From nobody Tue Oct 24 17:45:40 2023 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4SFKGZ72Hbz4yJYx for ; Tue, 24 Oct 2023 17:45:42 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from omta002.cacentral1.a.cloudfilter.net (omta002.cacentral1.a.cloudfilter.net [3.97.99.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4SFKGZ4cFrz3PsP for ; Tue, 24 Oct 2023 17:45:42 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Authentication-Results: mx1.freebsd.org; none Received: from shw-obgw-4001a.ext.cloudfilter.net ([10.228.9.142]) by cmsmtp with ESMTPS id vKwsqjEBvB0n0vLTKqiptu; Tue, 24 Oct 2023 17:45:42 +0000 Received: from spqr.komquats.com ([70.66.152.170]) by cmsmtp with ESMTPSA id vLTIqyWBogVhvvLTJqnFqf; Tue, 24 Oct 2023 17:45:41 +0000 X-Authority-Analysis: v=2.4 cv=TPtW9npa c=1 sm=1 tr=0 ts=653802c5 a=y8EK/9tc/U6QY+pUhnbtgQ==:117 a=y8EK/9tc/U6QY+pUhnbtgQ==:17 a=kj9zAlcOel0A:10 a=bhdUkHdE2iEA:10 a=ZLGELXoPAAAA:8 a=YxBL1-UpAAAA:8 a=6I5d2MoRAAAA:8 a=EkcXrb_YAAAA:8 a=1W4s-hDeFvQHHv5ihzwA:9 a=CjuIK1q_8ugA:10 a=CFiPc5v16LZhaT-MVE1c:22 a=Ia-lj3WSrqcvXOmTRaiG:22 a=IjZwj45LgO3ly-622nXo:22 a=LK5xJRSDVpKd5WXXoEvA:22 Received: from slippy.cwsent.com (slippy [10.1.1.91]) by spqr.komquats.com (Postfix) with ESMTP id 3FD782FC; Tue, 24 Oct 2023 10:45:40 -0700 (PDT) Received: by slippy.cwsent.com (Postfix, from userid 1000) id 1936912D; Tue, 24 Oct 2023 10:45:40 -0700 (PDT) X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev Reply-to: Cy Schubert From: Cy Schubert X-os: FreeBSD X-Sender: cy@cwsent.com X-URL: http://www.cschubert.com/ To: void cc: freebsd-security@freebsd.org Subject: Re: securelevel 1 In-reply-to: <35f733cc-a6c2-46a4-b564-b1ef87893fc5@app.fastmail.com> References: <6638DADD-FCDB-492C-B1E8-441C6622038B@FreeBSD.org> <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz> <35f733cc-a6c2-46a4-b564-b1ef87893fc5@app.fastmail.com> Comments: In-reply-to void message dated "Tue, 24 Oct 2023 17:33:22 -0000." List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 24 Oct 2023 10:45:40 -0700 Message-Id: <20231024174540.1936912D@slippy.cwsent.com> X-CMAE-Envelope: MS4xfC2LRHJ3u+mOpVn8wtYbEbhTPXQ9yGQtLWG+FOQQaMiy2TROePHLJcYdvTjk8gNjRawllBbN3YxjzlhZ+U+BC2dnQTXE8hOUhRepZPHt9MymiJ96hWYW mpZlE397wVm53+/lZ/qwtt9DLcOdG0hA/DqaEOoMe1umC0wx8BJoJxOtxbMNGwrMBZQZ4hfPA2QAS3CG1QxxcPWN3mgXyqeEIhHLBuQgDjIyr6CoTPgrkLlX X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US] X-Rspamd-Queue-Id: 4SFKGZ4cFrz3PsP In message <35f733cc-a6c2-46a4-b564-b1ef87893fc5@app.fastmail.com>, void writes : > On Tue, 24 Oct 2023, at 11:31, Miroslav Lachman wrote: > > > root@neon ~/ # find -s -x / -flags +schg,sappnd > > /.sujournal > > /lib/libc.so.7 > > /lib/libcrypt.so.5 > > /lib/libthr.so.3 > > /libexec/ld-elf.so.1 > > /libexec/ld-elf32.so.1 > > /sbin/init > > /usr/bin/chpass > > /usr/bin/crontab > > /usr/bin/login > > /usr/bin/opieinfo > > /usr/bin/opiepasswd > > /usr/bin/passwd > > /usr/bin/su > > /usr/lib/librt.so.1 > > /usr/lib32/libc.so.7 > > /usr/lib32/libcrypt.so.5 > > /usr/lib32/librt.so.1 > > /usr/lib32/libthr.so.3 > > /var/empty > > > > Log files are not protected. > > Thanks for explaining. > > The reason for setting the securelevel to 1 would be so that the log files ca > n't > be modified/deleted. So I'm glad you explained that because I didn't twig > the securelevel only disallows changing flags and the log files weren't prote > cted. > > In order to accomplish what I'd like, I understand that I'd need to set +schg > on the individual logs, then set the securelevel afterwards and reboot. > > But if this is done, it seems there's no way (at least directly) for the log > file to be rotated? > What a lot of large enterprises do is send logs off machine. A *.* log to @IP or an agent does the same thing. The remote logging server also has software to allow one to search the logs for a machine or multiple machines allowing one to correlate messages across the network. For server admins logging into each server individually, correlating logs can be time consuming and a little challenging as one must keep a lot of information in mind when working with multiple machines. But with logs sent to a single server a person can use software designed to correlate logs. -- Cheers, Cy Schubert FreeBSD UNIX: Web: https://FreeBSD.org NTP: Web: https://nwtime.org e^(i*pi)+1=0