From owner-freebsd-security Wed Dec 9 18:55:31 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA13376 for freebsd-security-outgoing; Wed, 9 Dec 1998 18:55:31 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA13361 for ; Wed, 9 Dec 1998 18:55:26 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id VAA15151; Wed, 9 Dec 1998 21:54:21 -0500 (EST)
Date: Wed, 9 Dec 1998 21:54:21 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Mark Newton
cc: Jim Yuill , FREEBSD-SECURITY@FreeBSD.ORG
Subject: Re: append-only devices for logging
In-Reply-To: <199812100028.KAA21421@frenzy.ct>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 10 Dec 1998, Mark Newton wrote:

> > I've been looking for an append-only device for logging, which a remote
> > hacker (with root access) can not erase or alter. Other than a
> > line-printer, are there any such devices that actually work with Unix?
>
> Files fit the bill on FreeBSD. Set your securelevel to 2 and
> apply the "sappnd" flag (using chflags) to any files you wish
> to set as "append-only". Not even root can remove the append-only
> flag unless first bringing the system to a lower security level,
> which requires physical access to the console for single user mode
> operation.

You should note, however, that to get this to be literally the case, you
need to protect many other files against modification (such as boot
scripts, etc). There has been extensive discussion in the archives, and
the Jan's how-to probably has good information.
I discuss a few details on my (temporarily neglected) hardening project
page. Take a look around the FreeBSD security page for details.

Robert N Watson

robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University http://www.cmu.edu/
TIS Labs at Network Associates, Inc. http://www.tis.com/
SafePort Network Services http://www.safeport.com/
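
Added example, not part of the original message or of FreeBSD itself: a small sh audit of the setup discussed in this thread, checking the securelevel value and the flags column of `ls -lo` output against a per-file policy. The paths, the policy, the sample listing and the use of `schg` for boot scripts are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: check that files carry the flags the thread relies on.
# Paths, policy and listing are constructed; schg for boot scripts is an assumption.

POLICY="/var/log/messages:sappnd /var/log/auth.log:sappnd /etc/rc:schg /etc/rc.conf:schg"

# Constructed stand-in for: ls -lo /var/log/messages /var/log/auth.log /etc/rc /etc/rc.conf
sample_listing() {
    cat <<'EOF'
-rw-r-----  1 root  wheel  sappnd  48211 Dec  9 18:55 /var/log/messages
-rw-------  1 root  wheel  -        9120 Dec  9 18:40 /var/log/auth.log
-rwxr-xr-x  1 root  wheel  schg     3412 Nov 25 04:10 /etc/rc
-rw-r--r--  1 root  wheel  -         512 Nov 25 04:10 /etc/rc.conf
EOF
}

# has_flag FLAGS WANT: succeeds if the comma-separated FLAGS field contains WANT.
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_flags LEVEL POLICY < `ls -lo` output
# LEVEL is the value of `sysctl -n kern.securelevel`. Returns 1 on any finding.
audit_flags() {
    level=$1; policy=$2; listing=$(cat); fail=0
    if [ "$level" -lt 2 ]; then
        echo "FAIL securelevel=$level: below the level 2 set in the thread"
        fail=1
    fi
    for entry in $policy; do
        path=${entry%%:*}; want=${entry##*:}
        # Field 5 of `ls -lo` is the flags column; the last field is the path.
        flags=$(printf '%s\n' "$listing" | awk -v p="$path" '$NF == p { print $5; exit }')
        if [ -z "$flags" ]; then
            echo "FAIL $path: not in listing"; fail=1
        elif has_flag "$flags" "$want"; then
            echo "ok   $path: $want"
        else
            echo "FAIL $path: flags=$flags, want $want"; fail=1
        fi
    done
    return "$fail"
}

sample_listing | audit_flags 2 "$POLICY" || echo "audit: findings listed above"
```

On a FreeBSD host, replace `sample_listing` with real `ls -lo` output and pass the output of `sysctl -n kern.securelevel` as the first argument. Paths containing spaces are not handled.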