logvm(s) #830
Comments
marmarek
added
T: enhancement
marmarek
added
the
release notes
|
This is EXCELLENT. Plus, with journald log replication, it should be trivial to do. Care must be taken that the files received by the logvm do not compromise the logvm upon using journalctl to read those logs. |
andrewdavidwong
added
the
help wanted
|
@Rudd-O: Would you be interested in taking this on? |
|
I wish I could, but I am extremely busy. Is this intended to send/receive arbitrary logs, or specific structured logs like systemd ones? systemd has a good protocol for incremental send and receive of logs, and it is quite possible that it can be adapted to this use case with a minimal shim. What's the idea w.r.t. who initiates the copy? Is it the logvm that extracts logs from other machines? Or is it the VM producing the log entries which sends it to the logvm? |
I think it's fair assumption to have systemd (or generally syslog-like) logs. But this shouldn't use any complex protocol, to not expose too much code for attacks. It looks like a simple "one log message per line" should be enough.
Logically VM producing the logs should send them to logvm. After all it know when there is anything for sending, so no need for polling. Maybe even send logs to logvm instead of writing them to |
|
On 06/12/2016 06:09 PM, Marek Marczykowski-Górecki wrote:
You would lose a LOT of useful and certified metadata if you only Look into how it works.
Send instead of write sounds like a sensible thing. It sounds like what you want is a systemd-journald log forwarder on each |
Yes, something like this. But the priority is to not allow such logvm being compromised with some mis-formatted message. If that requirement means dropping some metadata, so be it. |
|
On 06/12/2016 06:31 PM, Marek Marczykowski-Górecki wrote:
This is why the receiving code in the systemd log forwarder needs to be If you reuse the log forwarder system, you also get forward secure |
|
So one option would be redirect journald using a version of systemd-journal-remote with vchan connections but it could be security problem due complex protocol and potentially a VM could compromise it. Another option I see, doing a very simple logVM wich just receives messages and save thems, is using an unikernel for it. It could dump the received lines in xen console so you can easily see all logs events in realtime and save them in files (separed by VM, dates, ...), if you need more detailed analysis of logs you could then bypass them (maybe with readonly access) to guiVM, dom0 or another trusted VM. |
|
I like the unikernel idea to save RAM in the VM that receives logs, but then querying the log would be tricky. I'd very much like to aggregate logs from several Qubes servers as well.
|
|
Yes the idea is querying the log with another trusted VM which direct access to log files, it will not be as powerful as journald but the unikernel logic would be remain very minimal. By Qubes servers do you mean like AppVM's? |
|
Another option could be using the unikernel for saving raw json output from journald without parsing it. Maybe with a very basic parsing logic so it could dump something readable in the console. Then, if you want a detailed log analysys, you create a offline disposableVM which loads the desired logs from the read-only data (or a copy of it) in logVM. This way the only vulnerable part is the disposableVM, if later appears some bug in journald you could load the unmodified original logs with a patched version. If some VM tried to exploit this bug you could detect it later. |
|
See also related discussion from last year here |
Without the metadata, the logs would be FAR less useful to me. I use |
|
Update: The export format used is extremely simple and should be very easy to validate. There is a bunch of complicated indexing logic, but the indexes are not included in the exports, so we do not need to validate them. They will be regenerated by the receiving To compromise the LogVM, an attacker would need to either find a vulnerability in parsing the incoming log stream, find a vulnerability in the indexing process, or find a way to cause We do need to prevent spoofing and injection attacks: one qube must not be able to inject logs that claim to be from another qube. That can be done by either overriding the |
|
It is fairly simple to implement this via e.g. I'd recommend using |
|
Prove it please. A random search shows me 19 CVEs since 2005 most of which would have been irrelevant for the setup I proposed. |
rsyslog is a large project with a lot of C code, and we would prefer to use something simpler by default. Users should be able to install rsyslog if they want more functionality. |
|
On Thu, Jul 08, 2021 at 12:44:57PM -0700, Demi Marie Obenour wrote:
> > `rsyslog` has a history of vulnerabilities, so something simpler is to be preferred.
>
> Prove it please.
>
> A [random search](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rsyslog) shows me 19 CVEs since 2005 most of which would have been irrelevant for the setup I proposed.
> Moreover paranoid users could simply not install a logvm (it's not needed by most users anyway).
rsyslog is a large project with a lot of C code, and we would prefer to use something simpler by default. Users should be able to install rsyslog if they want more functionality.
