Securing log rotation

Shaw, Dale Dale.Shaw at
Thu Aug 16 13:04:30 EST 2001

Does Linux have an equivalent to BSD's kernel security levels? From the
OpenBSD init(8) manpage;


     The kernel runs with four different levels of security.  Any super-user
     process can raise the security level, but only init can lower it.
     rity levels are defined as follows:

     -1    Permanently insecure mode - always run system in level 0 mode.

     0     Insecure mode - immutable and append-only flags may be changed.
           All devices may be read or written subject to their permissions.

     1     Secure mode - system immutable and append-only flags may not be
           turned off; disks for mounted filesystems, /dev/mem, and
           are read-only.

     2     Highly secure mode - same as secure mode, plus disks are always
           read-only whether mounted or not and the settimeofday(2) system
           call can only advance the time.  This level precludes tampering
           with filesystems by unmounting them, but also inhibits running
           newfs(8) while the system is multi-user.  Because the clock
           be set back in time, malicious users who have gained root privi-
           leges are unable to change a file's ctime.

     Normally, the system runs in level 0 mode while single-user and in
     1 mode while multi-user.  If the level 2 mode is desired while running
     multi-user, it can be set in the startup script /etc/rc.securelevel. If
     it is desired to run the system in level 0 mode while multi-user, the
     ministrator must build a kernel with ``option INSECURE'' in the config


> -----Original Message-----
> From: Daniel McNamara [mailto:daniel.mcnamara at]
> Sent: Friday, August 10, 2001 8:03 PM
> To: Canberra Linux User Group
> Subject: Securing log rotation
>
> Hey there guys,
>
> I've decided to get a little paranoid and start adding a few extra
> security measures to my server. What I want to do is use the chattr
> command to give all currently active log files the "a" settings to
> allow append only and all old logs to be given the "i" setting to help
> prevent overwriting. The problem I'm having is figuring how to
> configure me /etc/logrotate.conf file so that the new file is given
> the "a" setting, the newly rotated log the "i" setting and on the
> oldest log file usually the 5th to remove the "i" setting and delete
> that file.
>
> Anyone out there attempted this before? Or know how the hell I could
> achieve this?
>
> Cheers
> Daniel
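
One way to get the behaviour asked for in the quoted message, as an added example that is not from either poster. It assumes a logrotate build that supports firstaction/lastaction, a filesystem that honours chattr flags (ext2/ext3), and uses /var/log/messages, "rotate 5" and the syslogd pid file path as sample values. firstaction and lastaction bracket the whole rotation, so the flags are off for every rename and delete that logrotate performs and back on afterwards.

```conf
# Added example: /etc/logrotate.d/messages-secure (hypothetical file name).
# Log path, rotation count and pid file path are sample values.
/var/log/messages {
    weekly
    rotate 5
    nocompress
    create 0600 root root

    # Runs once, before logrotate renames or deletes anything:
    # lift append-only from the live log and immutable from the old copies.
    firstaction
        chattr -a /var/log/messages
        for f in /var/log/messages.[0-9]*; do
            if [ -e "$f" ]; then chattr -i "$f"; fi
        done
    endscript

    # Make syslogd reopen the freshly created log file.
    postrotate
        /bin/kill -HUP "$(cat /var/run/syslogd.pid 2>/dev/null)" 2>/dev/null || true
    endscript

    # Runs once, after rotation has finished and the oldest copy is gone:
    # new live log becomes append-only, every rotated copy immutable.
    lastaction
        chattr +a /var/log/messages
        for f in /var/log/messages.[0-9]*; do
            if [ -e "$f" ]; then chattr +i "$f"; fi
        done
    endscript
}
```

Check the result with "lsattr /var/log/messages*" after a forced run (logrotate -f). The flags are unset for the duration of each rotation, and any process holding CAP_LINUX_IMMUTABLE (root by default) can clear them again, which is the gap the securelevel question at the top of this message is about.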
