append mode on log files - Security


Thread: append mode on log files

  1. append mode on log files

    Hi

    I was just wondering if using chattr and lcap to protect log files from
    being overwritten, etc., does any good?

    Any person who gets root access can do whatever he wants, including
    removing the limitations. A person who does not have root access will not
    be able to do this in any case. So I am having a little trouble seeing
    the advantage.

    regards

    tommy

  2. Re: append mode on log files

    On Sun, 19 Oct 2008, in the Usenet newsgroups comp.security.unix and
    comp.os.linux.security, in article <48fb414a$1@news.broadpark.no>, Tommy
    Halsbrekk wrote:

    >I was just wondering if using chattr and lcap to protect log files from
    >being overwritten etc does any good?


    [compton ~]$ whatis chattr lsattr lcap
    chattr (1) - change file attributes on a Linux second extended file system
    lsattr (1) - list file attributes on a Linux second extended file system
    lcap (8) - remove Linux kernel capabilities
    [compton ~]$

    One presumes you are referring to the +a attribute (append only) in
    chattr. This only works in e2fs and e3fs filesystems.

    >Any person who gets root access can do whatever he wants, including
    >removing the limitations. A person who does not have root access will not
    >be able to do this in any case. So I am having a little trouble seeing
    >the advantage.


    Search for SELinux - or, as you are posting to comp.security.unix as
    well, look also for the "Trusted" versions of IRIX or Solaris and so
    on. These add access control, which is another hoop to jump through.

    If an untrusted person has root, you are screwed pretty much no matter
    what you do. ACL (Access Control Lists) can make it more difficult,
    and there is always the fun idea of remote or hard copy logging:

    ---------------------
    > The best solution I've ever heard of was directing your log output,
    > especially if you have an IDS, to a line printer. That way they are
    > unable to erase logs unless they have physical access to the
    > printer/machine. Pretty hard to erase a paper trail.


    Brilliant, and pretty cheap too...

    old dot matrix printer: $15
    continuous paper stock: $5
    look on script kiddie's face when they discover the logs are symlinked
    to /dev/lp0: priceless
    ---------------------

    Old guy

  3. Re: append mode on log files

    In article <48fb414a$1@news.broadpark.no>,
    Tommy Halsbrekk wrote:

    > Hi
    >
    > I was just wondering if using chattr and lcap to protect log files from
    > being overwritten etc does any good?
    >
    > Any person who gets root access can do whatever he wants, including
    > removing the limitations. A person who does not have root access will not
    > be able to do this in any case. So I am having a little trouble seeing
    > the advantage.


    They're useful for preventing unintended corruption of files.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    *** PLEASE don't copy me on replies, I'll read them in the group ***

  4. Re: append mode on log files

    Tommy Halsbrekk wrote:

    > Hi
    >
    > I was just wondering if using chattr and lcap to protect log files
    > from being overwritten etc does any good?
    >
    > Any person who gets root access can do whatever he wants, including
    > removing the limitations. A person who does not have root access will
    > not be able to do this in any case. So I am having a little trouble
    > seeing the advantage.
    >
    > regards
    >
    > tommy


    It can, especially if you don't have a good amount of communication
    within a company, where an admin might make a change and another might
    not know and modifies a file to "fix" what they think is a problem.
    It's primarily a good way to set some restrictions for non-root users,
    and maybe prevent other programs, people or log rotation software from
    wiping the logs, for example. Logs aren't usually something I'd see
    people set the file attributes for, but I could see some reasons.
    Mainly, it would be to prevent other things from modifying/updating
    files without you specifically doing it or allowing it, or to make
    people "think" before acting (again, usually config files, etc., and not
    so much log files, but the same logic can apply).
    --
    Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
    Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
    and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
    Industry's most experienced staff! -- Web Hosting With Muscle!
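    The practical check that follows on from replies 2 and 4 is verifying which
    logs actually carry the +a (append-only) attribute, and catching the common
    mistake of +i (immutable) on a live log, which stops the logger from writing
    at all. The script below is an added example written for this thread, not
    code from any of the posters. It parses lsattr-style output (a flag string
    followed by the path) and reports files that are unprotected, and files that
    are immutable rather than append-only. The lsattr sample it runs on is
    constructed, not captured from a real host; the audit_live() helper, which
    shells out to the real lsattr, is the only part that needs a Linux ext2/3/4
    system. On Linux, setting or clearing these attributes needs the
    CAP_LINUX_IMMUTABLE capability, which is the capability lcap was used to
    drop, so the audit only observes the state, it never changes it.

```python
"""Audit which log files carry the ext2/3/4 append-only (a) or immutable (i)
file attribute, by parsing `lsattr -d` output.

Added example for this thread, not code from any poster. Assumes lsattr
prints one line per file: a flag string, a space, then the path.
"""
import subprocess
from dataclasses import dataclass
from typing import List

# Constructed sample of `lsattr -d` output (NOT captured from a real host).
# In the flag string, 'a' = append only, 'i' = immutable, '-' = not set.
SAMPLE_LSATTR_OUTPUT = """\
----a----------- /var/log/auth.log
---------------- /var/log/syslog
----i----------- /var/log/wtmp
----a----------- /var/log/secure
"""


@dataclass(frozen=True)
class LogAttrs:
    path: str
    append_only: bool
    immutable: bool


def parse_lsattr(output: str) -> List[LogAttrs]:
    """Turn lsattr lines into LogAttrs records; blank or odd lines are skipped."""
    records = []
    for line in output.splitlines():
        parts = line.split(None, 1)  # flags, then the path (may contain spaces)
        if len(parts) != 2:
            continue
        flags, path = parts
        records.append(LogAttrs(path=path,
                                append_only="a" in flags,
                                immutable="i" in flags))
    return records


def unprotected_logs(records: List[LogAttrs]) -> List[str]:
    """Logs with neither attribute: a plain `> file` truncation, or an unlink
    by anything running as root, empties them without any kernel pushback."""
    return [r.path for r in records if not (r.append_only or r.immutable)]


def misprotected_logs(records: List[LogAttrs]) -> List[str]:
    """Immutable (+i) on an active log is a configuration error: the kernel
    refuses every write, so the log silently stops growing. Report those."""
    return [r.path for r in records if r.immutable]


def audit_live(paths: List[str]) -> List[LogAttrs]:
    """Run the real lsattr on the given paths (Linux, ext2/3/4 only).
    Not exercised by the offline sample; shown for use on a real host."""
    out = subprocess.run(["lsattr", "-d", *paths],
                         capture_output=True, text=True, check=True).stdout
    return parse_lsattr(out)


if __name__ == "__main__":
    recs = parse_lsattr(SAMPLE_LSATTR_OUTPUT)
    for r in recs:
        state = "append-only" if r.append_only else ("IMMUTABLE" if r.immutable else "none")
        print(f"{r.path}: {state}")
    print("unprotected:", unprotected_logs(recs))
    print("immutable (logger cannot write):", misprotected_logs(recs))
```

    One caveat worth keeping in mind alongside Tim Greer's point about log
    rotation: a file with +a set cannot be truncated, deleted or renamed by
    anyone, root included, until the attribute is cleared, so a rotation tool
    that renames or copy-truncates the file will start failing. Either clear
    the attribute in the rotation step or rotate by having the logger switch to
    a new file. Rotation failures of that kind are also a useful thing to alert
    on, since they are exactly what the attribute is meant to stop.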
