1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
GuardTime Log Signature Provider (gt)
=====================================
**Signature Provider Name: gt**
**Author:** Rainer Gerhards <rgerhards@adiscon.com>
**Supported:** from 7.3.9 to 8.26.0
**Description**:
Provides the ability to sign syslog messages via the GuardTime signature
services.
**Configuration Parameters**:
Note: parameter names are case-insensitive.
Signature providers are loaded by omfile, when the provider is selected
in its "sig.providerName" parameter. Parameters for the provider are
given in the omfile action instance line.
This provider creates a signature file with the same base name but the
extension ".gtsig" for each log file (both for fixed-name files as well
as dynafiles). Both files together form a set. So you need to archive
both in order to prove integrity.
- **sig.hashFunction** <Hash Algorithm>
The following hash algorithms are currently supported:
- SHA1
- RIPEMD-160
- SHA2-224
- SHA2-256
- SHA2-384
- SHA2-512
- **sig.timestampService** <timestamper URL>
This provides the URL of the timestamper service. If not selected, a
default server is selected. This may not necessarily be a good one
for your region.
*Note:* If you need to supply user credentials, you can add them to
the timestamper URL. If, for example, you have a user "user" with
password "pass", you can do so as follows:
http://user:pass@timestamper.example.net
- **sig.block.sizeLimit** <nbr-records>
The maximum number of records inside a single signature block. By
default, there is no size limit, so the signature is only written on
file closure. Note that a signature request typically takes between
one and two seconds. So signing to frequently is probably not a good
idea.
- **sig.keepRecordHashes** <on/**off**>
Controls if record hashes are written to the .gtsig file. This
enhances the ability to spot the location of a signature breach, but
costs considerable disk space (65 bytes for each log record for
SHA2-512 hashes, for example).
- **sig.keepTreeHashes** <on/**off**>
Controls if tree (intermediate) hashes are written to the .gtsig
file. This enhances the ability to spot the location of a signature
breach, but costs considerable disk space (a bit mire than the amount
sig.keepRecordHashes requries). Note that both Tree and Record hashes
can be kept inside the signature file.
**See Also**
- `How to sign log messages through signature provider
Guardtime <http://www.rsyslog.com/how-to-sign-log-messages-through-signature-provider-guardtime/>`_
**Caveats/Known Bugs:**
- currently none known
**Samples:**
This writes a log file with it's associated signature file. Default
parameters are used.
::
action(type="omfile" file="/var/log/somelog" sig.provider="gt")
In the next sample, we use the more secure SHA2-512 hash function, sign
every 10,000 records and Tree and Record hashes are kept.
::
action(type="omfile" file="/var/log/somelog" sig.provider="gt"
sig.hashfunction="SHA2-512" sig.block.sizelimit="10000"
sig.keepTreeHashes="on" sig.keepRecordHashes="on")
|
