Subject: Re: PROPOSAL: File flags (LONG)
To: Michael Richardson <>
From: Andrew Brown <>
List: tech-security
Date: 04/04/1999 23:16:22
>>>>>> "Lex" == Lex Wennmacher <wennmach@geo.Uni-Koeln.DE> writes:
>    Lex> A hacker managed to break in into your system and even
>    Lex> managed to become root.  As a first step, he tries to cover
>    Lex> up his traces by changing the system log files
>    Lex> /var/log/authlog, /var/log/lastlog, and /var/log/wtmp. No
>    Lex> chance, the are sappnd.
>  Understood, but how does newsyslog work in this case?

easy.  it doesn't.  you'd have to have newsyslog running out of rc at
boot time.  along with something to rescind the sappnd flag and put it
back after newsyslog was done with those files.

and you'd have to reboot regularly to deal with log files getting

it's a trade-off, simply put.

|-----< "CODE WARRIOR" >-----|             * "ah!  i see you have the internet (Andrew Brown)                that goes *ping*!"       * "information is power -- share the wealth."