Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UFW software firewall for Malcolm ISO should automatically open ports for syslog #560

Open
mmguero opened this issue Jan 17, 2025 · 0 comments
Open

UFW software firewall for Malcolm ISO should automatically open ports for syslog #560

mmguero opened this issue Jan 17, 2025 · 0 comments
Labels
bug Something isn't working iso relating to the ISO-installed environment for Malcolm and/or Hedgehog security Related to issues with bearing on the security of Malcolm itself
Milestone
v25.02.0

Comments

@mmguero
Copy link
Collaborator

mmguero commented Jan 17, 2025

#354 added support for syslog ingestion. However, in the ISO install of Malcolm the ports will not be open in the firewall, and require this workaround (depending on the ports specified):

$ sudo ufw allow 514/tcp
Rule added
$ sudo ufw allow 514/udp
Rule added

We could just add 514/tcp and 514/udp to the default firewall rules but the user is allowed to specify the port, so we can't just do that.

The thing probably to do is to add an entry to config/includes.chroot/etc/sudoers.d/ to allow the user (technically users of the docker group or, maybe, the network group) the run ufw as sudo without password, then adjust it when they set the ports either in the install.py script or upon startup.

For now I will document that the user needs to run the UFW command manually.
@mmguero mmguero added bug Something isn't working iso relating to the ISO-installed environment for Malcolm and/or Hedgehog security Related to issues with bearing on the security of Malcolm itself labels Jan 17, 2025
@mmguero mmguero added this to the v25.02.0 milestone Jan 17, 2025
@mmguero mmguero added this to Malcolm Jan 17, 2025
@mmguero mmguero moved this to Todo (develop) in Malcolm Jan 17, 2025
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Jan 17, 2025
@mmguero
documentation for workaround for UFW software firewall for Malcolm IS…
b92528b 
…O should automatically open ports for syslog cisagov#560)
mmguero added a commit to idaholab/Malcolm that referenced this issue Jan 17, 2025
@mmguero
documentation for workaround for UFW software firewall for Malcolm IS…
3b5b021 
…O should automatically open ports for syslog cisagov#560)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working iso relating to the ISO-installed environment for Malcolm and/or Hedgehog security Related to issues with bearing on the security of Malcolm itself
Projects
Malcolm
Status: Todo (develop)
Milestone
v25.02.0
Development

No branches or pull requests
1 participant
@mmguero