Firstly, I had a question about this. I did not think it would be difficult to find through Google, but that is my bad.
The how-to is simple, but I could not find exact information on it even after spending an hour on Google...
I asked ChatGPT, but it only confused me more, because it gave me fake information.
Actually, almost every article only covers TLS encryption for secure communication with a remote log server.
(Link: Secure Log-Server with Rsyslog on Oracle Linux)
Anyway, I will quickly share how to encrypt and decrypt Linux system log files via rsyslog.
Encryption of log files is available via the libgcrypt library.
In rsyslog, it is provided by the "lmcry_gcry.so" module.
- Install the lmcry_gcry.so module for the rsyslog service (this also installs all dependency packages):
# yum install rsyslog-crypto
- Load the module in /etc/rsyslog.conf
- Add module(load="lmcry_gcry") on any line
For example:
#### MODULES ####
module(load="lmcry_gcry")
- Define the encrypted files in /etc/rsyslog.conf (add or change every file that should be encrypted)
For example:
*.info;mail.none;authpriv.none;cron.none action(type="omfile" file="/var/log/messages" cry.provider="gcry" cry.keyfile="/etc/rs.key")
authpriv.* action(type="omfile" file="/var/log/secure" cry.provider="gcry" cry.keyfile="/etc/rs.key")
- Save and exit
- Generate the key file (must be 16 bytes or more)
For example:
# rscryutil -r 16 --write-keyfile /etc/rs.key
** -r: generate a random key of the given number of bytes
- Restart the rsyslog service
# systemctl restart rsyslog
- Check the rsyslog service for any errors
# systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2024-04-02 09:08:23 GMT; 4s ago
     Docs: man:rsyslogd(8)
           https://www.rsyslog.com/doc/
 Main PID: 43280 (rsyslogd)
    Tasks: 3 (limit: 35677)
   Memory: 1.1M
   CGroup: /system.slice/rsyslog.service
           └─43280 /usr/sbin/rsyslogd -n

Apr 02 09:08:23 instance-20231122-mltest systemd[1]: rsyslog.service: Succeeded.
Apr 02 09:08:23 instance-20231122-mltest systemd[1]: Stopped System Logging Service.
Apr 02 09:08:23 instance-20231122-mltest systemd[1]: Starting System Logging Service...
Apr 02 09:08:23 instance-20231122-mltest systemd[1]: Started System Logging Service.
Apr 02 09:08:23 instance-20231122-mltest rsyslogd[43280]: [origin software="rsyslogd" swVersion="8.2102.0-15.el8" x-pid="43280" x-info="htt>
Apr 02 09:08:23 instance-20231122-mltest rsyslogd[43280]: imjournal: journal files changed, reloading... [v8.2102.0-15.el8 try https://www>
Apr 02 09:08:23 instance-20231122-mltest rsyslogd[43280]: Libgcrypt warning: missing initialization - please fix the application
- Check the log file (the raw file is now unreadable)
# logger "Encryption Test"
# tail -n 3 /var/log/messages
@<O▒▒▒▒t▒▒▒)g▒▒▒=9▒▒dQ▒9▒ ▒▒W▒Zٖ-▒Y▒▒\_▒R▒(q2▒▒P▒▒ H▒▒▒A▒▒▒ʄ▒q#▒]▒S㔽2͕ ▒c▒|▒3|jH'ǀ▒▒
- Decrypt an encrypted file
# rscryutil -d -k /etc/rs.key /var/log/messages
Apr 3 03:05:30 instance-20231122-mltest systemd[1]: Started User Manager for UID 1000.
Apr 3 03:05:30 instance-20231122-mltest systemd[1]: Started Session 7 of user opc.
## To save the decrypted output to a file
# rscryutil -d -k /etc/rs.key /var/log/messages > messages.dec
Apr 2 09:20:01 instance-20231122-mltest systemd[1]: Starting system activity accounting tool...
Apr 2 09:20:01 instance-20231122-mltest systemd[1]: sysstat-collect.service: Succeeded.
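A post-setup check script for the procedure above, added here as an example (it is not part of the original post). It assumes the same paths as above (/etc/rs.key, /var/log/messages), that rscryutil is on PATH, and that it is run as root so logger and rsyslogd write to the same file:

```shell
#!/bin/sh
# Sanity checks for rsyslog file encryption (lmcry_gcry). Added example,
# not from the original post. Assumed paths: /etc/rs.key, /var/log/messages.

# 0 if the key file exists and has no group/other permission bits, so only
# its owner (the user rsyslogd runs as, root here) can read it.
keyfile_is_safe() {
    f="$1"
    [ -f "$f" ] || return 1
    # columns 5-10 of `ls -ld` are the group and other permission bits
    bits=$(ls -ld "$f" | cut -c5-10)
    [ "$bits" = "------" ]
}

# 0 if the marker is visible in the raw file, i.e. the log is NOT encrypted
# (-a makes grep scan the binary file as text instead of just saying "matches").
marker_in_plaintext() {
    grep -aq -- "$2" "$1"
}

# 0 if rscryutil decrypts the file with the key and the marker appears.
marker_in_decrypted() {
    rscryutil -d -k "$2" "$1" 2>/dev/null | grep -q -- "$3"
}

# Full check: write a marker via logger, then confirm it is unreadable in the
# raw file but recoverable through rscryutil with the key file.
verify_encrypted_log() {
    log="${1:-/var/log/messages}"; key="${2:-/etc/rs.key}"
    marker="rsyslog-crypto-check-$$"
    keyfile_is_safe "$key" || { echo "FAIL: $key missing or readable by group/other"; return 1; }
    logger -- "$marker"; sleep 1   # give rsyslogd a moment to flush the record
    if marker_in_plaintext "$log" "$marker"; then
        echo "FAIL: marker found in plaintext in $log (encryption not active?)"; return 1
    fi
    marker_in_decrypted "$log" "$key" "$marker" || { echo "FAIL: rscryutil could not recover the marker"; return 1; }
    echo "OK: $log is encrypted and decrypts with $key"
}

if [ "${1:-}" = "--run" ]; then
    verify_encrypted_log "$2" "$3"
fi
```

Run it as `sh check.sh --run /var/log/messages /etc/rs.key`; a key file that passes `ls -ld` with mode 0600 is what the keyfile check expects.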
Of course, rsyslog and the crypto module do not recommend using this library in a production environment.
(In my opinion, key management and enc/dec management are not easy and are vulnerable.)
But it is a very simple way to keep log files secure.