Subject: Re: [RFC] environment sanitisation wrapper
From: John Flux (johntmsp.screaming.net)
Date: Wed May 31 2000 - 09:53:24 CDT


On Wed, 31 May 2000, you wrote:
.....

> secure-syslog
> The major problem with syslog however is that tampering with log files is
> trivial (setting the log files append only with "chattr +a" helps, but if an
> attacker gains root, they can unset the attribute).

I was thinking how to slow down a cracker - assuming they have root - from
deleting logs....
I could delete the chattr file - but then they could upload a new version or
just write it in C....
Can I disable modification of the attributes at a kernel level?
I could for personal use just hook the call and look for specific files then
fail the call... - but much as I love kludging, that's otp ...

 --
Children are unpredictable. You never know what inconsistency they're
going to catch you in next.
                -- Franklin P. Jones
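
Added example, not part of the original message: on Linux, changing the append-only flag requires the CAP_LINUX_IMMUTABLE capability, so an audit can check both that the log files carry the `a` attribute and whether that capability is still in a process's capability bounding set. The `/proc` status text and `lsattr` output below are constructed samples, and the function names are hypothetical.

```python
import re

CAP_LINUX_IMMUTABLE = 9  # bit number defined in linux/capability.h

# Constructed sample inputs (not taken from the original message).
SAMPLE_STATUS = """Name:\tsyslogd
CapEff:\t000001fffffffdff
CapBnd:\t000001fffffffdff
"""
SAMPLE_LSATTR = """-----a--------e------- /var/log/messages
--------------e------- /var/log/secure
-----a--------e------- /var/log/maillog
"""


def can_change_attrs(status_text):
    """True if CAP_LINUX_IMMUTABLE is still in the bounding set (CapBnd)."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapBnd line found")
    return bool((int(m.group(1), 16) >> CAP_LINUX_IMMUTABLE) & 1)


def missing_append_only(lsattr_text):
    """Return paths from lsattr output that lack the append-only 'a' flag."""
    unprotected = []
    for line in lsattr_text.splitlines():
        parts = line.split(None, 1)
        # Skip blank lines and lsattr error lines, whose first field
        # is not a flag string.
        if len(parts) != 2 or not re.fullmatch(r"[-A-Za-z]+", parts[0]):
            continue
        flags, path = parts
        if "a" not in flags:  # lowercase 'a' = append-only; 'A' = no atime
            unprotected.append(path)
    return unprotected


if __name__ == "__main__":
    # Live use would read /proc/<pid>/status and the output of
    # `lsattr /var/log/*`; the constructed samples are used here.
    print("attribute changes possible:", can_change_attrs(SAMPLE_STATUS))
    print("logs without +a:", missing_append_only(SAMPLE_LSATTR))
```

A process whose bounding set lacks the capability cannot regain it through exec, so the check matters most for long-lived root processes and anything they spawn.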