Firewall Wizards mailing list archives
Re: More Syslog Questions
From: Chuck Swiger <chuck () codefab com>
Date: Mon, 19 Jul 2004 15:58:56 -0400
On Jul 19, 2004, at 9:10 AM, Nathaniel Hall wrote:
> The only problem I have with chattr +a is that if an intruder gains access to the root account, they can change the attributes, change the log files, and then replace the append-only attribute, making it appear that nothing was done to the log file.
If one could turn off append-only, it wouldn't be very useful, you're right. However, see "man 2 chflags":
    The ``SF_IMMUTABLE'', ``SF_APPEND'', ``SF_NOUNLINK'', and ``SF_ARCHIVED''
    flags may only be set or unset by the super-user. Attempts by the
    non-super-user to set the super-user only flags are silently ignored.
    These flags may be set at any time, but normally may only be unset when
    the system is in single-user mode. (See init(8) for details.)

More specifically, they pay attention to the sysctl kern.securelevel:

    The kernel runs with five different levels of security. Any super-user
    process can raise the security level, but no process can lower it. The
    security levels are:

    -1  Permanently insecure mode - always run the system in level 0 mode.
        This is the default initial value.

     0  Insecure mode - immutable and append-only flags may be turned off.
        All devices may be read or written subject to their permissions.

     1  Secure mode - the system immutable and system append-only flags may
        not be turned off; disks for mounted file systems, /dev/mem, and
        /dev/kmem may not be opened for writing; kernel modules (see kld(4))
        may not be loaded or unloaded.

     2  Highly secure mode - same as secure mode, plus disks may not be
        opened for writing (except by mount(2)) whether mounted or not. This
        level precludes tampering with file systems by unmounting them, but
        also inhibits running newfs(8) while the system is multi-user.
        [ ... ]

     3  Network secure mode - same as highly secure mode, plus IP packet
        filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
        dummynet(4) configuration cannot be adjusted.

    If the security level is initially nonzero, then init leaves it
    unchanged. Otherwise, init raises the level to 1 before going multi-user
    for the first time. Since the level cannot be reduced, it will be at
    least 1 for subsequent operation, even on return to single-user.

-----

The above doesn't stop someone who has console access from changing a system in a sneaky way, if they're willing to reboot the system (tends to be fairly noticeable!), but it will do quite a bit to prevent someone from changing the system remotely.
-- 
-Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
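The reply above makes a point that is easy to get half right in practice: on FreeBSD, `chflags sappnd /var/log/messages` only protects the log against a root-level intruder when kern.securelevel is at least 1, because at level 0 or -1 root can clear the flag, edit the file, and set it again. The following sh audit check is an added example, not code from Chuck's post or from FreeBSD. It parses the flags column of `ls -lo` and the securelevel value and reports a log as protected only when both conditions hold; the `ls -lo` lines, file names and securelevel value are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Audit check for append-only syslog files on a FreeBSD host.
# Added example: not code from the post or from FreeBSD. The sample
# `ls -lo` lines, paths and securelevel below are constructed.
#
# The sappnd flag (chflags sappnd FILE) only stops a root-level intruder from
# rewriting a log when kern.securelevel >= 1: at level 0 or -1 root can clear
# the flag, edit the file, and set it again, so the check must look at both.
# The user flag uappnd is never enough, since the owner can clear it at any
# securelevel.
#
# Inputs are parsed from text rather than gathered live so the check can be
# exercised offline; on a real host they come from
#     ls -lo /var/log/messages
#     sysctl -n kern.securelevel

# flags_from_ls "<ls -lo line>" -> the flags column (5th field: perms, links,
# owner, group, flags, size, ...). FreeBSD prints "-" when no flags are set
# and a comma-separated list (e.g. "sappnd,schg") otherwise.
flags_from_ls() {
    # Intentional word splitting of the ls line into positional parameters.
    # shellcheck disable=SC2086
    set -- $1
    printf '%s\n' "$5"
}

# classify_log FLAGS SECURELEVEL -> one of:
#   OK           sappnd set and securelevel >= 1: root cannot clear the flag
#                without rebooting into single-user mode
#   WEAK         sappnd set but securelevel <= 0: root can clear the flag
#   UNPROTECTED  no sappnd flag (uappnd alone does not count)
classify_log() {
    flags="$1"
    level="$2"
    case ",$flags," in
        *,sappnd,*)
            if [ "$level" -ge 1 ]; then
                printf 'OK\n'
            else
                printf 'WEAK\n'
            fi
            ;;
        *)
            printf 'UNPROTECTED\n'
            ;;
    esac
}

# audit_ls_line "<ls -lo line>" SECURELEVEL -> "<verdict> <path>"
audit_ls_line() {
    line="$1"
    level="$2"
    flags=$(flags_from_ls "$line")
    # The path is the last field of the ls line (no spaces in log paths).
    path=${line##* }
    printf '%s %s\n' "$(classify_log "$flags" "$level")" "$path"
}

# Constructed sample output in the shape `ls -lo` prints on FreeBSD.
# On a live host feed it with:  ls -lo /var/log/*
SAMPLE_LS='-rw-r-----  1 root  wheel  sappnd      48213 Jul 19 15:58 /var/log/messages
-rw-r-----  1 root  wheel  sappnd,schg 10240 Jul 19 15:58 /var/log/auth.log
-rw-r-----  1 root  wheel  uappnd      20480 Jul 19 15:58 /var/log/maillog
-rw-r-----  1 root  wheel  -           30720 Jul 19 15:58 /var/log/cron'

# Constructed value; on a live host use:  SAMPLE_LEVEL=$(sysctl -n kern.securelevel)
SAMPLE_LEVEL=1

printf 'kern.securelevel = %s\n' "$SAMPLE_LEVEL"
printf '%s\n' "$SAMPLE_LS" | while read -r l; do
    audit_ls_line "$l" "$SAMPLE_LEVEL"
done
```

With the constructed input the script reports /var/log/messages and /var/log/auth.log as OK, /var/log/maillog as UNPROTECTED (uappnd only) and /var/log/cron as UNPROTECTED; rerun with SAMPLE_LEVEL=0 and the first two drop to WEAK, which is exactly the gap the reply describes. Nothing here needs root, so it can run from a monitoring account.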
Current thread:
- Re: More Syslog Questions, (continued)
- Re: More Syslog Questions Frank Knobbe (Jul 19)
- Re: More Syslog Questions Devdas Bhagat (Jul 19)
- Re: More Syslog Questions Marcus J. Ranum (Jul 19)
- Re: More Syslog Questions Brian Hatch (Jul 19)
- Re: More Syslog Questions Henning Brauer (Jul 20)
- Re: More Syslog Questions Marcus J. Ranum (Jul 19)
- Re: More Syslog Questions Marcus J. Ranum (Jul 19)
- More Syslog Questions Nathaniel Hall (Jul 19)
- Re: More Syslog Questions The Anarcat (Jul 19)
- Re: More Syslog Questions Bruce Smith (Jul 19)
- Re: More Syslog Questions Marcus J. Ranum (Jul 19)
- Re: More Syslog Questions Chuck Swiger (Jul 19)
- Re: More Syslog Questions Devdas Bhagat (Jul 19)
- Re: More Syslog Questions The Anarcat (Jul 19)
- Re: More Syslog Questions iarenaza (Jul 19)