Subject: Re: PROPOSAL: File flags (LONG)
To: Andrew Brown <email@example.com>
From: Dr. Lex Wennmacher <wennmach@geo.Uni-Koeln.DE>
Date: 04/06/1999 12:43:09
On Sun, Apr 04, 1999 at 11:16:22PM -0400, Andrew Brown wrote:
> > Understood, but how does newsyslog work in this case?
> easy. it doesn't. you'd have to have newsyslog running out of rc at
> boot time. along with something to rescind the sappnd flag and put it
> back after newsyslog was done with those files.
> and you'd have to reboot regularly to deal with log files getting
> it's a trade-off, simply put.
Roll over of system logs and security simply don't go together. It's common
hacker practice to wait one week after the initial break-in until their traces
are automatically removed from the system logs.
Securing a system by file flags probably means running no newsyslog at all. You
probably will want to inspect the log files `by hand' before archiving and
removing them from disk.
It's clearly a trade-off. If it's too big a problem, things like remote system
logging come to mind.
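As an added example (not code from the thread), a small audit check in the spirit of securing logs by file flags: it parses `ls -lo` style lines (a constructed sample here) and reports log files that lack the system append-only flag `sappnd`; `uappnd` alone is not counted, since the owner can clear it at any securelevel.

```shell
#!/bin/sh
# Added example, not from the thread: audit that log files carry the
# system append-only flag (sappnd), which at securelevel >= 1 cannot be
# cleared, so the files cannot be truncated or rotated until the next
# trip through securelevel 0 (i.e. a reboot).

# Constructed sample in the layout of BSD `ls -lo /var/log`; the 5th
# field is the flag list, "-" when no flags are set. Only uappnd on wtmp
# is deliberate: the owner may clear uappnd, so it is reported as missing.
SAMPLE_LS='-rw-r--r--  1 root  wheel  sappnd         12345 Apr  6 12:00 messages
-rw-r-----  1 root  wheel  -               4321 Apr  6 12:00 authlog
-rw-r--r--  1 root  wheel  uappnd,sappnd     99 Apr  6 12:00 secure
-rw-r--r--  1 root  wheel  uappnd            55 Apr  6 12:00 wtmp'

# Read `ls -lo` style lines on stdin and print the name of every file
# whose flag column does not contain sappnd. Assumes names without spaces.
files_missing_sappnd() {
    awk '{
        n = split($5, f, ",")
        ok = 0
        for (i = 1; i <= n; i++) if (f[i] == "sappnd") ok = 1
        if (!ok) print $NF
    }'
}

# Number of files in the sample lacking sappnd, for use in a scripted check
# (in production pipe `ls -lo /var/log` into files_missing_sappnd instead).
count_missing() {
    printf '%s\n' "$SAMPLE_LS" | files_missing_sappnd | wc -l | tr -d ' '
}
```

Run against real `ls -lo` output from rc at boot, the same place the thread suggests rescinding and re-applying sappnd around newsyslog, to confirm the flags were actually put back.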