[syslog-ng] Certificate ip authentication

SZIGETVÁRI János jszigetvari at gmail.com
Mon Jul 27 13:30:35 UTC 2020


Hi Alexandre,

AFAIK, there is no way to verify the certificate subjects of
connecting clients on a syslog-ng server.
A little over a month back I created this feature request:
https://github.com/syslog-ng/syslog-ng/issues/3312
On the other hand, even if this part of the security picture
were spotless, the client machine's hostname could still be
changed through a rewrite rule on the client machine if the user has
any way of changing syslog-ng's configuration (through file
permissions, being a member of a group or through possessing
administrative privileges).

Best Regards,
János
--
Janos SZIGETVARI
RHCE, License no. 150-053-692

LinkedIn: linkedin.com/in/janosszigetvari

__ at __˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp

Alexandre Damas <alexandre.m.damas at nos.pt> wrote (on Mon, 27 Jul 2020, 13:34):
>
> Hi,
>
> As my objective in using syslog-ng is the authentication and certification of received security and auditing events, I implemented an internal CA which generates a certificate per syslog-ng client.
>
> Once, someone misconfigured a client and got a certificate for a different client. The funny part of it is that no one observed any problem, as the certificate, which was generated for a client having an IP (different from the one configured on the machine), was working and communications (using ALTP with TLS) went up for the exchange of messages.
>
> Has anyone experienced this? Does someone have a clue on how to prevent certificate reutilization on the client side?
>
> On the Linux side I did not find any way of preventing the utilization of a certificate for one machine that was issued for a different machine, having a different IP. If there is no cross-checking on the server of the IP addresses in the certificate against the IP address of the received event, I don't have a way to achieve non-repudiation of a received event, and the client can reuse the certificate for other machines, allowing the events to be received on the server.
>
> Kind Regards
>
> Alexandre Damas
>
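The cross-check Alexandre asks for, a server comparing the address a client actually connects from with the IP addresses listed in the client certificate's subjectAltName, as an added illustration in Python. This is not syslog-ng's code and not code from either poster; the certificate dicts are constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and all host names and addresses are made-up sample values.

```python
"""Server-side cross-check of a client certificate's SAN IP entries
against the address the connection actually came from.

Added illustration only (not syslog-ng code). The certificate dicts are
constructed in the shape ssl.SSLSocket.getpeercert() returns.
"""
import ipaddress

# Constructed sample: a certificate the internal CA issued to one specific
# client, "client-a", bound to the address 10.0.0.5 (made-up values).
CLIENT_A_CERT = {
    "subject": ((("commonName", "client-a"),),),
    "subjectAltName": (
        ("DNS", "client-a.example.net"),
        ("IP Address", "10.0.0.5"),
    ),
}


def san_ip_addresses(peercert):
    """Return the set of IP addresses listed in the certificate's SAN.

    `peercert` is a dict as returned by getpeercert(): subjectAltName is a
    tuple of (type, value) pairs, and IP entries carry the type string
    "IP Address". Malformed entries are skipped rather than trusted.
    """
    ips = set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind != "IP Address":
            continue
        try:
            ips.add(ipaddress.ip_address(value))
        except ValueError:
            continue
    return ips


def normalize_peer_ip(peer_ip):
    """Parse the socket's peer address and unwrap IPv4-mapped IPv6
    (::ffff:a.b.c.d), so a dual-stack listener compares like with like."""
    addr = ipaddress.ip_address(peer_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def check_client(peercert, peer_ip):
    """Return (accepted, reason) so the decision can be logged either way.

    A certificate with no IP SAN entry is rejected: the point of the check
    is to bind a certificate to one host, and such a certificate cannot be
    bound to anything. An empty dict (what getpeercert() returns when no
    client certificate was required) is rejected for the same reason.
    """
    allowed = san_ip_addresses(peercert)
    if not allowed:
        return False, "certificate carries no IP SAN entry"
    actual = normalize_peer_ip(peer_ip)
    if actual in allowed:
        return True, f"peer {actual} matches certificate SAN"
    listed = ", ".join(str(a) for a in sorted(allowed, key=str))
    return False, f"peer {actual} not in certificate SAN ({listed})"


def certificate_matches_peer(peercert, peer_ip):
    """Boolean form of check_client for use in an accept/reject hook."""
    return check_client(peercert, peer_ip)[0]


if __name__ == "__main__":
    # The misconfiguration from the thread: client-a's certificate presented
    # from a different machine (10.0.0.9) is caught by the cross-check.
    for peer in ("10.0.0.5", "::ffff:10.0.0.5", "10.0.0.9"):
        print(peer, "->", check_client(CLIENT_A_CERT, peer))
```

The check only has a certificate to inspect if the listener demanded one (`ssl.CERT_REQUIRED` in Python terms; the equivalent in syslog-ng is requiring and verifying client certificates on the TLS destination/source). It also only binds the certificate to the transport address; as János notes above, the hostname inside the message payload is still whatever the client's own rewrite rules put there, so this cross-check supports non-repudiation of where a message came from, not of what the client wrote in it.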