> Once the system reaches normal security level, even root cannot tamper with these logs without rebooting into single-user mode
What stops the attacker from just editing /etc/rc.securelevel and then doing a normal reboot?
replies(2):
Certainly a full reboot leaves more tracks than no full reboot? So it's harder to hide?