Hi everyone,
Just got a quick question. I'd like to make my log files append-only. The main reason is so that they can't be overwritten but only appended to. For example, if the server was compromised, the logs couldn't easily be modified to cover the attackers' tracks.
The plan is to just use this command to set all logs to append-only mode:
chattr +a mylog.log
I've not seen all that much info about this. Is it widely done? Can anybody think of any pitfalls? The main one I guess is that the append flag can be unset --- but only by the root user... and if the attacker's got root access that's probably the least of the worries!
Thanks in advance if anyone can share any pointers,
Tom
chattr and append-only log files
- Atomicorp Staff - Site Admin
Re: chattr and append-only log files
It could break your log rotation scripts, which also trigger restarts. You'd just need to modify them to remove the attribute, rotate, and then re-add it.
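The sequence the reply describes (drop the attribute, rotate, re-add it), together with a check of the behaviour Tom is after, as an added shell example that is not part of this thread or of any Atomicorp tool. It assumes GNU e2fsprogs (chattr/lsattr), an ext2/3/4 filesystem and root privileges for the chattr calls; the log file names are placeholders. The reason rotation breaks is that the kernel refuses truncation, unlink and rename of an append-only inode, so both a plain mv and logrotate's copytruncate fail until the attribute is cleared.

```shell
#!/bin/sh
# Added example, not from the forum thread: helpers for append-only (+a) logs.
# Assumes chattr/lsattr from e2fsprogs, an ext* filesystem, and root for chattr.
set -u

# Returns 0 when the append-only attribute is set on $1, 1 otherwise
# (also 1 when lsattr is missing or the filesystem has no attributes).
is_append_only() {
    command -v lsattr >/dev/null 2>&1 || return 1
    # lsattr prints e.g. "-----a--------e------- /var/log/app.log"; field 1 is the flag set.
    flags=$(lsattr -d -- "$1" 2>/dev/null | awk '{print $1}')
    case "$flags" in
        *a*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Rotate $1 to $1.1 while honouring +a: clear the attribute, move the file,
# create a fresh empty log, then restore the attribute on both files.
# Falls back to a plain rotate when the attribute is not set.
rotate_append_only() {
    log=$1
    was_a=0
    if is_append_only "$log"; then
        was_a=1
        chattr -a -- "$log" || return 1
    fi
    # An older rotated copy that still carries +a cannot be overwritten by mv.
    if [ -e "$log.1" ] && is_append_only "$log.1"; then
        chattr -a -- "$log.1" || return 1
    fi
    mv -- "$log" "$log.1" || return 1
    : > "$log"
    chmod 0640 "$log"   # adjust owner/mode to match the daemon that writes it
    if [ "$was_a" -eq 1 ]; then
        chattr +a -- "$log" "$log.1" || return 1
    fi
    return 0
}

# Show the protection itself: with +a set, truncation is refused (EPERM)
# while appending still succeeds. Needs root on an ext* filesystem.
demo_append_only() {
    f=$1
    chattr +a -- "$f" || return 1
    if ( : > "$f" ) 2>/dev/null; then
        echo "unexpected: truncation succeeded" >&2
        return 1
    fi
    echo "appended line" >> "$f" || return 1
    return 0
}
```

Usage: `rotate_append_only /var/log/app.log` from a root cron job or from a logrotate `prerotate`/`postrotate` pair (clear the attribute in prerotate, re-add it in postrotate) in place of the default rename; `demo_append_only /var/log/app.log` returns 0 only when the overwrite is blocked and the append goes through. Note that the rotated `.1` file is left append-only as well, so any compression step in the rotation script needs the same clear/re-add treatment.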
- mikeshinn
- Atomicorp Staff - Site Admin
Re: chattr and append-only log files
If you want to protect your logs just use the RBAC in ASL to lock down the logs so that even root can't modify them. You can then set up an RBAC policy to allow logrotate to move the files.
Michael Shinn
Atomicorp - Security For Everyone