Subject: Re: PROPOSAL: File flags (LONG)
To: Andrew Brown <atatat@atatdot.net>
From: Dr. Lex Wennmacher <wennmach@geo.Uni-Koeln.DE>
List: tech-security
Date: 04/06/1999 12:43:09
On Sun, Apr 04, 1999 at 11:16:22PM -0400, Andrew Brown wrote:
> >  Understood, but how does newsyslog work in this case?
>
> easy.  it doesn't.  you'd have to have newsyslog running out of rc at
> boot time.  along with something to rescind the sappnd flag and put it
> back after newsyslog was done with those files.
>
> and you'd have to reboot regularly to deal with log files getting
> large.
>
> it's a trade-off, simply put.

Rollover of system logs and security simply don't go together. It's common
hacker practice to wait one week after the initial break-in until their traces
are automatically removed from the system logs.

Securing a system by file flags probably means running no newsyslog at all. You
probably will want to inspect the log files `by hand' before archiving and
removing them from disk.

It's clearly a trade-off. If it's too big a problem, things like remote system
logging come to mind.

--Lex
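The boot-time rotation that the quoted message sketches (drop the sappnd flag, run newsyslog, put the flag back) and the "check the flags by hand" approach can both be expressed as a small script. The following is an added example, not code from either poster; it assumes a BSD userland where chflags(1) understands sappnd/nosappnd and `ls -lo` prints the flags column fifth (or "-" when no flags are set), and that the wrapper runs while the securelevel still allows clearing sappnd. The sample `ls -lo` lines are constructed so the audit function can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes BSD chflags(1),
# newsyslog(8) and the `ls -lo` output layout described in the lead-in.

# Constructed sample of `ls -lo /var/log/*` output for offline use.
SAMPLE_LS='-rw-r-----  1 root  wheel  sappnd  10240 Apr  6 12:43 /var/log/authlog
-rw-r--r--  1 root  wheel  -  20480 Apr  6 12:43 /var/log/messages
-rw-r-----  1 root  wheel  sappnd,schg  4096 Apr  6 12:43 /var/log/secure'

# Print the path of every file in `ls -lo` output whose flags field (field 5)
# does not contain sappnd, i.e. a log that an intruder could truncate or edit.
unprotected_logs() {
    printf '%s\n' "$1" | awk '$5 !~ /(^|,)sappnd(,|$)/ { print $NF }'
}

# Audit the live system (assumption: logs live under /var/log).
audit_var_log() {
    unprotected_logs "$(ls -lo /var/log/* 2>/dev/null)"
}

# The boot-time procedure from the quoted message: clear sappnd on each log,
# rotate, then restore the flag. Only works while securelevel still permits
# clearing system flags, so it belongs early in rc, not in cron.
rotate_with_flags() {
    for f in "$@"; do
        chflags nosappnd "$f" || return 1
    done
    newsyslog
    rc=$?
    for f in "$@"; do
        chflags sappnd "$f" || rc=1
    done
    return $rc
}

# Usage (on a real BSD host):
#   audit_var_log
#   rotate_with_flags /var/log/authlog /var/log/messages
```

The audit half is the part worth running regularly: a log that has lost its sappnd flag is exactly the one whose rotation or editing would go unnoticed, which is the point Lex makes about rollover and security not mixing.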