[deprecated] How to sign log messages through signature provider Guardtime
Please note: This method is deprecated. Please refer to the new log signing method with KSI.
With rsyslog v7.3.9 we introduced the possibility to sign log messages through Guardtime, a signature provider. The process to enable this is relatively easy, and in the end your log files are signed with a keyless signature that relies on hash functions through Guardtime. The signature functionality is loaded automatically by omfile if so requested; it just requires that the signature provider itself is installed. For our RPMs and Ubuntu packages, it is available in the base package. During signing, a second file is created next to your logfile with the ending “.gtsig”. This pair of files will later be needed to prove the integrity of your logfile.
In addition to rsyslog 7.3.9 or above you need “libgt”. The library is either available from Guardtime directly or from our git. If you installed rsyslog from our packages, libgt will be installed automatically.
When installing manually, you need to enable the signature function. The most basic configure command looks like this:
./configure --prefix=/usr --enable-guardtime
When rsyslog is installed, you can use the Guardtime signatures easily with a few additional configuration directives. For detailed information about the configuration directives, please review the manual. The correct action would look like this:
action(type="omfile" file="/var/log/logfile"
       sig.provider="gt"
       sig.timestampService="http://user:password@stamper.guardtime.net/gt-signingservice"
       # Please contact Guardtime for authentication details
       sig.keepTreeHashes="on"
       sig.keepRecordHashes="on")
The directive sig.provider determines the provider that will be used. Currently, only Guardtime (gt) is available, but other providers might be added in the future. The other two options control the granularity of the stored signature hashes at the cost of disk space. When you are trying to detect a security breach, keeping them comes in handy, as it enables you to spot the location of the breach within the logfile. You will receive two files that share the same name but have different extensions:
/var/log/logfile
/var/log/logfile.gtsig
Once rsyslog is installed you also get a new tool called “rsgtutil”. It helps you check the integrity of your logfile in conjunction with the signature file. By issuing
tools/rsgtutil --verify --show-verified /var/log/logfile
you can easily check whether the logfile matches the stored hashes. If the check succeeds you will see it directly; if not, you will be notified as well and further investigation will be necessary.
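As an added illustration (not rsyslog's or libgt's code, and not the .gtsig format), the following Python models why keeping per-record hashes alongside the signed root of a hash tree lets a verifier point at the altered record, whereas a root hash alone only tells you that the file no longer matches; the log lines are constructed for the example.

```python
import hashlib

# Constructed sample log records (not real rsyslog output).
SAMPLE_LOG = [
    b"Mar 27 10:00:01 host sshd[1201]: Accepted publickey for alice",
    b"Mar 27 10:00:05 host sudo: alice : COMMAND=/bin/systemctl restart rsyslog",
    b"Mar 27 10:00:09 host sshd[1202]: Failed password for invalid user admin",
    b"Mar 27 10:00:12 host sshd[1202]: Connection closed by 203.0.113.5",
    b"Mar 27 10:00:20 host cron[1310]: (root) CMD (run-parts /etc/cron.hourly)",
]

def record_hash(line: bytes) -> bytes:
    """Hash of one log record (a leaf of the hash tree)."""
    return hashlib.sha256(line).digest()

def tree_root(leaves):
    """Binary hash tree over the leaves; an odd trailing node is paired with itself."""
    if not leaves:
        raise ValueError("cannot sign an empty block")
    level = list(leaves)
    while len(level) > 1:
        pairs = [(level[i], level[i + 1] if i + 1 < len(level) else level[i])
                 for i in range(0, len(level), 2)]
        level = [hashlib.sha256(left + right).digest() for left, right in pairs]
    return level[0]

def sign_block(lines, keep_record_hashes=True):
    """Simplified model of the sidecar: the signed root plus, optionally, every record hash."""
    leaves = [record_hash(line) for line in lines]
    sig = {"root": tree_root(leaves).hex()}
    if keep_record_hashes:
        sig["records"] = [h.hex() for h in leaves]
    return sig

def verify_block(lines, sig):
    """Return (intact, tampered_indices). Indices can only be located when the
    sidecar kept record hashes; with the root alone you just get intact=False."""
    leaves = [record_hash(line) for line in lines]
    intact = tree_root(leaves).hex() == sig["root"]
    if intact or "records" not in sig:
        return intact, []
    stored = sig["records"]
    n = max(len(leaves), len(stored))  # also catches deleted or appended records
    tampered = [i for i in range(n)
                if i >= len(leaves) or i >= len(stored) or leaves[i].hex() != stored[i]]
    return intact, tampered

if __name__ == "__main__":
    sig = sign_block(SAMPLE_LOG)
    altered = list(SAMPLE_LOG)
    altered[2] = altered[2].replace(b"Failed", b"Accepted")  # one record rewritten after the fact
    print(verify_block(SAMPLE_LOG, sig))  # (True, [])
    print(verify_block(altered, sig))     # (False, [2])
```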
Please note:
The Guardtime KSI service has been upgraded to mitigate DoS attacks by adding user authentication. Please contact Guardtime for more information.
rsyslog 7.3.9 (v7-devel)
Download file name: rsyslog 7.3.9 (devel)
sha256 hash: 81011e153d73a71d3504ce9852d618c22d7262c9f6f1a95820733223f9b7de51
Author: Rainer Gerhards (rgerhards@adiscon.com)
Version: 7.3.9
File size: 2.719 MB
rsyslog 7.3.9 (v7-devel) released
We have just released v 7.3.9 of the rsyslog development branch. The most important feature of this release is the capability to digitally sign log files. This is done via RFC3161. It also contains some other feature enhancements as well as bug fixes. Note that 7.3.9 is almost feature-complete and can be considered a beta. It is our goal to release a new v7.4 stable within the next few weeks.
ChangeLog:
http://www.rsyslog.com/changelog-for-7-3-9-v7-devel/
Download:
http://www.rsyslog.com/rsyslog-7-3-9-v7-devel/
As always, feedback is appreciated.
Best regards,
Tim Eifler
Changelog for 7.3.9 (v7-devel)
Version 7.3.9 [devel] 2013-03-27
- support for signing logs added
- imudp: now supports user-selectable inputname
- omlibdbi: now supports transaction interface
  if recent enough libdbi is present
- imuxsock: add ability to NOT create/delete sockets during startup and
  shutdown
  closes: http://bugzilla.adiscon.com/show_bug.cgi?id=259
- imfile: errors persisting state file are now reported
  closes: http://bugzilla.adiscon.com/show_bug.cgi?id=292
- imfile: now detects file change when rsyslog was inactive
  Previously, this case could not be detected, so if a file was overwritten
  or rotated away while rsyslog was stopped, some data was missing. This
  is now detected and the new file is forwarded right from the
  beginning.
  closes: http://bugzilla.adiscon.com/show_bug.cgi?id=228
- updated systemd files to match current systemd source
- bugfix: imudp scheduling parameters did affect main thread, not imudp
  closes: http://bugzilla.adiscon.com/show_bug.cgi?id=409
- bugfix: build problem on platforms without GLOB_NOMAGIC
- bugfix: build problems on non-Linux platforms
- bugfix: stdout/stderr were not closed on forking
  but were closed when running in the foreground – this was just reversed
  of what it should be. This is a regression of a recent change.
rsyslog 7.3.8 (v7-devel)
Download file name: rsyslog 7.3.8 (devel)
sha256 hash: bc5586ac66db766418f2d34cacd6a2d2240458deb590f545e966e411af0883e9
Author: Rainer Gerhards (rgerhards@adiscon.com)
Version: 7.3.8
File size: 2.699 MB
rsyslog 7.3.8 (v7-devel) released
We have just released v 7.3.8 of the rsyslog development branch. The new version supports specifying IPv4/v6 only for imrelp. Other than that, it is a bug-fixing release.
ChangeLog:
http://www.rsyslog.com/changelog-for-7-3-8-v7-devel/
Download:
http://www.rsyslog.com/rsyslog-7-3-7-v8-devel/
As always, feedback is appreciated.
Best regards,
Tim Eifler
librelp 1.0.2
librelp 1.0.2: added capability to support only IPv4/v6 instead of both
sha256 hash: d8ef77cb00f7d4db9ff96157242b3e4fb0eb0d68d7e846fcf12dc5fed92e4d4a
rsyslog 7.3.7 (v7-devel) released
We have just released v 7.3.7 of the rsyslog development branch. This release offers some important new features, most importantly a plugin to anonymize IPv4 addresses and a plugin to write to the systemd journal. Also, the field() RainerScript function has been upgraded to support multi-character field delimiters. There is also a number of bug fixes present.
ChangeLog:
http://www.rsyslog.com/changelog-for-7-3-7-v7-devel/
Download:
http://www.rsyslog.com/rsyslog-7-3-7-v7-devel/
As always, feedback is appreciated.
Best regards,
Florian Riedl
rsyslog 7.3.7 (v7-devel)
Download file name: rsyslog 7.3.7 (devel)
sha256 hash: 922e619b1666da42c20ec723aa93fd7c29d4a3854234275a6031ac6e5c308d2b
Author: Rainer Gerhards (rgerhards@adiscon.com)
Version: 7.3.7
File size: 2.742 MB
Changelog for 7.3.7 (v7-devel)
Version 7.3.7 [devel] 2013-03-12
- add support for anonymizing IPv4 addresses
- add support for writing to the Linux Journal (omjournal)
- imuxsock: add capability to ignore messages from ourselves
  This helps prevent message routing loops, and is vital to have if omjournal is used together with traditional syslog.
- field() function now supports a string as field delimiter
- added ability to configure debug system via rsyslog.conf
- bugfix: imuxsock segfault when system log socket was used
- bugfix: mmjsonparse segfault if new-style config was used
- bugfix: script == comparison did not work properly on JSON objects
- bugfix: field() function never returned “***FIELD NOT FOUND***”;
  instead it returned “***ERROR in field() FUNCTION***” in that case