SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Are you serious...? No comment. You are missing the point here.
But let me be nice and add: So you got hacked system logs manipulated... now what? who did? how? what? when? where?...
talk to you guys later i gotta study.
Do you really think you can trust your logs after a hack & break-in? Even with tagged and signed logs, the hacker will either use his hacker tools to violate your records or will just delete all logs and therefore will leave you out in the cold.
Do not underestimate the criminal hacker scene. That is a hidden IT industry turning around many millions of dollars a year, which produces tools which are as good or better than any white-hat forensics tools.
Do you really think you can trust your logs after a hack & break-in? Even with tagged and signed logs, the hacker will either use his hacker tools to violate your records or will just delete all logs and therefore will leave you out in the cold.
Do not underestimate the criminal hacker scene. That is a hidden IT industry turning around many millions of dollars a year, which produces tools which are as good or better than any white-hat forensics tools.
Exactly.
I am not underestimating. But encrypting log files makes lots of sense to slow them down... Hey then why use /etc/shadow? The hacker will decrypt it anyways right? lets just give up on security since everything is insecure and not worry about encryption from now on. Hackers can crack it anyway...
I'm not trying to sound condescending but this is the logic of what you are saying. If he decides to delete them... then you don't think the admin will notice?
There is no way to justify this imo.
Last edited by Mercury305; 08-28-2012 at 10:14 AM.
Obfuscating a logging facility actually makes it easer to cover tracks. It's not about deleting logs, its about hiding activities. A whole malware industry lives off the fact, that Windows is opaque, mostly undocumented and has its configuration and logs stored in BLOBs. The only people that really know this stuff in-depth (including knowledge gained by reverse engineering) are the black hats.
You can be sure, that within weeks your rootkit programmer next door knows more about systemd/journald and its undocumented features than your regular sysadmin, who can't even tell, if the output of the fancy frontend tool has anything to do with the real content of the "journal".
I'll just simply ignore systemd until it goes away -I have already done just that with other such things. Even udev itself could go that way. I won't be too worried until something like this shows up in the kernel:
Since there seems to be a misconception about it, I'll kindly point out that using systemd's journal is *not* required. You can simply ignore the journal all together, and the data it stores ( sitting in /run by default ) will sit and consume little to no space (10mb max by default, iirc? and configurable), and be wiped away at boot.
syslogging continues to work exactly how it does today. Again, projects like rsyslog even go so far as to provide native systemd files. Of course, in large scale operations which depend on heavy log monitoring, the standard system logger will never go away. And it's not the intention of systemd to ever do so.
Personally? I agree that the binary log format is a little strange. But as a single-user on my laptop, the journal has completely made a system logger obsolete. I can ask systemd about a service, and it tells me the state of the the service, and even pops up the last few entries regarding that service that the journal has seen. It's really, really neat in practice.
Again, it's all about choice. systemd has really cool stuff built in which caters a little easier to the standard user, but in the event you want the kitchen-sink solution, it works just as well.
Obfuscating a logging facility actually makes it easer to cover tracks. It's not about deleting logs, its about hiding activities. A whole malware industry lives off the fact, that Windows is opaque, mostly undocumented and has its configuration and logs stored in BLOBs. The only people that really know this stuff in-depth (including knowledge gained by reverse engineering) are the black hats.
You can be sure, that within weeks your rootkit programmer next door knows more about systemd/journald and its undocumented features than your regular sysadmin, who can't even tell, if the output of the fancy frontend tool has anything to do with the real content of the "journal".
Please someone decypher this for me. I can't seem to understand the reasoning of what you are trying to say.
Leaving the log files as text simply cp a snapshot of logs then to upload new one makes great sense for a hacker. The admin can just log on and walla! Nothing happened in my logs, my system is secure carry on... (admin)
Oh now you are going to say the dates? and time file is created?
So hackers can hack the systemd encryption and all the added security features but can't manipulate dates to files?
Since there seems to be a misconception about it, I'll kindly point out that using systemd's journal is *not* required. You can simply ignore the journal all together, and the data it stores ( sitting in /run by default ) will sit and consume little to no space (10mb max by default, iirc? and configurable), and be wiped away at boot.
syslogging continues to work exactly how it does today. Again, projects like rsyslog even go so far as to provide native systemd files. Of course, in large scale operations which depend on heavy log monitoring, the standard system logger will never go away. And it's not the intention of systemd to ever do so.
Personally? I agree that the binary log format is a little strange. But as a single-user on my laptop, the journal has completely made a system logger obsolete. I can ask systemd about a service, and it tells me the state of the the service, and even pops up the last few entries regarding that service that the journal has seen. It's really, really neat in practice.
Again, it's all about choice. systemd has really cool stuff built in which caters a little easier to the standard user, but in the event you want the kitchen-sink solution, it works just as well.
lets not get into the improvements in processes and startup in deamons. let me continue studying i will end up here forever again.
I am not underestimating. But encrypting log files makes lots of sense to slow them down... Hey then why use /etc/shadow? The hacker will decrypt it anyways right? lets just give up on security since everything is insecure and not worry about encryption from now on. Hackers can crack it anyway...
The efficacy of /etc/shadow is not that the passwords within it are encrypted (they were encrypted when they were originally in Unix's /etc/passwd), it is that /etc/shadow is only readable by root (/etc/passwd is world readable).
If your concern is in "slowing down" hackers who have gained root privilege, you should rethink your security model.
The efficacy of /etc/shadow is not that the passwords within it are encrypted (they were encrypted when they were originally in Unix's /etc/passwd), it is that /etc/shadow is only readable by root (/etc/passwd is world readable).
If your concern is in "slowing down" hackers who have gained root privilege, you should rethink your security model.
what is the point of the Shadow file passwords being encrypted then? I'm about to break LQ rules by cursing you out here...
Hackers can crack it anyway right?
True...
so why encrypt it? Why encrypt anything if hackers can crack it so easily.
You think the log files for systemd is world readable?
(added: I am assuming that you don't think there are exploits to escalate permission priveledges huh?)
So lets all just depend on UNIX File Permissions... is that the way you deal with security here?
Common man.... im out! Too much nonsense in here!
Last edited by Mercury305; 08-28-2012 at 11:15 AM.
Reason: more reasons...
Please someone decypher this for me. I can't seem to understand the reasoning of what you are trying to say.
By keeping things simple, people defending their systems can be on par with the potential attackers. Make a system unique and you can even gain an advantage, because you know your individual environment, your attacker does not.
By standardizing on an unneeded complex solution, the black hats always gain an advantage even over experienced users. The attackers always understand more about complex opaque stuff, because they are smart -- some of them are even smarter than Poettering.
That's the whole point of the KISS philosophy regarding IT security.
By keeping things simple, people defending their systems can be on par with the potential attackers. Make a system unique and you can even gain an advantage, because you know your individual environment, your attacker does not.
By standardizing on an unneeded complex solution, the black hats always gain an advantage even over experienced users. The attackers always understand more about complex opaque stuff, because they are smart -- some of them are even smarter than Poettering.
That's the whole point of the KISS philosophy regarding IT security.
If that is what you believe to be true to not encrypt log files more secure then plain text (simple files)... i sure won't be hiring you anytime soon.
You think the log files for systemd is world readable?
The distinction is that there is no reason for the root account (or any other) to know a user's password, there are valid reasons for root to examine log files (else why would you even maintain them).
Quote:
Originally Posted by Mercury305
Common man.... im out!
You keep using that word. I do not think it means what you think it means. (Though I appreciate that you consider me not to be "elitist".)
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.