
134 points todsacerdoti | 1 comments
comex No.44602647
> Once the system reaches normal security level, even root cannot tamper with these logs without rebooting into single-user mode

What stops the attacker from just editing /etc/rc.securelevel and then doing a normal reboot?

kstrauser No.44602869
Make that file immutable so that you can only edit it in single-user mode.

This is definitely one of those “security vs convenience” situations where you can easily shoot yourself in the foot, but it’s great to have the option when you need it.

1. dgl No.44603934
Except it is sourced from /etc/rc, and that’s a shell script which obviously depends on the shell and some other pieces. If you want an immutable base you kind of need to make the whole (base) system immutable (and that is possibly best designed as such to start with).

I don’t think this is “security vs convenience”, I’d more argue it’s possible to think you’ve made this secure but you’ve missed something and haven’t configured it to be as secure as you think. An approach like others have suggested with remote logging is at least easier to reason about.
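
An added example, not part of the thread: a small check for the gap discussed above, listing which files in the boot path still lack the system-immutable flag. It assumes the BSD `ls -lo` layout, where file flags are the fifth field; the path list is an assumption taken from the files named in the comments and is not a complete boot chain, and the listing embedded in the script is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `ls -lo`-style lines on stdin
# (BSD layout: mode links owner group flags size month day time path) and
# prints each path whose flags field does not contain the wanted flag.
missing_flag() {
    awk -v want="$1" '
        NF == 10 {                      # symlinks and names with spaces are skipped
            found = 0
            n = split($5, flags, ",")   # e.g. "schg,nodump"; "-" means no flags
            for (i = 1; i <= n; i++)
                if (flags[i] == want) found = 1
            if (!found) print $10
        }'
}

# Constructed sample listing (sizes and dates are made up): only
# /etc/rc.securelevel was made immutable, while the script that sources it
# and the shell that runs that script were not.
SAMPLE_LS_LO='-rw-r--r--  1 root  wheel  schg,nodump  1789 Jan  1 00:00 /etc/rc.securelevel
-rw-r--r--  1 root  wheel  -  18234 Jan  1 00:00 /etc/rc
-r-xr-xr-x  3 root  bin  -  629120 Jan  1 00:00 /bin/sh'

# On a real host the input would come from:
#   ls -lo /etc/rc /etc/rc.securelevel /bin/sh | missing_flag schg
printf '%s\n' "$SAMPLE_LS_LO" | missing_flag schg
```

An empty result for these three paths only covers the files listed; anything else the boot scripts execute needs the same check.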