On 15/08/13 02:42, Kai Hendry wrote:
> I use rsyslog-ng with papertrail for an archive. I'm using systemd's
> journalctl on my local system which has some security features such as
> Forward Secure Sealing (FSS), though I haven't bothered to look into
> it yet.

For those who are interested (primarily security bods I'd imagine) and didn't already know, FSS is quite interesting - it's a relatively newish addition to the journalctl part of systemd, which is of course another creation of my favourite love-to-hate linux hacker, the dreaded Lennart Poettering.

It's a different approach to securing your logs, particularly in the case of attackers gaining full root on your box and then hiding all their tracks. Whereas rsyslog would send your logs to another - and hopefully much better secured - server for archiving out of the reach of the hacker, FSS uses an ephemeral key pair to encrypt logs on the local machine after a certain interval (the admin has to maintain the access key out of band*, which could have a scaling problem). So the attacker could completely wipe the logs, which is highly likely to trigger an alert, but they can't tamper with them, even as root.

I'd ask Kai how he was getting on with it, but annoyingly the first other person I've seen who even knows what it is doesn't use it!

Lennart himself describes it much better at a very interesting google+ post (I know, I know) here:

https://plus.google.com/115547683951727699051/posts/g1E6AxVKtyc

I highly recommend it, particularly for the comments section below, which is, well, pretty much what you'd expect from anything involving Lennart. Love him or hate him**, he does make a splash.

For me, the most interesting thing that I learnt was not that Lennart himself hacked up this latest monstrosity, but terrifyingly he has a brother who apparently is a post-doctorate in cryptography and upon whose work FSS is based.

So now we have two Poetterings for the price of one, seemingly conspiring to ruin*** Linux one step at a time. I can't wait to see what they come up with next!

I really feel that both of them have kind of missed a trick here, but then so has pretty much every other OS ever made, with one glaring exception: Plan9 from Bell Labs. No root user. Venti WORM datastore. Job done - I keep Plan9 From User Space on most of my personal linux boxes mainly for this reason, so I can talk to the "glenda" box running in the garage.

Regards

* by QR code... I shit you not! Or writing it down on a piece of paper. Seriously, read the link.
** considering I don't actually know the man, I'd go with neither, but I really hate pretty much every program he's ever written, except PulseAudio, which I really like for some reason.
*** or save, depending on who you ask.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
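A toy model of the sealing mechanism the post describes, added here as an illustration and not code from the post or from systemd: the host seals each interval's entries under a key it then evolves and discards, while the admin keeps the initial key out of band and verifies the whole chain later. The hash-chain key evolution and the sample log lines are assumptions made for the illustration; journald's real FSS uses a different construction.

```python
import hashlib
import hmac
# Toy model of the forward-secure sealing the thread describes: each interval's entries are
# sealed under a key the host then evolves and discards (plain hash chain, NOT journald's real FSS).

def evolve(key: bytes) -> bytes:
    # one-way step: the previous epoch key cannot be recovered from the next one
    return hashlib.sha256(b"fss-evolve:" + key).digest()

def seal(key: bytes, entries: list) -> bytes:
    """HMAC over one epoch's entries, length-prefixed so boundaries are unambiguous."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for entry in entries:
        mac.update(len(entry).to_bytes(4, "big") + entry)
    return mac.digest()

class Host:  # the logging machine: holds only the CURRENT sealing key
    def __init__(self, key0: bytes):
        self.key = key0      # the admin keeps a copy of key0 out of band
        self.sealed = []     # [entries, tag] per finished epoch
        self.current = []    # entries of the epoch not yet sealed
    def log(self, entry: bytes):
        self.current.append(entry)
    def rotate(self):
        """End of interval: seal the epoch, evolve the key, forget the old one."""
        self.sealed.append([list(self.current), seal(self.key, self.current)])
        self.key = evolve(self.key)
        self.current = []

def verify(key0: bytes, sealed: list) -> list:
    """Admin-side check with the out-of-band key: indexes of epochs that fail."""
    key, bad = key0, []
    for i, (entries, tag) in enumerate(sealed):
        if not hmac.compare_digest(seal(key, entries), tag):
            bad.append(i)
        key = evolve(key)
    return bad

def demo() -> tuple:
    key0 = bytes(range(32))  # constructed; a real key comes from a CSPRNG and is kept offline
    host = Host(key0)
    for line in (b"sshd: accepted publickey for alice", b"sudo: alice : COMMAND=/bin/ls"):
        host.log(line)       # constructed sample entry, one per interval
        host.rotate()
    clean = verify(key0, host.sealed)   # [] : untouched log verifies
    # Root attacker holds only host.key (evolved twice); edits epoch 0 and re-seals with it,
    # but the epoch-0 key is gone from the machine, so the tag cannot match on verification.
    host.sealed[0][0][0] = b"sshd: accepted publickey for bob"
    host.sealed[0][1] = seal(host.key, host.sealed[0][0])
    return clean, verify(key0, host.sealed)   # ([], [0])
```

Entries still in the unsealed current interval carry no tag yet, which is the window the post's "after a certain interval" refers to; wiping sealed epochs outright leaves a gap in the chain rather than a bad tag.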