Re: Is the technique described in this article do-able with

From: Crist J. Clark (cjc@FreeBSD.ORG)
Date: 02/11/02


Date: Sun, 10 Feb 2002 22:10:29 -0800
From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: "f.johan.beisser" <jan@caustic.org>

On Sun, Feb 10, 2002 at 07:18:31PM -0800, f.johan.beisser wrote:
> On Sun, 10 Feb 2002, Bill Vermillion wrote:
>
> > Hardcopy is fairly hard to search with a text editor though :-)
>
> 2 copies. one electronic, so you can do a grep on it :)
>
> > If you worry about the logs being alterable - and you did suggest
> > logging to a second machine - then you have a real problem with
> > security I'd guess. You could always run chflags on the logging
> > machine to make the logs append only. Wouldn't that take care
> > of the problem of being alterable without having to use hardcopy?
>
> not really. you can change chflags on a live machine.

How do you do it when there is an elevated securelevel(8)?

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
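
The point under discussion in the message above, as an added example that is not part of the original post or the thread: whether an append-only flag on a log file can be cleared on a running FreeBSD system depends on whether it is a system flag (`sappnd`, `schg`) or a user flag (`uappnd`, `uchg`) and on the value of `kern.securelevel`. The function names, labels and default directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report how firmly each log file's flags hold on FreeBSD.
# Flag names are those accepted by chflags(1); helper names are hypothetical.

# flag_strength LEVEL FLAGS
#   LEVEL: value of kern.securelevel (may be -1)
#   FLAGS: comma-separated flag string as printed by `stat -f %Sf` ("-" if none)
flag_strength() {
    level=$1
    flags=$2
    sys=no
    usr=no
    old_ifs=$IFS
    IFS=,
    for f in $flags; do
        case $f in
            sappnd|sappend|schg|schange|simmutable) sys=yes ;;
            uappnd|uappend|uchg|uchange|uimmutable) usr=yes ;;
        esac
    done
    IFS=$old_ifs
    if [ "$sys" = yes ] && [ "$level" -ge 1 ]; then
        echo locked            # system flag, securelevel raised: root cannot clear it
    elif [ "$sys" = yes ]; then
        echo root-removable    # system flag, but root can still clear it with chflags
    elif [ "$usr" = yes ]; then
        echo owner-removable   # user flag: file owner or root can clear it at any level
    else
        echo unprotected
    fi
}

# audit_logs [DIR]: print "<strength><TAB><file>" for each regular file in DIR.
audit_logs() {
    dir=${1:-/var/log}
    level=$(sysctl -n kern.securelevel)
    for file in "$dir"/*; do
        [ -f "$file" ] || continue
        printf '%s\t%s\n' \
            "$(flag_strength "$level" "$(stat -f %Sf "$file")")" "$file"
    done
}

# Run the audit only on FreeBSD; on other systems just define the functions.
if [ "$(uname -s)" = FreeBSD ]; then
    audit_logs "$@"
fi
```

Files reported as `root-removable` or `owner-removable` carry a flag that an intruder with the matching privilege can clear before editing the log.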

