Skip to content
This repository has been archived by the owner on Jan 5, 2024. It is now read-only.

Commit

Permalink
Adds initial scripts to use rsyslog for logging in workstation
Browse files Browse the repository at this point in the history
`sd-rsyslog` is the output plugin of rsyslog to be installed in
/usr/sbin

`sdlog.conf` is the configuration of rsyslog in /etc/rsyslog.d/

`securedrop-redis-log` is part of the Qrexec service inside of
sd-log vm.  This will receive the messages from any other vm,
and add them into a queue in Redis.

`securedrop-log-saver` will be the service inside `sd-log` VM,
this will monitor the queue, and save any incoming message to
the `syslog.log` file of the respective directory for each VM.

It also has the Makefile for the project.
  • Loading branch information
kushaldas committed Jan 23, 2020
1 parent daaa709 commit 7c5ab29
Show file tree
Hide file tree
Showing 18 changed files with 420 additions and 25 deletions.
9 changes: 5 additions & 4 deletions MANIFEST.in
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,9 @@ include README.md
include changelog.md
include build-requirements.txt
include requirements.txt
include securedrop_log/*.py
include securedrop_log/VERSION
include setup.py
include securedrop-log
include securedrop-log*
include securedrop-redis-log
include securedrop.Log
include sd-rsyslog*
include sdlog.conf
include VERSION
40 changes: 40 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
DEFAULT_GOAL: help
SHELL := /bin/bash

# Bandit is a static code analysis tool to detect security vulnerabilities in Python applications
# https://wiki.openstack.org/wiki/Security/Projects/Bandit
.PHONY: bandit
bandit: ## Run bandit with medium level excluding test-related folders
pip install --upgrade pip && \
pip install --upgrade bandit!=1.6.0 && \
bandit -ll --recursive . --exclude tests,.venv

.PHONY: safety
safety: ## Runs `safety check` to check python dependencies for vulnerabilities
pip install --upgrade safety && \
for req_file in `find . -type f -name '*requirements.txt'`; do \
echo "Checking file $$req_file" \
&& safety check --full-report -r $$req_file \
&& echo -e '\n' \
|| exit 1; \
done

.PHONY: update-pip-requirements
update-pip-requirements: ## Updates all Python requirements files via pip-compile.
pip-compile --generate-hashes --output-file requirements.txt requirements.in


# Explaination of the below shell command should it ever break.
# 1. Set the field separator to ": ##" and any make targets that might appear between : and ##
# 2. Use sed-like syntax to remove the make targets
# 3. Format the split fields into $$1) the target name (in blue) and $$2) the target descrption
# 4. Pass this file as an arg to awk
# 5. Sort it alphabetically
# 6. Format columns with colon as delimiter.
.PHONY: help
help: ## Print this message and exit.
@printf "Makefile for developing and testing the SecureDrop Logging system.\n"
@printf "Subcommands:\n\n"
@awk 'BEGIN {FS = ":.*?## "} /^[0-9a-zA-Z_-]+:.*?## / {printf "\033[36m%s\033[0m : %s\n", $$1, $$2}' $(MAKEFILE_LIST) \
| sort \
| column -s ':' -t
43 changes: 36 additions & 7 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,19 +24,47 @@ Add the following content to `/etc/qubes-rpc/securedrop.Log`
/usr/sbin/securedrop-log
```

and then place `securedrop-log` script to `/usr/sbin/` directory and make sure that
it is executable.
and then place `securedrop-redis-log` and `securedrop-log-saver` scripts to the
virtualenv at `/opt/venvs/securedrop-log` and create links to `/usr/sbin/`
directory and make sure that they are executable. This step will be automated via
the Debian package.


Copy `securedrop-log.service` file to `/usr/systemd/system` and then

```
sudo systemctl daemon-reload
sudo systemctl start redis
sudo systemctl start securedrop-log
```

To test the logging, make sure to execute `securedrop-log-saver` from a terminal in `sd-log`
and check the ~/QubesIncomingLogs/vmname/syslog.log file via **tail -f**.


### To use from any Python code in workvm

Put `sd-rsyslog-example.conf` file to `/etc/sd-rsyslog.conf`, make sure update
it so that is shows the right **localvm** name.

Copy `sd-rsyslog` executable to **/usr/sbin**, and remember to `chmod +x`
the binary.

Next, restart the rsyslog service.

