Sanitize credentials from system logs: where are logs stored?

I mounted shares with:

mount -t cifs -o username=[USER],password=[PASSWORD] //[HOST]/[SHARE] /[MOUNT_POINT]

and when I checked system logs with journalctl I found that the entire command including the password is recorded.

How can I purge the credentials from the logs? In particular, where are the logs stored? I see many files in /var/log but I’m not sure which would contain this info.

And on a side note, why are credentials being logged??

Because you provided them as an option.
See the mount.cifs manual and use an environment variable or a credentials file.

2 Likes

I don’t want to clear the logs, just redact the credentials.

Then is it possible to clear based on a search term such as “cifs”? Or a given date range?

I did find the logs at /var/log/journal/machine-id/ but there are many .journal files, some starting with “system” others with “user” and they do not open properly in a text editor.

You can’t, it is designed this way to avoid security issues:

No, the ability to modify system logs is a security flaw.

The data is saved in a binary format:
https://www.freedesktop.org/wiki/Software/systemd/journal-files/

2 Likes

Just my two cents.

Because if you can modify the logs, then someone who gains access to your machine can do it as well. And in fact it’s widely known that when some system is compromised, the good attacker knows to clean all the traces of the compromise from the system logs so that the fact of the compromise would go unnoticed.

Systemd’s binary immutable logs were designed to solve exactly this problem – as far as I understand.

The whole command you enter is logged – and always has been, that’s not systemd’s fault. It’s widely known and considered a bad practice to provide credentials as options on a cli command invocation. In addition to

usually can also provide them after command invocation, interactively – and then the credentials aren’t logged.

So instead of

mount -t cifs -o username=[USER],password=[PASSWORD] //[HOST]/[SHARE] /[MOUNT_POINT]

you could issue

mount -t cifs -o username=[USER] //[HOST]/[SHARE] /[MOUNT_POINT]

and mount replies:

Password for username@host/share:

and you enter your password interactively. As far as I know, in such a case the password isn’t logged. Of course, it can be used only if you’re issuing commands interactively; for an entry in fstab or automatic mounting from a script you’ll have to use the ways @vgaetera mentioned.

5 Likes
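
The credentials-file approach recommended in the replies above, sketched as an added example (not code from any poster in this thread). The function names and sample values are hypothetical; `credentials=` and the `username=`/`password=` file lines are the format described in the mount.cifs manual.

```shell
#!/bin/sh
# Added example: keep the CIFS password out of argv (and so out of the
# journal and shell history) by using a mount.cifs credentials file.

# write_cifs_credentials FILE USER   (hypothetical helper)
# Reads the password from stdin, so it never appears on a command line.
write_cifs_credentials() {
    cred_file=$1
    cred_user=$2
    # Accept input with or without a trailing newline; fail on empty input.
    IFS= read -r cred_pass || [ -n "$cred_pass" ] || return 1
    (
        umask 077                  # new file is owner-only from creation
        rm -f -- "$cred_file"      # do not inherit an older file's wider mode
        printf 'username=%s\npassword=%s\n' "$cred_user" "$cred_pass" \
            > "$cred_file"
    ) || return 1
    chmod 600 -- "$cred_file"
}

# cifs_mount_command FILE SHARE MOUNTPOINT   (hypothetical helper)
# Prints the mount command to run; it names the file, not the secret.
cifs_mount_command() {
    printf 'mount -t cifs -o credentials=%s %s %s\n' "$1" "$2" "$3"
}

# leaks_password COMMAND_LINE   (hypothetical helper)
# Returns 0 if a command line carries an inline password= option,
# i.e. the form that ended up in the journal in the original question.
leaks_password() {
    case $1 in
        *password=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Typical use, run as root (values are placeholders):
#   write_cifs_credentials /root/.cifs-share.cred [USER]    # type password, Enter
#   $(cifs_mount_command /root/.cifs-share.cred //[HOST]/[SHARE] /[MOUNT_POINT])
```

The same `credentials=` option can be placed in the options field of an fstab entry, which covers the automatic-mount case mentioned in the last reply.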
