134 points todsacerdoti | 3 comments
h43z No.44602682
Do I understand correctly that in order for logs to rotate you have to reboot?
replies(2): >>44603212 #>>44603379 #
1. jelder No.44603379
My thoughts exactly. And couldn’t an attacker just fill the logging volume with uninteresting events to prevent certain other events from being recorded?
replies(2): >>44603656 #>>44603959 #
2. jorvi No.44603656
Log filtering via severity / keywords prevents this, assuming the logs are regularly and properly checked.
3. gertrunde No.44603959
That would be where something like auditd would come in, configured so that if the audit logs location runs low on space (or out of space), it will halt the system.

(Yes, quite harsh, but for some use cases it may be the right thing to do, i.e. to fail closed).
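
One way to check for the fail-closed auditd setup described in the last comment, as an added example that is not part of the thread: it reads `auditd.conf` text and reports the disk-space settings that would let the system keep running, plus a rotation setting relevant to the log-flooding concern raised earlier. The choice of settings checked, the function names and both sample configs are assumptions constructed for illustration.

```python
# Added example: audit an auditd.conf for fail-closed disk-space handling.
# Settings that decide what auditd does when its log volume runs low or fills up.
SPACE_ACTIONS = ("admin_space_left_action", "disk_full_action")

# Constructed sample: keeps running and overwrites old logs.
WEAK_CONF = """
# constructed sample
max_log_file_action = ROTATE
space_left_action = SYSLOG
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
"""

# Constructed sample: warns early, then halts (fails closed).
STRICT_CONF = """
max_log_file_action = KEEP_LOGS
space_left_action = EMAIL
admin_space_left_action = HALT
disk_full_action = HALT
"""

def parse_auditd_conf(text):
    """Parse 'key = value' lines; keys and values are compared case-insensitively."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip().lower()
    return conf

def fail_open_findings(text):
    """Return (setting, value, reason) for every setting that does not fail closed."""
    conf = parse_auditd_conf(text)
    findings = []
    for key in SPACE_ACTIONS:
        value = conf.get(key)  # None means the line is absent from the file
        if value != "halt":
            findings.append((key, value, "not set to halt when audit space runs out"))
    if conf.get("max_log_file_action") == "rotate":
        findings.append(("max_log_file_action", "rotate",
                         "a flood of events can rotate older records away"))
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("strict", STRICT_CONF)):
        print(name, fail_open_findings(conf))
```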