Discussion:
Q: encrypted log
Ranran
2018-11-24 15:37:41 UTC
Hello,

Is there a way to encrypt the auditd logs which are saved to disk?
The system needs to save logs locally to disk (not over a remote
connection), but they should be saved encrypted. Is there a way to do it?

Thank you,
ran
Richard Guy Briggs
2018-11-26 18:37:36 UTC
Post by Ranran
Hello,
Is there a way to encrypt the auditd logs which are saved to disk?
The system needs to save logs locally to disk (not over a remote
connection), but they should be saved encrypted. Is there a way to do it?
The easy answer is that any system that is configured to use full disk
encryption (LUKS is the default one on many distros.) will give you that
automatically.

You have not provided more detail to know if this is what you had in
mind or would be sufficient for your requirements. If you require the
daemon to write to encrypted log files, then you may be out of luck.
- RGB

--
Richard Guy Briggs <***@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Marko Horn
2018-11-27 06:08:24 UTC
Hello,
You can easily do an encrypted /var/log/auditlog partition and save the logs there.
Michael Halcrow
2018-11-27 23:01:47 UTC
Post by Marko Horn
Hello,
You can easily do an encrypted /var/log/auditlog partition and save the logs there.
This has the disadvantage of reserving a fixed amount of disk space
for the logs. If you need that reserved disk space for something
else, you don't have it. If you end up needing more space for the
logs, you don't have it.

If you're using ext4 or f2fs, another option is to use their native
encryption capability. If you're using another local file system,
well, I haven't gotten around to ripping eCryptfs out of the kernel
yet, so there's also that.
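As an added check (not from the thread, and not auditd's own tooling): a script that works out where auditd writes its log and tests whether that directory is covered by one of the options raised above, either ext4/f2fs native encryption (fscrypt) or a dm-crypt/LUKS layer beneath the mount. It assumes util-linux findmnt/lsblk and e2fsprogs lsattr are installed, and that lsattr's `E` flag marks an fscrypt-encrypted directory.

```shell
#!/usr/bin/env bash
# Defender-side check: is the directory auditd writes to covered by
# dm-crypt/LUKS under the mount, or by ext4/f2fs native encryption (fscrypt)?
# Assumptions: util-linux (findmnt, lsblk) and e2fsprogs (lsattr) are present,
# and lsattr's 'E' flag means "encrypted" (true for current e2fsprogs).

# Return the log_file value from an auditd.conf body, or auditd's default path.
auditd_log_file() {
    local conf="$1" path
    path=$(printf '%s\n' "$conf" \
        | sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*//p' | tail -n1)
    printf '%s\n' "${path:-/var/log/audit/audit.log}"
}

# Succeed if any layer in `lsblk -lns -o NAME,TYPE <dev>` output (the device
# plus every device it is stacked on) is a dm-crypt mapping.
chain_has_crypt() {
    printf '%s\n' "$1" | awk '$2 == "crypt" { found = 1 } END { exit !found }'
}

# Succeed if `lsattr -d <dir>` output carries the fscrypt 'E' flag.
dir_has_fscrypt_flag() {
    printf '%s\n' "$1" | awk 'index($1, "E") { found = 1 } END { exit !found }'
}

# Run the check against the live system (needs root to read the config/dir).
check_audit_log_encryption() {
    local logfile dir dev
    logfile=$(auditd_log_file "$(cat /etc/audit/auditd.conf 2>/dev/null)")
    dir=$(dirname "$logfile")
    if dir_has_fscrypt_flag "$(lsattr -d "$dir" 2>/dev/null)"; then
        echo "OK: $dir is an fscrypt-encrypted directory"; return 0
    fi
    dev=$(findmnt -n -o SOURCE --target "$dir" 2>/dev/null)
    dev=${dev%%\[*}   # drop a btrfs "[/subvolume]" suffix if present
    if [ -n "$dev" ] && chain_has_crypt "$(lsblk -lns -o NAME,TYPE "$dev" 2>/dev/null)"; then
        echo "OK: $dir sits on a dm-crypt device ($dev)"; return 0
    fi
    echo "WARNING: $dir is not protected by fscrypt or dm-crypt"; return 1
}

if [ "${1:-}" = "--check" ]; then
    check_audit_log_encryption
fi
```

Run it as `sudo ./audit-log-enc-check.sh --check`; a non-zero exit means neither protection was found for the audit log directory.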
Steve Grubb
2018-11-26 20:30:28 UTC
Post by Ranran
Is there a way to encrypt the auditd logs which are saved to disk?
The system needs to save logs locally to disk (not over a remote
connection), but they should be saved encrypted. Is there a way to do it?
Typically audit logs are protected by virtue of needing root to read
anything. An untrusted root user is something Linux isn't designed for.

-Steve