Q: encryted log

Discussion:

Q: encryted log

Ranran

2018-11-24 15:37:41 UTC

Hello,

Is there a way to encrypt the auditd logs which are saved to disk?
The system need to save logs from local into disk (not a remote
connection), but it should be saved encryped. Is there a way to do it
?

Thank you,
ran

Richard Guy Briggs

2018-11-26 18:37:36 UTC

Permalink

Post by Ranran
Hello,
Is there a way to encrypt the auditd logs which are saved to disk?
The system need to save logs from local into disk (not a remote
connection), but it should be saved encryped. Is there a way to do it?

The easy answer is that any system that is configured to use full disk
encryption (LUKS is the default one on many distros.) will give you that
automatically.

You have not provided more detail to know if this is what you had in
mind or would be sufficient for your requirements. If you require the
daemon to write to encrypted log files, then you may be out of luck.

Post by Ranran
ran

- RGB

--
Richard Guy Briggs <***@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Marko Horn

2018-11-27 06:08:24 UTC

Permalink

hello,
you can easily do an encrypted
/var/log/auditlog partition
and save the logs there

Post by Richard Guy Briggs

it?
The easy answer is that any system that is configured to use full disk
encryption (LUKS is the default one on many distros.) will give you that
automatically.
You have not provided more detail to know if this is what you had in
mind or would be sufficient for your requirements. If you require the
daemon to write to encrypted log files, then you may be out of luck.

Post by Ranran
ran

- RGB
--
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit

Michael Halcrow

2018-11-27 23:01:47 UTC

Permalink

Post by Marko Horn
hello,
you can easily do an encrypted
/var/log/auditlog partition
and save the logs there

This has the disadvantage of reserving a fixed amount of disk space
for the logs. If you need that reserved disk space for something
else, you don't have it. If you end up needing more space for the
logs, you don't have it.

If you're using ext4 or f2fs, another option is to use their native
encryption capability. If you're using another local file system,
well, I haven't gotten around to ripping eCryptfs out of the kernel
yet, so there's also that.

Post by Marko Horn

Post by Richard Guy Briggs

The easy answer is that any system that is configured to use full disk
encryption (LUKS is the default one on many distros.) will give you that
automatically.
You have not provided more detail to know if this is what you had in
mind or would be sufficient for your requirements. If you require the
daemon to write to encrypted log files, then you may be out of luck.

Post by Ranran
ran

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit

Steve Grubb

2018-11-26 20:30:28 UTC

Permalink

Post by Ranran
Is there a way to encrypt the auditd logs which are saved to disk?
The system need to save logs from local into disk (not a remote
connection), but it should be saved encryped. Is there a way to do it

Typically audit logs are protected by virtue of needing root to read
anything. An untrusted root user is something Linux isn't designed for.

-Steve