Ensure Default Log Storage on Persistent Storage Instead of RAM

[cotosso]

Description
Currently, log files are stored in RAM by default. However, for installations with advanced security requirements, logs should be persistently saved by default.

Proposed Solution
To align with security-by-design and security-by-default principles, logging should be enabled immediately upon deployment. A minimally invasive approach that maintains the current behavior while improving security is proposed:

On first UI access, display a modal asking whether to save logs on persistent storage.

The modal must be acknowledged before it disappears.

Until explicitly answered, the modal will reappear on every UI access (e.g., reopening a closed tab).

Available Choices

• Log on installation storage partition (default)
• No logging

For cases where an additional storage partition is available, the user can later navigate to the storage settings, disable logging on the current partition, and enable it on the new storage.

Impact & Benefits

Ensures critical logs are not lost due to RAM storage volatility.
Provides users with an informed choice while maintaining security defaults.
Allows for flexible log storage reconfiguration post-installation.

In case of presence of a controller

In case of use of a controller the admin can link NethSecurity to the controller too, saving logs in both local and remote resources.
This also guarantee log save in case of connectivity issues (including attack scenarios) that may prevent logs from reaching the controller, resulting in loss of critical data.

[filippocarletti]

Couldn't we disable the option to have logs in RAM?

[cotosso]

Couldn't we disable the option to have logs in RAM?

yes, it depends from the implementation we are going to use to write all of them in the storage.
We need to make sure that the logs are maintained even after version updates.
If this feature is preserved we can also decide to always write them to the storage.

[Tbaile]

Proposed solution:
Move the logs inside the storage by default (this can, however, be lost during updates) and then if the Secure Installation Flag is enabled, prompt the user perpetually to enable the storage logs. This will be forced even if the controller logging is enabled.

Due to the shift from logging in the RAM to logging in the storage, this needs to be put in function in a ready to repair system when 8.5 gets released, so that we can verify the impact.

[Tbaile]

Image: 24.10.0-ns.1.5.1-28-ga635366e

[filippocarletti]

• Test case 1: new ns-install
  • Write the image to a USB key, and use the key to
  • Boot a new hardware, then check with df that /mnt/data is NOT mounted
  • Run ns-install, remove the USB key, and boot the system from permanent storage
  • Verify that /mnt/data IS mounted
• Test case 2: upgrade without storage
  • Pick a system running without storage
  • Update flashing the img
  • After reboot, check that /mnt/data IS mounted and /mnt/data/log/messages is being written
• Test case 3: upgrade with storage on the same media
  • Pick a system running with storage configured on the boot disk
  • Update flashing the img
  • After reboot, check that /mnt/data IS mounted and /mnt/data/log/messages is being written
• Test case 4: upgrade with storage on additional media
  • Pick a system running with storage on an external/additional disk
  • Update flashing the img
  • After reboot, check that /mnt/data IS still mounted from the external disk
• Test case 5: new virtual machine
  • Install a VM using the img
  • Check that /mnt/data is NOT mounted
  • Verify that the Storage UI page doesn't offer to create storage
• Test case 6: virtual machine upgrade
  • Update a VM using the img
  • Check that /mnt/data is NOT mounted
  • Verify that the Storage UI page doesn't offer to create storage