From owner-freebsd-security  Thu Dec 10 01:53:38 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id BAA29863
          for freebsd-security-outgoing; Thu, 10 Dec 1998 01:53:38 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA29848
          for <security@freebsd.org>; Thu, 10 Dec 1998 01:53:32 -0800 (PST)
          (envelope-from netadmin@fastnet.co.uk)
Received: from lart.org.uk (netadmin@lart.org.uk [194.207.104.22])
	by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id JAA01450;
	Thu, 10 Dec 1998 09:53:20 GMT
Date: Thu, 10 Dec 1998 09:53:19 +0000 (GMT)
From: Jay Tribick <netadmin@fastnet.co.uk>
X-Sender: netadmin@bofh.fast.net.uk
To: "Jan B. Koum " <jkb@best.com>
cc: security@FreeBSD.ORG
Subject: Re: append-only devices for logging
In-Reply-To: <19981210014711.A3541@best.com>
Message-ID: <Pine.BSF.4.05.9812100951220.9677-100000@bofh.fast.net.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


| > |  > I've been looking for an append-only device for logging, which a remote
| > |  > hacker (with root access) can not erase or alter.  Other than a
| > |  > line-printer, are there any such devices that actually work with Unix?  
| > | 
| > | <snip>
| > | which requires physical access to the console for single user mode
| > | operation.
| > 
| > True but if they have root then they can quite easily alter /etc/rc.local
| > (or wherever your using to run sysctl) so that it doesn't alter the
| > securelevel and then just reboot the machine. Their other option would be
| > to launch something like sshd and then boot the system down to single user
| > mode[1].
| > 
| > [1] probly won't work, haven't woken up yet..

| 	Well.. one should in theory notice their security critical
| 	box reboot and do some further investigation...

So your security standpoint is "Oh, look.. the uptime's only a couple of
hours"[1] ? :)

[1] doesn't apply to NT sysadmins ;)

Regards,

Jay Tribick <netadmin@fastnet.co.uk>
--
[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[|   +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk   |]



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message