* Q: encrypted log
From: Ranran @ 2018-11-24 15:37 UTC (permalink / raw)
  To: linux-audit

Hello,

Is there a way to encrypt the auditd logs which are saved to disk?
The system needs to save logs from local into disk (not a remote
connection), but it should be saved encrypted. Is there a way to do it?

Thank you,
ran


* Re: Q: encrypted log
From: Richard Guy Briggs @ 2018-11-26 18:37 UTC (permalink / raw)
  To: Ranran; +Cc: linux-audit

On 2018-11-24 17:37, Ranran wrote:
> Hello,
> 
> Is there a way to encrypt the auditd logs which are saved to disk?
> The system needs to save logs from local into disk (not a remote
> connection), but it should be saved encrypted. Is there a way to do it?

The easy answer is that any system that is configured to use full disk
encryption (LUKS is the default one on many distros.) will give you that
automatically.

You have not provided more detail to know if this is what you had in
mind or would be sufficient for your requirements.  If you require the
daemon to write to encrypted log files, then you may be out of luck.

> ran

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: Q: encrypted log
From: Steve Grubb @ 2018-11-26 20:30 UTC (permalink / raw)
  To: linux-audit

On Saturday, November 24, 2018 10:37:41 AM EST Ranran wrote:
> Is there a way to encrypt the auditd logs which are saved to disk?
> The system needs to save logs from local into disk (not a remote
> connection), but it should be saved encrypted. Is there a way to do it

Typically audit logs are protected by virtue of needing root to read 
anything. An untrusted root user is something Linux isn't designed for. 

-Steve


* Re: Q: encrypted log
From: Marko Horn @ 2018-11-27  6:08 UTC (permalink / raw)
  To: linux-audit


hello,
you can easily do an encrypted
/var/log/auditlog partition
and save the logs there


* Re: Q: encrypted log
From: Michael Halcrow @ 2018-11-27 23:01 UTC (permalink / raw)
  To: weber; +Cc: linux-audit

On Mon, Nov 26, 2018 at 10:15 PM Marko Horn <weber@zbfmail.de> wrote:
>
> hello,
> you can easily do an encrypted
> /var/log/auditlog partition
> and save the logs there

This has the disadvantage of reserving a fixed amount of disk space
for the logs.  If you need that reserved disk space for something
else, you don't have it. If you end up needing more space for the
logs, you don't have it.

If you're using ext4 or f2fs, another option is to use their native
encryption capability.  If you're using another local file system,
well, I haven't gotten around to ripping eCryptfs out of the kernel
yet, so there's also that.
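
Added example, not part of the original thread or of the audit project's code: a check for whether the auditd log file sits on a dm-crypt (LUKS) backed volume, which is the full-disk and encrypted-partition case suggested above. The function names and the sample inputs are constructed for illustration; the live run at the bottom assumes the usual /etc/audit/auditd.conf location and an lsblk binary.

```python
import subprocess

# Constructed sample inputs (not taken from a real host).
SAMPLE_CONF = "# auditd.conf\nlog_file = /var/log/audit/audit.log\nlog_group = root\n"
SAMPLE_MOUNTS = (
    "/dev/mapper/vg-root / ext4 rw,relatime 0 0\n"
    "/dev/sda1 /boot ext4 rw,relatime 0 0\n"
    "/dev/mapper/vg-audit /var/log/audit ext4 rw,nosuid,nodev,noexec 0 0\n"
)
# Shape of `lsblk -s -rpno NAME,TYPE /dev/mapper/vg-audit`: the device, then its ancestors.
SAMPLE_LSBLK = ("/dev/mapper/vg-audit lvm\n/dev/mapper/luks-sda2 crypt\n"
                "/dev/sda2 part\n/dev/sda disk\n")

def audit_log_path(conf_text, default="/var/log/audit/audit.log"):
    """Return the log_file value from auditd.conf text, or auditd's default path."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "log_file" and value:
                return value
    return default

def backing_mount(path, mounts_text):
    """Longest-prefix match of path against /proc/mounts text -> (source, mountpoint)."""
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        source, mnt = fields[0], fields[1]
        prefix = mnt.rstrip("/") + "/"
        # >= so that a later mount on the same mountpoint shadows an earlier one
        if (path + "/").startswith(prefix) and (best is None or len(mnt) >= len(best[1])):
            best = (source, mnt)
    return best

def on_dm_crypt(lsblk_inverse_text):
    """True if the device or any ancestor in the inverse lsblk listing has TYPE crypt."""
    return any(line.split()[-1:] == ["crypt"] for line in lsblk_inverse_text.splitlines())

if __name__ == "__main__":  # live check; reading auditd.conf normally needs root
    with open("/etc/audit/auditd.conf") as fh:
        path = audit_log_path(fh.read())
    with open("/proc/mounts") as fh:
        source, mnt = backing_mount(path, fh.read())
    out = subprocess.run(["lsblk", "-s", "-rpno", "NAME,TYPE", source],
                         capture_output=True, text=True).stdout
    print(f"{path}: {source} on {mnt}, dm-crypt backed: {on_dm_crypt(out)}")
```

A True result covers the block-device case only (including LVM on top of LUKS); per-directory ext4/f2fs encryption is not detected by this check.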
