replacing rsyslogd in minimal with journald [was Re: systemd requires HTTP server and serves QR codes]
kay at vrfy.org
Wed Oct 10 16:13:16 UTC 2012
On Wed, Oct 10, 2012 at 5:05 PM, Miloslav Trmač <mitr at volny.cz> wrote:
> On Tue, Oct 9, 2012 at 11:24 PM, Lennart Poettering <mzerqung at 0pointer.de> wrote:
>> which syslog does not: for example per-service rate limits,
> False. http://www.rsyslog.com/doc/imuxsock.html, "There is input rate
> limiting available", currently enabled by default in Fedora.
Insufficient in rsyslog. And it's right what Lennart said. This really
needs to be per service/user not per pid. Pids are almost entirely
useless to key-off here.
>> unfakable meta-data for log messages.
> False: http://www.rsyslog.com/doc/imuxsock.html, "trusted syslog
> properties are available" (and in v7 they can be enabled in the Fedora
> configuration by default)
It's well meant, but really, it sounds more like a joke. Adding
"garbage" to the end of the human readable plain text is not
comparable with the journal.
> On Wed, Oct 10, 2012 at 12:08 AM, Lennart Poettering
> <mzerqung at 0pointer.de> wrote:
>> I am not a security guy, but having
>> logs where unprivileged users cannot insert undetectable fakes
> (Re: the implied claim that systemd provides that):
It surely does provide it. Rsyslog can do something similar, but
really, with pushing stuff into plain text files, mixing it into the
human readable message it can't really get too far without creating a
mess in the files.
> For the "unprivileged user" part, see above.
> For the cryptographic protection, false.
It's not about tamper-proof log files, it was about unfakeable message
> defaults to 15 minutes, which is an eternity.
The sealing was not even mentioned, but it's still better than
nothing. And 15 min are the current default, and this will change as
soon as the details are hashed out to efficiently move the sealing
forward in time.
>  An adjective belongs here. I can think of about 10 candidates,
> but I feel too ill and grumpy to trust myself to choose well.
I'm sure you should wait until you are back to full speed. You
comparision seem pretty bad researched. :)
More information about the devel