer, you can stop reading further and ping me, please. Below is background behind the question.
Short background: I'm working on a security hardening rule for Red Hat Insights, and it looks like there are hundreds of OpenShift systems without rsyslog; I'm trying to find out why.

Long background: Red Hat Insights is a service for customers that detects problems on their systems and reports them. The official page is https://access.redhat.com/insights/ and there is an internal lightning talk on how it works with Product Security at https://redhat.bluejeans.com/playback/s/MlgsPNrCxrvmGNSoiHJsXC6znElXPXIKsleyKRk6ueRYFBgLKF5xnI9d4sEggjQ1# (starts at 23:15). It's nearly the same presentation we gave to customers, so it's not confidential.

I'm working on a detection rule that detects certain non-default configurations that compromise security regarding logging and auditing. One part of the rule detects whether the rsyslog rpm is installed and whether the rsyslog service is enabled. If it is not installed & enabled, it reports a "hit" - a result meaning that the particular system should be reported to the customer regarding this issue (a human-readable frontend is presented, with ways of fixing the issue). Because of privacy, we gather the absolute minimum amount of required data, so the only data returned from the system for that detection rule are two bools: rpm installed, service enabled. Because some people use syslog-ng, the code that runs on the customers' machines suppresses warnings (doesn't report a "hit") when syslog-ng is used instead of rsyslog. There's no easy way to see whether a different solution is used, because of privacy reasons.

Now, if all possible ways of installing the Red Hat-supported paid OpenShift do not disable rsyslog (and if all underlying ways to install RHEL do not disable rsyslog), then we should activate the rule and let customers know about the problem. If there are some default configurations where rsyslog is disabled, we first need to solve it internally within Red Hat (e.g. through better detection in Insights) before activating it.
The data we got back from customer systems suggest that the overwhelming majority of hits are OpenShift systems and that there are no versions of RHEL that would disable it by default. Therefore, I'm trying to find out about OpenShift: whether there is any official way at all that would install OpenShift and disable rsyslog. The Insights rules run detection code locally on the "client" systems (customers' servers) and report the minimum amount of data to our backend, and the backend then tells the frontend what to display. The Insights rules also run within OpenShift containers and treat them as more or less normal RHEL systems. Any help or nudges in the right direction are appreciated.

Sincerely,
-- Jakub Svoboda / Red Hat Product Security
_______________________________________________
dev mailing list
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
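As an added illustration of the detection logic the post describes (this is example code written for this page, not the Insights rule or any Red Hat code), the following derives the two booleans the rule reports from `rpm -qa` and `systemctl list-unit-files` output, applies the syslog-ng suppression, and returns either "no hit" or the minimal two-bool payload. The command outputs are constructed samples, and the assumption that "syslog-ng is used" means its rpm is installed and its service enabled is mine, not the post's.

```python
# Added example (not the Insights rule's own code): derive the two booleans the
# rule reports (rsyslog rpm installed, rsyslog service enabled) from command
# output, apply the syslog-ng suppression, and return the minimal payload.
# All sample command outputs below are constructed, not captured from real hosts.
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class LoggingFacts:
    rsyslog_installed: bool
    rsyslog_enabled: bool
    syslog_ng_installed: bool
    syslog_ng_enabled: bool


def parse_rpm_qa(output: str) -> Set[str]:
    """Package names from default `rpm -qa` output (NAME-VERSION-RELEASE.ARCH)."""
    # A real collector would run `rpm -qa --qf '%{NAME}\n'` and skip this split;
    # it is here so the constructed sample text can be used as-is.
    names = set()
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        nvr = line.rsplit(".", 1)[0]          # drop .ARCH (no-op when there is none)
        names.add(nvr.rsplit("-", 2)[0])      # drop -VERSION-RELEASE; keeps "syslog-ng" whole
    return names


def parse_unit_files(output: str) -> Dict[str, str]:
    """Map service name -> state from `systemctl list-unit-files --type=service`."""
    # Only the first two columns are read, so the two-column (UNIT FILE, STATE)
    # and the newer three-column (UNIT FILE, STATE, PRESET) layouts both work.
    states = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].endswith(".service"):
            states[parts[0][: -len(".service")]] = parts[1]
    return states


def collect_facts(rpm_qa_output: str, unit_files_output: str) -> LoggingFacts:
    pkgs = parse_rpm_qa(rpm_qa_output)
    units = parse_unit_files(unit_files_output)
    return LoggingFacts(
        rsyslog_installed="rsyslog" in pkgs,
        rsyslog_enabled=units.get("rsyslog") == "enabled",
        syslog_ng_installed="syslog-ng" in pkgs,
        syslog_ng_enabled=units.get("syslog-ng") == "enabled",
    )


def logging_hit(facts: LoggingFacts) -> Optional[Dict[str, bool]]:
    """None when nothing should be reported; otherwise the two bools the rule sends."""
    if facts.rsyslog_installed and facts.rsyslog_enabled:
        return None
    # Assumption (not stated in the post): "syslog-ng is used" means its rpm is
    # installed and its service is enabled, mirroring the rsyslog check.
    if facts.syslog_ng_installed and facts.syslog_ng_enabled:
        return None
    # Anything else (journald only, a container image without rsyslog, rsyslog
    # installed but disabled) is a hit; only these two bools leave the system.
    return {"rsyslog_installed": facts.rsyslog_installed,
            "rsyslog_enabled": facts.rsyslog_enabled}


# Constructed samples: a default host, the same host with rsyslog disabled, a host
# that switched to syslog-ng, and a container-style image carrying neither daemon.
RPM_QA_RHEL = """\
rsyslog-8.24.0-34.el7.x86_64
systemd-219-62.el7.x86_64
gpg-pubkey-deadbeef-00000000
"""
UNITS_RHEL = """\
UNIT FILE                STATE
rsyslog.service          enabled
auditd.service           enabled

2 unit files listed.
"""
UNITS_RHEL_DISABLED = """\
UNIT FILE                STATE
rsyslog.service          disabled
auditd.service           enabled
"""
RPM_QA_SYSLOG_NG = """\
syslog-ng-3.5.6-3.el7.x86_64
systemd-219-62.el7.x86_64
"""
UNITS_SYSLOG_NG = """\
UNIT FILE                STATE
syslog-ng.service        enabled
auditd.service           enabled
"""
RPM_QA_CONTAINER = """\
systemd-219-62.el7.x86_64
"""
UNITS_CONTAINER = """\
UNIT FILE                STATE
"""

if __name__ == "__main__":
    for label, rpm_out, unit_out in [
        ("default host", RPM_QA_RHEL, UNITS_RHEL),
        ("rsyslog disabled", RPM_QA_RHEL, UNITS_RHEL_DISABLED),
        ("syslog-ng host", RPM_QA_SYSLOG_NG, UNITS_SYSLOG_NG),
        ("container image", RPM_QA_CONTAINER, UNITS_CONTAINER),
    ]:
        print(f"{label:18s} -> {logging_hit(collect_facts(rpm_out, unit_out))}")
```

The container sample is the case the post is asking about: an image with neither rsyslog nor syslog-ng produces a hit with both bools false, and nothing in the two reported values lets the backend tell a deliberately journald-only host from an image that simply never shipped rsyslog.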
