Fedora – How to get access to the root journal for systemd

fedorasystemdsystemd-journald

When I execute journalctl -f -a under Fedora 20 for different users I get different results. For root I get something similar to tail -f /var/log/syslog on older systems. As normal user I get gnome-shell warnings, some su messages, stuff Firefox writes to stdout etc. – basically a user session log.

I understand that journalctl has the concept of different journals (journalctl(1)):

Output is interleaved from all accessible journal files, whether they are rotated or currently being written, and regardless of whether they belong to the system itself or are accessible user journals.

But how to get list which journals are available for a given user?

And how to give a normal user also access to the root journal?

The journalctl man page states:

All users are granted access to their private per-user journals. However, by default, only root and users who are members of the "systemd-journal" group get access to the system journal and the journals of other users.

But this sounds like too much – the user should not have access to the journals of other normal users (just to the root journal).

Best Answer

The systemd-journald man page explains how journal access control is done:

Journal files are, by default, owned and readable by the "systemd-journal"
system group but are not writable. Adding a user to this group thus enables
her/him to read the journal files.

By default, each logged in user will get her/his own set of journal files in
/var/log/journal/. These files will not be owned by the user, however, in order
to avoid that the user can write to them directly. Instead, file system ACLs
are used to ensure the user gets read access only.

Additional users and groups may be granted access to journal files via file
system access control lists (ACL).

Fedora 20 uses ACLs to give users in the adm and wheel groups read access to all the journals.

how to give a normal user also access to the root journal?

Run setfacl -n -m u:username:r /var/log/journal/*/system.journal .

how to get list which journals are available for a given user?

You can su to the user and run journalctl --header|grep '^File Path' to see the names of the journals he or she has access to.

getfacl can be used to see which groups and users have access to journal files. I don't know of a simple way to list the files that are readable by a specific user.

Related Solutions

Log every command typed in any shell: output (from logger function to syslog-ng/journald) contains duplicate entries for commands

You have a lot going on there..... My best answer to this is to explain simply how I have seen session logging done in the past. Hopefully that will give you some options to explore.

As you have already mentioned, pulling the bash history from the user accounts. This only works after the session has ended. Not really the best option but it's easy and reliable.
Using a virtual terminal such as the screen command in Linux. This is not very robust as it starts on the user login however if they know it's being logged you can still kill the service. This works well in an end-user scenario. End users generally are trapped in a specified area anyway and don't have the knowledge to get around this.
Pam_tty_audit module & aureport --tty This is a tool that allows you to specify which users get logged and allow you to specify the storage location of said logs... as always keep the logs off of the host server. I have the session logs on our SFTP server being copied off to a central logging server and a local cronjob moving them to a non shared location for archive.

This is built in for RedHat and Fedora however you can install it on Debian and Ubuntu. It's part of the auditd package I believe. Here is some documentation on auditd and the required configuration changes to pam (in /etc/pam.d/system-auth), specifying a single user here(root):

session required pam_tty_audit.so disable=* enable=root

Example output of aureport --tty:

TTY Report
===============================================
# date time event auid term sess comm data
===============================================
1. 1/29/2014 00:08:52 122249 0000 ? 4686960298 bash "ls -la",<ret>

How to see when a systemd service was started/stopped/restarted

If you need to script this, you should look into using the systemctl show command. It is more useful for scripts than trying to parse anything from status. For example, to find when the service last started you can use:

$ systemctl show systemd-journald --property=ActiveEnterTimestamp
ActiveEnterTimestamp=Wed 2017-11-08 05:55:17 UTC

If you would like to see all the properties available just omit the flag and it will dump them all out.

$ systemctl show <service_name>

The documentation for these properties can be found here.

Best Answer

Related Solutions

Log every command typed in any shell: output (from logger function to syslog-ng/journald) contains duplicate entries for commands

How to see when a systemd service was started/stopped/restarted

Related Question