From owner-freebsd-security@FreeBSD.ORG Mon Jul 12 23:41:22 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E5B011065673 for ; Mon, 12 Jul 2010 23:41:22 +0000 (UTC) (envelope-from delphij@delphij.net) Received: from tarsier.geekcn.org (tarsier.geekcn.org [IPv6:2001:470:a803::1]) by mx1.freebsd.org (Postfix) with ESMTP id 849CF8FC17 for ; Mon, 12 Jul 2010 23:41:22 +0000 (UTC) Received: from mail.geekcn.org (tarsier.geekcn.org [211.166.10.233]) by tarsier.geekcn.org (Postfix) with ESMTP id 201B4A5C26B; Tue, 13 Jul 2010 07:41:21 +0800 (CST) X-Virus-Scanned: amavisd-new at geekcn.org Received: from tarsier.geekcn.org ([211.166.10.233]) by mail.geekcn.org (mail.geekcn.org [211.166.10.233]) (amavisd-new, port 10024) with LMTP id Wki8PVTPwTXy; Tue, 13 Jul 2010 07:41:12 +0800 (CST) Received: from delta.delphij.net (drawbridge.ixsystems.com [206.40.55.65]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by tarsier.geekcn.org (Postfix) with ESMTPSA id 349EEA5C228; Tue, 13 Jul 2010 07:41:10 +0800 (CST) DomainKey-Signature: a=rsa-sha1; s=default; d=delphij.net; c=nofws; q=dns; h=message-id:date:from:reply-to:organization:user-agent: mime-version:to:cc:subject:references:in-reply-to: x-enigmail-version:openpgp:content-type:content-transfer-encoding; b=GP2SvPptYARSxOSZc3QcXj0OzQ1kFunyp+1M390Y8V1OSvy6MiPkPtJvc45sIjKHj IbEXp+AHEghMNOYFs59/A== Message-ID: <4C3BA811.1000108@delphij.net> Date: Mon, 12 Jul 2010 16:41:05 -0700 From: Xin LI Organization: The Geek China Organization User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.1.10) Gecko/20100629 Thunderbird/3.0.5 ThunderBrowse/3.3 MIME-Version: 1.0 To: Fernan Aguero References: In-Reply-To: X-Enigmail-Version: 1.0.1 OpenPGP: id=3FCA37C1; url=http://www.delphij.net/delphij.asc Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: disable (new)syslog rotation and raise securelevel ... possible? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: d@delphij.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Jul 2010 23:41:23 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 2010/07/12 11:04, Fernan Aguero wrote: > Hi, > > I'd like to harden my FreeBSD installation, and thus would like to, e.g. > > i) chflags sappnd /var/log/* > ii) raise the securelevel of the system > > Is this possible? I've read elsewhere that newsyslog would not work in > such a system ... what are the possible workarounds? > > I wouldn't bother taking the system down once a week or every other > week, and manually lowering the securelevel, running newsyslog, etc. > Is there a guide somewhere on how to go about this? Speaking for your question, disabling newsyslog can be done by removing the corresponding line in your /etc/crontab. However, the use of system flags is usually dangerous, I don't really consider them as very useful mechanisms for hardening your installation. Logging remotely to a dedicated and secured central logging server could be a better (as long as you have control to your internal network) alternative, since the attacker has to take down two systems, rather than one, in order to erase their foot prints. Cheers, - -- Xin LI http://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.15 (FreeBSD) iQEcBAEBCAAGBQJMO6gRAAoJEATO+BI/yjfByF8IAI4qPKWNJhMqgs/QAk609FTV CTTy96jBi+jUWMq8pek8G8fI1TYV2B2wOhPm8qrq5HSyqdNs+NeSS1WVLhynCu7F xK9ewsa+XBeZlASIbA2fqCT4oktASMAlD7XgMlMqbAo2nhMzyngHL+nqD6UZoC/n IomRwK30W1VTGU1YnY0pMvH5nGrK7+hBqniivwNSijy02zLzjA9mwwH+sTzcDLX9 gucpoDCdmlZcQIWHUWEHFFRoZH9VDlm1UHMmwCSZzy6QEWGiPk4nFH9+EfxMPozU seWZfrHrw1EwGaqizKDSnlMb6eVFhUWmz2hVAZqxol8Yu6JyXBAsgRXvLWI8kME= =5taC -----END PGP SIGNATURE-----