
134 points todsacerdoti | 4 comments
1. louwrentius No.44602799
If you want immutable logs, you log to an external log server. Anything else seems security theater to me.

That log server is properly firewalled/hardened so a hacked server can’t be used as a stepping stone to compromise the log server.

Maybe you even have access restrictions in place for the log server so people can’t wipe their own misdeeds (4-eyes principle).

This is how it’s been done for 35+ years, nothing special about this.

replies(2): >>44602933 >>44603729
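One concrete way to build what the comment describes, as an added example that is not code from the thread or from any project it mentions: each application server forwards everything to a dedicated log host over mutually authenticated TLS with a disk-assisted queue, the log host accepts only clients presenting a certificate from the internal CA and writes one file per sender, and an nftables rule set on the log host admits nothing but the syslog port from the application subnet plus SSH from a jump host, and initiates nothing toward the application network. The host names, certificate paths, the 10.0.0.0/24 application subnet, the 10.0.9.0/24 management network and the 10.0.9.10 jump host are assumptions chosen for illustration.

```conf
# /etc/rsyslog.d/10-forward.conf on each application server (assumed path)
# The local copy is still written, but the remote copy is the one an
# attacker who owns this box cannot edit after the fact.
global(
  workDirectory="/var/spool/rsyslog"
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/pki/rsyslog/app01-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/pki/rsyslog/app01-key.pem"
)
# Forward all facilities/severities; verify the server's certificate name so a
# spoofed log host on the network cannot silently swallow the stream. The
# disk-assisted queue keeps events across a short outage instead of dropping them.
action(
  type="omfwd"
  target="logserver.example.internal" port="6514" protocol="tcp"
  StreamDriver="gtls" StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="logserver.example.internal"
  queue.type="LinkedList" queue.filename="fwd_logserver"
  queue.saveOnShutdown="on" action.resumeRetryCount="-1"
)

# /etc/rsyslog.d/10-receive.conf on the log server (assumed path)
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/pki/rsyslog/logserver-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/pki/rsyslog/logserver-key.pem"
)
# Only peers with a CA-signed certificate whose name matches the pattern are
# allowed to connect; an unauthenticated sender is refused at the TLS handshake.
module(load="imtcp"
       StreamDriver.Name="gtls" StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.example.internal"])
input(type="imtcp" port="6514" ruleset="remote")
# One file per sending host and day, created read-only for the group and
# invisible to others; only the rsyslog user ever writes here.
template(name="PerHost" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")
ruleset(name="remote") {
  action(type="omfile" dynaFile="PerHost"
         fileCreateMode="0640" dirCreateMode="0750")
}

# /etc/nftables.conf on the log server (assumed): a compromised application
# host can push logs in, but cannot reach anything else on the log server,
# and the log server never opens connections back toward the app network.
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif "lo" accept
    ip saddr 10.0.0.0/24 tcp dport 6514 ct state new accept
    ip saddr 10.0.9.10   tcp dport 22   ct state new accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related accept
    oif "lo" accept
    ip daddr 10.0.9.0/24 accept
  }
}
```

Two things this does not cover on its own: the access restriction the comment calls the 4-eyes principle is an operating-system and process matter on the log host (nobody who administers the application servers gets a shell there, and the files under /var/log/remote are owned by the rsyslog user, optionally made append-only with `chattr +a` so even a process with write access cannot truncate them without CAP_LINUX_IMMUTABLE), and the log host needs its own monitoring, since a stream that quietly stops is exactly what an intruder wants.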
2. holowoodman No.44602933
Yes, so much this. It used to be that important logs (filtered by severity and keywords) were even continuously live-printed by a line printer, so that there was always a current paper copy of the really important stuff for forensics.

See e.g. https://www.youtube.com/watch?v=FiEGoVzmyvs but dot-matrix was also used and was at least a little less noisy.

replies(1): >>44604832
3. pjmlp No.44603729
Exactly the right approach.
4. accrual No.44604832
tsch! tsch! tsch! tsch! "Ah, someone is trying to login as root again"