
Re: systemd's journal



previously on this list Helmut Grohne contributed:

> > It's just occurred to me that the binary format may not work with append
> > only logging?  
> 
> That's true for the journal. When the journal opens its binary log, it
> flags the file as being opened, but what is the issue with not being
> append only?
> 

I like to use the kernel to enforce append only on certain log files so
that they can't be tampered with without finding a kernel exploit or
rebooting. You're right in that it does mean you can't compress, but I
find logs are small on modern disks.

I do it all the time on OpenBSD with schg, backed up by its ace
critical-bug-free kernel, and have done so on Linux with chattr -a mixed
with another trick that I forget right now, though I believe it can be
done with RBACs like grsecurity's or SELinux.

> > Also recovering those logs from a possibly intentionally
> > incompletely wiped disk would be much harder, especially on an ext3/ext4
> > filesystem where carving is required, when otherwise you could image or
> > ddrescue in case of hardware failure and use grep.  
> 
> I have not tried, but I imagine it not being that much harder for the
> following reasons:
> 
> If your journal is compressed, you basically lose, but that is true for
> compressed text logs as well. So if you need this recovery scenario,
> don't compress.
> 
> If your journal is uncompressed, you can exploit aspects of the format
> to find the log. Specifically, a log entry consists of key-value pairs,
> most of which likely match /\(_SYSTEMD_[A-Z_]*\|MESSAGE\)=.*/. Another

True and fair enough, though can you read partial fragments from a
journal, or does it need the whole thing or complete chunks recovered?

Anyway, it's not like I have ever needed to do this, but it's good to
know you can, and for the same reason I save my odt files as text
occasionally when writing them, as a more reliable format, and advise
others to do so.

-- 
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
_______________________________________________________________________
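As an added illustration of the carving approach Helmut describes above (example code, not from anyone in this thread): the regex from his reply is applied to a constructed raw image, every surviving field is pulled out regardless of filesystem structure, nearby hits are clustered into probable entries, and a truncated fragment with no terminator still yields its readable prefix, which bears on the partial-fragment question. The regex form, the clustering window and the sample bytes are my assumptions.

```python
import re

# Pattern from the reply: uncompressed journal data objects carry their
# payload as "KEY=value" strings, so they survive on disk verbatim.
# Values are read up to the first NUL or the end of the image.
FIELD_RE = re.compile(rb'(?:_SYSTEMD_[A-Z_]*|MESSAGE)=[^\x00]+')

def carve_fields(image: bytes):
    """Return (offset, key, value) for every journal-style field found in
    a raw byte image, ignoring whatever filesystem metadata surrounds it."""
    found = []
    for m in FIELD_RE.finditer(image):
        key, _, value = m.group(0).partition(b'=')
        found.append((m.start(), key.decode(), value.decode('utf-8', 'replace')))
    return found

def group_by_proximity(fields, window=256):
    """Cluster fields whose offset is within `window` bytes of the previous
    hit: a crude stand-in for entry boundaries once headers are gone."""
    groups, current, last = [], [], None
    for off, key, value in fields:
        if last is not None and off - last > window:
            groups.append(current)
            current = []
        current.append((key, value))
        last = off
    if current:
        groups.append(current)
    return groups

# Constructed sample image: two entries' payloads separated by binary junk,
# followed by a fragment whose tail was overwritten (no NUL terminator).
SAMPLE_IMAGE = (
    b'\x00\x1f\x8b' * 10
    + b'_SYSTEMD_UNIT=sshd.service\x00' + b'\x00' * 8
    + b'MESSAGE=Accepted publickey for alice from 192.0.2.10\x00'
    + b'\xff' * 600                      # gap wider than the window
    + b'_SYSTEMD_UNIT=cron.service\x00'
    + b'MESSAGE=(root) CMD (run-parts /etc/cron.hourly)\x00'
    + b'\xde\xad' * 300                  # another wide gap
    + b'MESSAGE=partial fragment, rest overwr'
)

if __name__ == '__main__':
    for i, entry in enumerate(group_by_proximity(carve_fields(SAMPLE_IMAGE))):
        print(f'entry {i}:', entry)
```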