```
systemctl restart rsyslog
```


Here is an example code using Python logging

```Python
import logging
from securedrop_log import SecureDropLog
import logging.handlers

def main():
handler = SecureDropLog("workvm", "proxy-debian")
handler = logging.handlers.SysLogHandler(address="/dev/log")
logging.basicConfig(level=logging.DEBUG, handlers=[handler])
logger = logging.getLogger("example")

Expand All @@ -48,8 +76,9 @@ if __name__ == "__main__":

```

## The journalctl example
Or use the logger command.

You will need `python3-systemd` package for the same.
```
logger This line should show in the syslog.log file in the sd-log file.
```

The code is in `journal-example.py` file.
1 change: 1 addition & 0 deletions VERSION
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
0.0.4
1 change: 1 addition & 0 deletions build-requirements.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
redis==3.3.11 --hash=sha256:4b824640b12ff2a3d32275eb9fc3381314ecf7fa3582ff1a78dccd0f30221212
4 changes: 4 additions & 0 deletions changelog.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
# Changelog

## 0.0.4

* Converts into rsyslog based logging system.

## 0.0.3

* Fixes typos MANIFEST.in and setup.py
Expand Down
1 change: 1 addition & 0 deletions requirements.in
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
redis==3.3.11
9 changes: 9 additions & 0 deletions requirements.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
#
# This file is autogenerated by pip-compile
# To update, run:
#
# pip-compile --generate-hashes --output-file=requirements.txt requirements.in
#
redis==3.3.11 \
--hash=sha256:3613daad9ce5951e426f460deddd5caf469e08a3af633e9578fc77d362becf62 \
--hash=sha256:8d0fc278d3f5e1249967cba2eb4a5632d19e45ce5c09442b8422d15ee2c22cc2
193 changes: 193 additions & 0 deletions sd-rsyslog
Original file line number Diff line number Diff line change
@@ -0,0 +1,193 @@
#!/opt/venvs/securedrop-log/bin/python3
"""A skeleton for a Python rsyslog output plugin with error handling.
Requires Python 3.
To integrate a plugin based on this skeleton with rsyslog, configure an
'omprog' action like the following:
action(type="omprog"
binary="/usr/bin/myplugin.py"
output="/var/log/myplugin.log"
confirmMessages="on"
...)
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
-or-
see COPYING.ASL20 in the source distribution
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
"""

import sys
import os
import logging
import configparser
from subprocess import Popen, PIPE

# Global definitions specific to your plugin
process = None

class RecoverableError(Exception):
"""An error that has caused the processing of the current message to
fail, but does not require restarting the plugin.
An example of such an error would be a temporary loss of connection to
a database or a server. If such an error occurs in the onMessage function,
your plugin should wrap it in a RecoverableError before raising it.
For example:
try:
# code that connects to a database
except DbConnectionError as e:
raise RecoverableError from e
Recoverable errors will cause the 'omprog' action to be temporarily
suspended by rsyslog, during a period that can be configured using the
"action.resumeInterval" action parameter. When the action is resumed,
rsyslog will resend the failed message to your plugin.
"""


def onInit():
"""Do everything that is needed to initialize processing (e.g. open files,
create handles, connect to systems...).
"""
# Apart from processing the logs received from rsyslog, you want your plugin
# to be able to report its own logs in some way. This will facilitate
# diagnosing problems and debugging your code. Here we set up the standard
# Python logging system to output the logs to stderr. In the rsyslog
# configuration, you can configure the 'omprog' action to capture the stderr
# of your plugin by specifying the action's "output" parameter.
logging.basicConfig(stream=sys.stderr,
level=logging.WARNING,
format='%(asctime)s %(levelname)s %(message)s')

# This is an example of a debug log. (Note that for debug logs to be
# emitted you must set 'level' to logging.DEBUG above.)
logging.debug("onInit called")


