F. Secure logging over TLS using DNS/hostnames
In this configuration there is a two-way TLS handshake: the client validates the loghost's certificate and the loghost validates the client's certificate. This prevents rogue clients from writing to the loghost.
1. Create certificates for the client and move them to the client:
Now, let's create a certificate for the client primo.example.local. (This is done on loghost although any OpenBSD host could be used.) First, the key:
doas openssl genrsa -out /etc/ssl/private/primo.example.local.key 2048
Now, the csr:
doas openssl req -new -sha256 \
-key /etc/ssl/private/primo.example.local.key \
-subj "/C=US/ST=FL/O=example.local/CN=primo.example.local" \
-out /etc/ssl/primo.example.local.csr
Now sign the csr with the local CA certificate:
doas openssl x509 -req -in /etc/ssl/primo.example.local.csr \
-CA /etc/ssl/example.local.CA.crt -CAkey /etc/ssl/private/example.local.CA.key \
-CAcreateserial -out /etc/ssl/primo.example.local.crt -days 365 -sha256
Check the contents of the certificate:
doas openssl x509 -in /etc/ssl/primo.example.local.crt -text -noout
Now move the client crt and key to the client.
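Before copying the certificate and key to the client it is worth confirming that what you are about to deploy will actually pass the mutual-TLS checks syslogd performs: the certificate must chain to the CA given to -K on the loghost, the key given to -k must belong to the certificate given to -c, and the CN must be the client hostname. The script below is an added example, not part of the original post; it assumes only that the openssl binary is on PATH. The check_client_cert function is the reusable part; make_test_pki and demo_check build a throwaway CA and client certificate with the same commands the post uses, so the example runs without touching /etc/ssl.

```shell
#!/bin/sh
# Pre-deployment checks for a syslogd client certificate (added example).
# Usage: check_client_cert CAFILE CERTFILE KEYFILE HOSTNAME

check_client_cert() {
    ca=$1; crt=$2; key=$3; host=$4

    # 1. The certificate must verify against the CA file the loghost passes to -K
    #    (and the client passes to -C). A cert from any other issuer is rejected.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || {
        echo "FAIL: $crt does not chain to $ca" >&2; return 1; }

    # 2. The public key inside the certificate (-c) must match the private key (-k).
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $key does not match $crt" >&2; return 1; }

    # 3. The subject CN must be the client's hostname. The regex tolerates both
    #    "CN=host" (LibreSSL) and "CN = host" (OpenSSL 3) subject formats.
    openssl x509 -in "$crt" -noout -subject 2>/dev/null | grep -q "CN *= *$host" || {
        echo "FAIL: subject CN of $crt is not $host" >&2; return 1; }

    # 4. The certificate must be within its validity period right now.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "FAIL: $crt is expired" >&2; return 1; }

    echo "OK: $crt is ready to deploy to $host"
    return 0
}

# Throwaway CA plus client certificate, constructed only for this example.
# The commands mirror the post's procedure (genrsa, req, x509 -req).
make_test_pki() {
    dir=$1
    openssl genrsa -out "$dir/ca.key" 2048 >/dev/null 2>&1
    openssl req -new -x509 -sha256 -key "$dir/ca.key" -days 1 \
        -subj "/C=US/ST=FL/O=example.local/CN=example.local CA" \
        -out "$dir/ca.crt" 2>/dev/null
    openssl genrsa -out "$dir/primo.key" 2048 >/dev/null 2>&1
    openssl req -new -sha256 -key "$dir/primo.key" \
        -subj "/C=US/ST=FL/O=example.local/CN=primo.example.local" \
        -out "$dir/primo.csr" 2>/dev/null
    openssl x509 -req -in "$dir/primo.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/primo.crt" -days 1 -sha256 >/dev/null 2>&1
}

# Build the throwaway PKI, run the checks for HOSTNAME (default primo.example.local)
# and return 0 if deployable, 1 otherwise.
demo_check() {
    expect_host=${1:-primo.example.local}
    dir=$(mktemp -d)
    make_test_pki "$dir"
    if check_client_cert "$dir/ca.crt" "$dir/primo.crt" "$dir/primo.key" "$expect_host"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

demo_check
```

On a real host you would call check_client_cert with the paths from the post (/etc/ssl/example.local.CA.crt, /etc/ssl/primo.example.local.crt, /etc/ssl/private/primo.example.local.key, primo.example.local) and only copy the files to the client when it prints OK.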
2. Configure loghost
a. No changes to /etc/syslog.conf
...
# Write logs coming from host primo to a separate file.
++primo.example.local
*.* /var/log/primo/example.log
+*
#
...
b. Add flags to syslogd and restart:
Flags used are:
-a (as above),
-S (as above),
and -K (-K CAfile: PEM encoded file containing CA certificates used for client certificate validation on the local listen socket. By default incoming connections from any TLS client are allowed.)
doas rcctl set syslog flags "-a primo.example.local:* -S secundum.example.local \
-K /etc/ssl/example.local.CA.crt"
doas rcctl restart syslogd
c. Edit pf.conf:
No changes are necessary:
# Pass in log from selected network hosts
pass in log (all, to pflog0) on $ext_if inet from ip.addr.of.client to $ext_if port 6514
Check config and reload pf:
doas pfctl -nf /etc/pf.conf
doas pfctl -f /etc/pf.conf
d. Testing:
Check if there is a port and socket listening:
netstat -an | grep 6514
netstat -a | grep secundum
netstat -a | grep primo
3. Configure client:
a. Move the copy of the client certificate and key from the loghost (or whatever machine they were created on) to the client. Check that primo.example.local.crt is in /etc/ssl and primo.example.local.key is in /etc/ssl/private, and that ownership is root:wheel and mode is 644.
b. No changes to /etc/syslog.conf:
...
# Divert messages to /var/log/example.log
*.* @tls4://secundum.example.local
#
...
c. Restart syslogd:
Set syslogd flags. Flags used are:
-C (as above),
-c (-c cert_file: PEM encoded file containing the client certificate for TLS connections to a remote loghost. The default is not to use a client certificate for the outgoing connection to a syslog server. This option has to be used together with -k key_file),
and -k (-k key_file: PEM encoded file containing the client private key for TLS connections to a remote loghost. This option has to be used together with -c cert_file).
doas rcctl set syslog flags "-C /etc/ssl/example.local.CA.crt \
-c /etc/ssl/primo.example.local.crt -k /etc/ssl/private/primo.example.local.key"
doas rcctl restart syslogd
d. Edit pf.conf: No changes.
...
# Pass out logs to loghost
pass out log (all, to pflog0) on $ext_if inet from $ext_if to $loghost port 6514
...
Check config and reload pf:
doas pfctl -nf /etc/pf.conf
doas pfctl -f /etc/pf.conf
e. Testing:
Check for errors in /var/log/messages.
Check pflog to see if there are packets outbound:
doas tcpdump -n -e -ttt -r /var/log/pflog
Now go back to the loghost and check for packets going in, then check for proper receipt by loghost.
tail -f /var/log/primo/example.log
Posted by Gordon, No Hair Github Pages, March 10, 2022
©the author
For comments, corrections, and addenda, email: sudogeek[AT]gmail.com