by xorcist
4358 days ago
Relevant work in the area is Log Hash Chaining as described in RFC 5848, which at least has been through some peer review. I don't know why they chose to ignore that, let alone what their design is really supposed to guard against. Their design allows an attacker a window of 15 minutes where they can rewrite the log at will. So the short of it is: Keep using remote logging. Authenticate that. Don't rely on journald. (I too have had Drepper vibes about the whole situation for quite some time. But a new init standard was long overdue and if distros can finally rally around systemd it might be worth it.)
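The gap described in the comment above, as an added example that is not part of the original post and is neither journald's nor RFC 5848's actual format: a simplified model of interval sealing next to a per-entry hash chain whose head is held by a remote collector. The key evolution, entry encoding, function names and sample log are assumptions constructed for illustration, and `SEED` stands for a verification secret kept off the logging host.

```python
import hashlib
import hmac

SEAL_INTERVAL = 15 * 60  # seconds between seals: the 15-minute window from the comment

def _encode(entry) -> bytes:
    ts, msg = entry
    return f"{ts}\t{msg}\n".encode()

def _tag(entries, seed: bytes, epoch: int) -> bytes:
    """HMAC over one interval's entries, keyed by the seed evolved `epoch` times."""
    key = seed
    for _ in range(epoch):  # assumed one-way key evolution, once per interval
        key = hashlib.sha256(b"evolve" + key).digest()
    body = b"".join(_encode(e) for e in entries if e[0] // SEAL_INTERVAL == epoch)
    return hmac.new(key, body, hashlib.sha256).digest()

def seal(entries, seed: bytes, now: int) -> dict:
    """Seal every interval that has fully elapsed at time `now`."""
    return {ep: _tag(entries, seed, ep) for ep in range(now // SEAL_INTERVAL)}

def failed_seals(entries, seals: dict, seed: bytes) -> list:
    """Intervals whose stored seal no longer matches the entries on disk."""
    return [ep for ep, tag in sorted(seals.items())
            if not hmac.compare_digest(tag, _tag(entries, seed, ep))]

def chain_head(entries) -> bytes:
    """Per-entry hash chain; the head is what an authenticated remote collector keeps."""
    head = b"\x00" * 32
    for e in entries:
        head = hashlib.sha256(head + _encode(e)).digest()
    return head

# Constructed sample log: (seconds since logging started, message)
LOG = [(30, "sshd: accepted publickey for alice"), (610, "cron: job started"),
       (960, "sudo: bob : COMMAND=/bin/sh"), (1100, "sshd: session closed for bob")]
SEED = b"constructed-demo-seed"
NOW = 1150  # interval 0 (0-899 s) is sealed, interval 1 is still open

def rewrite(entries, index: int, message: str) -> list:
    """Copy of the log with one entry's message replaced (models tampering on disk)."""
    out = list(entries)
    out[index] = (out[index][0], message)
    return out

if __name__ == "__main__":
    seals, remote_head = seal(LOG, SEED, NOW), chain_head(LOG)
    recent = rewrite(LOG, 2, "cron: job finished")
    print("open-interval edit, failed seals:", failed_seals(recent, seals, SEED))
    print("open-interval edit, chain head matches:", chain_head(recent) == remote_head)
    print("sealed-interval edit, failed seals:", failed_seals(rewrite(LOG, 0, "x"), seals, SEED))
```

In this model an edit inside the still-open interval leaves every seal valid, while the chain head held remotely no longer matches after any edit.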