Re: Followup: Syslog
from the secret journal of Micah Anderson (email@example.com):
> One additional tweak which falls into line with the security setups, that I
> think is a good idea is to made the log files in /var/log to be chattr +a
> (append only) so logfiles cannot be modified or removed altogether to cover
> up tracks. This isn't the the biggest security trick because all it does is
> make it if you don't know about chattr then you can't install a trojan. If
> you've got root then removing the immutability flags is trivial, but only if
> you know how to, or even know they exist. But it has kept the lower-level
> admins at a site I work at from modifying the logfiles, which is against
That's exactly right, append-only mode is useless.
This is only mean for situations where non-root users must be able to write
to a file, but not modify it. If syslog is running as root, there is zero
point to this excersize. And as someone else pointed out, not every linux
filesystem (or possibly even the hurd's implimentation of ext2) supports
Just because a feature exists, doesn't mean that it should be used.