From owner-freebsd-security Thu Dec 10 14:19:00 1998
Message-Id: <199812102218.QAA09114@s07.sa.fedex.com>
To: James Wyatt
cc: Jim Yuill, FREEBSD-SECURITY@FreeBSD.ORG, ksb@sa.fedex.com
Subject: Re: append-only devices for logging
Date: Thu, 10 Dec 1998 16:18:43 -0600
From: William McVey
Sender: owner-freebsd-security@FreeBSD.ORG

> I've been looking for an append-only device for logging, which a remote
> hacker (with root access) can not erase or alter. Other than a
> line-printer, are there any such devices that actually work with Unix?

I highly recommend syslogging to a serial device connected to a separate
machine running the console server package available at:

ftp://ftp.physics.purdue.edu/pub/pundits/conserver-7.4.tgz

(There is a precompiled version of this application in the PORTS
collection; however, it is outdated).

The conserver package can be configured to do lots of stuff. It is
typically used to manage serial interfaces for "headless" console access
to a Unix box, but if the conserver is connected to a host which is
logging to its serial device, you get what you want. The conserver logs
all input it sees to logfiles local to the conserver (which wouldn't be
available to the machine being monitored).

-- William
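
The collector side of the arrangement described in the message above, as an added example that is not part of the original post and is not conserver's code. It assumes the log host can read the serial port as a byte stream; the function names, the line-length limit and the command-line arguments are hypothetical.

```python
import os
import sys
import time

def sanitize(raw: bytes) -> str:
    """Escape control bytes so a compromised sender cannot plant terminal
    escape sequences or forge records with stray CR/LF characters."""
    text = raw.rstrip(b"\r").decode("utf-8", errors="replace")
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in text)

def collect(stream, log_path, clock=time.time, max_line=1024):
    """Append each line read from `stream` to `log_path`; return the count."""
    # O_APPEND: every write lands at end of file; nothing here ever truncates.
    fd = os.open(log_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    written, buf = 0, b""

    def emit(line: bytes) -> int:
        if not line.strip():
            return 0
        # Stamp with the collector's clock; the sender's timestamp is untrusted.
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(clock()))
        os.write(fd, f"{stamp} {sanitize(line)}\n".encode("utf-8"))
        os.fsync(fd)
        return 1

    try:
        while chunk := stream.read(256):
            buf += chunk
            # Cut at a newline, or at max_line so a flood cannot grow the buffer.
            while b"\n" in buf or len(buf) > max_line:
                line, sep, _ = buf[:max_line].partition(b"\n")
                buf = buf[len(line) + len(sep):]
                written += emit(line)
        written += emit(buf)  # trailing data without a newline
    finally:
        os.close(fd)
    return written

if __name__ == "__main__":
    # usage: collector.py <serial-device> <logfile>  (both paths are site-specific)
    with open(sys.argv[1], "rb", buffering=0) as port:
        collect(port, sys.argv[2])
```

The monitored host only ever writes to its serial port, so root on that host gains no path to the log file; the collector should run with no network services reachable from the monitored machine.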