If you simply configure rsyslog log forwarding, the log packets travel to the server in cleartext, so anyone who can capture packets on the path can read every message. To prevent that, the forwarding has to be configured to run over TLS.
This post sets up the rsyslog server on CentOS 7.
1. Rsyslog server-side configuration
Installing the prerequisite packages
First, run the following command to install the packages needed for encryption. rsyslog-gnutls provides the gtls network stream driver used below, and gnutls-utils provides the certtool command used to create the certificates.
yum install -y gnutls-utils rsyslog-gnutls openssl
Creating the CA certificate
After installing the packages, create the CA key and a self-signed CA certificate. certtool prompts interactively for each field. Two points to get right at the prompts, which the transcript below does not: answer y to "Will the certificate be used to sign other certificates?" so that the CA gets the certificate-signing key usage (the transcript left it at the default, and the resulting Key Usage shows only "Digital signature" and "Key encipherment"), and answer N to the TLS client, TLS server and IPsec IKE prompts, which a CA certificate does not need. certtool's own note says to prefer --sec-param (for example --sec-param high) over --bits. The CA private key is only needed to sign certificates; keep it readable by root only, and do not leave it on the log server longer than necessary.
mkdir /etc/ssl/rsyslog
certtool --generate-privkey --outfile /etc/ssl/rsyslog/ca-key.pem --bits 2048
certtool --generate-self-signed --load-privkey /etc/ssl/rsyslog/ca-key.pem --outfile /etc/ssl/rsyslog/ca.pem
chmod 400 /etc/ssl/rsyslog/ca-key.pem
[root@BS-PUB-CENT7-02 ~]# mkdir /etc/ssl/rsyslog
[root@BS-PUB-CENT7-02 ~]# certtool --generate-privkey --outfile /etc/ssl/rsyslog/ca-key.pem --bits 2048
** Note: Please use the --sec-param instead of --bits
Generating a 2048 bit RSA private key...
[root@BS-PUB-CENT7-02 ~]# certtool --generate-self-signed --load-privkey /etc/ssl/rsyslog/ca-key.pem --outfile /etc/ssl/rsyslog/ca.pem
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Common name: BS-PUB-CENT7-02
UID:
Organizational unit name:
Organization name:
Locality name:
State or province name:
Country name (2 chars): JP
Enter the subject's domain component (DC):
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 6355015508154653019):
Activation/Expiration time.
The certificate will expire in (days): 3650
Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N): y
Will the certificate be used for IPsec IKE operations? (y/N): y
Is this a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
Will the certificate be used to sign other certificates? (y/N):
Will the certificate be used to sign CRLs? (y/N):
Will the certificate be used to sign code? (y/N):
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used for time stamping? (y/N):
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n):
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
Version: 3
Serial Number (hex): 58318cef31a8195b
Validity:
Not Before: Sun Nov 20 11:45:54 UTC 2016
Not After: Wed Nov 18 11:46:00 UTC 2026
Subject: CN=BS-PUB-CENT7-02,C=JP
Subject Public Key Algorithm: RSA
Algorithm Security Level: Medium (2048 bits)
Modulus (bits 2048):
00:a3:68:09:85:69:fb:ee:f5:37:9a:12:6f:9f:2b:08
80:76:c9:05:2d:7f:5e:c7:11:ce:94:63:39:aa:80:5e
cb:bd:18:fe:f9:31:99:28:bd:f6:8c:83:cd:68:88:36
af:c6:c3:df:62:aa:b2:d3:3c:bd:96:25:0b:33:7a:ad
b8:37:56:d0:5f:33:2c:cf:69:0b:64:02:11:1a:0e:a0
8e:d2:09:94:62:55:26:ed:a6:9d:ad:3d:a3:b1:08:8c
27:78:1d:94:25:25:f4:68:29:3b:36:3f:60:01:f2:93
f2:a1:74:55:24:f6:87:cd:58:ea:b3:dd:4d:6e:9e:8a
47:62:f0:37:e0:2f:46:f7:01:17:52:eb:35:c2:9c:5b
c5:eb:2c:11:d8:0a:b7:8b:51:ce:97:c6:f4:cd:60:71
3d:eb:71:03:ad:3b:71:15:b9:15:dd:8f:09:5e:f6:08
83:e7:e9:81:93:3b:e9:87:99:62:8a:22:89:23:22:c6
84:ac:eb:ca:d5:3b:48:1c:2b:b2:cf:0c:a2:8a:83:6d
fc:5f:56:1b:1c:31:51:f4:f1:9a:43:22:95:87:e7:b7
17:11:a4:cc:8c:b7:b2:82:6e:d8:0b:80:c4:8e:85:13
02:18:a4:fd:b9:24:48:87:c2:94:b6:a7:99:69:d6:f3
b3
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Key Purpose (not critical):
TLS WWW Client.
TLS WWW Server.
Ipsec IKE.
Key Usage (critical):
Digital signature.
Key encipherment.
Subject Key Identifier (not critical):
32c89642493ffd875807abf9d2b4fe1ece1bbb0c
Other Information:
Public Key ID:
32c89642493ffd875807abf9d2b4fe1ece1bbb0c
Public key's random art:
+--[ RSA 2048]----+
| . . |
| . o . o |
| o o . o . |
| . . + * o |
| . = * S . |
| o * o |
| . E o |
| o = + |
| .oXo |
+-----------------+
Is the above information ok? (y/N): y
Signing certificate...
Creating the server certificate
Next, create the log server's key and a certificate signed by the CA. Again, the prompts matter: answer N to "Does the certificate belong to an authority?" for an end-entity certificate (the transcript answered y, so the issued server certificate carries Basic Constraints CA:TRUE, which it should not), answer y to "Is this a TLS web server certificate?", and enter the server's hostname as the dnsName. When rsyslog's x509/name authentication is used, the permitted peer name is matched against the certificate's CN or dNSName, so the name here has to be the one the clients will be told to expect.
certtool --generate-privkey --outfile /etc/ssl/rsyslog/key.pem --bits 2048
certtool --generate-request --load-privkey /etc/ssl/rsyslog/key.pem --outfile /etc/ssl/rsyslog/request.pem
certtool --generate-certificate --load-request /etc/ssl/rsyslog/request.pem --outfile /etc/ssl/rsyslog/cert.pem --load-ca-certificate /etc/ssl/rsyslog/ca.pem --load-ca-privkey /etc/ssl/rsyslog/ca-key.pem
rm -f /etc/ssl/rsyslog/request.pem
[root@BS-PUB-CENT7-02 ~]# certtool --generate-privkey --outfile /etc/ssl/rsyslog/key.pem --bits 2048
** Note: Please use the --sec-param instead of --bits
Generating a 2048 bit RSA private key...
[root@BS-PUB-CENT7-02 ~]#
[root@BS-PUB-CENT7-02 ~]#
[root@BS-PUB-CENT7-02 ~]# certtool --generate-request --load-privkey /etc/ssl/rsyslog/key.pem --outfile /etc/ssl/rsyslog/request.pem
Generating a PKCS #10 certificate request...
Common name: BS-PUB-CENT7-02
Organizational unit name:
Organization name:
Locality name:
State or province name:
Country name (2 chars): JP
Enter the subject's domain component (DC):
UID:
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
Will the certificate be used to sign other certificates? (y/N):
Will the certificate be used to sign CRLs? (y/N):
Will the certificate be used to sign code? (y/N):
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used for time stamping? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web client certificate? (y/N):
Is this a TLS web server certificate? (y/N):
[root@BS-PUB-CENT7-02 ~]# certtool --generate-certificate --load-request /etc/ssl/rsyslog/request.pem --outfile /etc/ssl/rsyslog/cert.pem --load-ca-certificate /etc/ssl/rsyslog/ca.pem --load-ca-privkey /etc/ssl/rsyslog/ca-key.pem
Generating a signed certificate...
Enter the certificate's serial number in decimal (default: 6355021138327316579):
Activation/Expiration time.
The certificate will expire in (days): 3650
Extensions.
Do you want to honour the extensions from the request? (y/N): y
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N):
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N):
Will the certificate be used to sign CRLs? (y/N):
Will the certificate be used to sign code? (y/N):
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used for time stamping? (y/N):
X.509 Certificate Information:
Version: 3
Serial Number (hex): 5831920e12192863
Validity:
Not Before: Sun Nov 20 12:07:43 UTC 2016
Not After: Wed Nov 18 12:07:46 UTC 2026
Subject: CN=BS-PUB-CENT7-02,C=JP
Subject Public Key Algorithm: RSA
Algorithm Security Level: Medium (2048 bits)
Modulus (bits 2048):
00:ad:b1:a8:8d:84:27:20:bc:1e:84:4b:98:40:3b:b9
82:59:27:47:76:34:fe:4c:ab:28:70:00:fa:16:bc:81
90:7c:f6:65:8c:c7:00:fc:4c:48:b5:0d:d7:d8:5a:b3
5a:6d:06:71:d5:39:75:83:87:09:f9:45:7d:cf:52:d7
ba:76:29:30:2e:d1:cc:86:96:e6:c9:b2:c9:83:6f:52
25:4d:f0:c9:d6:ee:37:8f:2b:24:b1:1e:f0:85:c3:19
51:b4:d0:0b:84:9b:ee:b0:5a:21:6b:4c:79:ba:bd:48
f6:a2:da:82:9d:78:0e:dd:16:2e:7a:8f:33:cb:78:94
2e:78:50:ae:fd:81:d6:f5:c4:41:08:8f:6c:d0:fa:65
9b:d9:54:f3:98:76:f8:7a:12:64:c0:1d:3c:b1:fe:b5
7b:a7:69:6f:5a:59:44:5b:c5:8c:22:3a:95:60:b1:a8
8a:81:a9:39:b5:72:f3:d3:a0:dd:88:a7:94:59:70:c2
9f:92:23:cc:b6:ed:d6:ce:87:80:05:9e:4f:4c:c2:5f
12:0a:2a:8c:c1:24:cb:88:63:3f:2e:25:6c:68:7c:b0
ad:64:4c:2c:a5:df:ec:dd:ef:d3:f1:fe:d8:72:1e:3f
89:da:30:e5:27:35:be:47:f6:4d:9e:22:ee:5a:1d:87
41
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Key Usage (critical):
Digital signature.
Key encipherment.
Subject Key Identifier (not critical):
a6eb9027de41fa731929efcd7a324b9656de756b
Authority Key Identifier (not critical):
32c89642493ffd875807abf9d2b4fe1ece1bbb0c
Other Information:
Public Key ID:
a6eb9027de41fa731929efcd7a324b9656de756b
Public key's random art:
+--[ RSA 2048]----+
| |
| |
| |
| |
| . S.. . .|
| +.oo+ . . ..|
| = +o=o. . E |
| . *.**o. . |
| ..=++*o |
+-----------------+
Is the above information ok? (y/N): y
Signing certificate...
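The same CA and server certificate, generated non-interactively with certtool templates so that every extension is stated explicitly instead of answered at a prompt. This is an added example, not part of the original post: the directory and the hostname BS-PUB-CENT7-02 come from the post, while the template file names, the CA's CN, the validity periods and the use of --sec-param high (which certtool's own note recommends over --bits) are my choices. It also verifies the issued certificate against the CA at the end.

```shell
#!/bin/sh
# Added example (not from the original post): CA + server certificate for
# rsyslog TLS, generated with certtool templates instead of interactive prompts.
# Run as root with "--run" to actually create the files.
set -e

DIR=/etc/ssl/rsyslog          # same directory as the post
SERVER_CN=BS-PUB-CENT7-02     # hostname used in the post's transcript

# CA template: CA:TRUE plus certificate/CRL signing, nothing else.
# (The post's interactive run left out cert_signing_key and marked the CA
#  as a TLS client/server certificate.)
ca_template() {
    cat <<'EOF'
cn = "rsyslog CA"
expiration_days = 3650
ca
cert_signing_key
crl_signing_key
EOF
}

# End-entity template for the log server: CA:FALSE, TLS server usage, and the
# dNSName that peers in x509/name mode are checked against. $1 = hostname.
server_template() {
    cat <<EOF
cn = "$1"
dns_name = "$1"
expiration_days = 730
tls_www_server
signing_key
encryption_key
EOF
}

generate_all() {
    umask 077
    mkdir -p "$DIR"
    ca_template > "$DIR/ca.tmpl"
    server_template "$SERVER_CN" > "$DIR/server.tmpl"

    # CA key and self-signed CA certificate
    certtool --generate-privkey --sec-param high --outfile "$DIR/ca-key.pem"
    certtool --generate-self-signed --load-privkey "$DIR/ca-key.pem" \
        --template "$DIR/ca.tmpl" --outfile "$DIR/ca.pem"

    # Server key, CSR, and certificate issued by the CA
    certtool --generate-privkey --sec-param high --outfile "$DIR/key.pem"
    certtool --generate-request --load-privkey "$DIR/key.pem" \
        --template "$DIR/server.tmpl" --outfile "$DIR/request.pem"
    certtool --generate-certificate --load-request "$DIR/request.pem" \
        --load-ca-certificate "$DIR/ca.pem" --load-ca-privkey "$DIR/ca-key.pem" \
        --template "$DIR/server.tmpl" --outfile "$DIR/cert.pem"
    rm -f "$DIR/request.pem"
    chmod 400 "$DIR/ca-key.pem" "$DIR/key.pem"

    # Check that the issued certificate chains to the CA before using it.
    certtool --verify --load-ca-certificate "$DIR/ca.pem" --infile "$DIR/cert.pem"
    certtool --certificate-info --infile "$DIR/cert.pem" | grep -A1 'Basic Constraints'
}

if [ "${1:-}" = "--run" ]; then
    generate_all
fi
```

Usage: `sh make-rsyslog-certs.sh --run` (the file name is mine). The final `certtool --certificate-info` line should show "Certificate Authority (CA): FALSE" for cert.pem; a FALSE there and a clean `--verify` are the two things to confirm before wiring the files into rsyslog.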
Editing the configuration file
Once the certificates exist, add the following to the configuration file. This assumes the TCP listener from the plaintext setup is already there ($ModLoad imtcp and $InputTCPServerRun 514); the stream driver directives below must appear before the $InputTCPServerRun line, because they are applied when that listener is created.
●/etc/rsyslog.conf
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/key.pem
$DefaultNetstreamDriver gtls
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode anon
$template ClientMessage,"/var/log/rsyslog/%fromhost%/%$year%%$month%%$day%_messages.log"
*.* -?ClientMessage
The original version of this snippet listed $InputTCPServerStreamDriverAuthMode twice, first as x509/name and then as anon; rsyslog takes the last value, so the effective mode was anon and the x509/name line had no effect, and it has been dropped here. Mode 1 means TLS only (0 would be plain TCP even with the gtls driver). With anon the session is encrypted, which is enough against passive packet capture, but neither side verifies the other's certificate, so an attacker who can redirect the traffic can terminate the TLS session himself. For mutual authentication, set x509/name on both ends, issue each client its own certificate from the same CA, and list the expected names with $InputTCPServerStreamDriverPermittedPeer on the server and $ActionSendStreamDriverPermittedPeer on the client.
After appending these lines, restart the rsyslog service.
systemctl restart rsyslog
2. Client-side configuration
Copy ca.pem to the client (for example with scp into /etc/ssl/rsyslog/), install rsyslog-gnutls on the client as well so that the gtls driver is available, and append the following to /etc/rsyslog.conf. Only the CA file is referenced because the client does not present a certificate in anon mode; with x509/name it would also need its own $DefaultNetstreamDriverCertFile and $DefaultNetstreamDriverKeyFile plus a $ActionSendStreamDriverPermittedPeer line naming the server certificate's CN or dNSName.
●/etc/rsyslog.conf
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/ca.pem
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon
*.* @@<rsyslog server hostname or IP address>:514
After appending the configuration, restart the rsyslog service.
systemctl restart rsyslog
Log forwarding should now be encrypted. To confirm it, capture port 514 on the server (for example with tcpdump -i any -A tcp port 514) while running logger from the client: the message text should no longer be readable in the captured payload. Keep in mind that this anon configuration only defeats passive capture; switch to x509/name with permitted peers on both sides before relying on it against an active attacker.
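A small checker for the kind of mistake that crept into the server configuration above (the AuthMode directive repeated, with the last value silently winning). This is an added example and not part of the original post or of rsyslog: it reads a legacy rsyslog.conf, reports the stream driver mode and authentication mode actually in effect for a listener (InputTCPServer) or a sender (ActionSend), and states what that mode does and does not protect against. The sample configuration it runs on is constructed here and reproduces the server-side lines as originally posted; the exit-code convention (0 authenticated, 2 encrypted only, 1 broken) is mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit the TLS stream driver
# settings in a legacy ($-directive) rsyslog.conf. rsyslog applies these
# directives in order, so a repeated directive is overridden by its last
# occurrence; the posted server config set AuthMode to x509/name and then to
# anon, and anon was what actually applied.

# Last value assigned to "$<directive>" in the file; empty if never set.
effective_value() {
    awk -v d="\$$1" '$1 == d { v = $2 } END { print v }' "$2"
}

# Number of times "$<directive>" appears in the file (0 if none).
directive_count() {
    grep -c "^[[:space:]]*\$$1[[:space:]]" "$2" || true
}

# $1 = directive prefix (InputTCPServer for the listener, ActionSend for the
# client side), $2 = config file. Returns 0 (peer authenticated),
# 2 (encrypted only) or 1 (misconfigured).
audit_stream_driver() {
    prefix=$1; conf=$2
    driver=$(effective_value DefaultNetstreamDriver "$conf")
    mode=$(effective_value "${prefix}StreamDriverMode" "$conf")
    auth=$(effective_value "${prefix}StreamDriverAuthMode" "$conf")
    repeats=$(directive_count "${prefix}StreamDriverAuthMode" "$conf")

    if [ "$driver" != gtls ]; then
        echo "FAIL: DefaultNetstreamDriver is '${driver:-unset}', not gtls"; return 1
    fi
    if [ "$mode" != 1 ]; then
        echo "FAIL: ${prefix}StreamDriverMode is '${mode:-unset}' (1 = TLS, 0 = plain TCP)"; return 1
    fi
    if [ "$repeats" -gt 1 ]; then
        echo "WARN: ${prefix}StreamDriverAuthMode set $repeats times; only the last one ($auth) counts"
    fi
    case "$auth" in
        anon)
            echo "WARN: anon: traffic is encrypted but the peer is not authenticated (active MITM possible)"
            return 2 ;;
        x509/name|x509/fingerprint)
            if [ "$(directive_count "${prefix}StreamDriverPermittedPeer" "$conf")" -ge 1 ]; then
                echo "OK: $auth with a PermittedPeer list"; return 0
            fi
            echo "FAIL: $auth needs at least one ${prefix}StreamDriverPermittedPeer"; return 1 ;;
        x509/certvalid)
            echo "OK: x509/certvalid: peer must present a certificate signed by the CA (no name check)"; return 0 ;;
        *)
            echo "FAIL: ${prefix}StreamDriverAuthMode is '${auth:-unset}'"; return 1 ;;
    esac
}

# Constructed sample: the server-side lines as they were originally posted,
# including the repeated AuthMode directive. Prints the temp file's path.
write_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/key.pem
$DefaultNetstreamDriver gtls
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerRun 514
EOF
    echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
    sample=$(write_sample_config)
    audit_stream_driver InputTCPServer "$sample" || true
    rm -f "$sample"
elif [ -n "${1:-}" ]; then
    # Audit a real file: sh audit-rsyslog-tls.sh /etc/rsyslog.conf [InputTCPServer|ActionSend]
    audit_stream_driver "${2:-InputTCPServer}" "$1"
fi
```

Running it with --demo on the constructed sample prints the WARN about the repeated directive followed by the anon warning and exits 2; pointing it at the client's rsyslog.conf with the ActionSend prefix gives the same answer for the sending side. Removing the anon line alone turns the result into a FAIL, because x509/name without a PermittedPeer list has nothing to match against.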