Date:      Thu, 10 Dec 1998 09:17:39 +0000 (GMT)
From:      Jay Tribick <netadmin@fastnet.co.uk>
To:        Mark Newton <newton@camtech.com.au>
Cc:        FREEBSD-SECURITY@FreeBSD.ORG
Subject:   Re: append-only devices for logging
Message-ID:  <Pine.BSF.4.05.9812100906050.9677-100000@bofh.fast.net.uk>
In-Reply-To: <199812100028.KAA21421@frenzy.ct>

|  > I've been looking for an append-only device for logging, which a remote
|  > hacker (with root access) can not erase or alter.  Other than a
|  > line-printer, are there any such devices that actually work with Unix?  
| 
| Files fit the bill on FreeBSD.  Set your securelevel to 2 and
| apply the "sappnd" flag (using chflags) to any files you wish
| to set as "append-only".  Not even root can remove the append-only
| flag unless first bringing the system to a lower security level,
| which requires physical access to the console for single user mode
| operation.

True, but if they have root then they can quite easily alter /etc/rc.local
(or wherever you're using to run sysctl) so that it doesn't alter the
securelevel and then just reboot the machine. Their other option would be
to launch something like sshd and then boot the system down to single user
mode[1].

[1] probably won't work, haven't woken up yet..

Regards,

Jay Tribick <netadmin@fastnet.co.uk>
--
[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[|   +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk   |]
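
An audit check for the weakness raised in this reply, added here as an example and not part of the original thread: it reads `ls -lo` output and reports log files missing `sappnd` and startup files missing `schg`, since a writable startup script is what lets root skip raising the securelevel on the next boot. The sample listings are constructed, and the helper names, the file paths and the choice of startup files to check are assumptions about the local setup.

```shell
#!/bin/sh
# Added example: audit file flags from `ls -lo` output (FreeBSD long listing,
# where the 5th column holds the flags, "-" when none are set).

# has_flag FLAGS WANTED: succeed if comma-separated FLAGS contains WANTED.
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_listing SECURELEVEL FLAG: read `ls -lo` lines on stdin, print one
# FAIL line per finding, return non-zero if anything was found.
audit_listing() {
    level=$1; want=$2; rc=0
    # System flags can only be cleared while the securelevel is below 1.
    if [ "$level" -lt 1 ]; then
        echo "FAIL securelevel=$level: root can clear $want with chflags"
        rc=1
    fi
    while read -r mode links owner group flags size mon day time path; do
        [ -n "$path" ] || continue
        if ! has_flag "$flags" "$want"; then
            echo "FAIL $path: missing $want (flags: $flags)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample listings (not taken from a real host).
sample_logs() {
    cat <<'EOF'
-rw-r--r--  1 root  wheel  sappnd 48211 Dec 10 09:17 /var/log/messages
-rw-------  1 root  wheel  sappnd,nodump 9120 Dec 10 09:17 /var/log/security
EOF
}
sample_startup() {
    cat <<'EOF'
-rw-r--r--  1 root  wheel  schg 21034 Dec  1 12:00 /etc/rc
-rw-r--r--  1 root  wheel  schg 1502 Dec  1 12:00 /etc/rc.conf
-rw-r--r--  1 root  wheel  - 310 Dec  9 23:41 /etc/rc.local
EOF
}

# Demo on the samples; on a live host feed it real data instead, e.g.
#   ls -lo /etc/rc.local | audit_listing "$(sysctl -n kern.securelevel)" schg
sample_logs | audit_listing 2 sappnd || true
sample_startup | audit_listing 2 schg || true
```

A clean result covers only the files listed; anything else the boot sequence reads before the securelevel is raised needs the same check.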


