Bug #780: Default _updown script is logging IP address to syslog - strongSwan

Bug #780

Default _updown script is logging IP address to syslog

Added by Lian Duan over 7 years ago. Updated over 7 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Martin Willi

Category:

libcharon

Target version:

5.2.2

Start date:

01.12.2014

Due date:

Estimated time:

Affected version:

5.2.1

Resolution:

Fixed

Description

We found logs with sensitive client information(IP address) in our servers' syslog after we have explicitly setting all logging levels to -1.

HOSTNAME vpn: - CLIENT_ID VIRTUAL_IP/32 CLIENT_IP -- SERVER_IP 0.0.0.0/0

It turns out to be the default _updown script is sending this log line to syslog.

In src/_updown/_updown.in,

131 # uncomment to log VPN connections
132    VPN_LOGGING=1
133    #

Line 132 should be commented out by default, as also stated by the comment.

Associated revisions

Revision dcae0a39 (diff)
Added by Martin Willi over 7 years ago

updown: Inverse comment of VPN_LOGGING variable, as it is enabled by default

Fixes #780.

History

#1 Updated by Martin Willi over 7 years ago

Status changed from New to Feedback

Hi,

Yes, this is the default behavior when the updown script is used, and it has been ever since (at least with charon).

I'd like to avoid changing that default behavior, as some installations might rely on it. We certainly can improve the documentation, which I've tried to address with the new updown Wiki page.

Regards
Martin

#2 Updated by Martin Willi over 7 years ago

The associated commit fixes the comment in the default updown script.

#3 Updated by Martin Willi over 7 years ago

Tracker changed from Issue to Bug
Category set to libcharon
Status changed from Feedback to Closed
Target version set to 5.2.2
Resolution set to Fixed

Also available in: Atom PDF

Project

General

Profile

strongSwan

Issues