From owner-freebsd-security Mon Feb 11 18:45:25 2002
Delivered-To: freebsd-security@freebsd.org
Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67])
	by hub.freebsd.org (Postfix) with ESMTP id 460CC37B64B
	for ; Mon, 11 Feb 2002 18:19:08 -0800 (PST)
Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110])
	by newman2.bestweb.net (Postfix) with ESMTP
	id 21F96232E3; Mon, 11 Feb 2002 21:18:00 -0500 (EST)
Received: by okeeffe.bestweb.net (Postfix, from userid 0)
	id 04DCF9F3BA; Mon, 11 Feb 2002 21:12:41 -0500 (EST)
Date: Sun, 10 Feb 2002 22:10:29 -0800
From: "Crist J. Clark"
To: "f.johan.beisser"
Cc: Bill Vermillion , security@FreeBSD.ORG
Subject: Re: Is the technique described in this article do-able with
Message-Id: <20020212021241.04DCF9F3BA@okeeffe.bestweb.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sun, Feb 10, 2002 at 07:18:31PM -0800, f.johan.beisser wrote:
> On Sun, 10 Feb 2002, Bill Vermillion wrote:
>
> > Hardcopy is fairly hard to search with a text editor though :-)
>
> 2 copies. one electronic, so you can do a grep on it :)
>
> > If you worry about the logs being alterable - and you did suggest
> > logging to a second machine - then you have a real problem with
> > security I'd guess. You could always run chflags on the logging
> > machine to make the logs append only. Wouldn't that take care
> > of the problem of being alterable without having to use hardcopy?
>
> not really. you can change chflags on a live machine.

How do you do it when there is an elevated securelevel(8)?
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message