Tommy Halsbrekk (Guest)
Posted: Sun Oct 19, 2008 7:16 pm    Post subject: append mode on log files
Hi
I was just wondering if using chattr and lcap to protect log files from
being overwritten etc does any good?
Any person who gets a root access can do whatever he wants, including
removing the limitations. A person who does not have root access will not
be able to do this in any case. So I am having a little trouble seeing
the advantage.
regards
tommy
Moe Trin (Guest)
Posted: Sun Oct 19, 2008 9:48 pm    Post subject: Re: append mode on log files
On Sun, 19 Oct 2008, in the Usenet newsgroups comp.security.unix and
comp.os.linux.security, in article <48fb414a$1@news.broadpark.no>, Tommy
Halsbrekk wrote:
> I was just wondering if using chattr and lcap to protect log files from
> being overwritten etc does any good?
[compton ~]$ whatis chattr lsattr lcap
chattr (1) - change file attributes on a Linux second extended file system
lsattr (1) - list file attributes on a Linux second extended file system
lcap ( - remove Linux kernel capabilities
[compton ~]$
One presumes you are referring to the +a attribute (append only) in
chattr. This only works in e2fs and e3fs filesystems.
> Any person who gets a root access can do whatever he wants, including
> removing the limitations. A person who does not have root access will not
> be able to do this in any case. So I am having a little trouble seeing
> the advantage.
Search for SELinux - or, as you are posting to comp.security.unix as
well, look also for the "Trusted" versions of IRIX or Solaris and so
on. These add access control, which is another hoop to jump through.
If an untrusted person has root, you are screwed pretty much no matter
what you do. ACL (Access Control Lists) can make it more difficult,
and there is always the fun idea of remote or hard copy logging:
---------------------
> The best solution I've ever heard of was directing your log output,
> especially if you have an IDS, to a line printer. That way they are
> unable to erase logs unless they have physical access to the
> printer/machine. Pretty hard to erase a paper trail.

Brilliant, and pretty cheap too...

old dot matrix printer                                    $15
continuous paper stock                                     $5
look on script kiddie's face when they discover
the logs are symlinked to /dev/lp0                   priceless
---------------------
Old guy
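An added audit check, written here and not by any of the posters, for the two protections this thread discusses: it parses lsattr output to find log files that lack the append-only (a) attribute, and reads the CapBnd mask from /proc/<pid>/status to tell whether CAP_LINUX_IMMUTABLE, the capability a root user needs to run `chattr -a` (and the one lcap was used to drop so that even root could not clear the attribute until reboot), is still in the bounding set. On the 2.4-era kernels of the thread, lcap cleared bits in the system-wide /proc/sys/kernel/cap-bound; on current kernels the equivalent state is per process and appears as CapBnd. The lsattr lines and status lines below are constructed samples, not captured from a real host.

```python
# Capability bit index of CAP_LINUX_IMMUTABLE in <linux/capability.h>.
# Without it in the bounding set, even root cannot run `chattr -a` on a file.
CAP_LINUX_IMMUTABLE = 9

# Constructed sample of `lsattr` output for a few log files (not a real host).
SAMPLE_LSATTR = """\
-----a--------e----- /var/log/auth.log
--------------e----- /var/log/syslog
-----a--------e----- /var/log/messages
"""

# Constructed CapBnd lines in the format of /proc/<pid>/status. The second
# mask has bit 9 cleared, i.e. CAP_LINUX_IMMUTABLE dropped from the bounding set.
SAMPLE_STATUS_FULL = "Name:\tbash\nCapBnd:\t000001ffffffffff\n"
SAMPLE_STATUS_DROPPED = "Name:\tbash\nCapBnd:\t000001fffffffdff\n"


def parse_lsattr(text):
    """Map each path in lsattr output to the set of attribute letters set on it."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        flags, _, path = line.partition(" ")
        attrs[path] = {c for c in flags if c != "-"}
    return attrs


def files_missing_append_only(lsattr_text):
    """Return the paths that do not carry the append-only (a) attribute."""
    return sorted(p for p, f in parse_lsattr(lsattr_text).items() if "a" not in f)


def cap_in_bounding_set(status_text, cap):
    """Read the CapBnd hex mask from /proc/<pid>/status text and test one bit."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            mask = int(line.split(":", 1)[1].strip(), 16)
            return bool((mask >> cap) & 1)
    raise ValueError("no CapBnd line in status text")


def audit(lsattr_text, status_text):
    """Combine both checks into a list of findings a defender would act on."""
    findings = [f"{p}: append-only attribute not set"
                for p in files_missing_append_only(lsattr_text)]
    if cap_in_bounding_set(status_text, CAP_LINUX_IMMUTABLE):
        findings.append("CAP_LINUX_IMMUTABLE still in bounding set: "
                        "root can clear +a with chattr -a")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LSATTR, SAMPLE_STATUS_FULL):
        print(finding)
```

On a live host, feed it `lsattr /var/log/*` and the contents of /proc/self/status instead of the samples; the capability check tells you whether the append-only attribute is a speed bump or an actual barrier for a root-level intruder.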
Barry Margolin (Guest)
Posted: Mon Oct 20, 2008 7:44 am    Post subject: Re: append mode on log files
In article <48fb414a$1@news.broadpark.no>,
Tommy Halsbrekk <tommy@dummy.no> wrote:
> Hi
> I was just wondering if using chattr and lcap to protect log files from
> being overwritten etc does any good?
> Any person who gets a root access can do whatever he wants, including
> removing the limitations. A person who does not have root access will not
> be able to do this in any case. So I am having a little trouble seeing
> the advantage.
They're useful for preventing unintended corruption of files.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
Tim Greer (Guest)
Posted: Mon Oct 20, 2008 7:57 am    Post subject: Re: append mode on log files
Tommy Halsbrekk wrote:
> Hi
> I was just wondering if using chattr and lcap to protect log files
> from being overwritten etc does any good?
> Any person who gets a root access can do whatever he wants, including
> removing the limitations. A person who does not have root access will
> not be able to do this in any case. So I am having a little trouble
> seeing the advantage.
> regards
> tommy
It can, especially if you don't have a good amount of communication
within a company, where an admin might make a change and another might
not know and modifies a file to "fix" what they think is a problem.
It's primarily a good way to set some restrictions for non root users,
and maybe prevent other programs, people or log rotation software from
wiping the logs, for example. Logs aren't usually something I'd see
people set the file attributes for, but I could see some reasons.
Mainly, it would be to prevent other things from modifying/updating
files without you specifically doing it or allowing it, or to make
people "think" before acting (again, usually config files, etc. and not
so much log files, but the same logic can apply).
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!