Secure storage of BSM audit files?

From: Anupam
Date: 03/02/02

From: "Anupam" <>
To: <>
Date: Sat, 2 Mar 2002 11:16:19 -0500

I know I am being paranoid :-); being new to security, I guess I am
allowed this liberty.

Question to the list:
Is there any way of 'safely' storing audit files on a remote-server?

I know this question is not very well formed. Let me explain with an
example. If one uses a syslog server, the data on the syslog server becomes an
append-only file-system. This basically ensures that the only way the data
on this server can be erased is if the syslog server is compromised.

Kludgy solution:
- Pull audit files at regular intervals of time onto a more secure server,
and store the files by time-stamps. This way some sort of snap-shot is

Refined questions:
- Is there a similar way to set up an effectively append-only file system on
a remote server?
- I hear (might be wrong) that BSD supports append-only file systems, is
there something equivalent for Solaris (maybe via NFS)?
- Is there a way of doing this via NFS?
- Is there something better than the kludgy solution - automated
time-stamped file-pulls at regular intervals of time?

Even RTFM type posts are appreciated. I will summarize this post.


- Anupam
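
The time-stamped pull described under "Kludgy solution", written out as an added example that is not part of the original post. It assumes the audited host's audit directory is readable as a path on the collecting server (for instance staged by scp or a read-only mount) and that the file still being written has `not_terminated` in its name; `pull_snapshot` and `index.json` are hypothetical names.

```python
import hashlib, json, os, shutil, time

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def pull_snapshot(src_dir, archive_dir, now=None):
    """Copy closed audit files into a new time-stamped snapshot directory.

    Returns (snapshot_path, alerts); alerts lists files that were pulled
    earlier and have since changed or disappeared on the audited host.
    """
    os.makedirs(archive_dir, exist_ok=True)
    index_path = os.path.join(archive_dir, "index.json")  # hypothetical name
    seen = {}
    if os.path.exists(index_path):
        with open(index_path) as f:
            seen = json.load(f)

    current = {}
    for name in sorted(os.listdir(src_dir)):
        path = os.path.join(src_dir, name)
        # Assumption: the file still being written carries "not_terminated"
        # in its name; skip it until the audit daemon has closed it.
        if "not_terminated" in name or not os.path.isfile(path):
            continue
        current[name] = sha256_file(path)

    alerts = []
    for name, digest in seen.items():
        if name not in current:
            alerts.append(("missing", name))
        elif current[name] != digest:
            alerts.append(("modified", name))

    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    snap = os.path.join(archive_dir, stamp)
    os.mkdir(snap)  # raises instead of overwriting an earlier snapshot
    for name, digest in current.items():
        if seen.get(name) != digest:  # new, or changed since first pull
            shutil.copy2(os.path.join(src_dir, name), os.path.join(snap, name))
        seen.setdefault(name, digest)  # first-seen digest stays authoritative

    tmp = index_path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(seen, f, indent=1)
    os.replace(tmp, index_path)
    return snap, alerts
```

Records written between two pulls are still exposed on the audited host until the next run, so the pull interval bounds how much an intruder could alter unnoticed.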