global process
if not os.path.exists("/etc/sd-rsyslog.conf"):
print("Please create the configuration file at /etc/sd-rsyslog.conf", file=sys.stderr)
sys.exit(1)
config = configparser.ConfigParser()
config.read('/etc/sd-rsyslog.conf')
logvmname = config['sd-rsyslog']['remotevm']
localvmname = config['sd-rsyslog']['localvm']
process = Popen(
["/usr/lib/qubes/qrexec-client-vm", logvmname, "securedrop.Log"],
stdin=PIPE,
stdout=PIPE,
stderr=PIPE,
)
process.stdin.write(localvmname.encode("utf-8"))
process.stdin.write(b"\n")
process.stdin.flush()


def onMessage(msg):
"""Process one log message received from rsyslog (e.g. send it to a
database). If this function raises an error, the message will be retried
by rsyslog.
Args:
msg (str): the log message. Does NOT include a trailing newline.
Raises:
RecoverableError: If a recoverable error occurs. The message will be
retried without restarting the plugin.
Exception: If a non-recoverable error occurs. The plugin will be
restarted before retrying the message.
"""
logging.debug("onMessage called")

# For illustrative purposes, this plugin skeleton appends the received logs
# to a file. When implementing your plugin, remove the following code.
global process
process.stdin.write(msg.encode("utf-8"))
process.stdin.write(b"\n")
process.stdin.flush()


def onExit():
"""Do everything that is needed to finish processing (e.g. close files,
handles, disconnect from systems...). This is being called immediately
before exiting.
This function should not raise any error. If it does, the error will be
logged as a warning and ignored.
"""
logging.debug("onExit called")

# For illustrative purposes, this plugin skeleton appends the received logs
# to a file. When implementing your plugin, remove the following code.
global process
process.stdin.flush()


"""
-------------------------------------------------------
This is plumbing that DOES NOT need to be CHANGED
-------------------------------------------------------
This is the main loop that receives messages from rsyslog via stdin,
invokes the above entrypoints, and provides status codes to rsyslog
via stdout. In most cases, modifying this code should not be necessary.
"""
try:
onInit()
except Exception as e:
# If an error occurs during initialization, log it and terminate. The
# 'omprog' action will eventually restart the program.
logging.exception("Initialization error, exiting program")
sys.exit(1)

# Tell rsyslog we are ready to start processing messages:
print("OK", flush=True)

endedWithError = False
try:
line = sys.stdin.readline()
while line:
line = line.rstrip('\n')
try:
onMessage(line)
status = "OK"
except RecoverableError as e:
# Any line written to stdout that is not a status code will be
# treated as a recoverable error by 'omprog', and cause the action
# to be temporarily suspended. In this skeleton, we simply return
# a one-line representation of the Python exception. (If debugging
# is enabled in rsyslog, this line will appear in the debug logs.)
status = repr(e)
# We also log the complete exception to stderr (or to the logging
# handler(s) configured in doInit, if any).
logging.exception(e)

# Send the status code (or the one-line error message) to rsyslog:
print(status, flush=True)
line = sys.stdin.readline()

except Exception:
# If a non-recoverable error occurs, log it and terminate. The 'omprog'
# action will eventually restart the program.
logging.exception("Unrecoverable error, exiting program")
endedWithError = True

try:
onExit()
except Exception:
logging.warning("Exception ignored in onExit", exc_info=True)

if endedWithError:
sys.exit(1)
else:
sys.exit(0)

3 changes: 3 additions & 0 deletions sd-rsyslog-example.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
[sd-rsyslog]
remotevm = sd-log
localvm = sd-svs
4 changes: 4 additions & 0 deletions sdlog.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
module(load="omprog")
action(type="omprog"
binary="/usr/sbin/sd-rsyslog"
template="RSYSLOG_TraditionalFileFormat")
Loading

0 comments on commit 7c5ab29

Please sign in to comment.