Add support for setting secure_mode=[0,1,2] in .conf file
Logic for secure mode setting in .conf file: the command line always wins, and SIGHUP activates changes. Note: if -s is given on the command line it always wins, regardless. Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
parent
577d20b8da
commit
075815eeb8
@ -68,6 +68,11 @@ OPTION := [OPTION,]
|
||||
|= RFC3164
|
||||
|= RFC5424
|
||||
|= rotate=SIZE:COUNT
|
||||
|
||||
secure_mode [0,1,2]
|
||||
|
||||
include /etc/syslog.d/*.conf
|
||||
notify /path/to/script-on-rotate
|
||||
.Ed
|
||||
.Pp
|
||||
The
|
||||
@ -105,9 +110,34 @@ cron or a separate log rotate daemon.
|
||||
Comments, lines starting with a hash mark ('#'), and empty lines are
|
||||
ignored. If an error occurs during parsing the whole line is ignored.
|
||||
.Pp
|
||||
The special keyword
|
||||
.Em notify
|
||||
specifies the path to an executable program which will get called
|
||||
Additional options include
|
||||
.Ql secure_mode <0-2>
|
||||
which is the same as the
|
||||
.Nm syslogd Fl s
|
||||
commandline option.
|
||||
.Sy Note:
|
||||
command line option always wins, so you need to drop
|
||||
.Fl s
|
||||
from the command line to use this .conf file option instead.
|
||||
.Pp
|
||||
.Bl -tag -compact -width "01" -offset indent
|
||||
.It 0
|
||||
act as a syslog sink, listening on UDP port 514 by default, as well as
|
||||
support for sending to remote syslog servers
|
||||
.It 1
|
||||
only support for sending to remote syslog servers, no Internet ports
|
||||
open
|
||||
.It 2
|
||||
no Internet ports open at all, and no remote logging possible
|
||||
.El
|
||||
.Bd -literal -offset indent
|
||||
# Example: only allow logging to remote servers
|
||||
secure_mode 1
|
||||
.Ed
|
||||
.Pp
|
||||
The
|
||||
.Ql notify <PATH>
|
||||
option specifies the path to an executable program which will get called
|
||||
whenever a log file has been rotated, with the name of the file, less
|
||||
its rotation suffix
|
||||
.Ql .0 ,
|
||||
@ -116,10 +146,10 @@ For example:
|
||||
.Ql notify /sbin/on-log-rotate.sh .
|
||||
Any number of notifiers may be installed.
|
||||
.Pp
|
||||
A special
|
||||
.Em include
|
||||
keyword can be used to include all files with names ending in '.conf'
|
||||
and not beginning with a '.' contained in the directory following the
|
||||
The
|
||||
.Ql include <PATH/*.conf>
|
||||
option can be used to include all files with names ending in '.conf' and
|
||||
not beginning with a '.' contained in the directory following the
|
||||
keyword. This keyword can only be used in the first level configuration
|
||||
file. The included example
|
||||
.Pa /etc/syslog.conf
|
||||
|
@ -334,6 +334,21 @@ is 5.
|
||||
Operate in secure mode. Do not log messages from remote machines. If
|
||||
specified twice, no network socket will be opened at all, which also
|
||||
disables logging to remote machines.
|
||||
.Pp
|
||||
Secure mode can also be set in
|
||||
.Xr syslog.conf 5
|
||||
using the
|
||||
.Cm secure_mode
|
||||
config option. This is more flexible since you can change the option
|
||||
and simply send
|
||||
.Ar SIGHUP
|
||||
to activate the changes, instead of having to restart
|
||||
.Nm .
|
||||
.Pp
|
||||
.Sy Note:
|
||||
the command line option always wins, so it must be removed for
|
||||
.Nm
|
||||
to consider the .conf file option instead.
|
||||
.It Fl T
|
||||
Always use the local time and date for messages received from the network,
|
||||
instead of the timestamp field supplied in the message by the remote host.
|
||||
|
@ -96,6 +96,8 @@ static char sccsid[] __attribute__((unused)) =
|
||||
#include "timer.h"
|
||||
#include "compat.h"
|
||||
|
||||
#define SecureMode (secure_opt > 0 ? secure_opt : secure_mode)
|
||||
|
||||
char *CacheFile = _PATH_CACHE;
|
||||
char *ConfFile = _PATH_LOGCONF;
|
||||
char *PidFile = _PATH_LOGPID;
|
||||
@ -136,7 +138,8 @@ static int MarkInterval = 20 * 60; /* interval between marks in seconds */
|
||||
static int family = PF_UNSPEC; /* protocol family (IPv4, IPv6 or both) */
|
||||
static int mask_C1 = 1; /* mask characters from 0x80 - 0x9F */
|
||||
static int send_to_all; /* send message to all IPv4/IPv6 addresses */
|
||||
static int SecureMode; /* when true, receive only unix domain socks */
|
||||
static int secure_opt; /* sink for others, log to remote, or only unix domain socks */
|
||||
static int secure_mode; /* same as above but from syslog.conf, only if cmdline unset */
|
||||
|
||||
static int RemoteAddDate; /* Always set the date on remote messages */
|
||||
static int RemoteHostname; /* Log remote hostname from the message */
|
||||
@ -175,6 +178,7 @@ const struct cfkey {
|
||||
char **var;
|
||||
} cfkey[] = {
|
||||
{ "notify", NULL },
|
||||
{ "secure_mode", &secure_str },
|
||||
};
|
||||
|
||||
/* Function prototypes. */
|
||||
@ -478,7 +482,7 @@ int main(int argc, char *argv[])
|
||||
break;
|
||||
|
||||
case 's':
|
||||
SecureMode++;
|
||||
secure_opt++;
|
||||
break;
|
||||
|
||||
case 'T':
|
||||
@ -727,6 +731,9 @@ static void create_unix_socket(struct peer *pe)
|
||||
struct addrinfo ai;
|
||||
int sd = -1;
|
||||
|
||||
if (pe->pe_socknum)
|
||||
return; /* Already set up */
|
||||
|
||||
memset(&ai, 0, sizeof(ai));
|
||||
ai.ai_addr = (struct sockaddr *)&sun;
|
||||
ai.ai_addrlen = sizeof(sun);
|
||||
@ -2244,6 +2251,14 @@ static void forw_lookup(struct filed *f)
|
||||
int err, first;
|
||||
time_t diff;
|
||||
|
||||
if (SecureMode > 1) {
|
||||
if (f->f_un.f_forw.f_addr)
|
||||
freeaddrinfo(f->f_un.f_forw.f_addr);
|
||||
f->f_un.f_forw.f_addr = NULL;
|
||||
f->f_type = F_FORW_UNKN;
|
||||
return;
|
||||
}
|
||||
|
||||
/* Called from cfline() for initial lookup? */
|
||||
first = f->f_type == F_UNUSED ? 1 : 0;
|
||||
|
||||
@ -2525,10 +2540,10 @@ static void boot_time_init(void)
|
||||
*/
|
||||
static void init(void)
|
||||
{
|
||||
static int once = 1;
|
||||
struct notifiers newn = SIMPLEQ_HEAD_INITIALIZER(newn);
|
||||
struct filed *f;
|
||||
struct files newf = SIMPLEQ_HEAD_INITIALIZER(newf);
|
||||
struct filed *f;
|
||||
struct peer *pe;
|
||||
FILE *fp;
|
||||
char *p;
|
||||
|
||||
@ -2574,23 +2589,6 @@ static void init(void)
|
||||
*p = tolower(*p);
|
||||
}
|
||||
|
||||
/*
|
||||
* Open sockets for local and remote communication
|
||||
*/
|
||||
if (once) {
|
||||
struct peer *pe;
|
||||
|
||||
/* Only once at startup */
|
||||
once = 0;
|
||||
|
||||
SIMPLEQ_FOREACH(pe, &pqueue, pe_link) {
|
||||
if (pe->pe_name && pe->pe_name[0] == '/')
|
||||
create_unix_socket(pe);
|
||||
else if (SecureMode < 2)
|
||||
create_inet_socket(pe);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Load / reload timezone data (in case it changed)
|
||||
*/
|
||||
@ -2630,6 +2628,21 @@ static void init(void)
|
||||
|
||||
nothead = newn;
|
||||
|
||||
/*
|
||||
* Open or close sockets for local and remote communication
|
||||
*/
|
||||
SIMPLEQ_FOREACH(pe, &pqueue, pe_link) {
|
||||
if (pe->pe_name && pe->pe_name[0] == '/') {
|
||||
create_unix_socket(pe);
|
||||
} else {
|
||||
for (size_t i = 0; i < pe->pe_socknum; i++)
|
||||
socket_close(pe->pe_sock[i]);
|
||||
|
||||
if (SecureMode < 2)
|
||||
create_inet_socket(pe);
|
||||
}
|
||||
}
|
||||
|
||||
Initialized = 1;
|
||||
|
||||
if (Debug) {
|
||||
@ -2771,7 +2784,7 @@ static struct filed *cfline(char *line)
|
||||
int syncfile, pri;
|
||||
int i, i2;
|
||||
|
||||
logit("cfline(%s)\n", line);
|
||||
logit("cfline[%s]\n", line);
|
||||
|
||||
f = calloc(1, sizeof(*f));
|
||||
if (!f) {
|
||||
@ -3033,7 +3046,7 @@ const struct cfkey *cfkey_match(char *cline)
|
||||
p++;
|
||||
|
||||
if (cfk->var)
|
||||
*cfk->var = strdupa(p);
|
||||
*cfk->var = strdup(p);
|
||||
else
|
||||
memmove(cline, p, strlen(p) + 1);
|
||||
|
||||
@ -3133,6 +3146,19 @@ static int cfparse(FILE *fp, struct files *newf, struct notifiers *newn)
|
||||
SIMPLEQ_INSERT_TAIL(newf, f, f_link);
|
||||
}
|
||||
|
||||
if (secure_str) {
|
||||
int val;
|
||||
|
||||
val = atoi(secure_str);
|
||||
if (val < 0 || val > 2)
|
||||
logit("Invalid value to secure_mode = %s\n", secure_str);
|
||||
else
|
||||
secure_mode = val;
|
||||
|
||||
free(secure_str);
|
||||
secure_str = NULL;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
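Review bot: The `atoi(secure_str)` in the new cfparse() block turns any non-numeric value (`secure_mode yes`, a typo, trailing garbage) into 0, which passes the `val < 0 || val > 2` check and silently selects the least restrictive mode, reopening the Internet ports on the next SIGHUP; parse with strtol() and reject the value unless the whole string was consumed, as in the excerpt below. Since logit() appears to be debug-only output (cf. the `if (Debug)` guard in init()), a rejected value would likely go unnoticed in normal operation, so it is worth reporting through whatever error-logging path the daemon uses for bad config lines. Relatedly, the `*cfk->var = strdup(p);` in cfkey_match() neither checks for a NULL return nor frees a previous value, so a repeated `secure_mode` line leaks the earlier string; and nothing visible resets secure_mode when the option is removed from the file, so the old value appears to persist across reloads unless cfparse() or init() clears it outside these hunks. cfparse() begins outside the hunk.
```c
	if (secure_str) {
		char *end;
		long val;

		/* Reject anything that is not exactly one integer in 0..2 */
		val = strtol(secure_str, &end, 10);
		if (end == secure_str || *end != '\0' || val < 0 || val > 2)
			logit("Invalid value to secure_mode = %s\n", secure_str);
		else
			secure_mode = (int)val;

		/* … unchanged: free(secure_str); secure_str = NULL; … */
	}
```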
|
||||
|
||||
|