Securing system logs

Hi all,

The issue is that I've tried to secure system logs in a way that no one could delete them (I don't need them rotated either).

What i did:

Channel important logs to custom directory:

--- syslog.conf
Code:
*.crit        /var/log/critical/critical.log
*.emerg       /var/log/critical/critical.log
*.err         /var/log/critical/critical.log
*.warning     /var/log/critical/critical.log
security.*                            /var/log/critical/security.log

Make them append-only:
Code:
chmod o= /var/log/critical
chflags sappnd /var/log/critical
chflags sappnd /var/log/critical/*

And raise the kernel securelevel to 1:
Code:
kern.securelevel: 1

The problem is that now syslog doesn't want to write to this log (which is unusual, since it is running as root?).
Thanks a lot for your effort :)
 
Little more information:

Code:
root@wolfdale/var/log/critical# echo "test" > critical.log
critical.log: Operation not permitted.
root@wolfdale/var/log/critical# echo "test" >> critical.log 
root@wolfdale/var/log/critical# grep test critical.log

Tested on another machine, but with messages itself: it is working. Also tested with owner root:wheel and permissions 777 on both directory and files, no luck.
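Since the thread hinges on what the syslog.conf lines above actually select, here is an added Python model of syslogd's selector matching (example code written for this page, not from the thread or from FreeBSD's syslogd); SAMPLE_CONF is constructed from the posted selectors. Run against it, a crit message matches three of the four `*.level` lines, because each selector matches its level and everything more severe, so `*.warning` alone already covers err, crit and emerg.

```python
# Added example, not syslogd's code: models how syslogd matches syslog.conf selectors.
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}  # accepted spellings

# Constructed sample reproducing the selector lines posted above.
SAMPLE_CONF = """\
*.crit        /var/log/critical/critical.log
*.emerg       /var/log/critical/critical.log
*.err         /var/log/critical/critical.log
*.warning     /var/log/critical/critical.log
security.*    /var/log/critical/security.log
"""

def parse_conf(text):
    """Return [(selectors, action)], selectors being a list of (facility, level)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sel_part, action = line.split(None, 1)
        selectors = []
        for sel in sel_part.split(";"):
            fac, lvl = sel.rsplit(".", 1)
            selectors.append((fac, ALIASES.get(lvl, lvl)))
        rules.append((selectors, action.strip()))
    return rules

def rule_matches(selectors, facility, level):
    """'>=' by default (that level or more severe), '=' exact, 'none' clears the
    facility; later selectors on a line override earlier ones. '<', '>', '!' not modelled."""
    matched = False
    for fac, lvl in selectors:
        if fac != "*" and facility not in fac.split(","):
            continue
        if lvl == "none":
            matched = False
        elif lvl == "*":
            matched = True
        elif lvl.startswith("="):
            matched = level == lvl[1:]
        else:
            matched = LEVELS.index(level) >= LEVELS.index(lvl)
    return matched

def route(rules, facility, level):
    """Actions a message reaches, one entry per matching line (repeats = same file selected twice)."""
    return [action for selectors, action in rules
            if rule_matches(selectors, facility, level)]
```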
 
Yup, I got it: if you do this on UFS it is working fine. In my case one of the machines is ZFS based, and it is not working on ZFS :D Maybe someone else could confirm?
 
click said:
The issue is that I've tried to secure system logs in a way that no one could delete them (I don't need them rotated either).

In that case, also consider raising the hurdle substantially by using a central logging host.
 
click said:
The issue is that I've tried to secure system logs in a way that no one could delete them (I don't need them rotated either).
If you don't trust your users, don't give them root access. Normal users cannot delete or otherwise modify anything in /var/log/.

Even better, as anomie already mentioned, would be to use a remote syslog server.
 
SirDice said:
If you don't trust your users, don't give them root access. Normal users cannot delete or otherwise modify anything in /var/log/.

Even better, as anomie already mentioned, would be to use a remote syslog server.

Even on a remote logging system it is good to have logs that are very hard to delete. Won't you agree?
 
killasmurf86 said:
Even on a remote logging system it is good to have logs that are very hard to delete. Won't you agree?

Access to that server should be severely limited and heavily audited. Ideally those logs should be written to WORM (Write-Once-Read-Many) media.
 
Yes, the central log facility combined with WORMs ( :D) is much more secure than the thing I'm doing; those logs are sent to a remote server by e-mail, not by syslog itself. I do trust my users, only I have root access :) but if someone somehow gains those rights, why not make his life harder :) Not so much security as paranoia :). Thank you for your comments, and I hope some day ZFS will be fully implemented in FreeBSD, especially after the fall of OpenSolaris.
 