1. 6
  1. 5

    This is a great overview and rationale for systemd’s logging and binary format.

    Inspired by git, in the journal all entries are cryptographically hashed along with the hash of the previous entry in the file. This results in a chain of entries, where each entry authenticates all previous ones. If the top-most hash is regularly saved to a secure write-once location, the full chain is authenticated by it. Manipulations by the attacker can hence easily be detected.

    I had no idea that this was the case.

    1. 3

      I am not too clear, but I think Poettering calls this “log sealing” in some of the early written material on systemd. I haven’t used this feature in systemd, but I have used it in other (proprietary) logging systems elsewhere and I can fully imagine that it was something Red Hat’s clients commonly asked for.

      For me the part I like about the systemd journal is the indexed search/filtering, the automatic rolling and max sizing (logs can’t fill your disk) and interpolation of the logs from different services. It’s like a mini-ELK (and probably with sufficient config could replace a lot of ELK).

      Dare I say it, given how unpopular systemd is everywhere, but I love systemd. Clearly someone thoughtful looked through all of the disparate, badly interacting parts of Unix and just sorted heaps and heaps of it. Unit files, as a sysadmin, are way, way better than the old shell-based init scripts, for example.

      1. 3

        This looks like the same model used by auditdistd on FreeBSD. It’s really useful for audit logs to know that an attacker who compromises the machine can’t tamper with audit logs undetectably (they can delete them, they can’t delete their activity in the middle, and with the distribution if they erase some entries at the end then the chain on the remote end will mismatch and point you directly to the entries that they deleted).
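The hash-chained log described in the quoted article paragraph above, and the tamper cases the auditdistd reply lists (an entry modified in place, an entry cut out of the middle, entries dropped from the end), as an added example that is not part of the original thread and is not systemd's or auditdistd's real on-disk format: a toy SHA-256 chain over constructed sample log lines, with the last hash kept in a variable as a stand-in for the copy you would ship to a write-once location. The entry layout, the `GENESIS` value and the sample messages are all assumptions made for the illustration.

```python
import hashlib
from typing import List, Optional

# Constructed sample log lines for the example; not from any real host.
SAMPLE_ENTRIES = [
    "sshd[812]: Accepted publickey for alice from 192.0.2.10",
    "sudo: alice : COMMAND=/usr/bin/systemctl restart nginx",
    "nginx[1021]: signal 15 received, shutting down",
    "nginx[1030]: started",
    "sshd[812]: session closed for user alice",
]

GENESIS = "0" * 64  # assumed "previous hash" for the very first entry


def entry_hash(prev_hash: str, message: str) -> str:
    """Hash of one entry, bound to the hash of the entry before it."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(b"\n")
    h.update(message.encode())
    return h.hexdigest()


def build_chain(messages: List[str]) -> List[dict]:
    """Append entries in order; each one stores its predecessor's hash."""
    chain, prev = [], GENESIS
    for msg in messages:
        digest = entry_hash(prev, msg)
        chain.append({"prev": prev, "msg": msg, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain: List[dict], sealed_head: Optional[str] = None) -> dict:
    """Walk the chain from the start and report the first broken link.

    sealed_head is the top-most hash saved earlier somewhere the attacker
    cannot write (remote host, WORM media). Without it, a chain that was
    rebuilt or truncated by the attacker still looks internally consistent.
    """
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev:
            return {"ok": False, "bad_index": i,
                    "reason": "prev-hash mismatch: entries removed or inserted before here"}
        if entry_hash(prev, e["msg"]) != e["hash"]:
            return {"ok": False, "bad_index": i,
                    "reason": "entry hash mismatch: entry modified in place"}
        prev = e["hash"]
    if sealed_head is not None and prev != sealed_head:
        return {"ok": False, "bad_index": len(chain),
                "reason": "head does not match sealed copy: chain rebuilt or cut short"}
    return {"ok": True, "bad_index": None, "reason": "chain intact"}


def demo() -> dict:
    """Run the verifier against an intact chain and four tampered copies."""
    chain = build_chain(SAMPLE_ENTRIES)
    sealed = chain[-1]["hash"]  # what you would copy off-box after the last write

    # 1. Edit the sudo line but leave the stored hashes alone.
    edited = [dict(e) for e in chain]
    edited[1]["msg"] = "sudo: alice : COMMAND=/usr/bin/ls"

    # 2. Cut the sudo line out of the middle, keep everything else.
    spliced = chain[:1] + chain[2:]

    # 3. Edit the sudo line and recompute every later hash (attacker has write access).
    msgs = list(SAMPLE_ENTRIES)
    msgs[1] = "sudo: alice : COMMAND=/usr/bin/ls"
    rewritten = build_chain(msgs)

    # 4. Drop the last two entries; the remaining prefix is self-consistent.
    truncated = chain[:3]

    return {
        "intact": verify_chain(chain, sealed),
        "edited": verify_chain(edited, sealed),
        "spliced": verify_chain(spliced, sealed),
        "rewritten_no_seal": verify_chain(rewritten),
        "rewritten_with_seal": verify_chain(rewritten, sealed),
        "truncated_no_seal": verify_chain(truncated),
        "truncated_with_seal": verify_chain(truncated, sealed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} ok={result['ok']!s:5s} at={result['bad_index']} {result['reason']}")
```

Two things the output makes concrete. A local edit or a mid-chain deletion breaks a link at the exact index of the change, which is the "points you directly to the entries that they deleted" property; the verifier reports that index. But an attacker who can write the file can simply rebuild the chain from the modified entry onward, or cut it short, and both of those pass a purely local check; only comparing the head against the copy kept out of their reach catches them, which is why the sealed or remotely distributed head, not the chain itself, is the security boundary.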

      2. 1

        Finally, you are actually wrong in believing that systemd was an abomination.

        “Your opinion is incorrect?”

        1. 1

          They really can be…