
On Tue, Dec 27, 2011 at 12:16 AM, Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
> "in the journal all entries are cryptographically hashed along with the hash of the previous entry in the file. This results in a chain of entries, where each entry authenticates all previous ones. If the top-most hash is regularly saved to a secure write-once location, the full chain is authenticated by it."
> So tampering with any entry will cause a mismatch that can be easily detected; the attacker would have to rewrite the _whole_ content of the history of a particular user (journald stores 1 log for each system user).
That's quite naive. Usually, you just want to fake or delete the last few records. Deleting is quite simple. Altering the latest records too, since they haven't yet been backed up. In fact, even without hashes, if you back up your logs, you can authenticate against the backups. So, the hashes are useless complexity.
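
The two positions in this thread, as an added example (not part of the original e-mails and not journald's code): a simplified SHA-256 hash chain checked against a head hash saved off-host, showing which changes a verifier detects and which it cannot. The chaining scheme, the `GENESIS` value, the sample log lines and all function names are assumptions made for illustration.

```python
import hashlib

GENESIS = b"\x00" * 32  # assumed initial "previous hash" for the first entry


def chain(entries):
    """Hash each entry together with the previous entry's hash."""
    prev, hashes = GENESIS, []
    for entry in entries:
        prev = hashlib.sha256(prev + entry.encode()).digest()
        hashes.append(prev)
    return hashes


def verify(entries, stored, anchors):
    """Check a log (entries + stored per-entry hashes) against saved anchors.

    anchors maps an entry count to the head hash saved off-host at that count.
    Returns a list of findings; an empty list means nothing was detected.
    """
    findings = []
    good = chain(entries)
    for i, (want, have) in enumerate(zip(good, stored)):
        if want != have:
            findings.append(f"entry {i}: stored hash breaks the chain")
            break
    for count, head in sorted(anchors.items()):
        if count > len(entries):
            findings.append(f"anchor {count}: log is shorter than anchored length")
        elif good[count - 1] != head:
            findings.append(f"anchor {count}: head hash mismatch")
    return findings


# Constructed sample log; the anchor was saved when the log held 4 entries.
LOG = [f"Dec 27 00:0{i}:00 host sshd: event {i}" for i in range(6)]
HASHES = chain(LOG)
ANCHORS = {4: HASHES[3]}


def scenarios():
    edited = ["Dec 27 00:00:00 host sshd: altered"] + LOG[1:]
    return {
        "untouched": verify(LOG, HASHES, ANCHORS),
        "old entry edited, hashes left alone": verify(edited, HASHES, ANCHORS),
        "old entry edited, hashes recomputed": verify(edited, chain(edited), ANCHORS),
        "tail after anchor dropped": verify(LOG[:4], HASHES[:4], ANCHORS),
        "cut below anchor": verify(LOG[:3], HASHES[:3], ANCHORS),
    }
```

Only entries covered by an anchor are protected: the dropped tail after the last saved head hash yields no finding, so detection coverage depends on how often the head hash is exported.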