mount -t cifs -o username=[USER],password=[PASSWORD] //[HOST]/[SHARE] /[MOUNT_POINT]
and when I checked system logs with journalctl I found that the entire command including the password is recorded.
How can I purge the credentials from the logs? In particular, where are the logs stored? I see many files in /var/log but I’m not sure which would contain this info.
And on a side note, why are credentials being logged??
Then is it possible to clear based on a search term such as “cifs”? Or a given date range?
I did find the logs at /var/log/journal/machine-id/ but there are many .journal files, some starting with “system” others with “user” and they do not open properly in a text editor.
Because if you can modify the logs, then someone who gains access to your machine can do it as well. And in fact it’s widely known that when some system is compromised, a good attacker knows to clean all the traces of the compromise from the system logs so that the fact of the compromise would go unnoticed.
Systemd’s binary immutable logs were designed to solve exactly this problem – as far as I understand.
The whole command you enter is logged – and always has been, that’s not systemd’s fault. It’s widely known and considered a bad practice to provide credentials as options on a cli command invocation. In addition to
usually can also provide them after command invocation, interactively – and then the credentials aren’t logged.
So instead of
mount -t cifs -o username=[USER],password=[PASSWORD] //[HOST]/[SHARE] /[MOUNT_POINT]
you could issue
mount -t cifs -o username=[USER] //[HOST]/[SHARE] /[MOUNT_POINT]
and mount replies:
Password for username@host/share:
and you enter your password interactively. As far as I know, in such a case the password isn’t logged. Of course, it can be used only if you’re issuing commands interactively; for an entry in fstab or automatic mounting from a script you’ll have to use the ways @vgaetera mentioned.
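
For the non-interactive case in the last post (fstab or a script), here is an added example that is not taken from any post in this thread. It assumes mount.cifs's `credentials=` option; the function names and sample paths are hypothetical. It also includes a filter that shows which log lines carry an inline `password=`, with the value masked.

```shell
#!/bin/sh
# Added example: keep the CIFS password out of argv, and find where it leaked.
# Function names and file paths are hypothetical.

# Write a mount.cifs credentials file that only its owner can read.
#   $1 = path of the credentials file, $2 = user name
# The password is read from stdin, so it never appears on a command line.
# (At a terminal, run `stty -echo` first so the input is not displayed.)
write_cifs_credentials() (
    umask 077                                   # new files start as 0600
    IFS= read -r cifs_pass || [ -n "$cifs_pass" ] || exit 1
    # Create/empty the file and tighten its mode before the secret goes in,
    # in case it already existed with wider permissions.
    : > "$1" && chmod 600 "$1" || exit 1
    # printf is a shell builtin: the password is not passed to a new process.
    printf 'username=%s\npassword=%s\n' "$2" "$cifs_pass" > "$1"
)

# Build the mount command that references the file instead of the secret.
#   $1 = credentials file, $2 = //HOST/SHARE, $3 = mount point
cifs_mount_cmd() {
    printf 'mount -t cifs -o credentials=%s %s %s\n' "$1" "$2" "$3"
}

# Read log text on stdin and print only the lines that contain an inline
# password= option, with the value masked so the review does not leak it again.
# Typical input: journalctl -o short | masked_password_lines
masked_password_lines() {
    sed -n -E 's/(password=)[^, ]+/\1[REDACTED]/gp'
}
```

The same `credentials=` option can be used in the options field of an fstab entry in place of `username=` and `password=`.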