Forward Secure Sealing (FSS) lets systemd's journald cryptographically "seal" the system logs at regular time intervals, so that if your machine is hacked the attacker cannot alter the log history without detection (but can still delete it entirely). It works by generating a key pair consisting of a "sealing key" and a "verification key".
Read more at https://eprint.iacr.org/2013/397
Okay, let's set it up. We will use CentOS 7 for this walkthrough.
As root, let's set up the keys.
[root@centos7-test1 ~]# journalctl --setup-keys
/var/log/journal is not a directory, must be using persistent logging for FSS.
Hmm, that is not possible yet: journald is still using volatile storage under /run, which is mounted on tmpfs. So we first enable persistent storage for journald.
- As root, create the directory: mkdir -p /var/log/journal
- Edit /etc/systemd/journald.conf and uncomment (and set) the following:
  - Storage=persistent
  - Seal=yes
- Restart journald with the command systemctl restart systemd-journald
- Rerun the command journalctl --setup-keys. See screenshot below.
- Now we verify the log with the command
[root@centos7-test1 ~]# journalctl --verify
PASS: /var/log/journal/e25a4e0b618f43879af033a74902d0af/system.journal
Looks good. Although I am not sure what the verify key is for: even when a different verify key is used, it always passes. Probably it will fail if the logging is tampered with.
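The procedure above collected into a script, as an added example that is not part of the original post. It assumes a systemd host with journald FSS support (CentOS 7 qualifies); the config-editing helpers work on any file, the final steps need root.

```shell
#!/bin/sh
# Added example (not from the original post): enable persistent journald
# storage and FSS sealing in journald.conf, then set up and verify the keys.

# Set KEY=VALUE in a journald.conf-style file. Replaces a commented
# ("#Key=...") or active line in place; appends the key if it is absent.
set_journald_option() {
    conf="$1"; key="$2"; value="$3"
    if grep -q "^#*${key}=" "$conf"; then
        sed -i "s|^#*${key}=.*|${key}=${value}|" "$conf"
    else
        printf '%s=%s\n' "$key" "$value" >> "$conf"
    fi
}

# Apply the two settings the walkthrough relies on: keep the journal on disk
# (FSS refuses to work on the tmpfs-backed /run) and turn sealing on.
enable_fss_config() {
    set_journald_option "$1" Storage persistent
    set_journald_option "$1" Seal yes
}

# Full procedure; must run as root on a systemd host.
setup_fss() {
    mkdir -p /var/log/journal
    enable_fss_config /etc/systemd/journald.conf
    systemctl restart systemd-journald
    # Prints the verification key; record it somewhere off this machine,
    # since a verification key that lives next to the logs proves nothing.
    journalctl --setup-keys
    journalctl --verify
}

# Run the real setup only when explicitly asked: ./fss-setup.sh --apply
if [ "${1:-}" = "--apply" ]; then
    setup_fss
fi
```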