We've had this discussion at #5722 - rsyslog is installed by default in
a standard Debian install.
I doubt that systemd is substantially simpler than rsyslog.
|
systemd as a whole, no, but I suspect that systemd-journald is. |
Well, and I think the same about the relatively small part of |
Is it possible to preserve structured logging metadata this way? systemd-journald can. |
|
On Fri, Jul 09, 2021 at 06:11:55AM -0700, Demi Marie Obenour wrote:
> > > I doubt that systemd is substantially simpler than rsyslog.
> >
> >
> > systemd as a whole, no, but I suspect that systemd-journald is.
>
> Well, and I think the same about the relatively small part of `rsyslog` that would be used in the target `logvm`. Reading log data from stdin and writing to a Unix socket (`logger`) and reading from a Unix socket and writing to a file (`rsyslog`) should not be too complex. I don't care about the sending part as that would be the attacker VM anyway.
Is it possible to preserve structured logging metadata this way? systemd-journald can.
Of course.
But seems there's a fair bit of mission creep going on here, blocking a 7
year old problem.
|
The important part while doing so, is to clearly mark which log line comes from where. VM should not be able to spoof the log origin, and probably timestamp too. |
Should we try to get a patch to upstream |
|
I would strongly recommend against using Use the journal's export format, and import it, perhaps adding an attribute |
|
On 10/26/21 1:24 PM, Rudd-O wrote:
I would strongly recommend against using `rsyslog` for any of this. `rsyslog` logs are text, rather than structured. They are much lower fidelity -- we will lose important data when transferring data this way. This suggestion I oppose would also impose a requirement that we run yet another daemon which is neither default nor required to run Fedora or Debian these days.
The PR doesn't impose any restrictions on the data sent or with what software it is sent or received, but implements the method of transport.
`rsyslog` is just an example for the sender side. If you find some journal config more suitable for you, use that. If you wish to write your own tool, do that.
Also experience shows that the data you mention is not so important after all.
Use the journal's export format, and import it, perhaps adding an attribute `_SOURCE_VM` or something if really necessary (I think it won't be). The journal has utilities to ingest said logs, index said logs, and query said logs, which vastly outstrip what `rsyslog` offers.
The last statement is mostly wrong. The journal doesn't do log sending/receiving/parsing/modifying as its main job. `rsyslog` does and is the standard utility for that purpose for the last ~15 years. The journal job is mostly storing and indexing for local viewing. There are some tools like `systemd-journal-remote` for very special log forwarding (i.e. journal logs only), but nothing general-purpose (aka any kind of log).
|
|
You yourself admit that there's |
|
On 10/26/21 11:44 PM, Rudd-O wrote:
You yourself admit that there's `systemd-journal-remote`. This is what should be used. `rsyslog` is nice if your log server permissibly receives arbitrary unstructured junk on an UDP port. For structured logging, `systemd-journal-remote` is the right design choice.
Then use it. It should already work via `journalctl -f -o export | qrexec-client-vm [logvm] qubes.ConnectTCP [port]` with `[port]` being a listener for a `systemd-journal-remote` instance inside `[logvm]` since ~2019 or so, not sure why people are still complaining it's not there. Probably they were too lazy to look or the log content was not so important after all?
The `qubes.Syslog` PR supports _arbitrarily_ formatted single line logs (you called it "unstructured junk") even from sources that don't run systemd (such as Windows systems, Unixes, ...). Only the target system needs to be _some_ Linux (with or without systemd), Unix might work as well (assuming qrexec runs without systemd and on Unix).
To stick with the systemd example, it would e.g. be `journalctl -f -o json | qrexec-client-vm [logvm] qubes.Syslog`.
So in total all systemd fans should be happy with what already exists and the others might put the PR to use in the rare case when it's needed. Decentralized logs still have the best security features IMHO.
|
Reported by joanna on 25 Apr 2014 16:41 UTC
A VM to collect logs from other VMs via qrexec service. Allow tools to easy copy logs to other VMs, as well as do log processing (logs are untrusted, but the logvm should be considered not-sensitive).
Potentially allow more than one logvm for paranoid configurations, cofigurable via qrexec policy.
Migrated-From: https://wiki.qubes-os.org/ticket/830
The text was updated successfully, but these errors were encountered: