
Re: [RFC] locking down rsyslog.service

Michael Biebl wrote:
> While the attempt is to secure the default configuration of rsyslog, I
> do not want to restrict it so much that it becomes unusable.
> If you think that one of those directives could cause issues with
> commonly used setups, please let me know, so I can adjust the
> configuration.
> Looking forward to your feedback.

Maybe also add `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX`?

I see the rsyslog package is compiled without capng support:

  --enable-libcap-ng      Enable dropping capabilities to only the necessary
                          set [default=no]

With the libcap-ng dependency rsyslog can apparently perform capability
privilege dropping at some point during startup:


I seem to recall that capability dropping requires additional
privileges, though (CAP_SETPCAP?).

Is this code in rsyslog maybe redundant if the process starts up with
the already reduced set of capabilities and that's the rationale for not
building the package with --enable-libcap-ng? I guess if that's the case
then there aren't any capabilities that are needed by rsyslog only
briefly at startup that can be dropped by the daemon itself?

Robert Edmonds
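The question above, whether the daemon already starts with a reduced capability set, can be checked directly rather than inferred from build options. The following is an added example, not code from the message or from rsyslog: a small C program that reads the CapBnd, CapPrm and CapEff masks from /proc/<pid>/status (kernel-defined fields; the bit numbers are the Linux ABI constants from linux/capability.h) and lists the capabilities they contain. If the unit restricts the bounding set (systemd's CapabilityBoundingSet= directive), CapBnd of the running process is where that shows up; whether CAP_SETPCAP is still present tells you whether in-process bounding-set dropping could even work. The program name and structure are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Capability names indexed by bit number (Linux ABI, linux/capability.h). */
static const char *cap_names[] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
};
#define NCAPS (sizeof cap_names / sizeof cap_names[0])
#define CAP_SETPCAP_BIT 8u

/* Parse one "CapXxx:<ws><hex>" line from /proc/<pid>/status into a mask.
   Returns 1 if the line carries the requested field, 0 otherwise. */
int parse_cap_line(const char *line, const char *field, unsigned long long *mask)
{
    size_t n = strlen(field);
    if (strncmp(line, field, n) != 0 || line[n] != ':')
        return 0;
    const char *p = line + n + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return 0;
    *mask = v;
    return 1;
}

/* 1 if capability number `cap` is set in `mask`. */
int cap_in_mask(unsigned long long mask, unsigned cap)
{
    return cap < 64 && ((mask >> cap) & 1ULL) != 0;
}

/* Number of capabilities present in the mask. */
unsigned cap_count(unsigned long long mask)
{
    unsigned n = 0;
    for (; mask; mask &= mask - 1)
        n++;
    return n;
}

/* Read the named field from /proc/<pid>/status ("self" for our own process). */
int read_proc_caps(const char *pid, const char *field, unsigned long long *mask)
{
    char path[64], line[256];
    int found = 0;
    snprintf(path, sizeof path, "/proc/%s/status", pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    while (!found && fgets(line, sizeof line, f))
        found = parse_cap_line(line, field, mask);
    fclose(f);
    return found;
}

static void print_caps(const char *field, unsigned long long mask)
{
    printf("%s = %016llx (%u capabilities)\n", field, mask, cap_count(mask));
    for (unsigned i = 0; i < 64; i++)
        if (cap_in_mask(mask, i))
            printf("  cap_%s\n", i < NCAPS ? cap_names[i] : "?");
}

int main(int argc, char **argv)
{
    const char *pid = argc > 1 ? argv[1] : "self";
    const char *fields[] = { "CapBnd", "CapPrm", "CapEff" };
    unsigned long long bnd = 0, m;
    for (size_t i = 0; i < 3; i++) {
        if (!read_proc_caps(pid, fields[i], &m)) {
            fprintf(stderr, "cannot read %s for pid %s\n", fields[i], pid);
            return 1;
        }
        if (i == 0)
            bnd = m;
        print_caps(fields[i], m);
    }
    /* The point raised in the thread: can the daemon still shrink its own
       bounding set? That needs CAP_SETPCAP to be present. */
    printf("cap_setpcap in bounding set: %s\n",
           cap_in_mask(bnd, CAP_SETPCAP_BIT) ? "yes" : "no");
    return 0;
}
```

Build with `cc -O2 -o capcheck capcheck.c` and run `./capcheck $(pidof rsyslogd)` as root to inspect the daemon, or `./capcheck` for the calling process. A CapBnd that is already a small subset, without bit 8, answers the question in the message above: there is nothing left for libcap-ng to drop at runtime, and the process could not drop from its bounding set anyway.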
