Date: Thu, 10 Dec 1998 13:12:21 -0600 (CST)
From: James Wyatt <jwyatt@rwsystr.RWSystems.net>
To: Mark Newton <newton@camtech.com.au>
Cc: Jim Yuill <jjyuill@eos.ncsu.edu>, FREEBSD-SECURITY@FreeBSD.ORG
Subject: Re: append-only devices for logging
Message-ID: <Pine.LNX.3.91.981210125145.24133C-100000@rwsystr.RWSystems.net>
In-Reply-To: <199812100028.KAA21421@frenzy.ct>
> Jim Yuill wrote:
> I've been looking for an append-only device for logging, which a remote
> hacker (with root access) cannot erase or alter. Other than a
> line-printer, are there any such devices that actually work with Unix?

On Thu, 10 Dec 1998, Mark Newton wrote:
> Files fit the bill on FreeBSD. Set your securelevel to 2 and
> apply the "sappnd" flag (using chflags) to any files you wish
> to set as "append-only". Not even root can remove the append-only
> flag unless first bringing the system to a lower security level,
> which requires physical access to the console for single user mode
> operation.

For the truly paranoid: How many of you audit your system scripts on
reboot? If I wanted to erase my tracks (and thought you might not know I
was there or wanted to hide how long I'd been there), I could tamper with
scripts to kill logs next bringup. <PLUG>Tripwire(tm) is nearly perfect
for watching rc.* changes and such.</PLUG> Many of us just take the
machine down, go '-s', blindly run our single-user-mode-admin-scripts,
and go multiuser.

This does have better logging bandwidth than serial/parallel port
logging, though. (^_^)

Jy@
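The setup Mark Newton describes (chflags sappnd on the log plus a raised securelevel) and the rc.* tampering James Wyatt warns about both lend themselves to a small audit script. The following is an added example, not code from either poster or from FreeBSD itself. It checks that a log file's flags and the running securelevel together actually make the file append-only against root, and it keeps a hash baseline of the startup scripts so that an edit made to strip the flag at next boot is noticed. The file paths, the baseline location, the sample rc contents and the demo function are all assumptions made for the example; the flag and securelevel inputs are passed in as strings so the checks can be run anywhere, with the live FreeBSD commands shown in comments.

```shell
#!/bin/sh
# Added example (not from the thread): audit the append-only-log setup
# discussed above and the rc.* scripts that run before securelevel rises.
# Paths, baseline location and sample script contents are assumptions.

# The thread recommends securelevel 2; accept that or higher.
securelevel_ok() {   # $1 = securelevel as a number
    [ "$1" -ge 2 ] 2>/dev/null
}

# $1 is a file's symbolic flag list as FreeBSD prints it, e.g. from
# `stat -f %Sf FILE` or the flags column of `ls -lo`: "sappnd",
# "sappnd,nodump", or "-" when no flags are set.
flags_have_sappnd() {
    case ",$1," in
        *,sappnd,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# A log is append-only against a root attacker only when BOTH hold:
# the flag is set and the securelevel is high enough that root
# cannot clear it. On a live host (as root):
#   chflags sappnd /var/log/messages
#   log_protected "$(sysctl -n kern.securelevel)" "$(stat -f %Sf /var/log/messages)"
log_protected() {   # $1 = securelevel, $2 = flags string
    securelevel_ok "$1" && flags_have_sappnd "$2"
}

# Content hash for baseline comparison. sha256sum (Linux), sha256 (FreeBSD),
# with cksum as a last-resort fallback (CRC only, not tamper-resistant).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# Print "hash path" for every regular file matching the glob in $1.
# Store the result somewhere root on this box cannot rewrite, e.g.
#   rc_baseline '/etc/rc*' > /mnt/readonly/rc.baseline
rc_baseline() {
    for f in $1; do
        [ -f "$f" ] && printf '%s %s\n' "$(hash_file "$f")" "$f"
    done
}

# Regenerate the baseline and diff it against the stored copy.
# Returns 0 if nothing changed, 1 (with the differing lines on stdout)
# if any script was added, removed or edited.
rc_verify() {   # $1 = stored baseline file, $2 = glob
    rc_baseline "$2" | diff "$1" -
}

# Self-contained demonstration on constructed files in a temp dir.
# Returns 0 if an edit to a startup script is caught, non-zero otherwise.
run_demo() {
    d=$(mktemp -d) || return 2
    printf '#!/bin/sh\n# constructed sample rc\nsysctl kern.securelevel=2\n' > "$d/rc"
    printf '#!/bin/sh\n# constructed sample\nsyslogd -s\n' > "$d/rc.network"
    rc_baseline "$d/rc*" > "$d/baseline"
    # Untouched scripts must verify cleanly.
    rc_verify "$d/baseline" "$d/rc*" >/dev/null || { rm -rf "$d"; return 1; }
    # Simulate the attack from the reply: root appends a line that strips
    # the flag and empties the log before securelevel is raised at boot.
    printf 'chflags nosappnd /var/log/messages; : > /var/log/messages\n' >> "$d/rc"
    if rc_verify "$d/baseline" "$d/rc*" >/dev/null; then
        rm -rf "$d"; return 1
    fi
    rm -rf "$d"
    return 0
}

run_demo && echo "rc tampering detected as expected"
```

The baseline has to live somewhere the attacker's root cannot reach (read-only media, another host, or itself a sappnd file under the same securelevel), otherwise the same root access that edits rc also rewrites the baseline; the script only reports drift, it does not prevent it.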