Sealing journald log files for security
I've already told you how easy it is for a malicious person to tamper with the text-mode rsyslog files to delete his or her nefarious activities. The journald log files are already harder to tamper with because they're in binary format. We can make it even harder to tamper with them by sealing them, so that any later modification of a sealed journal file can be detected when the file is verified. (Of course, this only works if you have persistent journald logs.)
The first step is to create a set of Forward Secure Sealing (FSS) keys, like this:
donnie@ubuntu2004:~$ sudo journalctl --setup-keys
This command creates two keys. The sealing key is named fss and is stored in the same directory as the journald log files, as we see here:
donnie@ubuntu2004:~$ cd /var/log/journal/55520bc0900c428ab8a27f5c7d8c3927/
donnie@ubuntu2004:/var/log/journal/55520bc0900c428ab8a27f5c7d8c3927$ ls -l fss
-rw-------+ 1 root systemd-journal 482 Aug 10 16:50 fss
donnie@ubuntu2004:/var/log/journal/55520bc0900c428ab8a27f5c7d8c3927$
The verification...
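Sealing only takes effect when journald actually keeps persistent logs and has Seal= enabled (it is on by default), and the fss sealing key must stay readable by root alone, which is what the ls output above shows. The following shell script is an added example, not part of the book or of systemd itself: it reads a journald.conf-style file, reports the effective Storage= and Seal= values, and checks the permissions of a sealing key file. The config files, the journal directory and the key file it uses are constructed under a temporary directory for the example; on a real host the config is /etc/systemd/journald.conf and the key lives next to the journal files as shown above.

```shell
#!/bin/sh
# Added example (not from the book): preflight checks for journald FSS sealing.

# journald_setting FILE KEY DEFAULT
# Prints the last uncommented KEY=value in FILE, or DEFAULT when the key is
# absent or commented out (journald then falls back to its built-in default).
journald_setting() {
    file=$1; key=$2; default=$3
    val=$(sed -n "s/^[[:space:]]*${key}=\(.*\)$/\1/p" "$file" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# sealing_possible FILE JOURNAL_DIR
# Returns 0 when sealing can take effect: storage is persistent (or auto with
# the persistent journal directory present) and Seal= is not disabled.
sealing_possible() {
    file=$1; journal_dir=$2
    storage=$(journald_setting "$file" Storage auto)
    seal=$(journald_setting "$file" Seal yes)
    case "$storage" in
        persistent) ;;
        auto) [ -d "$journal_dir" ] || return 1 ;;
        *) return 1 ;;
    esac
    case "$seal" in
        yes|true|1|on) return 0 ;;
        *) return 1 ;;
    esac
}

# fss_key_ok KEYFILE
# Returns 0 when the sealing key exists and is readable by its owner only
# (mode 0600), which is how journalctl --setup-keys creates it.
fss_key_ok() {
    key=$1
    [ -f "$key" ] || return 1
    [ -n "$(find "$key" -perm 0600 -print)" ]
}

# verify_sealed_journal VERIFICATION_KEY
# Runs the real check on a live host: journalctl --verify checks the journal
# files and, given the verification key printed by --setup-keys, the seals too.
verify_sealed_journal() {
    journalctl --verify --verify-key="$1"
}

# Constructed sample inputs (not real host files) so the checks run offline.
TMP=$(mktemp -d)
mkdir -p "$TMP/journal"
cat > "$TMP/good.conf" <<'EOF'
[Journal]
Storage=persistent
#Seal=yes
EOF
cat > "$TMP/volatile.conf" <<'EOF'
[Journal]
Storage=volatile
Seal=yes
EOF
cat > "$TMP/noseal.conf" <<'EOF'
[Journal]
Storage=persistent
Seal=no
EOF

for cfg in good volatile noseal; do
    if sealing_possible "$TMP/$cfg.conf" "$TMP/journal"; then
        echo "$cfg.conf: sealing can take effect"
    else
        echo "$cfg.conf: keys would be created but never used"
    fi
done
```

Run it as an ordinary user: it only touches the temporary directory. To apply the same checks to a live system, call sealing_possible on /etc/systemd/journald.conf with /var/log/journal, fss_key_ok on the fss file in the machine-id directory, and verify_sealed_journal with the verification key that journalctl --setup-keys printed.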