Re: [logs] immutable bit

From: Sweth Chandramouli (loganalysisat_private)
Date: Fri Mar 15 2002 - 08:22:34 PST


On Fri, Mar 15, 2002 at 05:25:44AM -0600, Tina Bird wrote:
> Is there a Solaris equivalent of Linux
> chattr, to set a file to "no delete" or
> "append only"?  A student asked yesterday
> and I didn't know, off the top of my head.

I don't believe Solaris has these attributes yet, although
there is an Extended File Attributes project at Sun that is supposed
to be working on an extensible schema by which such attributes can be
added to the FS.  I know that Linux can do this via chattr and the BSDs
can do it via chflags; does anyone know if there are other equivalents
on any of the commercial OSes?

Also, what are people's takes on using these mechanisms
on log files?  I tend to set append-only on them, although that requires
some mild kludgery to twiddle the attr before/after log rotation; I don't
know that it provides much extra security, however, given that the files
are already owned by root, and thus anyone who could tamper with them
could also turn off the append-only attr.  It would stop a script
kiddie whose rootkit wasn't smart enough to check for those attrs, yes,
but do people think it's worth the extra effort just for that?  (In a
similar vein, I also have the log rotation scripts make the rotated logs
immutable after compressing them, but I don't know how useful that is,
either.)

I believe that even root can only change flags in single-user
mode on BSD, although I haven't actually tested that; if that's the
case, then I could see chflags being useful for ensuring log integrity.
Does anyone know if this is true?  (I suppose I could go check myself...
OK, I just did check, and yes, the sappnd/schg flags (on OpenBSD, at
least) can be turned on in multi-user mode, but once on can't be turned
off except in single-user mode.  (Well, technically, whenever securelevel
is 0 or -1, which usually means single-user mode.))  So, does anyone
know of a way to enable a restriction like this in Linux?

	-- Sweth.

-- 
Sweth Chandramouli ; <svcat_private>
President, Idiopathic Systems Consulting
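The "mild kludgery" around rotating an append-only log, written out as an added example (not code from the post or the list): the Linux kernel refuses to rename a file carrying the 'a' attribute, so the flag is dropped for the rename, restored on the fresh file, and the compressed archive gets 'i'. It assumes Linux with chattr/lsattr from e2fsprogs and gzip; the CHATTR and LSATTR variables are a hypothetical hook so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the list post): rotate a log that carries the
# Linux append-only attribute. Assumes chattr/lsattr from e2fsprogs and
# gzip; CHATTR/LSATTR can be overridden so the logic is testable unprivileged.
set -eu

CHATTR=${CHATTR:-chattr}
LSATTR=${LSATTR:-lsattr}

# Succeeds when the file has the 'a' (append-only) attribute. lsattr prints
# the flag string first, e.g. "-----a-------e-- /var/log/secure".
is_append_only() {
    attrs=$("$LSATTR" -d -- "$1" 2>/dev/null | cut -d' ' -f1) || return 1
    case "$attrs" in
        *a*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Rotate $1 to $1.1.gz and re-create an empty $1. The kernel refuses to
# rename an append-only file, so the flag has to be dropped for the rename
# and put back on the fresh file; the compressed archive is then made
# immutable so it cannot be truncated or unlinked through the normal calls.
# (Signalling the logging daemon to reopen its file is left out here.)
rotate_log() {
    log=$1
    was_append=0
    if is_append_only "$log"; then
        was_append=1
        "$CHATTR" -a -- "$log"
    fi
    mv -- "$log" "$log.1"
    : > "$log"
    chmod 0600 -- "$log"
    if [ "$was_append" -eq 1 ]; then
        "$CHATTR" +a -- "$log"
    fi
    gzip -f "$log.1"
    "$CHATTR" +i -- "$log.1.gz"
}

# Usage: rotate-log.sh /var/log/secure   (as root, on an ext2/3/4 filesystem)
if [ $# -eq 1 ]; then
    rotate_log "$1"
fi
```

Note that this is exactly the window the post worries about: whoever can run `chattr -a` can do the same thing by hand, whereas on a BSD at securelevel 1 or higher the sappnd/schg flags cannot be cleared at all until the box is brought down to single-user mode.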
    
    This archive was generated by hypermail 2b30 : Fri Mar 15 2002 - 09:33:25 PST