chattr and append-only log files
Posted: Sat Jul 25, 2009 2:29 pm
Hi everyone,
Just got a quick question. I'd like to make my log files append-only. The main reason is so that they can't be overwritten but only appended to. For example, if the server was compromised, the logs couldn't easily be modified to cover the attackers' tracks.
The plan is to just use this command to set all logs to append-only mode:
chattr +a mylog.log
I've not seen all that much info about this. Is it widely done? Can anybody think of any pitfalls? The main one I guess is that the append flag can be unset --- but only by the root user... and if the attacker's got root access that's probably the least of the worries!
Thanks in advance if anyone can share any pointers,
Tom
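An added example (not part of Tom's post) that exercises what `chattr +a` actually enforces on Linux. It assumes a kernel and filesystem that honour the append-only attribute (ext2/3/4 and a few others) and a process with CAP_LINUX_IMMUTABLE, normally root; where either is missing it reports "skipped" instead of guessing. The script appends a line (allowed), then attempts truncation, an O_TRUNC overwrite, a rename and an unlink, all of which the kernel refuses with EPERM on an append-only inode. The rename and truncate refusals are the practical pitfall to plan for: logrotate's default rename-based rotation and its `copytruncate` mode both fail on such a file, so the flag has to be cleared and re-set around rotation.

```shell
#!/bin/sh
# Added example (not from the original post): exercise an append-only log.
# Needs root (CAP_LINUX_IMMUTABLE) and a filesystem that honours the 'a'
# attribute; anywhere else demo_append_only prints "skipped".
set -u

# True if lsattr reports the append-only ('a') attribute on FILE.
# Returns false when lsattr is missing or the filesystem has no attributes.
is_append_only() {
    attrs=$(lsattr -d "$1" 2>/dev/null | awk '{print $1}')
    case "$attrs" in
        *a*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run a command that must FAIL on an append-only file and report the outcome.
# Usage: expect_denied LABEL CMD [ARGS...]
expect_denied() {
    label=$1; shift
    if "$@" 2>/dev/null; then
        echo "FAIL: $label succeeded"
        return 1
    fi
    echo "ok:   $label denied"
}

# Full check in a scratch directory. Prints "ok", "skipped" (flag cannot be
# set here) or "fail"; progress lines go to stderr.
demo_append_only() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/aolog.XXXXXX") || { echo fail; return 1; }
    log="$dir/mylog.log"
    echo "boot: first line" > "$log"          # constructed sample log line

    if ! chattr +a "$log" 2>/dev/null || ! is_append_only "$log"; then
        rm -rf "$dir"
        echo skipped
        return 0
    fi

    status=ok
    # Appending is the one write that must still work (O_APPEND open).
    if echo "auth: login ok" >> "$log" && [ $(wc -l < "$log") -eq 2 ]; then
        echo "ok:   append allowed" >&2
    else
        echo "FAIL: append refused" >&2; status=fail
    fi
    # Everything that would let an intruder rewrite history is refused.
    expect_denied "truncate(2)"        truncate -s 0 "$log"  >&2 || status=fail
    expect_denied "open with O_TRUNC"  cp /dev/null "$log"   >&2 || status=fail
    expect_denied "rename(2)"          mv "$log" "$log.1"    >&2 || status=fail
    expect_denied "unlink(2)"          rm -f "$log"          >&2 || status=fail

    chattr -a "$log"    # only CAP_LINUX_IMMUTABLE can clear the flag again
    rm -rf "$dir"
    echo "$status"
    [ "$status" = ok ]
}

demo_append_only
```

Run it as root on an ext4 volume to see the four refusals; as an unprivileged user, or inside a container that drops CAP_LINUX_IMMUTABLE, `chattr +a` itself is refused and the demo says "skipped", which is the same limit Tom notes: whoever holds that capability can simply clear the flag.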