Re: [fw-wiz] More Syslog Questions
From: Chuck Swiger (chuck_at_codefab.com)
Date: 07/19/04
- Previous message: Marcus J. Ranum: "Re: [fw-wiz] More Syslog Questions"
- In reply to: Nathaniel Hall: "[fw-wiz] More Syslog Questions"
- Next in thread: Devdas Bhagat: "Re: [fw-wiz] More Syslog Questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Nathaniel Hall" <halln@otc.edu> Date: Mon, 19 Jul 2004 15:58:56 -0400
On Jul 19, 2004, at 9:10 AM, Nathaniel Hall wrote:
> The only problem I have with chattr +a is that if an intruder gains
> access
> to the root account, they can change the attributes, change the log
> files,
> and the replace the append only attribute, making it appear that
> nothing was
> done to the log file.
If one could turn off append-only, it wouldn't be very useful, you're
right. However, see "man 2 chflags":
The ``SF_IMMUTABLE'', ``SF_APPEND'', ``SF_NOUNLINK'', and
``SF_ARCHIVED''
flags may only be set or unset by the super-user. Attempts by the
non-
super-user to set the super-user only flags are silently ignored.
These
flags may be set at any time, but normally may only be unset when
the
system is in single-user mode. (See init(8) for details.)
More specificly, they pay attention to the sysctl kern.securelevel:
The kernel runs with five different levels of security. Any
super-user
process can raise the security level, but no process can lower it.
The
security levels are:
-1 Permanently insecure mode - always run the system in level 0
mode.
This is the default initial value.
0 Insecure mode - immutable and append-only flags may be
turned off.
All devices may be read or written subject to their
permissions.
1 Secure mode - the system immutable and system append-only
flags may
not be turned off; disks for mounted file systems, /dev/mem,
and
/dev/kmem may not be opened for writing; kernel modules (see
kld(4)) may not be loaded or unloaded.
2 Highly secure mode - same as secure mode, plus disks may not
be
opened for writing (except by mount(2)) whether mounted or
not.
This level precludes tampering with file systems by
unmounting
them, but also inhibits running newfs(8) while the system is
multi-
user.
[ ... ]
3 Network secure mode - same as highly secure mode, plus IP
packet
filter rules (see ipfw(8) and ipfirewall(4)) cannot be
changed and
dummynet(4) configuration cannot be adjusted.
If the security level is initially nonzero, then init leaves it
unchanged. Otherwise, init raises the level to 1 before going
multi-user
for the first time. Since the level cannot be reduced, it will be
at
least 1 for subsequent operation, even on return to single-user.
-----
The above doesn't stop someone who has console access from changing a
system in a sneaky way, if they're willing to reboot the system (tends
to be fairly noticable!), but it will do quite a bit to prevent someone
from changing the system remotely.
-- -Chuck _______________________________________________ firewall-wizards mailing list firewall-wizards@honor.icsalabs.com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Marcus J. Ranum: "Re: [fw-wiz] More Syslog Questions"
- In reply to: Nathaniel Hall: "[fw-wiz] More Syslog Questions"
- Next in thread: Devdas Bhagat: "Re: [fw-wiz] More Syslog Questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
