Red Hat Bugzilla – Attachment 825574 Details for Bug 1030040: Ads and 3rd party tracking in TLS section of rsyslog documentation
[patch] proposed patch: rsyslog-5.8.10-bz1030040.patch (text/plain), 9.23 KB, created by Marcel Kolaja on 2013-11-18 12:19:25 UTC
>diff -up rsyslog-5.8.10/doc/rsyslog_secure_tls.html.bz1030040 rsyslog-5.8.10/doc/rsyslog_secure_tls.html >--- rsyslog-5.8.10/doc/rsyslog_secure_tls.html.bz1030040 2013-11-18 11:45:19.380141382 +0100 >+++ rsyslog-5.8.10/doc/rsyslog_secure_tls.html 2013-11-18 12:11:18.592390353 +0100 >@@ -38,19 +38,6 @@ below. Do not blame us if it doesn't pro > </ul> > <p>Our secrity goals are achived via public/private key security. As such, it is > vital that private keys are well protected and not accessible to third parties. >-<span style="float: left"> >-<script type="text/javascript"><!-- >-google_ad_client = "pub-3204610807458280"; >-/* rsyslog doc inline */ >-google_ad_slot = "5958614527"; >-google_ad_width = 125; >-google_ad_height = 125; >-//--> >-</script> >-<script type="text/javascript" >-src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> >-</script> >-</span> > If private keys have become known to third parties, the system does not provide > any security at all. Also, our solution bases on X.509 certificates and a (very > limited) chain of trust. We have one instance (the CA) that issues all machine >diff -up rsyslog-5.8.10/doc/tls_cert_ca.html.bz1030040 rsyslog-5.8.10/doc/tls_cert_ca.html >--- rsyslog-5.8.10/doc/tls_cert_ca.html.bz1030040 2013-11-18 12:18:16.944170412 +0100 >+++ rsyslog-5.8.10/doc/tls_cert_ca.html 2013-11-18 12:18:37.062399700 +0100 
>@@ -23,19 +23,6 @@ Gerhards</a> (2008-06-17)</i></small></p > maintained by a trustworthy person (or group) and approves the indentities of > all machines. It does so by issuing their certificates. In a small setup, the > administrator can provide the CA function. What is important is the the CA's >-<span style="float: left"> >-<script type="text/javascript"><!-- >-google_ad_client = "pub-3204610807458280"; >-/* rsyslog doc inline */ >-google_ad_slot = "5958614527"; >-google_ad_width = 125; >-google_ad_height = 125; >-//--> >-</script> >-<script type="text/javascript" >-src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> >-</script> >-</span> > private key is well-protocted and machine certificates are only issued if it is > know they are valid (in a single-admin case that means the admin should not > issue certificates to anyone else except himself).</p> >diff -up rsyslog-5.8.10/doc/tls_cert_client.html.bz1030040 rsyslog-5.8.10/doc/tls_cert_client.html >--- rsyslog-5.8.10/doc/tls_cert_client.html.bz1030040 2013-11-18 12:20:39.409800052 +0100 >+++ rsyslog-5.8.10/doc/tls_cert_client.html 2013-11-18 12:20:48.567901435 +0100 
>@@ -25,19 +25,6 @@ example, that meanst turng.example.net). > talks to it only if it is the expected server. This is a very important step. > Without it, you would not detect man-in-the-middle attacks or simple malicious servers > who try to get hold of your valuable log data. >-<span style="float: left"> >-<script type="text/javascript"><!-- >-google_ad_client = "pub-3204610807458280"; >-/* rsyslog doc inline */ >-google_ad_slot = "5958614527"; >-google_ad_width = 125; >-google_ad_height = 125; >-//--> >-</script> >-<script type="text/javascript" >-src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> >-</script> >-</span> > <p><center><img src="tls_cert_100.jpg"></center> > <p>Steps to do: > <ul> >diff -up rsyslog-5.8.10/doc/tls_cert_errmsgs.html.bz1030040 rsyslog-5.8.10/doc/tls_cert_errmsgs.html >--- rsyslog-5.8.10/doc/tls_cert_errmsgs.html.bz1030040 2013-11-18 12:17:33.288660360 +0100 >+++ rsyslog-5.8.10/doc/tls_cert_errmsgs.html 2013-11-18 12:17:52.603891462 +0100 
>@@ -21,19 +21,6 @@ Gerhards</a> (2008-06-17)</i></small></p > > <h3>Error Messages</h3> > <p>This page covers error message you may see when setting up >-<span style="float: left"> >-<script type="text/javascript"><!-- >-google_ad_client = "pub-3204610807458280"; >-/* rsyslog doc inline */ >-google_ad_slot = "5958614527"; >-google_ad_width = 125; >-google_ad_height = 125; >-//--> >-</script> >-<script type="text/javascript" >-src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> >-</script> >-</span> > <a href="http://www.rsyslog.com">rsyslog</a> with TLS. Please note that many > of the message stem back to the TLS library being used. In those cases, there is > not always a good explanation available in rsyslog alone. >diff -up rsyslog-5.8.10/doc/tls_cert_machine.html.bz1030040 rsyslog-5.8.10/doc/tls_cert_machine.html >--- rsyslog-5.8.10/doc/tls_cert_machine.html.bz1030040 2013-11-18 12:18:57.030628130 +0100 >+++ rsyslog-5.8.10/doc/tls_cert_machine.html 2013-11-18 12:19:06.865736615 +0100 
>@@ -22,19 +22,6 @@ Gerhards</a> (2008-06-18)</i></small></p > <p>In this step, we generate certificates for each of the machines. Please note > that both clients and servers need certificates. The certificate identifies each > machine to the remote peer. The DNSName specified inside the certificate can >-<span style="float: left"> >-<script type="text/javascript"><!-- >-google_ad_client = "pub-3204610807458280"; >-/* rsyslog doc inline */ >-google_ad_slot = "5958614527"; >-google_ad_width = 125; >-google_ad_height = 125; >-//--> >-</script> >-<script type="text/javascript" >-src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> >-</script> >-</span> > be specified inside the $<object>PermittedPeer config statements. > <p>For now, we assume that a single person (or group) is responsible for the whole > rsyslog system and thus it is OK if that single person is in posession of all >diff -up rsyslog-5.8.10/doc/tls_cert_scenario.html.bz1030040 rsyslog-5.8.10/doc/tls_cert_scenario.html >--- rsyslog-5.8.10/doc/tls_cert_scenario.html.bz1030040 2013-11-18 12:19:26.256970700 +0100 >+++ rsyslog-5.8.10/doc/tls_cert_scenario.html 2013-11-18 12:19:34.988057091 +0100 
>@@ -21,19 +21,6 @@ Gerhards</a> (2008-06-17)</i></small></p > > <h3>Sample Scenario</h3> > <p>We have a quite simple scenario. There is one central syslog server, >-<span style="float: left"> >-<script type="text/javascript"><!-- >-google_ad_client = "pub-3204610807458280"; >-/* rsyslog doc inline */ >-google_ad_slot = "5958614527"; >-google_ad_width = 125; >-google_ad_height = 125; >-//--> >-</script> >-<script type="text/javascript" >-src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> >-</script> >-</span> > named central.example.net. These server is being reported to by two Linux > machines with name zuse.example.net and turing.example.net. Also, there is a > third client - ada.example.net - which send both its own messages to the central >diff -up rsyslog-5.8.10/doc/tls_cert_server.html.bz1030040 rsyslog-5.8.10/doc/tls_cert_server.html >--- rsyslog-5.8.10/doc/tls_cert_server.html.bz1030040 2013-11-18 12:19:56.949316731 +0100 >+++ rsyslog-5.8.10/doc/tls_cert_server.html 2013-11-18 12:20:15.790528814 +0100 
>@@ -23,19 +23,6 @@ Gerhards</a> (2008-06-18)</i></small></p > via TLS protected plain tcp based syslog from those peers that are explicitely permitted > to send to it. The picture below show our configuration. This step configures > the server central.example.net. >-<span style="float: left"> >-<script type="text/javascript"><!-- >-google_ad_client = "pub-3204610807458280"; >-/* rsyslog doc inline */ >-google_ad_slot = "5958614527"; >-google_ad_width = 125; >-google_ad_height = 125; >-//--> >-</script> >-<script type="text/javascript" >-src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> >-</script> >-</span> > <p><center><img src="tls_cert_100.jpg"></center> > <p><i><font color="red"><b>Important:</b> Keep in mind that the order of configuration directives > is very important in rsyslog. As such, the samples given below do only work if the given >diff -up rsyslog-5.8.10/doc/tls_cert_summary.html.bz1030040 rsyslog-5.8.10/doc/tls_cert_summary.html >--- rsyslog-5.8.10/doc/tls_cert_summary.html.bz1030040 2013-11-18 12:21:47.443586511 +0100 >+++ rsyslog-5.8.10/doc/tls_cert_summary.html 2013-11-18 12:22:08.828818297 +0100 
>@@ -20,19 +20,6 @@ Gerhards</a> (2008-07-03)</i></small></p > > <h3>Summary</h3> > <p>If you followed the steps outlined in this documentation set, you now have >-<span style="float: left"> >-<script type="text/javascript"><!-- >-google_ad_client = "pub-3204610807458280"; >-/* rsyslog doc inline */ >-google_ad_slot = "5958614527"; >-google_ad_width = 125; >-google_ad_height = 125; >-//--> >-</script> >-<script type="text/javascript" >-src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> >-</script> >-</span> > a reasonable (for most needs) secure setup for the following environment: > <center><img src="tls_cert_100.jpg"></center> > <p>You have learned about the security decisions involved and which we >diff -up rsyslog-5.8.10/doc/tls_cert_udp_relay.html.bz1030040 rsyslog-5.8.10/doc/tls_cert_udp_relay.html >--- rsyslog-5.8.10/doc/tls_cert_udp_relay.html.bz1030040 2013-11-18 12:21:07.575122453 +0100 >+++ rsyslog-5.8.10/doc/tls_cert_udp_relay.html 2013-11-18 12:21:29.794374794 +0100 >@@ -26,19 +26,6 @@ directly to it, because we would like to > logs. If the router and the syslog relay are on a sufficiently secure private > network, this setup can be considered reasonable secure. In any case, it is the > best alternative among the possible configuration scenarios. >-<span style="float: left"> >-<script type="text/javascript"><!-- >-google_ad_client = "pub-3204610807458280"; >-/* rsyslog doc inline */ >-google_ad_slot = "5958614527"; >-google_ad_width = 125; >-google_ad_height = 125; >-//--> >-</script> >-<script type="text/javascript" >-src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> >-</script> >-</span> > <p><center><img src="tls_cert_100.jpg"></center> > <p>Steps to do: > <ul>
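Review bot: the patch opens directly with the diff -up line for doc/rsyslog_secure_tls.html and carries no description header, so the reason for the removal lives only in the bug. A short header that names bug 1030040 and says the deleted block loaded show_ads.js from pagead2.googlesyndication.com over plain http from inside the doc/ pages would let the patch stand on its own.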
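Review bot: all nine hunks delete the same 13-line span/script block, and only from rsyslog_secure_tls.html and the tls_cert_*.html pages; nothing in the patch shows that the remaining files under doc/ were checked for the same include. Searching doc/ for googlesyndication and show_ads.js, then either extending the patch or stating in its description that these nine files were the only occurrences, would close that gap.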