From 8f0c0ae6d2f605df5b2598af4db4a20ed0eef30b Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 23 Sep 2005 10:36:21 +0000 Subject: updated doc for new MySQL escaping --- doc/rsyslog_conf.html | 58 +++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 52 insertions(+), 6 deletions(-) (limited to 'doc') diff --git a/doc/rsyslog_conf.html b/doc/rsyslog_conf.html index ddcec041..30dd025f 100644 --- a/doc/rsyslog_conf.html +++ b/doc/rsyslog_conf.html @@ -3,7 +3,7 @@ rsyslog.conf file -

rsyslog.conf configuration file

+

sqrsyslog.conf configuration file

This document is currently being enhanced. Please pardon its current appearance.

Rsyslogd is configured via the rsyslog.conf file, typically found in @@ -55,10 +55,23 @@ options - the later ones are processed by the property replacer and apply to a SINGLE property, only (and not the whole template).

Template options are case-insensitive. Currently defined are:

-

sql - format the string suitable for a SQL statement. This will -replace single quotes ("'") by two single quotes ("''") inside each field. This -option MUST be specified when a template is used for writing to a database, -otherwise SQL injection might occur.
+

sql - format the string suitable for a SQL statement in MySQL format. This will +replace single quotes ("'") and the backslash character by their +backslash-escaped counterpart ("\'" and "\\") inside each field. Please note +that in MySQL configuration, the NO_BACKSLASH_ESCAPES +mode must be turned off for this format to work (this is the default).

+

stdsql - format the string suitable for a SQL statement that is to be +sent to a standards-compliant sql server. This will +replace single quotes ("'") by two single quotes ("''") inside each field. +You must use stdsql together with MySQL if in MySQL configuration the +NO_BACKSLASH_ESCAPES is turned on.

+

Either the sql or stdsql  +option must be specified when a template is used for writing to a database, +otherwise injection might occur. Please note that due to the unfortunate fact +that several vendors have violated the sql standard and introduced their own +escape methods, it is impossible to have a single option doing all the work.  +So you yourself must make sure you are using the right format. If you choose +the wrong one, you are still vulnerable to sql injection.

Please note that the database writer *checks* that the sql option is present in the template. If it is not present, the write database action is disabled. This @@ -67,7 +80,13 @@ to SQL injection. The sql option can also be useful with files - especially if you want to import them into a database on another machine for performance reasons. However, do NOT use it if you do not have a real need for it - among others, it takes some toll on the processing time. Not much, but on a really -busy system you might notice it ;)
+busy system you might notice it ;)

+

The default template for the write to database action has the sql option set. +As we currently support only MySQL and the sql option matches the default MySQL +configuration, this is a good choice. However, if you have turned on +NO_BACKSLASH_ESCAPES in your MySQL config, you need +to supply a template with the stdsql option. Otherwise you will become +vulnerable to SQL injection.

To escape:
% = \%
@@ -315,6 +334,33 @@ the connect information. This is as follows:
Output channel actions must start with a $-sign, e.g. if you would like to bind your output channel definition "mychannel" to the action, use "$mychannel". Output channels support template definitions like all all other actions.

+

Shell Execute

+

This executes a program in a subshell. The programm is passed the +template-generated message as the only command line parameter. Rsyslog waits +until the program terminates and only then continues to run.

+

^programm-to-execute;template

+

The program-to-execute can be any valid executable.

+

WARNING: The Shell Execute action was added to serve an urgent need. +While it is considered reasonable save when used with some thinking, its +implications must be considered. The current implementation uses a system() call +to execute the command. This is not the best way to do it (and will hopefully +changed in further releases). Also, proper escaping of special characters is +done to prevent command injection. However, attackers always find smart ways to +circumvent escaping, so we can not say if the escaping applied will really safe +you from all hassles. Lastely, rsyslog will wait until the shell command +terminates. Thus, a program error in it (e.g. an infinite loop) can actually +disable rsyslog. Even without that, during the programs run-time no messages are +processed by rsyslog. As the IP stacks buffers are quickly overflowed, this +bears an increased risk of message loss. You must be aware of these implications. +Even though they are severe, there are several cases where the "shell execute" +action is very useful. This is the reason why we have included it in its current +form. To mitigate its risks, always a) test your program thouroughly, b) make +sure its runtime is as short as possible (if it requires a longer run-time, you +might want to spawn your own sub-shell asynchronously), c) apply proper +firewalling so that only known senders can send syslog messages to rsyslog. +Point c) is especially important: if rsyslog is accepting message from any hosts, +chances are much higher that an attacker might try to exploit the "shell execute" +action.

TEMPLATE NAME

Every ACTION can be followed by a template name. If so, that template is used for message formatting. If no name is given, a hardcoded default template is -- cgit