Securing log rotation
daniel.mcnamara at webone.com.au
Sun Aug 12 17:41:42 EST 2001
On Fri, 10 Aug 2001, Daniel McNamara wrote:
> > I've decided to get a little paranoid and start adding a few extra
> > measures to my server. What I want to do is use the chattr command to give
> > all currently active log files the "a" setting to allow append only and
> > old logs to be given the "i" setting to help prevent overwriting.
> This is rather pointless imho. If someone has write access to the
> directory or the files, they can use chattr themselves anyway. If someone
> breaks in and gets root, it's easy enough for them to do it as it is for
> them to delete the logfiles without the chattr command.
True, but it's mainly to prevent these script kiddies who tend not to know
more commands than ls, mv and cp from running scripts that may remove traces
of whatever they have done. It's more or less to increase my chances of
being able to do forensics, not so much for total protection. In the case of
the "i" and "a" attributes, the man page for chattr clearly states that only
the superuser may set them, not ordinary users.
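
The rotation sequence discussed in this thread, as an added example that is not part of the original post: an append-only file cannot be renamed, so the "a" attribute has to come off briefly before the rotated copy is frozen with "i". The function name, the date-stamp naming and the `RUN` and `RELOAD_CMD` variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes root and a filesystem that
# supports chattr attributes (e.g. ext2/ext3/ext4).
# RUN=echo (the default) only prints the commands; set RUN= to execute them.
RUN=${RUN-echo}

# rotate_log LOGFILE STAMP  (hypothetical helper)
rotate_log() {
    log=$1
    old="$log.$2"

    # Never overwrite an earlier rotated log.
    if [ -e "$old" ]; then
        echo "refusing: $old already exists" >&2
        return 1
    fi

    # 1. Append-only files cannot be renamed: drop "a" just long enough to move.
    $RUN chattr -a "$log" || return 1
    $RUN mv "$log" "$old" || return 1

    # 2. Recreate the active log and make it append-only again.
    $RUN touch "$log" || return 1
    $RUN chmod 600 "$log" || return 1
    $RUN chattr +a "$log" || return 1

    # 3. Optional: tell the logging daemon to reopen its files.
    #    RELOAD_CMD is a hypothetical, daemon-specific command supplied by the admin.
    if [ -n "${RELOAD_CMD-}" ]; then
        $RUN sh -c "$RELOAD_CMD" || return 1
    fi

    # 4. Freeze the rotated copy last, once nothing should write to it.
    $RUN chattr +i "$old" || return 1
}

# Usage: rotate.sh /var/log/messages 20010812   (paths are illustrative)
if [ "$#" -eq 2 ]; then
    rotate_log "$1" "$2"
fi
```

As the quoted reply points out, root can clear both attributes again, so this raises the effort needed to tamper with logs rather than preventing it.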