[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Followup: Syslog

Quoting Micah Anderson <micah@riseup.net>:
> One additional tweak which falls into line with the security setups, that I
> think is a good idea is to made the log files in /var/log to be chattr +a
> (append only) so logfiles cannot be modified or removed altogether to cover
> up tracks. This isn't the the biggest security trick because all it does is
> make it if you don't know about chattr then you can't install a trojan. If
> you've got root then removing the immutability flags is trivial, but only if
> you know how to, or even know they exist. But it has kept the lower-level
> admins at a site I work at from modifying the logfiles, which is against
> policy.

Not every filesystem that Linux works with supports the append-only
flag. If append-only is attempted, it must be able to cope with this
absence. (I'm sure I'm not the only one that has /var/log symlinked
to /mnt/floppy ;)

Andrew Stribblehill <ads@debian.org>
Systems programmer, IT Service, University of Durham, England

Reply to: