From owner-freebsd-security Mon Feb 11 18:43:58 2002
Delivered-To: freebsd-security@freebsd.org
Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id C1E5B37B647 for ; Mon, 11 Feb 2002 18:19:11 -0800 (PST)
Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id 2413F23307; Mon, 11 Feb 2002 21:18:04 -0500 (EST)
Received: by okeeffe.bestweb.net (Postfix, from userid 0) id 8A72A9F131; Mon, 11 Feb 2002 21:12:41 -0500 (EST)
Date: Sun, 10 Feb 2002 19:18:31 -0800 (PST)
From: "f.johan.beisser"
To: Bill Vermillion
Cc: security@FreeBSD.ORG
Subject: Re: Is the technique described in this article do-able with
Message-Id: <20020212021241.8A72A9F131@okeeffe.bestweb.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 10 Feb 2002, Bill Vermillion wrote:

> Hardcopy is fairly hard to search with a text editor though :-)

2 copies. one electronic, so you can do a grep on it :)

> If you worry about the logs being alterable - and you did suggest
> logging to a second machine - then you have a real problem with
> security I'd guess. You could always run chflags on the logging
> machine to make the logs append only. Wouldn't that take care
> of the problem of being alterable without having to use hardcopy?

not really. you can change chflags on a live machine. any attacker that's
going to alter the logs will be able to see the append-only flag. so,
really, it's not actually secure. against a scriptkiddie, though, this may
be effective.

logging to another machine that *only* listens to syslog, or is attached to
the serial port and only listens to the console log, and can't be accessed
from the network may be a solution. this is, as i said, outside of "normal
home usage", and generally only done at really paranoid places.
-------/ f. johan beisser /--------------------------------------+
  http://caustic.org/~jan                        jan@caustic.org
"John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
                                                   -- Tim Triche

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
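The message above suggests a log host that listens for syslog and nothing else. The following is an added illustration of that design, not code from the thread and not FreeBSD's syslogd: a minimal UDP/514 receiver that decodes the BSD syslog (RFC 3164) <PRI> field, drops malformed or control-character-bearing datagrams instead of writing them, records the sender's IP next to the hostname the sender claimed, and only ever opens the log file for append. The log path, port and the constructed sample messages in the test are assumptions.

```python
"""Minimal log-host receiver (assumed design, not FreeBSD syslogd): accept
BSD syslog datagrams on UDP/514, decode <PRI>, append one line per message."""
import os
import re
import socket
from typing import Optional

# <PRI>, then "Mmm dd hh:mm:ss", then the hostname, then the free-form message.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)

# Facility and severity names as numbered in RFC 3164 (facility = pri // 8).
FACILITIES = (
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
    "ntp security console clock local0 local1 local2 local3 local4 "
    "local5 local6 local7"
).split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()


def parse_syslog(datagram: bytes) -> Optional[dict]:
    """Decode one datagram; return None for anything not well-formed.
    Rejecting control characters keeps a sender from injecting fake
    extra lines into the file on the log host."""
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        return None
    m = _RFC3164.match(text.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 23 / severity 7 is the largest legal value
        return None
    facility, severity = divmod(pri, 8)
    msg = m.group("msg")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in msg):
        return None
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": msg,
    }


def format_record(rec: dict, peer: str) -> str:
    """One line per message. The peer IP is written next to the claimed
    hostname because the hostname is chosen by whoever sent the datagram."""
    return (f"{rec['timestamp']} {rec['host']} [{peer}] "
            f"{rec['facility']}.{rec['severity']}: {rec['message']}\n")


def append_record(path: str, line: str) -> int:
    """Open with O_APPEND only: the receiver never holds a descriptor that
    could truncate or rewrite earlier entries. Returns bytes written."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    try:
        return os.write(fd, line.encode("ascii"))
    finally:
        os.close(fd)


def serve(path: str, bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Blocking receive loop: the only network surface the log host exposes."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (peer, _) = sock.recvfrom(2048)
        rec = parse_syslog(data)
        if rec is not None:
            append_record(path, format_record(rec, peer))


if __name__ == "__main__":
    serve("/var/log/remote.log")  # assumed path; binding 514 needs root
```

Run it as root on the log host and point the clients' syslog.conf at it; the point of the design is that the host answers nothing else, so an attacker on a compromised client can stop future messages from arriving but cannot reach back to edit what already landed.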