Firewall Wizards mailing list archives

Re: More Syslog Questions


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Fri, 16 Jul 2004 12:33:26 +0530

On 13/07/04 15:10 -0500, Nathaniel Hall wrote:
> Since someone asked a question about syslog, I thought I would add a couple
> of my own.
> I am in the process of setting up a centralized syslog server running RedHat
> AS3.  Currently, I am using syslog as our daemon, but have heard there are
> other, better solutions.  What do you suggest?

I know of syslog-ng and metalog as alternatives.

> Mr. Ranum, you spoke to my co-worker at Usenix on this topic, would you mind
> posting your response to this:
>
> In an effort to make the log server as secure as possible, I would like to
> find a way to use an append only file system.  Unfortunately, if this is
> done, logs cannot be rotated using logrotate so the server must be taken
> down to single user mode to rotate the logs, causing the loss of many log
> entries.
On Linux, the chattr command on ext2/3 filesystems is useful. From man chattr:

       A file with the `a' attribute set  can  only  be  open  in
       append  mode for writing.  Only the superuser or a process
       possessing the CAP_LINUX_IMMUTABLE capability can  set  or
       clear this attribute.

chattr +a file to set it
chattr -a to unset it

No reboots required. This is not really useful if the remote attacker
gains root privileges, but it might work in your case.

Devdas Bhagat
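One way to reconcile the append-only flag with logrotate, as an added example that is not part of the original reply: logrotate runs as root, so it can drop the flag in prerotate (rename of an append-only file is refused) and restore it on the freshly created file in postrotate. Paths (/var/log/messages, /usr/bin/chattr, /var/run/syslogd.pid) are assumed RedHat defaults.

```conf
# /etc/logrotate.d/syslog-appendonly (assumed path) - rotate an append-only log
/var/log/messages {
    weekly
    rotate 8
    missingok
    compress
    delaycompress
    # logrotate creates the new file before running postrotate
    create 0600 root root
    prerotate
        # rename of an 'a'-flagged file fails with EPERM, so clear it first
        /usr/bin/chattr -a /var/log/messages
    endscript
    postrotate
        # the new file from 'create' has no attributes; make it append-only again
        /usr/bin/chattr +a /var/log/messages
        # syslogd keeps writing to the old inode until it reopens its files
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
```

The rotated copy loses the flag when it is renamed, so the window between prerotate and postrotate is the only time the live file is writable in place.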