Date: Sun, 10 Feb 2002 19:18:31 -0800 (PST)
From: "f.johan.beisser" <jan@caustic.org>
To: Bill Vermillion
Cc: security@FreeBSD.ORG
Subject: Re: Is the technique described in this article do-able with
In-Reply-To: <20020210231559.GA2136@wjv.com>
Message-ID: <20020210190958.B21734-100000@localhost>

On Sun, 10 Feb 2002, Bill Vermillion wrote:

> Hardcopy is fairly hard to search with a text editor though :-)

2 copies. one electronic, so you can do a grep on it :)

> If you worry about the logs being alterable - and you did suggest
> logging to a second machine - then you have a real problem with
> security I'd guess. You could always run chflags on the logging
> machine to make the logs append only. Wouldn't that take care
> of the problem of being alterable without having to use hardcopy?

not really. you can change chflags on a live machine. any attacker that's going to alter the logs will be able to see the append-only flag. so, really, it's not actually secure. against a script kiddie, though, this may be effective.
logging to another machine that *only* listens to syslog, or is attached to the serial port and only listens to the console log, and can't be accessed from the network may be a solution. this is, as i said, outside of "normal home usage", and generally only done at really paranoid places.

-------/ f. johan beisser /--------------------------------------+
http://caustic.org/~jan                          jan@caustic.org

"John Ashcroft is really just the reanimated corpse of J. Edgar Hoover."
-- Tim Triche
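The dedicated loghost the message describes, as an added configuration example (mine, not the poster's or FreeBSD's own files); the host names, addresses and the /24 are assumptions, and the flags are FreeBSD syslogd(8) and rc.conf(5) options.

```conf
# --- Sending host: /etc/syslog.conf (assumed loghost name) ---
# Forward a copy of every message as it is generated; an intruder who later
# edits the local files cannot reach the copy that has already left the box.
*.*                                             @loghost.example.net

# --- Loghost: /etc/rc.conf (assumed addresses) ---
# FreeBSD's default syslogd_flags="-s" refuses all remote messages, so the
# peers that may log here must be listed explicitly, and syslogd is bound to
# the one interface facing them.  Syslog over UDP carries no authentication:
# every host in the allowed range can inject forged entries, so keep it tight.
syslogd_enable="YES"
syslogd_flags="-a 192.0.2.0/24 -b 192.0.2.10"

# Nothing else listens on this host: no remote shell, no inetd services.
sshd_enable="NO"
inetd_enable="NO"

# Raise the securelevel so append-only (sappnd) flags on the log files cannot
# be cleared while the system runs multi-user.  At the default securelevel
# root simply runs chflags again, which is the weakness the message points out.
kern_securelevel_enable="YES"
kern_securelevel="1"
```

On the loghost, `chflags sappnd /var/log/messages` marks the file append-only and `ls -lo /var/log/messages` shows the flag; with the securelevel above 0 it cannot be removed without taking the machine down to single-user mode.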