:: Re: [DNG] ..forensics on systemd or…
Góra strony
Delete this message
Reply to this message
Autor: Arnt Gulbrandsen
Data:  
Dla: dng
Temat: Re: [DNG] ..forensics on systemd or journald logs, was: rc.local removed from Debian 9, rly?
Arnt Karlsen writes:
> you appear to suggest that law enforcement wanting to read systemd
> journal logs, _should_ depend on the mercy of systemd developers not
> "filtering" away inconvenient evidence of e.g. systemd developer
> wrongdoing from said law enforcement.


That's routine. Few readers read everything that can be read. For example,
look at postgres. Its binary file format reveals quite a bit more than you
can get using psql, and by design: The writer and binary format are
intended for storing things quickly and reliably, and the reader for
reading what was stored. Anything that's in the file but wasn't stored by
instruction of an SQL user is uninteresting to psql, and the file format
writer has no particular reason to avoid storing other information.

If you really want to look at the details in postgres, you can take a good
guess at whether two rows were inserted at the same time or one later than
the other.

That's why forensics people use the files. Systemd is about the millionth
system to join the club. Flame postgres and vast numbers of others before
you flame systemd. Or better yet, limit your statements about systemd to
what's correct.

Arnt