Educause Security Discussion mailing list archives
Re: security for Windows logoff scripts writing to log files
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Thu, 17 Jan 2008 16:09:15 -0700
I don't know of any way to allow a user/process to only append new data to the end of a file without some other layer in between. You can either modify the file or you can't; there isn't a granularity of append versus other modifications.

You could log the event to either the local Windows event log or a remote syslog-type server. Another approach would be an application/database pair that allowed a user to add rows, but not edit existing rows. Or, you could create new log files for each event, but that would add up quickly.

Using the Windows event log or syslog approach would also address your concern about users being able to update the log outside of the script (to a degree anyway).

Brad Judy
-----Original Message-----
From: Kevin Shalla [mailto:kshalla () UIC EDU]
Sent: Thursday, January 17, 2008 3:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security for Windows logoff scripts writing to log files

I'm writing a vbscript logoff script to track time, computer, IP address, username, and other stuff for our Windows computers. Now I've got it configured so that the script (on the server) is open to everyone for reading, and the log file (again on the server) is open to writing for everyone. Before I put this into production, I would like to set it so that users can only update the log file while running the logoff script, and then can only append records at the end. Is there a way to set this up?
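The event-log approach suggested in the reply above, sketched as a VBScript logoff script; this is an added example, not code posted by anyone in the thread. The `LOG_TARGET` constant, the function names and the key=value record layout are assumptions made for illustration.

```vbscript
' Added example: record a logoff in the Windows Application event log
' instead of appending to a file that every user can rewrite.
Option Explicit

Const EVENT_INFORMATION = 4   ' WshShell.LogEvent type code for "Information"
Const LOG_TARGET = ""         ' assumption: "" = local event log; otherwise the
                              ' computer name of a central collector

Function GetIPAddresses()
    ' Join the addresses of every IP-enabled adapter, queried through WMI.
    Dim wmi, adapters, adapter, addr, result
    result = ""
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    Set adapters = wmi.ExecQuery( _
        "SELECT IPAddress FROM Win32_NetworkAdapterConfiguration " & _
        "WHERE IPEnabled = True")
    For Each adapter In adapters
        If Not IsNull(adapter.IPAddress) Then
            For Each addr In adapter.IPAddress
                If result <> "" Then result = result & ","
                result = result & addr
            Next
        End If
    Next
    GetIPAddresses = result
End Function

Function BuildRecord()
    ' One line per logoff; the event log adds its own timestamp as well.
    Dim net
    Set net = CreateObject("WScript.Network")
    BuildRecord = "event=logoff time=" & Now & _
        " computer=" & net.ComputerName & _
        " user=" & net.UserDomain & "\" & net.UserName & _
        " ip=" & GetIPAddresses()
End Function

Dim shell, ok
Set shell = CreateObject("WScript.Shell")
If LOG_TARGET = "" Then
    ok = shell.LogEvent(EVENT_INFORMATION, BuildRecord())
Else
    ok = shell.LogEvent(EVENT_INFORMATION, BuildRecord(), LOG_TARGET)
End If
If Not ok Then WScript.Quit 1   ' non-zero exit if the event was not written
```

Events written this way appear in the Application log with the source `WSH`. A user can still call `LogEvent` outside the script, so existing entries are protected from editing but new entries are not authenticated.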