On Tue, Dec 27, 2011 at 12:16 AM, Cristian Rodríguez
> "in the journal all entries are cryptographically hashed along with the hash
> of the previous entry in the file. This results in a chain of entries, where
> each entry authenticates all previous ones. If the top-most hash is
> regularly saved to a secure write-once location, the full chain is
> authenticated by it."
>
> So tampering with any entry will cause a mismatch that can be easily detected;
> the attacker would have to rewrite the _whole_ content of the history of a
> particular user (journald stores 1 log for each system user).
That's quite naive.
Usually, you just want to fake or delete the last few records.
Deleting is quite simple.
Altering the latest records too, since they haven't yet been backed up.
In fact, even without hashes, if you back up your logs, you can
authenticate against the backups.
So, the hashes are useless complexity.
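
A simplified model of the hash chain discussed in this thread, as an added example that is not part of the original messages and does not reproduce journald's on-disk format. It shows which changes an internal chain check and a saved top hash each detect; the use of SHA-256, the function names and the log entries are assumptions constructed for illustration.

```python
import hashlib

GENESIS = b"\x00" * 32  # assumed fixed starting value for the chain

def link(prev: bytes, entry: str) -> bytes:
    """Hash one entry together with the hash of the previous entry."""
    return hashlib.sha256(prev + entry.encode()).digest()

def build(entries):
    """Return [(entry, chained_hash), ...] as a toy stand-in for the log file."""
    out, prev = [], GENESIS
    for e in entries:
        prev = link(prev, e)
        out.append((e, prev))
    return out

def chain_ok(log):
    """Internal check: every stored hash matches a recomputation."""
    prev = GENESIS
    for entry, stored in log:
        prev = link(prev, entry)
        if prev != stored:
            return False
    return True

def anchor_ok(log, anchor):
    """External check against an (index, hash) pair kept in write-once storage."""
    idx, saved = anchor
    return chain_ok(log) and len(log) > idx and log[idx][1] == saved

def demo():
    # Constructed sample entries, not real journal data.
    entries = ["boot", "login alice", "sudo alice", "login bob", "logout bob"]
    log = build(entries)
    anchor = (2, log[2][1])  # top hash saved after the third entry
    # Entry 1 changed, stored hashes left alone.
    edited = [(("login carol", h) if i == 1 else (e, h)) for i, (e, h) in enumerate(log)]
    # Entry 1 changed and every later hash recomputed.
    rehashed = build(["boot", "login carol"] + entries[2:])
    cases = {"untouched": log, "edited": edited, "rehashed": rehashed,
             "cut_after_anchor": log[:3], "cut_before_anchor": log[:2]}
    # Each result is (chain check passes, anchor check passes).
    return {name: (chain_ok(c), anchor_ok(c, anchor)) for name, c in cases.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} chain_ok={result[0]} anchor_ok={result[1]}")
```
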