14

I have an Ubuntu 18.04 server that is running a service I'm developing. The output is being sent to the system journal for logging.

I accidentally failed to sanitize some logging and a plaintext password (for my own user) was accidentally leaked in the logs.

I have fixed the service's logging behavior. Now I simply want to edit the journal files to remove the lines with the plaintext password.

How do I edit a journalctl file?

Ashoat
  • 241
  • Related https://unix.stackexchange.com/q/139513/7453 – slm Jul 10 '18 at 22:48
  • Possible dup https://unix.stackexchange.com/q/272662/7453 – slm Jul 10 '18 at 22:52
  • https://askubuntu.com/q/864722/17531 shows the paths where logs are stored. I'd look there for your line and use an editor to delete what you want. – slm Jul 10 '18 at 23:00
  • In respect of that last, slm: You seem to be unaware of one of the most famous aspects of systemd's journal files, which ironically makes the explicit question here also the response to your question comment. (-: – JdeBP Jul 11 '18 at 06:38
  • Thanks for helping search @slm! I've seen all three of those.
    1. The first deals with how to truncate the logs, not how to remove a specific, single line.
    2. The second deals with how to remove lines on a per-unit basis, but not how to remove arbitrary lines.
    3. The third includes information on where the journal files are stored, but their format makes it impossible to parse through and find the specific line I want to remove.
     – Ashoat Jul 11 '18 at 19:10
  • @JdeBP - are you meaning that the logs are not meant to be edited and you're not suppose to try and reach into the files and muck with them? If so I'm aware, I'm only providing leads at this point, not fully baked answers 8-) – slm Jul 11 '18 at 19:36
  • @Ashoat - understood, so I think the answer to your Q is ultimately you cannot do what you want, and your only recourse is to truncate whatever service's logs but that's about all you can do here, and it's by design of journald. – slm Jul 11 '18 at 19:37
  • @JdeBP - you can now see the method to my "madness" 8-) – slm Jul 11 '18 at 19:38
  • 4
    It must be possible. It should at least be possible to scan the entire journal, grep -v out whatever I don't need, and then write all of the results to a new journal file. There is nothing technically preventing that from happening. It's just that there doesn't appear to be an existing tool to do the job. – Ashoat Jul 12 '18 at 03:00
  • The question is totally relevant, and useful for example if you are and administrator (or an 'etical' hacker) and for example you need to change the content on a file without changing the changing time (see this https://www.shellhacks.com/fake-file-access-modify-change-timestamps-linux/). – Luis Vazquez Apr 22 '19 at 21:55
  • 1
    Regardless whether you can solve your question or not. Better simply change the password. – rudimeier May 27 '20 at 11:33

2 Answers2

3

systemd's journal is designed to prevent this kind of tampering.

The journal file format is documented here and it describes its support for in-line Forward Secure Sealing:

Tag objects are used to seal off the journal for alteration. In regular intervals a tag object is appended to the file. The tag object consists of a SHA-256 HMAC tag that is calculated from the objects stored in the file since the last tag was written, or from the beginning if no tag was written yet. The key for the HMAC is calculated via the externally maintained FSPRG logic for the epoch that is written into epoch. The sequence number seqnum is increased with each tag. [..]

see Tag Object

What you can do is clear the journal with the log entries from the time before you fixed the service (e.g. you fixed it two days ago):

journalctl --rotate --vacuum-time=2d

Source: How To Clear The systemd journal Logs

laktak
  • 5,946
  • 1
    According to the man page, --vacuum-time will only "Remove the oldest archived journal files until ...". If the entry in question is not archived (as it is in my case now), even journalctl --vacuum-time=1m won't remove it. I edited the answer to point this out. – 3VYZkz7t May 11 '21 at 14:20
  • @3VYZkz7t Thanks, you can actually do this in a single command. – laktak May 11 '21 at 18:28
-2
strings "$file" | grep "xxxxx"

will show your additions. However, that are binary files, I am not sure when manually editing, what consequences this might have. I use them only for reading.

Olaf
  • 81
  • 2
    "I am not sure when manually editing, what consequences this might have." While in general it is always a bad idea to edit binary files specially when you don't understand the format, for systemd journal files it is even a worst idea, as it uses Forward Secure Sealing, see https://lwn.net/Articles/512895/ – Patrick Mevzek Aug 24 '20 at 17:51