On 02/19/2020 12:51 PM, Dave Howorth wrote:
On Wed, 19 Feb 2020 11:38:25 -0800 Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
On 2/19/20 1:50 AM, Carlos E. R. wrote:
From a security standpoint, should you allow editing of log files? I thought that was one way people hid their intrusions. If that is the issue, syslog* also allows binary formats like database and surely signing.
Then there is the method of sending the logs to an inaccessible machine.

This reminds me of a requirement that two people are required to remove/alter security logs. I can't think of a way to do this using standard operating systems. Two root accounts, where both must be logged on to do anything? Anyone heard of such a thing?

Make two copies of the logs and store one copy where one person can alter it and the other copy where the other person can alter it. Then diff the copies before trusting either. Might be best to have three copies :)
That's an excellent idea! syslog-ng could be used to send logs to two different log servers in real time. But another problem might be auditd, which doesn't use syslog to the best of my knowledge. Maybe a script or two piping to "logger" to write to syslog?

Regards,
Lew
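The "keep two or three copies on separate hosts and diff them before trusting any" idea discussed in the thread, as an added Python example that is not part of the mailing-list exchange or of syslog-ng. It assumes each collector stores the stream as plain text lines (one syslog line per entry, compared verbatim) and that the copies are fed from the same source, e.g. by several syslog-ng destinations; the log lines below are constructed for the example. With three copies a strict majority decides which lines are trusted and the deviating copy is named; with only two copies a disagreement can only be reported as disputed, since neither copy can be preferred.

```python
from collections import Counter

# Constructed sample: the same syslog stream as stored by three independent
# collectors. Copy "b" sits on a host an intruder controls: one line has been
# deleted (the root login) and one altered (the sudo command that edited the log).
LOG_A = [
    "Feb 19 11:38:01 host sshd[2101]: Accepted publickey for wolfgang from 10.0.0.5 port 51022 ssh2",
    "Feb 19 11:38:02 host sudo: wolfgang : TTY=pts/0 ; PWD=/home/wolfgang ; USER=root ; COMMAND=/bin/bash",
    "Feb 19 11:39:10 host sshd[2140]: Accepted password for root from 192.0.2.77 port 40001 ssh2",
    "Feb 19 11:39:12 host sudo: root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/vi /var/log/messages",
    "Feb 19 11:40:00 host cron[2200]: (root) CMD (run-parts /etc/cron.hourly)",
]
LOG_B = [LOG_A[0], LOG_A[1], LOG_A[3].replace("/var/log/messages", "/etc/motd"), LOG_A[4]]
LOG_C = list(LOG_A)


def trusted_view(counters):
    """Build the majority view of the log as a multiset.

    For every distinct line, each copy "votes" with the number of times it holds
    that line. A multiplicity backed by a strict majority of copies is trusted;
    a line with no majority multiplicity is disputed (possible only when there is
    no odd number of copies, or when the copies disagree three ways).
    """
    needed = len(counters) // 2 + 1
    all_lines = set().union(*(c.keys() for c in counters.values()))
    trusted, disputed = Counter(), set()
    for line in all_lines:
        votes = Counter(c[line] for c in counters.values())
        multiplicity, support = votes.most_common(1)[0]
        if support >= needed:
            if multiplicity:
                trusted[line] = multiplicity
        else:
            disputed.add(line)
    return trusted, disputed


def audit_copies(copies):
    """Compare named log copies; return (per-copy report, disputed lines).

    Each report lists the lines the copy lacks relative to the trusted view
    ("missing") and the lines it holds that the majority does not ("extra").
    Disputed lines are excluded from per-copy blame, because no copy can be
    preferred for them.
    """
    counters = {name: Counter(lines) for name, lines in copies.items()}
    trusted, disputed = trusted_view(counters)
    report = {}
    for name, have in counters.items():
        missing = trusted - have          # Counter subtraction keeps positives only
        extra = Counter({ln: n for ln, n in (have - trusted).items() if ln not in disputed})
        report[name] = {"missing": missing, "extra": extra}
    return report, disputed


if __name__ == "__main__":
    report, disputed = audit_copies({"a": LOG_A, "b": LOG_B, "c": LOG_C})
    for name, r in report.items():
        for ln in r["missing"]:
            print(f"{name}: MISSING  {ln}")
        for ln in r["extra"]:
            print(f"{name}: EXTRA    {ln}")
    report2, disputed2 = audit_copies({"a": LOG_A, "b": LOG_B})
    for ln in sorted(disputed2):
        print(f"two copies only, DISPUTED: {ln}")
```

Run against the three constructed copies, only copy "b" is flagged (two lines missing, one extra); with "a" and "b" alone the same three lines come back as disputed with no copy blamed, which is the reason the thread suggests a third copy. The comparison is on exact text, so clock drift or a relay that rewrites the hostname would show up as disagreement; normalise timestamps and hosts first, or compare on a stable message id, if the collectors are not fed identical lines.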