Re: [systemd-devel] how to encrypt journalctl metadata
On Thu, 18.08.16 15:55, Mikhail Kasimov (mikhail.kasi...@gmail.com) wrote:

> Hello! Personally, don't we have a philosophical contradiction here? -- Journal is
> positioned as a syslog alternative with wider functionality, but in the
> current case we offer to turn off the whole journal to make its functionality only
> a transport. No problem, but is an RFE to incorporate an ExcludeMetaData=
> parameter into journald.conf acceptable here?

No, we explicitly never had the goal to be as featureful as rsyslog or syslog-ng. The journal has a different feature set, and puts a strong emphasis on structured log events, implicit metadata and indexed lookups. It's completely OK if people look for a different feature set, and it's easy to install a different logger side-by-side with journald; it will get all the same data the journal gets.

Quite frankly, I am very much against turning the journal into something that processes log data at collection time with matches and regexes and suchlike.

If you don't want the journal to collect metadata, then the journal is probably not the tool you want, but something else, and in that case turn storage in it off, and just use it as a multiplexer that collects data from all the various sources and passes it to the syslog implementation of your choice.

Of course, you'll lose all the journal hook-up in tools like "systemctl status" if you don't use the journal, but I think that's a fair deal.

Lennart

-- 
Lennart Poettering, Red Hat

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] how to encrypt journalctl metadata
Ok, thanks for making this aspect more clear!

18.08.2016 18:00, Lennart Poettering wrote:

> On Thu, 18.08.16 15:55, Mikhail Kasimov (mikhail.kasi...@gmail.com) wrote:
>
>> Hello! Personally, don't we have a philosophical contradiction here? -- Journal is
>> positioned as a syslog alternative with wider functionality, but in the
>> current case we offer to turn off the whole journal to make its functionality only
>> a transport. No problem, but is an RFE to incorporate an ExcludeMetaData=
>> parameter into journald.conf acceptable here?
>
> No, we explicitly never had the goal to be as featureful as rsyslog or syslog-ng. The journal has a different feature set, and puts a strong emphasis on structured log events, implicit metadata and indexed lookups. It's completely OK if people look for a different feature set, and it's easy to install a different logger side-by-side with journald; it will get all the same data the journal gets.
>
> Quite frankly, I am very much against turning the journal into something that processes log data at collection time with matches and regexes and suchlike.
>
> If you don't want the journal to collect metadata, then the journal is probably not the tool you want, but something else, and in that case turn storage in it off, and just use it as a multiplexer that collects data from all the various sources and passes it to the syslog implementation of your choice.
>
> Of course, you'll lose all the journal hook-up in tools like "systemctl status" if you don't use the journal, but I think that's a fair deal.
>
> Lennart
Re: [systemd-devel] how to encrypt journalctl metadata
Hello!

Personally, don't we have a philosophical contradiction here? -- Journal is positioned as a syslog alternative with wider functionality, but in the current case we offer to turn off the whole journal to make its functionality only a transport. No problem, but is an RFE to incorporate an ExcludeMetaData= parameter into journald.conf acceptable here?

Syntax:

ExcludeMetaData=[meta[=keyword1,keyword2,...keywordN]]

For the current use case: ExcludeMetaData=_CMDLINE. Or, to make it more flexible: ExcludeMetaData=_CMDLINE=[keyword1],[keyword2],...[keywordN]. E.g.:

===
ExcludeMetaData=_CMDLINE=pass,password
ExcludeMetaData=_UID=1000,k_mikhail
===

to exclude defined parameters. Or:

===
ExcludeMetaData=_CMDLINE
ExcludeMetaData=_UID
===

to exclude common (whole) metadata. Acceptable?

18.08.2016 14:25, Lennart Poettering wrote:

> On Wed, 17.08.16 12:10, Divya Thaluru (divya.thal...@gmail.com) wrote:
>
>> Hi,
>>
>> Journalctl stores metadata like "_UID,_GID,_CMDLINE,_SYSTEMD_CGROUP etc…"
>> for each message. Is there any way we can encrypt metadata (commandline
>> info) so sensitive information won't be stored?
>>
>> If encryption of metadata is not possible, can we disable collecting the
>> metadata?
>
> The journal does not support encryption, and it does not disable collecting metadata implicitly. You may however turn off all storage by the journal by setting Storage=none in journald.conf. In that mode you may optionally connect another syslog daemon to it via ForwardToSyslog=yes, which implements the features you are looking for.
>
> Lennart
Re: [systemd-devel] how to encrypt journalctl metadata
On Wed, 17.08.16 13:02, Divya Thaluru (divya.thal...@gmail.com) wrote:

> Thanks Mantas!!! In my case, metadata "cmdline" had sensitive information
> which I do not intend to store. Is there any way to disable collecting
> metadata?

If your cmdline field contains sensitive information then you really should work on that and not include the sensitive information there. The cmdline field is generally exposed to users, and hence unsafe for passwords and suchlike, regardless of whether you use the journal or not.

Lennart

-- 
Lennart Poettering, Red Hat
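Lennart's point in this reply is that the journal's _CMDLINE field is only a copy of /proc/<pid>/cmdline, which every local user can already read, so the secret leaks whether or not journald stores it. The following is an added example, not code from the thread or from systemd: it spawns a child with a constructed sample secret on its command line, reads the child's cmdline the same way an unprivileged user (or journald) would, and then shows the same hand-over through an environment variable, whose /proc/<pid>/environ is readable only by the same UID and root. The SECRET value, the DB_PASSWORD variable name and the --password / --password-env flags are invented for the demonstration.

```python
"""Added example (not from the thread or systemd): a secret passed in argv
shows up in /proc/<pid>/cmdline, which is what journald records as _CMDLINE."""
import os
import subprocess
import sys

# Constructed sample value for the demonstration, not a real credential.
SECRET = "hunter2-constructed-sample"

# A child that just idles long enough for us to look at it.
IDLE = [sys.executable, "-c", "import time; time.sleep(30)"]


def cmdline_of(pid: int) -> str:
    """Read /proc/<pid>/cmdline, the source journald copies into _CMDLINE.
    The file is world-readable by default, so this needs no privileges."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return f.read().replace(b"\0", b" ").strip().decode("utf-8", "replace")


def inspect_child(argv, env=None) -> str:
    """Start a child with the given argv/env, capture its cmdline as any
    other local user could see it, then stop the child."""
    # Popen only returns after execve() has succeeded, so /proc already
    # reflects the child's own argv rather than ours.
    child = subprocess.Popen(argv, env=env, stdout=subprocess.DEVNULL)
    try:
        return cmdline_of(child.pid)
    finally:
        child.kill()
        child.wait()


def leaky(secret: str) -> str:
    """Anti-pattern: the secret is an argv element (hypothetical --password flag)."""
    return inspect_child(IDLE + ["--password", secret])


def via_env(secret: str) -> str:
    """Hand the secret over in the environment; argv only names the variable.
    /proc/<pid>/environ is restricted to the same UID and root, unlike cmdline."""
    env = dict(os.environ, DB_PASSWORD=secret)
    return inspect_child(IDLE + ["--password-env", "DB_PASSWORD"], env=env)


def leaks(secret: str, cmdline: str) -> bool:
    """True if the secret would end up verbatim in a journal entry's _CMDLINE."""
    return secret in cmdline


if __name__ == "__main__":
    for name, fn in (("argv", leaky), ("env ", via_env)):
        cl = fn(SECRET)
        print(f"{name} -> _CMDLINE would be {cl!r}; leaks={leaks(SECRET, cl)}")
```

The environment is only a step up: it is still inherited by every child process and visible to anything running as the same user. A file readable only by the service user (mode 0600) whose path is given on the command line keeps the secret out of both cmdline and environ.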
Re: [systemd-devel] how to encrypt journalctl metadata
On Wed, 17.08.16 12:10, Divya Thaluru (divya.thal...@gmail.com) wrote:

> Hi,
>
> Journalctl stores metadata like "_UID,_GID,_CMDLINE,_SYSTEMD_CGROUP etc…"
> for each message. Is there any way we can encrypt metadata (commandline
> info) so sensitive information won't be stored?
>
> If encryption of metadata is not possible, can we disable collecting the
> metadata?

The journal does not support encryption, and it does not disable collecting metadata implicitly. You may however turn off all storage by the journal by setting Storage=none in journald.conf. In that mode you may optionally connect another syslog daemon to it via ForwardToSyslog=yes, which implements the features you are looking for.

Lennart

-- 
Lennart Poettering, Red Hat
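The configuration Lennart describes here, and again in his 18.08 follow-up at the top of the thread (journald kept only as a multiplexer: Storage=none plus ForwardToSyslog=yes), as an added example. This is not code from the thread or from the systemd project. It relies on the journald.conf.d drop-in directory documented in journald.conf(5); the file name 10-forward-only.conf and the optional directory argument are my own choices so the function can be tried in a scratch directory without root.

```sh
# Added example, not from the thread or systemd: write a journald drop-in
# that stops journald storing anything and forwards everything to syslog.
# $1 (optional) overrides the target directory, e.g. for a dry run.
write_forward_only_dropin() {
    dir="${1:-/etc/systemd/journald.conf.d}"
    conf="$dir/10-forward-only.conf"          # hypothetical file name
    mkdir -p "$dir"
    cat > "$conf" <<'EOF'
[Journal]
# Storage=none: nothing is written to /run/log/journal or /var/log/journal,
# so the implicit fields (_UID, _GID, _CMDLINE, _SYSTEMD_CGROUP, ...) are
# never stored by journald itself.
Storage=none
# Hand every message to the local syslog daemon over the
# /run/systemd/journal/syslog socket. The forwarded line carries the
# syslog identifier and PID, not the journal's trusted underscore fields.
ForwardToSyslog=yes
EOF
    printf '%s\n' "$conf"
}

# Check that a drop-in really puts journald into forward-only mode: both
# keys present, and no other Storage= line that could override the first.
is_forward_only() {
    grep -qx 'Storage=none' "$1" \
        && grep -qx 'ForwardToSyslog=yes' "$1" \
        && ! grep -Eq '^Storage=(persistent|volatile|auto)' "$1"
}

# Usage (as root): write_forward_only_dropin && systemctl restart systemd-journald
```

After the restart, `journalctl -f` shows no new entries and `systemctl status` loses its log excerpt, which is the trade-off Lennart mentions. The syslog daemon has to take its input from the socket journald forwards to (for rsyslog that is imuxsock on /run/systemd/journal/syslog), not from the journal files, since none are written in this mode.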
Re: [systemd-devel] how to encrypt journalctl metadata
On Wed, Aug 17, 2016 at 10:10 PM, Divya Thaluru wrote:

> Hi,
>
> Journalctl stores metadata like "_UID,_GID,_CMDLINE,_SYSTEMD_CGROUP etc…"
> for each message. Is there any way we can encrypt metadata (commandline
> info) so sensitive information won't be stored?
>
> If encryption of metadata is not possible, can we disable collecting the
> metadata?

Store your logs in a LUKS volume. There's no built-in encryption in journald.

And... quite frankly, I cannot imagine how a service name or its UID would be more sensitive than the messages themselves? It seems the opposite of every single system I've seen. The *messages* often contain sensitive information, whereas PIDs or service names are mostly generic info.

Just set up a LUKS container for /var/log.

-- 
Mantas Mikulėnas
Re: [systemd-devel] how to encrypt journalctl metadata
Thanks Mantas!!! In my case, metadata "cmdline" had sensitive information which I do not intend to store. Is there any way to disable collecting metadata?

Thanks,
Divya

On Wed, Aug 17, 2016 at 12:55 PM, Mantas Mikulėnas wrote:

> On Wed, Aug 17, 2016 at 10:10 PM, Divya Thaluru wrote:
>
>> Hi,
>>
>> Journalctl stores metadata like "_UID,_GID,_CMDLINE,_SYSTEMD_CGROUP
>> etc…" for each message. Is there any way we can encrypt metadata
>> (commandline info) so sensitive information won't be stored?
>>
>> If encryption of metadata is not possible, can we disable collecting the
>> metadata?
>
> Store your logs in a LUKS volume. There's no built-in encryption in
> journald.
>
> And... quite frankly, I cannot imagine how a service name or its UID would
> be more sensitive than the messages themselves? It seems the opposite of
> every single system I've seen. The *messages* often contain sensitive
> information, whereas PIDs or service names are mostly generic info.
>
> Just set up a LUKS container for /var/log.
>
> -- 
> Mantas Mikulėnas