HACK THE SYSTEM: systemd-journald | CentOS 7 totally crashed


2 Dec 2014

systemd-journald | CentOS 7 totally crashed

On several occasions, Lennart P. has said that the reason journald (the replacement for syslog) writes a binary log is that a binary log is more secure, not alterable by any intruder.
Well... I say that Lennart P. is a bad programmer and a worse security guy.
The thing is that LP says binary logs are like the Terminator, indestructible. LP's point is that in case of a hack, editing a binary log is not possible, or it is obvious that the log was edited.

Well, editing either the journal or syslog needs root privileges, so editing syslog is a bit more complex, because you have to edit every line, and make each line match the secure log, the audit log and the auth log, and if you have a NIDS, even more logs.

Using the journal, by editing only the system.journal file, you have NO LOG after that, and if it is edited in the right way, the system crashes completely, so customers are calling at 3am because the server hung over a stupid binary LOG.

The reason is that systemd is a big pig hanging off PID 1, so if any piece of systemd is affected, the whole system crashes.

The VUA guys from Devuan, and other experts, have said this, but LP and Red Rat don't listen, so I recorded a video to show it. If you are running a CentOS 7 or RHEL7 server... be careful, switch to BSD or wait for the Devuan release :)

Summing up:

If you have a syslog system, the old system, to access the log you need root, right? To access the journald log you need root, right? Both logging systems need root, or uid 0.

When systemd was released, Lennart said that the reason for binary rather than plain-text logger output is that a plain-text log can easily be modified and read by some person X, while a binary, proprietary log is more secure. That is true, BUT.

Actual result with journald:

1.- If you have an old UNIX-like system, CentOS 6.x, using rsyslog, and you are hacked, the logs can be edited or deleted, and eventually you will find out that your server was pwned if you use a NIDS, an IDS, or compare all the logs and their timestamps (stat command).

2.- If you are using a modern Windows-like systemd with CentOS 7 or RHEL7, and you are hacked, the log can be edited; the result? No log, empty.

Or (50% probability or more) the log is set to zero, empty, AND the server crashes. No security added, just one advantage? You only need to look at today's log to know that you were pwned, but the cost? Stability.
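A defender's check for the "empty log" outcome described above, as an added example (not code from this post or from the systemd project): a hypothetical `check_journal_dir` helper that reports zero-byte journal files in a journal directory (using stat for the modification time, as the post suggests for syslog) and, on request, also runs journald's own `journalctl --verify` over that directory.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the post): flag emptied
# journal files in DIR and optionally run journald's integrity check.
# Exit status: 0 = nothing suspicious, 1 = findings, 2 = usage error.
check_journal_dir() {
    dir=$1
    verify=${2:-no}    # pass "yes" as 2nd arg to also run journalctl --verify
    findings=0
    count=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # Active journals end in .journal; journald marks dirty ones with .journal~
    for f in "$dir"/*.journal "$dir"/*.journal~; do
        [ -e "$f" ] || continue           # glob matched nothing
        count=$((count + 1))
        if [ ! -s "$f" ]; then
            # A zero-byte journal is the "set to zero, empty" result the post
            # describes; record when it was last written (GNU or BSD stat).
            mtime=$(stat -c %y "$f" 2>/dev/null || stat -f %Sm "$f")
            echo "EMPTY: $f (last modified: $mtime)"
            findings=1
        fi
    done
    if [ "$count" -eq 0 ]; then
        echo "NO JOURNAL FILES in $dir"   # deleted rather than emptied
        findings=1
    fi
    if [ "$verify" = yes ] && command -v journalctl >/dev/null 2>&1; then
        # journald's own structural/hash verification of every file in DIR
        if ! journalctl --directory="$dir" --verify >/dev/null 2>&1; then
            echo "VERIFY FAILED: journalctl --verify reported problems in $dir"
            findings=1
        fi
    fi
    return $findings
}
```

Run it as `check_journal_dir /var/log/journal/$(cat /etc/machine-id) yes` from a cron job or a monitoring agent; a non-zero exit is the alert.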

So, is the binary log REALLY more secure, or is it a stupid design? Think about that.

Lennart likes Windows, remember that.
eventvwr = journalctl, userinit.exe/smss.exe + services.exe = systemd, winlogon = systemd-logind



11 comments:

  1. But if the red rat and the next Bill Gates (LP) say that everything is perfect in their second boot kernel, that it is incredibly secure, reliable, anti-hacker, anti-malware, etc.; that it is already tested, debugged and ready to be used on dedicated servers, how is it possible that this happens!!!
    Could it just be a small bug that slipped past them?
    It's nothing out of this world; that's what the devdeb guys are for, they will find the solution and everyone will be happy with the Winx/Linux reconversion.

  2. hahahaha, let's say I only started looking at it because a Fedora member hanging around Devuan egged me on, taunted me so to speak, saying that nothing happened, that they didn't get corrupted... not only do they get corrupted but on top of that they crash the server, what a Windows-style marvel the kid with the dumb little face and the red rats have achieved

  3. Good bug found, it's not something to joke about from what I see..... This bug can shut the mouth of more than one who said it was secure.......

    Good for you. Whatever happens I won't use systemd, I'd rather go to FreeBSD......

  4. secure and stable, CentOS 7, servers, what a joke.

  5. I find it hard to believe that it has such huge bugs and has been massively adopted by almost every distribution, especially for servers.

  6. https://www.reddit.com/r/LinuxActionShow/comments/2nv4hp/ask_lennart_poettering_a_question/

  7. Interesting, but I doubt he'll answer me; besides, it would be a discussion more than a question, and it's notable that when something doesn't sit right with him, he changes the subject or answers something else. Anyway, I'll give it a try.

  8. What's harder to believe is that CentOS 7 is a binary clone of RHEL7, which they charge you for and which is the enterprise product par excellence. Yes, truly a gross mistake on Debian's part to adopt it; that RH uses its own garbage is one thing, but Debian... it wiped its ass with that "universal operating system" thing, I want to see those servers running Debian with systemd haha. Luckily we're going to have Devuan.

  9. I'll translate it for DesdeLinux so they realize that SystemD on Debian is precisely the worst thing.

  10. the bug that caused the crash was fixed; the one where it doesn't recover wasn't, but at the time I already posted it on DesdeLinux in the comments and they called me a troll
