
List:       opensuse
Subject:    Re: [opensuse] Re: Why are systemd's logs stored as binaries?
From:       Wols Lists <antlists () youngman ! org ! uk>
Date:       2016-12-24 0:52:21
Message-ID: 585DC6C5.4020502 () youngman ! org ! uk

On 23/12/16 23:19, Greg Freemyer wrote:
> On Fri, Dec 23, 2016 at 5:19 PM, John Andersen <jsamyth@gmail.com> wrote:
>> On 12/23/2016 02:16 PM, Carlos E. R. wrote:
>>> To be valid in a legal environment the binary logs have to arrive
>>> intact to the people doing the investigation.
>>
>> That would be pointless, if, as you insisted, the mere act of dumping
>> them to text renders them suspect.  Judges will just need to learn
>> to read binary, and compare it to the binary catalog apparently.
> 
> Judges don't do that stage of analysis.
> 
> People like me do.  I hope to learn that journald has a high-level of
> integrity so I can be the one that takes possession of a journald
> binary log and converts it to a text log and prints it.  I would then
> testify to the fact I did so as a trusted party.
> 
> Any pointers to why journald logs have a high-level of integrity?  Why
> they can't be easily manipulated after the fact?
> 
> I understand that was a design goal, but I've yet to read how it was
> accomplished.
> 
Simple chaining of checksums I believe. If each record contains the
checksum of the previous record, in order to modify one old record you
then have to re-checksum the ENTIRE log from that point on.

And any competent sysadmin should do what I did for an accounting system
years ago. Every night, I ran an integrity check which spat out a hard
copy double-entry summary. It didn't add up to zero, but the point is
that total should NEVER change. And every morning, the accountant got
the summary off the printer, checked it against the previous night's
summary, and filed it.

I heard of a legal office that did the same sort of thing - every night
at close of business, they got the day's final checksum off their document
management system, and sent it to the local newspaper as a tiny legal
notice ad to be printed the next day.

So you can't necessarily detect tampering, but any attempt to alter the
historic record across one of those boundaries will be tamper-evident.
And because systemd doesn't have to store the log on the machine that
generated it, an intruder could easily find he has no access to the logs
that need to be altered.

Cheers,
Wol


-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
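The scheme Wol sketches above (each record carrying the hash of the previous one, plus a head-of-chain value published somewhere the intruder cannot reach, the printed summary or the newspaper notice) is easy to show in a few lines. The block below is an added illustration, not systemd code and not the poster's; journald's own mechanism is Forward Secure Sealing (set up with `journalctl --setup-keys`, checked with `journalctl --verify`), which is keyed and differs in detail. The log lines, the `DAY_BOUNDARY` position and the `anchors` dictionary standing in for the externally published checksum are all constructed for the example. It demonstrates the two outcomes in the post: an attacker who rewrites an old record and re-hashes everything after it produces a chain that verifies clean on its own, but not against the published anchor; and a rewrite entirely after the anchor is not caught by that anchor.

```python
import copy
import hashlib
from typing import Dict, List, Optional

GENESIS = "0" * 64  # hash of "the record before the first one"

# Constructed sample log lines; the first DAY_BOUNDARY+1 records are "day 1".
SAMPLE_LINES = [
    "sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50122",
    "sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx",
    "sshd[1340]: Failed password for root from 203.0.113.7 port 41022",
    "sshd[1340]: Failed password for root from 203.0.113.7 port 41023",
    "cron[77]: (root) CMD (/usr/local/bin/backup.sh)",
    "sshd[1502]: Accepted publickey for bob from 10.0.0.9 port 50991",
]
DAY_BOUNDARY = 3  # index of the last record written before close of business (assumption)


def record_hash(prev_hash: str, seq: int, msg: str) -> str:
    """Hash of one record: covers the previous record's hash, so any edit propagates forward."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(seq.to_bytes(8, "big"))
    h.update(msg.encode())
    return h.hexdigest()


def append(chain: List[dict], msg: str) -> dict:
    """Append a record that links to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = {"seq": len(chain), "msg": msg, "prev": prev}
    rec["hash"] = record_hash(prev, rec["seq"], msg)
    chain.append(rec)
    return rec


def build_sample_chain() -> List[dict]:
    chain: List[dict] = []
    for line in SAMPLE_LINES:
        append(chain, line)
    return chain


def publish_anchor(chain: List[dict], seq: int) -> Dict[int, str]:
    """The value you print and file, or send to the newspaper: the chain head at a boundary."""
    return {seq: chain[seq]["hash"]}


def verify(chain: List[dict], anchors: Dict[int, str]) -> Optional[int]:
    """Return the index of the first record that fails, or None if everything checks out.

    A record fails if its stored link or hash does not match a recomputation, or if an
    externally published anchor for that position disagrees with what the chain now says.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return i
        if rec["hash"] != record_hash(prev, rec["seq"], rec["msg"]):
            return i
        if i in anchors and anchors[i] != rec["hash"]:
            return i
        prev = rec["hash"]
    return None


def tamper_naive(chain: List[dict], idx: int, new_msg: str) -> List[dict]:
    """Intruder edits one old record and nothing else: the chain itself catches this."""
    out = copy.deepcopy(chain)
    out[idx]["msg"] = new_msg
    return out


def tamper_rechain(chain: List[dict], idx: int, new_msg: str) -> List[dict]:
    """Intruder edits one record and re-hashes the ENTIRE log from that point on.

    The rewritten chain is internally consistent; only a hash published outside the
    machine (an anchor at or after idx) can show that history was changed.
    """
    out = copy.deepcopy(chain)
    out[idx]["msg"] = new_msg
    for i in range(idx, len(out)):
        prev = out[i - 1]["hash"] if i else GENESIS
        out[i]["prev"] = prev
        out[i]["hash"] = record_hash(prev, out[i]["seq"], out[i]["msg"])
    return out


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = publish_anchor(chain, DAY_BOUNDARY)
    print("clean chain:", verify(chain, anchor))
    print("naive edit of record 1:", verify(tamper_naive(chain, 1, "sudo: (nothing)"), {}))
    rewritten = tamper_rechain(chain, 1, "sudo: (nothing)")
    print("rechained, no anchor:", verify(rewritten, {}))
    print("rechained, with day-1 anchor:", verify(rewritten, anchor))
    print("rechained after the boundary:", verify(tamper_rechain(chain, 5, "x"), anchor))
```

Note what `verify` reports in the rechained case: it cannot say which record was altered, only that the chain no longer matches the anchor at position 3, so the alteration happened at or before that boundary. That is exactly the "tamper-evident, not tamper-proof" distinction in the post, and it is why the anchor has to leave the machine on a schedule rather than sit next to the log.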
