# Securing system logs

## click (Aug 10, 2010)

Hi all,

The issue is that I've tried to secure system logs in a way that no one could delete them (I don't need them rotated either).

What I did:

Channel important logs to custom directory:

--- syslog.conf

```
*.crit        /var/log/critical/critical.log
*.emerg       /var/log/critical/critical.log
*.err         /var/log/critical/critical.log
*.warning     /var/log/critical/critical.log
security.*                            /var/log/critical/security.log
```

Append-only:

```
chmod o= /var/log/critical
chflags sappnd /var/log/critical
chflags sappnd /var/log/critical/*
```

And raise the kernel securelevel to 1:

```
kern.securelevel: 1
```

The problem is that now syslogd doesn't want to write to this log (which is unusual since it is running as root?).
Thanks a lot for your effort.


----------

## click (Aug 10, 2010)

A little more information:

```
root@wolfdale/var/log/critical# echo "test" > critical.log
critical.log: Operation not permitted.
root@wolfdale/var/log/critical# echo "test" >> critical.log 
root@wolfdale/var/log/critical# grep test critical.log
```

Tested on another machine, but with `messages` itself, it is working; also tested with owner root:wheel and permissions 777 on both directory and files: no luck.


----------

## graudeejs (Aug 10, 2010)

Yesterday I did chflags on my logs as well.
It seems I have the same problem...


----------


## click (Aug 10, 2010)

Yup, I got it: if you do this on UFS it is working fine. In my case one of the machines is ZFS-based and it is not working on ZFS. Maybe someone else could confirm?


----------

## graudeejs (Aug 10, 2010)

Yeah, I'm using ZFS.
Well, I can create a zvol and format it with UFS as a temporary workaround.


----------


## graudeejs (Aug 10, 2010)

aaaaaaaaaa

ZFS is a copy-on-write FS... maybe that's why *sappnd* isn't working as expected.


----------


## graudeejs (Aug 10, 2010)

Created a zvol, formatted it as UFS, set the *sappnd,sunlnk* flags...
syslogd worked.


----------
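Click's manual test above (`>` refused, `>>` accepted, but the line never showing up in grep) can be turned into a repeatable check. This is an added example, not code from the thread; it assumes the flag has already been set with `chflags sappnd` and that appending one probe line to the log is acceptable.

```shell
#!/bin/sh
# Added example (not from the thread): repeatable version of click's manual
# test. An append-only log must (1) refuse any open for writing that lacks
# O_APPEND, (2) accept an appending write, and (3) actually keep that write;
# the ZFS symptom in the thread was step 3 failing silently.
# Assumes the flag was already set, e.g. `chflags sappnd FILE` on FreeBSD
# (`ls -lo FILE` shows it). One probe line is appended to the file.

append_only_check() {
    f="$1"
    [ -f "$f" ] || { echo "$f: no such file"; return 4; }

    # (1) read-write open without O_APPEND; `<>` does not truncate, so this
    # probe is safe even when the flag turns out to be missing.
    if ( : 1<> "$f" ) 2>/dev/null; then
        echo "$f: plain write open allowed -> NOT append-only"
        return 1
    fi

    # (2) an appending write must still be accepted, or syslogd cannot log.
    marker="append-only-probe pid=$$ t=$(date +%s)"
    if ! ( printf '%s\n' "$marker" >> "$f" ) 2>/dev/null; then
        echo "$f: append refused -> logging would break"
        return 2
    fi

    # (3) the appended line must be readable back (the ZFS case in the thread
    # reported success on >> but the line never appeared in the file).
    if ! grep -qF -- "$marker" "$f"; then
        echo "$f: append accepted but data never landed -> check filesystem"
        return 3
    fi

    echo "$f: append-only semantics OK"
    return 0
}

# Check every path given on the command line, e.g. /var/log/critical/*.log
if [ $# -gt 0 ]; then
    for f in "$@"; do
        append_only_check "$f" || :
    done
fi
```

Exit codes distinguish the three failure modes, so the check can run from cron against the log directory and alert on anything other than 0.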



## anomie (Aug 10, 2010)

click said:

> The issue is that I've tried to secure system logs in a way that no one could delete them (I don't need them rotated either).

In that case, also consider raising the hurdle substantially by using a central logging host.


----------



## SirDice (Aug 10, 2010)

click said:

> The issue is that I've tried to secure system logs in a way that no one could delete them (I don't need them rotated either).

If you don't trust your users don't give them root access. Normal users cannot delete or otherwise modify anything in /var/log/.

Even better, as anomie already mentioned, would be to use a remote syslog server.


----------



## graudeejs (Aug 10, 2010)

SirDice said:

> If you don't trust your users don't give them root access. Normal users cannot delete or otherwise modify anything in /var/log/.
> 
> Even better, as anomie already mentioned, would be to use a remote syslog server.

Even on a remote logging system it is good to have logs that are very hard to delete, won't you agree?


----------



## SirDice (Aug 10, 2010)

killasmurf86 said:

> Even on a remote logging system it is good to have logs that are very hard to delete, won't you agree?

Access to that server should be severely limited and heavily audited. Ideally those logs should be written to WORM (Write-Once-Read-Many) media.


----------



## click (Aug 10, 2010)

Yes, the central log facility combined with WORM media is much more secure than the thing I'm doing: those logs are sent to a remote server by e-mail, not by syslog itself. I do trust my users (only I have root access), but if someone somehow gains those rights, why not make his life harder; not so much security as paranoia. Thank you for your comments and I hope some day ZFS will be fully implemented in FreeBSD, especially after the fall of OpenSolaris.


----------

