Tired of ads? Upgrade to paid account and never see ads again!


Dan Walsh's Blog

Got SELinux?

Previous Entry Share Next Entry
Fedora 17 New Security Feature part VI - systemd-journal
There has been a lot written about the systemd-journal, this link gives a pretty good description of why it is good from a security point of view, although I don't see this as a full replacement of syslog.


Since the syslog format is ubiquitous, I don't see it going away.  Also systemd-journal caused a lot of people who were working on "Structured Logging" to get all up in arms over it, since Lennart and Kay did not work with them.

I still like it. 

systemd has become the central point of launching system apps, so it knows more about what is going on in the system then any other process save the kernel.

Years ago when the audit system was being build Karl MacMillan of Tresys believed that some of the problems that the audit system was trying to fix could be handled by extending syslog to record all the information about the sending process.  ALL of the UIDs associated with a process as well as recording the SELinux Context.   Systemd-journald now does this. 

Let me give an example of where systemd-journal could be used to increase security. 

SELinux controls processes by only allowing them to do what they were designed to do.  Sometimes even less depending on the security goals of the policy writer.  This means SELinux would prevent a hacked ntpd process from doing anything other then handle  Network Time.  SELinux would prevent the hacked ntpd from reading mysql database or credit card data from the users home directory,  even if the ntpd process was running as root.  However, since the ntpd process sends syslog messages, SELinux would allow the hacked process to continue to send syslog messages.  The hacked ntpd could format syslog messages to match other daemons and potentially trick and administrator or even better a tool that reads the syslog file (Intrusion detection tools?) into doing something bad.   If all messages were verified with the systemd-journal then the administrator or syslog analysis tool could notice that ntpd_t is sending messages about sshd, and we could realize your ntpd daemon was hacked.

MESSAGE=sshd Fake message from sshd.
_CMDLINE=/usr/sbin/ntpd -n -u ntp:ntp -g

No HTML allowed in subject


(will be screened)

You are viewing danwalsh