Dan Walsh's Blog

Got SELinux?


Fedora 17 New Security Feature part VI - systemd-journal
danwalsh
There has been a lot written about systemd-journal; the link below gives a pretty good description of why it is good from a security point of view, although I don't see it as a full replacement for syslog.

http://techspear.com/2011/11/systemd-journal-an-alternate-for-the-syslog/

Since the syslog format is ubiquitous, I don't see it going away.  Also, systemd-journal caused a lot of people who were working on "Structured Logging" to get all up in arms, since Lennart and Kay did not work with them.

I still like it. 

systemd has become the central point for launching system services, so it knows more about what is going on in the system than any other process save the kernel.

Years ago, when the audit system was being built, Karl MacMillan of Tresys argued that some of the problems the audit system was trying to solve could be handled by extending syslog to record all the information about the sending process: ALL of the UIDs associated with the process as well as its SELinux context.  systemd-journald now does this.

Let me give an example of where systemd-journal could be used to increase security. 

SELinux controls processes by only allowing them to do what they were designed to do, and sometimes even less, depending on the security goals of the policy writer.  This means SELinux would prevent a hacked ntpd process from doing anything other than handling Network Time.  SELinux would prevent the hacked ntpd from reading the MySQL database or credit card data from a user's home directory, even if the ntpd process were running as root.  However, since the ntpd process legitimately sends syslog messages, SELinux would allow the hacked process to continue to send syslog messages.  The hacked ntpd could format syslog messages to match those of other daemons and potentially trick an administrator, or even better, a tool that reads the syslog file (intrusion detection tools?) into doing something bad.  With systemd-journal, the identity of the sender is recorded in fields that journald fills in itself from the sender's credentials (the fields whose names start with an underscore), so the forging process cannot alter them.  If an administrator or a log analysis tool checked every message against those fields, it would notice that ntpd_t is sending messages about sshd, and we could realize the ntpd daemon was hacked.  Here is what such a forged entry looks like in the journal:

.cursor=s=f328cc4b2615417189ab76b00c7ae041;i=2;b=4c3d0faf6b774fb7930972c1a4a5f87
.realtime=1329940273078467
...skipping...
SYSLOG_IDENTIFIER=sshd
SYSLOG_PID=2302
MESSAGE=sshd Fake message from sshd.
_PID=2302
_UID=0
_GID=0
_COMM=ntpd
_EXE=/usr/sbin/ntpd
_CMDLINE=/usr/sbin/ntpd -n -u ntp:ntp -g
_SYSTEMD_CGROUP=/system/ntpd.service
_SYSTEMD_UNIT=ntpd.service
_SELINUX_CONTEXT=system_u:system_r:ntpd_t:s0
_SOURCE_REALTIME_TIMESTAMP=1330527027590337
_BOOT_ID=4c3d0faf6b774fb7930972c1a4a5f870
_MACHINE_ID=432d8198a8fc421caf2dca48ccde1cf2
_HOSTNAME=dhcp-189-250.bos.redhat.com
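The check described above, written out as a small detection script.  This is an added example, not code from the post or from systemd: it parses journal entries in the `journalctl -o export` layout (plain KEY=VALUE lines, one blank line between entries; the export format's length-prefixed binary fields are not handled), and flags any entry whose client-supplied SYSLOG_IDENTIFIER claims a daemon that the trusted _SELINUX_CONTEXT field says it is not.  The EXPECTED_DOMAIN table and the three sample entries are constructed for the example; the second sample entry reproduces the ntpd_t process forging an sshd message.

```python
"""Detect forged syslog identifiers using the journal's trusted fields.

SYSLOG_IDENTIFIER, SYSLOG_PID and MESSAGE are supplied by the logging process
and can say anything.  Fields whose names start with an underscore (_COMM,
_EXE, _SYSTEMD_UNIT, _SELINUX_CONTEXT, ...) are filled in by journald from the
sender's credentials and cannot be set by the client.  Comparing the two
exposes a process that is impersonating another daemon.
"""

# Assumed policy for this example: which SELinux domain is allowed to log
# under each syslog identifier.  Extend it with the daemons you care about.
EXPECTED_DOMAIN = {
    "sshd": "sshd_t",
    "ntpd": "ntpd_t",
}

# Constructed sample in journalctl -o export layout.  The second entry is the
# ntpd_t process from the post claiming to be sshd; the others are legitimate.
SAMPLE = """\
SYSLOG_IDENTIFIER=sshd
SYSLOG_PID=1801
MESSAGE=Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
_PID=1801
_UID=0
_COMM=sshd
_EXE=/usr/sbin/sshd
_SYSTEMD_UNIT=sshd.service
_SELINUX_CONTEXT=system_u:system_r:sshd_t:s0

SYSLOG_IDENTIFIER=sshd
SYSLOG_PID=2302
MESSAGE=sshd Fake message from sshd.
_PID=2302
_UID=0
_COMM=ntpd
_EXE=/usr/sbin/ntpd
_SYSTEMD_UNIT=ntpd.service
_SELINUX_CONTEXT=system_u:system_r:ntpd_t:s0

SYSLOG_IDENTIFIER=crond
MESSAGE=(root) CMD (run-parts /etc/cron.hourly)
_COMM=crond
_SELINUX_CONTEXT=system_u:system_r:crond_t:s0
"""


def parse_export(text):
    """Split export-format text into a list of {field: value} dicts.

    Only plain KEY=VALUE fields are handled; the length-prefixed binary
    fields the real export format can carry are out of scope here.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key] = value
    if current:
        entries.append(current)
    return entries


def selinux_type(context):
    """Return the type (third colon-separated field) of an SELinux context."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None


def find_spoofed(entries):
    """Return entries whose claimed identifier disagrees with the trusted domain."""
    hits = []
    for entry in entries:
        claimed = entry.get("SYSLOG_IDENTIFIER")
        if claimed not in EXPECTED_DOMAIN:
            continue  # no expectation recorded for this identifier
        domain = selinux_type(entry.get("_SELINUX_CONTEXT"))
        if domain != EXPECTED_DOMAIN[claimed]:
            hits.append({
                "claimed": claimed,
                "domain": domain,
                "comm": entry.get("_COMM"),
                "unit": entry.get("_SYSTEMD_UNIT"),
                "message": entry.get("MESSAGE"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_spoofed(parse_export(SAMPLE)):
        print("forged identifier:", hit)
```

To run it against a live system, replace SAMPLE with sys.stdin.read() and pipe `journalctl -o export` into the script.  The decision is keyed on the SELinux domain rather than on _COMM, because the domain is what the policy actually confines, while comm names vary between a daemon and its helper processes.  The caveat is that this only catches cross-domain impersonation: a compromised sshd that forges sshd messages is still in sshd_t and passes the check.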