Re: Followup: Syslog

To: debian-devel@lists.debian.org, debian-security@lists.debian.org
Subject: Re: Followup: Syslog
From: jake@capecodvacation.com (Jacob Kuntz)
Date: Wed, 18 Apr 2001 10:50:23 -0400
Message-id: <[🔎] 20010418105023.A21437@capecodvacation.com>
In-reply-to: <[🔎] 20010413154002.P14998@riseup.net>; from micah@riseup.net on Fri, Apr 13, 2001 at 03:40:02PM -0700
References: <[🔎] 01041400083606.00484@silence> <[🔎] 20010413154002.P14998@riseup.net>

from the secret journal of Micah Anderson (micah@riseup.net):
> One additional tweak which falls into line with the security setups, that I
> think is a good idea is to made the log files in /var/log to be chattr +a
> (append only) so logfiles cannot be modified or removed altogether to cover
> up tracks. This isn't the the biggest security trick because all it does is
> make it if you don't know about chattr then you can't install a trojan. If
> you've got root then removing the immutability flags is trivial, but only if
> you know how to, or even know they exist. But it has kept the lower-level
> admins at a site I work at from modifying the logfiles, which is against
> policy.

That's exactly right, append-only mode is useless.

This is only mean for situations where non-root users must be able to write
to a file, but not modify it. If syslog is running as root, there is zero
point to this excersize. And as someone else pointed out, not every linux
filesystem (or possibly even the hurd's implimentation of ext2) supports
this.

Just because a feature exists, doesn't mean that it should be used.

-- 
Jacob Kuntz
jake@capecodvacation.com
http://underworld.net/~jake

Reply to:

References:
- Followup: Syslog
  - From: Kenneth Vestergaard Schmidt <kenneth@bitnisse.dk>
- Re: Followup: Syslog
  - From: Micah Anderson <micah@riseup.net>

Prev by Date: unstable
Next by Date: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
Previous by thread: Re: Followup: Syslog
Next by thread: Re: Followup: Syslog
Index(es):
- Date
- Thread