From owner-freebsd-security Thu Dec 10 11:19:15 1998
Date: Thu, 10 Dec 1998 13:12:21 -0600 (CST)
From: James Wyatt
To: Mark Newton
cc: Jim Yuill, FREEBSD-SECURITY@FreeBSD.ORG
Subject: Re: append-only devices for logging
In-Reply-To: <199812100028.KAA21421@frenzy.ct>

> Jim Yuill wrote:
> I've been looking for an append-only device for logging, which a remote
> hacker (with root access) can not erase or alter. Other than a
> line-printer, are there any such devices that actually work with Unix?

On Thu, 10 Dec 1998, Mark Newton wrote:

> Files fit the bill on FreeBSD. Set your securelevel to 2 and
> apply the "sappnd" flag (using chflags) to any files you wish
> to set as "append-only". Not even root can remove the append-only
> flag unless first bringing the system to a lower security level,
> which requires physical access to the console for single user mode
> operation.

For the truly paranoid: How many of you audit your system scripts on reboot? If I wanted to erase my tracks (and thought you might not know I was there or wanted to hide how long I'd been there), I could tamper with scripts to kill logs next bringup.

Tripwire(tm) is nearly perfect for watching rc.* changes and such. Many of us just take the machine down, go '-s', blindly run our single-user-mode-admin-scripts, and go multiuser.

This does have better logging bandwidth than serial/parallel port logging, though. (^_^)

Jy@
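As an added illustration (not code from the thread or from FreeBSD itself), a small POSIX sh audit helper that checks captured output of `sysctl kern.securelevel` and `ls -lo` for the setup Mark describes: securelevel at 2 or higher and the sappnd flag on every log file. The sample output strings are constructed, and `ls -lo` is assumed to be how the file flags were captured.

```shell
#!/bin/sh
# Added audit helper (not from the thread): verifies captured FreeBSD output
# for "securelevel >= 2 plus sappnd on the log files". On a live host the
# two inputs would come from:  sysctl kern.securelevel   and   ls -lo /var/log/*
# The sample strings at the bottom are constructed for this example.

# Returns 0 when "kern.securelevel: N" reports N >= 2, the level at which
# root can no longer clear sappnd without going single-user at the console.
securelevel_ok() {
    level=$(printf '%s\n' "$1" | awk '/^kern\.securelevel:/ { print $2 }')
    [ -n "$level" ] && [ "$level" -ge 2 ]
}

# Prints each file from `ls -lo` output whose flags field (5th column) lacks
# sappnd; those files could still be truncated or rewritten by root.
files_missing_sappnd() {
    printf '%s\n' "$1" | awk 'NF >= 9 && $5 !~ /(^|,)sappnd(,|$)/ { print $NF }'
}

# Human-readable summary; returns 0 only when both checks pass.
report() {
    sysctl_out=$1
    ls_out=$2
    status=0
    if securelevel_ok "$sysctl_out"; then
        echo "securelevel OK: $sysctl_out"
    else
        echo "WARNING: securelevel below 2, sappnd can be cleared by root"
        status=1
    fi
    missing=$(files_missing_sappnd "$ls_out")
    if [ -n "$missing" ]; then
        # unquoted on purpose: one warning line per file name
        printf 'WARNING: not append-only: %s\n' $missing
        status=1
    fi
    return $status
}

# Constructed sample input, in the shape a FreeBSD host would print.
SAMPLE_SYSCTL='kern.securelevel: 2'
SAMPLE_LS='total 24
-rw-r--r--  1 root  wheel  sappnd        4096 Dec 10 13:12 /var/log/messages
-rw-------  1 root  wheel  -             8192 Dec 10 13:12 /var/log/auth.log
-rw-r--r--  1 root  wheel  schg,sappnd    512 Dec 10 13:12 /var/log/security'

if report "$SAMPLE_SYSCTL" "$SAMPLE_LS"; then
    echo "all checks passed"
else
    echo "issues found"
fi
```

Run against real output, the script flags auth.log above because its flags column is `-`; fixing that is `chflags sappnd /var/log/auth.log` before raising the securelevel, exactly the order the thread gives.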