Date: Wed, 9 Dec 1998 21:54:21 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: Mark Newton <newton@camtech.com.au>
Cc: Jim Yuill <jjyuill@eos.ncsu.edu>, FREEBSD-SECURITY@FreeBSD.ORG
Subject: Re: append-only devices for logging
Message-ID: <Pine.BSF.3.96.981209215052.15123A-100000@fledge.watson.org>
In-Reply-To: <199812100028.KAA21421@frenzy.ct>

On Thu, 10 Dec 1998, Mark Newton wrote:

> > I've been looking for an append-only device for logging, which a remote
> > hacker (with root access) can not erase or alter. Other than a
> > line-printer, are there any such devices that actually work with Unix?
>
> Files fit the bill on FreeBSD. Set your securelevel to 2 and
> apply the "sappnd" flag (using chflags) to any files you wish
> to set as "append-only". Not even root can remove the append-only
> flag unless first bringing the system to a lower security level,
> which requires physical access to the console for single user mode
> operation.

You should note, however, that to get this to be literally the case, you
need to protect many other files against modification (such as boot
scripts, etc). There has been extensive discussion in the archives, and
the Jan's how-to probably has good information. I discuss a few details
on my (temporarily neglected) hardening project page. Take a look around
the FreeBSD security page for details.

  Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
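
Added example, not part of the original message or of FreeBSD: a small `sh` audit that checks the two conditions the thread depends on, namely the securelevel and the `sappnd` flag on log files, plus the `schg` flag on boot files as one way to cover the "boot scripts, etc" caveat. The function names, the `ROLE PATH FLAGS` record format, the choice of `schg` for boot files, and the file list are assumptions of this example; the sample records are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Setup it audits (FreeBSD):
#   chflags sappnd /var/log/messages ; sysctl kern.securelevel=2

# has_flag FLAGS WANT: true if the comma-separated FLAGS string
# (as printed by `stat -f %Sf`, "-" when empty) contains WANT.
has_flag() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# collect ROLE FILE...: print "ROLE PATH FLAGS" for live files.
# FreeBSD stat(1) only; paths with spaces are not supported.
collect() {
    role=$1; shift
    for f in "$@"; do echo "$role $f $(stat -f %Sf "$f")"; done
}

# audit LEVEL [MIN]: LEVEL is `sysctl -n kern.securelevel`, MIN defaults
# to the 2 suggested in the thread. Reads "ROLE PATH FLAGS" on stdin:
# role "log" must carry sappnd, role "boot" must carry schg.
# Prints one line per finding and returns 1 if there was any.
audit() {
    level=$1; min=${2:-2}; bad=0
    if [ "$level" -lt "$min" ]; then
        echo "securelevel $level is below the required $min"
        bad=1
    fi
    while read -r role path flags; do
        case $role in
            log)  want=sappnd ;;
            boot) want=schg ;;
            *)    continue ;;
        esac
        if ! has_flag "$flags" "$want"; then
            echo "$path: missing $want (flags: $flags)"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample records, not taken from a real host.
SAMPLE='log /var/log/messages sappnd
log /var/log/auth.log -
boot /etc/rc schg
boot /etc/rc.conf nodump'

echo "$SAMPLE" | audit 2 || echo "=> policy not met"
# Live use: { collect log /var/log/messages; collect boot /etc/rc; } |
#           audit "$(sysctl -n kern.securelevel)"
```
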