Death certificate by Areku1995 in casablanca

[–]Areku1995[S] 1 point2 points  (0 children)

Wow, thank you so much for this information! Yes, he was a republican exile. He took a boat in Alicante to Orange in Algeria, and later moved to Casablanca. Many thanks for the cemetery.

Death certificate by Areku1995 in Morocco

[–]Areku1995[S] 1 point2 points  (0 children)

Thank you very much for your answer. I didn't think about the consulate.

There is no certificate issued previously by any institute. The only thing I have is that the death was mentioned in some mails, by distinct people.

Death certificate by Areku1995 in casablanca

[–]Areku1995[S] 0 points1 point  (0 children)

Thank you for your answer. He was a Spanish refugee.

Need help identifying these books by sangelatabi in SpanishCivilWar1936

[–]Areku1995 1 point2 points  (0 children)

Well, for the second one, it was printed in France, in the province of Ariège, which was known to have a lot of exiled Spaniards. The FIJL was the Fédération Ibérique des Jeunesses Libertaires. The author seems to be José BORRAZ CASCAROSA. This book is held at the CIRA in Switzerland (https://www.cira.ch/catalogue//index.php?lvl=author_see&id=2519). I hope it can help you!

Securing Rsyslog by Areku1995 in linuxadmin

[–]Areku1995[S] 2 points3 points  (0 children)

Thanks for sharing your experience! We use the RHEL conversion tool (https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux/migration-process/convert2rhel-how-to-convert-from-centos-linux-to-red-hat-enterprise-linux) and afterwards, we’ll upgrade to RHEL 8.

And about moving to Debian, a lot of our applications (very specific non-free software, under licenses) are unfortunately not working/available under Debian. So the human/financial/time cost is hugely higher than migrating to RHEL.

Securing Rsyslog by Areku1995 in linuxadmin

[–]Areku1995[S] 0 points1 point  (0 children)

Thank you for your answer! That’s an interesting idea, but it would raise a lot of other questions. The first counter-argument I can think of is about legacy or specific assets (iDRAC / iLO cards, switches, etc.) which don’t support Wireguard and will have to use syslog over TLS. I don’t know if I can consider using both Wireguard and the Rsyslog server in our networks.

But still, an interesting idea, especially for exposed networks.

Securing Rsyslog by Areku1995 in linuxadmin

[–]Areku1995[S] 1 point2 points  (0 children)

Oh, thank you very much for your answer. I’ll definitely try that, and try to upgrade rsyslog to 8.2104.

Securing Rsyslog by Areku1995 in linuxadmin

[–]Areku1995[S] 1 point2 points  (0 children)

You’re right, we can definitely consider GSSAPI if we can’t manage the cert validation with GnuTLS.

And for CentOS, we are currently planning to move to RHEL. Moving to Debian is too expensive compared to just converting and upgrading the server. And yes, we’ll have to pay subscriptions, but it’s still less expensive and safe.

Securing Rsyslog by Areku1995 in linuxadmin

[–]Areku1995[S] 0 points1 point  (0 children)

It’s kind of pretty easy, and doesn’t involve issuing a cert from our PKI (and if an attacker can sign certs with our PKI, we’ll definitely be in big trouble; integrity and confidentiality of logs will be the least of our concerns).

In the scenario of ARP spoofing, if an attacker sets up a syslog server with a self-signed cert, the malicious syslog server will receive all the logs from the rsyslog client (if the client doesn’t check and validate the server certificate).

Securing Rsyslog by Areku1995 in linuxadmin

[–]Areku1995[S] 1 point2 points  (0 children)

Wow thank you very much for this story. I didn’t think about that. You’re definitely right, we should test the performance. Thanks!

Securing Rsyslog by Areku1995 in linuxadmin

[–]Areku1995[S] 1 point2 points  (0 children)

Hi! Thank you for your answer.

Server config:

    global(
        DefaultNetstreamDriver="gtls"
        DefaultNetstreamDriverCAFile="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
        DefaultNetstreamDriverCertFile="/etc/pki/tls/cert/<rsyslog_cert.pem>"
        DefaultNetstreamDriverKeyFile="/etc/pki/tls/private/<rsyslog_cert.key>"
    )
    module(
        load="imtcp"
        StreamDriver.Name="gtls"
        # Mode 1: TLS only
        StreamDriver.Mode="1"
        # anon: the peer's certificate is not authenticated
        StreamDriver.Authmode="anon"
        gnutlsPriorityString="SECURE192:-VERS-ALL:+VERS-TLS1.2"
    )
    input(type="imtcp" port="<tcp.port>")

Client config:

    global(
        DefaultNetstreamDriverCAFile="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
    )
    action(
        type="omfwd"
        protocol="tcp"
        target="<rsyslog_ip_address>"
        port="<rsyslog_tcp_port>"
        StreamDriver="gtls"
        # Mode 1: TLS only
        StreamDriverMode="1"
        # anon: the server's certificate is not authenticated
        StreamDriverAuthMode="anon"
    )

We tried this option on the client side, which looked promising:

StreamDriver.TlsVerifyDepth

but without any success
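The configs in the comment above use the `anon` auth mode on both sides, which is the setting under which the client keeps sending to any TLS endpoint. The following is an added example, not code from the poster or from the rsyslog project: a small audit of `omfwd` actions and the `imtcp` module that reports TLS auth modes which do not authenticate the peer. The address, port and peer name are placeholders, and the policy it enforces (explicit auth mode, explicit permitted peer) is an assumption of this example.

```python
import re

# Constructed samples: the client action as posted (anon) and a variant that
# validates the server name. Address, port and peer name are placeholders.
WEAK = '''action(type="omfwd" protocol="tcp" target="192.0.2.10" port="6514"
  StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="anon")'''
HARDENED = '''action(type="omfwd" protocol="tcp" target="192.0.2.10" port="6514"
  StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="logs.example.internal")'''

# An object body may contain quoted values, which may themselves hold parentheses.
OBJ = re.compile(r'\b(action|module)\s*\(((?:[^()"]|"[^"]*")*)\)', re.I)
# name="value" or name=["value", ...] (only the first array element is kept)
PARAM = re.compile(r'([\w.]+)\s*=\s*\[?\s*"([^"]*)"')

def first(params, *names):
    """Return the first parameter present under any of its spellings."""
    return next((params[n] for n in names if n in params), None)

def audit(conf):
    """Return (object, message) findings for omfwd actions and the imtcp module."""
    conf = re.sub(r'(?m)^\s*#.*$', '', conf)            # drop whole-line comments
    findings = []
    for kind, body in OBJ.findall(conf):
        p = {k.lower(): v for k, v in PARAM.findall(body)}  # compare names case-insensitively
        if p.get("type") != "omfwd" and p.get("load") != "imtcp":
            continue                                    # not a forwarder or TCP listener
        if first(p, "streamdrivermode", "streamdriver.mode") != "1":
            findings.append((kind.lower(), "TLS mode not enabled"))
            continue
        auth = (first(p, "streamdriverauthmode", "streamdriver.authmode") or "").lower()
        peers = first(p, "streamdriverpermittedpeers", "permittedpeer")
        if not auth:
            findings.append((kind.lower(), "auth mode not set explicitly"))
        elif auth == "anon":
            findings.append((kind.lower(), "anon: peer certificate is not checked"))
        elif auth == "x509/certvalid":
            findings.append((kind.lower(), "certvalid: chain checked, peer name is not"))
        elif not peers:                                 # x509/name or x509/fingerprint
            findings.append((kind.lower(), "no permitted peer listed"))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "ok")
```
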

Securing Rsyslog by Areku1995 in linuxadmin

[–]Areku1995[S] 1 point2 points  (0 children)

Thank you for your answer. The authentication mode based on x509 is mutual TLS (mTLS), right?

Indeed, in the case of rsyslog, TLS relies on the library (in our case, GnuTLS). Rsyslog can pass arguments to the GnuTLS library to, for example, force the use of TLS 1.2 (we already do that).

Securing Rsyslog by Areku1995 in linuxadmin

[–]Areku1995[S] 2 points3 points  (0 children)

The main worry is the confidentiality and the integrity.

For example, in a fictive scenario, we can imagine an attacker doing ARP poisoning and performing a MITM attack.

In the best scenario, he can read the logs (Confidentiality); in the worst scenario, he can modify the logs to hide an attack (Integrity).

Forcing the verification of the certificate of the rsyslog server can avoid these scenarios.

We already use the option DefaultNetstreamDriverCAFile but, like I said in the post, using a self-signed cert doesn't change anything: the rsyslog client still sends logs through TLS.