Date: Thu, 10 Dec 1998 12:33:20 -0600 (CST)
From: James Wyatt
To: Jim Yuill
cc: FREEBSD-SECURITY@FreeBSD.ORG
Subject: Re: append-only devices for logging

On Wed, 9 Dec 1998, Jim Yuill wrote:

> I've been looking for an append-only device for logging, which a remote
> hacker (with root access) can not erase or alter. Other than a
> line-printer, are there any such devices that actually work with Unix?
>
> From what I understand, a write-once CD has restricted writing capability
> that would make it unsuitable for logging.

We've configured a machine (at another customer's site) to write logs to a serial port that a second machine sucks-up and writes to a hard drive. It was just running ProComm+ for DOS in ASCII-file-download mode. Since it was DOS, remote logins were not an issue. Nowadays I would likely use a stripped-down FreeBSD box and cat (or minicom) the serial port to a file. It *could* be configured with a small web server (no CGI) to write the files to HTML-space for remote reading, but disallow *any* other remote access.

I've also done something similar with PBX SMDR output to a LAN drive for a custom (homebrew you get paid for 8{) call-accounting package.

Hope this helps someone - Jy@ (jwyatt@rwsystems.net)
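
The receiving side of the serial-port arrangement described in the message above, as an added example that is not part of the original post or any code its author used. The function name, device path and log path are assumptions; it treats everything arriving on the line as untrusted, strips control characters, and stamps each record with the collector's own clock.

```sh
#!/bin/sh
# Collector side of a one-way serial logging link (added example).
# Assumed names, not from the post: collect_serial_log, and the device
# and file paths in the usage line at the bottom.

# collect_serial_log SRC DEST
#   SRC   serial device (or any file) carrying one log record per line
#   DEST  log file on the collector; only ever opened for append
collect_serial_log() {
    csl_src=$1
    csl_dest=$2
    # The sending host may be under an intruder's control, so every byte
    # on the wire is untrusted. "|| [ -n ... ]" keeps a final record that
    # arrives without a trailing newline.
    while IFS= read -r csl_line || [ -n "$csl_line" ]; do
        # Drop control characters (CR from the serial line, ESC sequences,
        # backspaces) so a record cannot repaint or hide earlier output
        # when the file is later viewed on a terminal. Tab is kept.
        csl_clean=$(printf '%s' "$csl_line" |
            LC_ALL=C tr -d '\001-\010\013-\037\177')
        # Stamp with the collector's clock; the sender's own timestamp
        # stays in the record but can be forged.
        printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$csl_clean" \
            >> "$csl_dest"
    done < "$csl_src"
}

# Usage on the collector (paths are placeholders):
#   collect_serial_log /dev/cuaa0 /var/log/serial/remote.log
```

Because the destination is only ever opened with `>>`, restarting the collector never truncates records already received.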