From: Michael Robinson
Date: Tue, 18 Jan 2000 13:25:17 +0800 (+0800)
Message-Id: <200001180525.NAA03003@netrinsics.com>
To: k.stevenson@louisville.edu, oogali@intranova.net
Subject: Re: Parent Logging Patch for sh(1)
Cc: freebsd-security@freebsd.org
In-Reply-To: <20000117232022.A87011@osaka.louisville.edu>

Keith Stevenson writes:
>However
>in the case of a root compromise all local logs are useless since they may
>have been altered by the attacker. (After all, they can't _all_ be script
>kidz.)

That would be the case for logs that don't have the sappnd flag set.

You *do* set the sappnd flag on your security-related logfiles, don't you?

-Michael Robinson