Date:      Thu, 10 Dec 1998 01:47:11 -0800
From:      "Jan B. Koum " <jkb@best.com>
To:        Jay Tribick <netadmin@fastnet.co.uk>
Cc:        security@FreeBSD.ORG
Subject:   Re: append-only devices for logging
Message-ID:  <19981210014711.A3541@best.com>
In-Reply-To: <Pine.BSF.4.05.9812100906050.9677-100000@bofh.fast.net.uk>; from Jay Tribick on Thu, Dec 10, 1998 at 09:17:39AM +0000
References:  <199812100028.KAA21421@frenzy.ct> <Pine.BSF.4.05.9812100906050.9677-100000@bofh.fast.net.uk>

On Thu, Dec 10, 1998 at 09:17:39AM +0000, Jay Tribick <netadmin@fastnet.co.uk> wrote:
> 
> |  > I've been looking for an append-only device for logging, which a remote
> |  > hacker (with root access) can not erase or alter.  Other than a
> |  > line-printer, are there any such devices that actually work with Unix?  
> | 
> | Files fit the bill on FreeBSD.  Set your securelevel to 2 and
> | apply the "sappnd" flag (using chflags) to any files you wish
> | to set as "append-only".  Not even root can remove the append-only
> | flag unless first bringing the system to a lower security level,
> | which requires physical access to the console for single user mode
> | operation.
> 
> True but if they have root then they can quite easily alter /etc/rc.local
> (or wherever you're using to run sysctl) so that it doesn't alter the
> securelevel and then just reboot the machine. Their other option would be
> to launch something like sshd and then boot the system down to single user
> mode[1].
> 
> [1] probably won't work, haven't woken up yet..
> 
> Regards,
> 
> Jay Tribick <netadmin@fastnet.co.uk>
> --
> [| Network Admin | FastNet International | http://fast.net.uk/ |]
> [| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
> [|   +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk   |]
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

	Well.. one should in theory notice their security critical
	box reboot and do some further investigation...

-- Yan

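The setup the quoted reply describes (sappnd on the log file, securelevel 2 so root cannot clear it), written out as an added example; this is not code from the thread or from FreeBSD. The two check functions only inspect text, so they run anywhere; the commands that actually change the system are guarded to run on FreeBSD only. The log path is an assumption for illustration. The script also addresses Jay's objection: the file that raises the securelevel at boot must itself be protected, and a reboot of the box is the one lever an attacker has left.

```sh
#!/bin/sh
# Added example, not code from the thread: make a log file append-only with
# chflags(1) and verify that the protection is actually in force.
# LOGFILE is an assumed path for illustration; override via the environment.

LOGFILE="${LOGFILE:-/var/log/messages}"

# has_sappnd LINE: succeed if one line of `ls -lo` output shows the sappnd flag.
# With -o, ls prints the file flags as the fifth column ("-" when none are set,
# comma-separated when several are, e.g. "schg,sappnd").
has_sappnd() {
    set -- $1                   # split the ls line into whitespace-separated fields
    case ",$5," in              # frame with commas so "uappnd" does not match "sappnd"
        *,sappnd,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# securelevel_ok LEVEL: succeed if the kernel securelevel is at least 2, the
# level the thread recommends. At 1 root already cannot clear sappnd; 2 also
# stops root from writing to the raw disk device underneath the file system.
securelevel_ok() {
    [ "$1" -ge 2 ] 2>/dev/null
}

# append_only_effective LS_LINE LEVEL: the flag is only worth anything when
# the securelevel keeps root from clearing it, so require both together.
append_only_effective() {
    has_sappnd "$1" && securelevel_ok "$2"
}

# The system-changing part runs only on FreeBSD (chflags flags, sysctl name).
if [ "$(uname -s)" = FreeBSD ]; then
    chflags sappnd "$LOGFILE"
    line=$(ls -lo "$LOGFILE")
    level=$(sysctl -n kern.securelevel)
    if append_only_effective "$line" "$level"; then
        echo "$LOGFILE is append-only and securelevel=$level protects the flag"
    else
        echo "$LOGFILE: not protected yet (ls -lo: $line; securelevel=$level)" >&2
    fi

    # Jay's point: root can edit the startup file that raises the securelevel
    # and reboot. Once the securelevel is >= 1, marking that file schg (system
    # immutable) means it cannot be edited either without dropping to single
    # user mode at the console. On current FreeBSD that file is /etc/rc.conf
    # (kern_securelevel_enable="YES", kern_securelevel="2"); the thread uses
    # rc.local. Uncomment once the securelevel is confirmed to be raised at boot:
    # chflags schg /etc/rc.conf
    #
    # What remains is Yan's point: the attacker's only route is a reboot to
    # single user mode, so an unexpected reboot of this box is itself the alert.
fi
```

Run it as root on the FreeBSD host after the securelevel has been raised; on any other system it only defines the checks, which is what lets the text-level logic be exercised with constructed `ls -lo` lines.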



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19981210014711.A3541>