Re: Followup: Syslog

To: debian-devel@lists.debian.org, debian-security@lists.debian.org
Subject: Re: Followup: Syslog
From: Andrew Stribblehill <a.d.stribblehill@durham.ac.uk>
Date: Wed, 18 Apr 2001 13:57:33 +0100
Message-id: <[🔎] 20010418135733.X3712@womble.dur.ac.uk>
Mail-followup-to: debian-devel@lists.debian.org, debian-security@lists.debian.org
In-reply-to: <[🔎] 20010413154002.P14998@riseup.net>; from micah@riseup.net on Fri, Apr 13, 2001 at 03:40:02PM -0700
References: <[🔎] 01041400083606.00484@silence> <[🔎] 20010413154002.P14998@riseup.net>

Quoting Micah Anderson <micah@riseup.net>:
> One additional tweak which falls into line with the security setups, that I
> think is a good idea is to made the log files in /var/log to be chattr +a
> (append only) so logfiles cannot be modified or removed altogether to cover
> up tracks. This isn't the the biggest security trick because all it does is
> make it if you don't know about chattr then you can't install a trojan. If
> you've got root then removing the immutability flags is trivial, but only if
> you know how to, or even know they exist. But it has kept the lower-level
> admins at a site I work at from modifying the logfiles, which is against
> policy.

Not every filesystem that Linux works with supports the append-only
flag. If append-only is attempted, it must be able to cope with this
absence. (I'm sure I'm not the only one that has /var/log symlinked
to /mnt/floppy ;)

-- 
Andrew Stribblehill <ads@debian.org>
Systems programmer, IT Service, University of Durham, England

Reply to:

Follow-Ups:
- Re: Followup: Syslog
  - From: Peter Cordes <peter@llama.nslug.ns.ca>

References:
- Followup: Syslog
  - From: Kenneth Vestergaard Schmidt <kenneth@bitnisse.dk>
- Re: Followup: Syslog
  - From: Micah Anderson <micah@riseup.net>

Prev by Date: Re: syslog
Next by Date: Re: ITP: laptop-netconf -- a network detection and configuration program
Previous by thread: Re: Followup: Syslog
Next by thread: Re: Followup: Syslog
Index(es):
- Date
- Thread