On Fri, Oct 18, 2013 at 1:17 PM, Radu Gheorghe <[email protected]> wrote:

> If you need additional signing, then I guess you're referring to this:
> http://www.rsyslog.com/how-to-sign-log-messages-through-signature-provider-guardtime/
> which, as David said, currently works only with files. In order to make
> that work in your use case, you might want to contribute or sponsor signing
> for omelasticsearch, or maybe as a message modifying module. I don't know
> which is the best, because it's beyond my knowledge of rsyslog internals. A
> message modifier, if feasible, should work with all output modules.

Crypto is always tricky ;)

Creating a generic "signature module" that you put into the middle of the processing chain is very dangerous and most probably does not lead to the desired results. That's the prime reason I have not done this. If you sign messages for real security, you want to make sure that

a) the message itself is authentic
b) there is no message missing inside the message stream
c) no additional message has been inserted into the message stream

Note that doing a) is entangled with b+c, as we have very short messages to deal with, so the collision resistance of a single message is not very high (e.g. you can brute-force hashes). Doing real signatures for single messages is far too expensive - both computationally too intense and requiring too much space (avg syslog message is ~80 bytes, avg signature 1.5k).

If you now place a signer into the middle of the chain, you must ensure that the full signature stream is received at *each* output and nothing is reordered (e.g. udp). In short, tons of things that you can misconfigure. And then you still have the problem of local compromise, even by a malicious admin.
And this is just scratching on the issues that exist ;) Some more background can be found here: http://blog.gerhards.net/2013/05/rsyslogs-first-signature-provider-why.html

Rainer

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
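To make the three properties a), b) and c) concrete, here is an added example (editorial, not rsyslog's signature provider and not code from anyone in this thread) of a hash-chained log block with a single signature over the chain head, which is why per-message signatures are not needed to detect a modified, dropped or inserted record. It assumes HMAC as a stand-in for a real asymmetric signature and uses constructed sample lines.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32          # link value before the first record
KEY = b"constructed-demo-key"   # assumption: stands in for a real signing key

# Constructed sample stream; sizes are close to the ~80-byte syslog average.
LINES = [
    "<34>Oct 18 13:17:01 host sshd[812]: Accepted publickey for alice",
    "<34>Oct 18 13:17:05 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
    "<34>Oct 18 13:17:09 host sshd[812]: Disconnected from alice",
]

def link(prev, seq, line):
    # Each link covers the previous link, so dropping or inserting a record
    # breaks every link after it: property a) is tied to b) and c).
    return hashlib.sha256(prev + seq.to_bytes(8, "big") + line.encode()).digest()

def build_chain(lines):
    """Return (records, head); records are (seq, line, link_hex) tuples."""
    prev, records = GENESIS, []
    for seq, line in enumerate(lines):
        prev = link(prev, seq, line)
        records.append((seq, line, prev.hex()))
    return records, prev

def sign_head(head, key):
    # One signature per block rather than per message (HMAC as stand-in).
    return hmac.new(key, head, hashlib.sha256).hexdigest()

def verify_chain(records, head_sig, key):
    """Recompute the chain and check the signed head. Returns (ok, reason)."""
    prev = GENESIS
    for expected, (seq, line, link_hex) in enumerate(records):
        if seq != expected:
            return False, f"sequence break at {expected}"
        prev = link(prev, seq, line)
        if prev.hex() != link_hex:
            return False, f"record {seq} does not match its link"
    if not hmac.compare_digest(sign_head(prev, key), head_sig):
        return False, "head signature mismatch"
    return True, "ok"

def demo():
    records, head = build_chain(LINES)
    sig = sign_head(head, KEY)
    modified = list(records)                      # edit one line, keep its link
    modified[1] = (1, records[1][1].replace("alice", "bob"), records[1][2])
    deleted = records[:1] + records[2:]           # drop record 1
    inserted, _ = build_chain(LINES[:2] + ["<34>forged line"] + LINES[2:])
    return {"clean": verify_chain(records, sig, KEY),
            "modified": verify_chain(modified, sig, KEY),
            "deleted": verify_chain(deleted, sig, KEY),
            "inserted": verify_chain(inserted, sig, KEY)}
```

The "inserted" case rebuilds an internally consistent chain, so only the signed head exposes it; this is the part that must survive intact at every output, which is the misconfiguration risk Rainer describes.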

