sysklogd priv separation

Archaic archaic at linuxfromscratch.org
Sun Jan 23 12:21:01 PST 2005


On Sun, Jan 23, 2005 at 01:30:48PM -0600, Heiko Zuerker wrote:
> >
> I don't see a problem running logrotate as root, since it is only 
> executed 'on demand' by cron.

All programs that do not *have* to be run as root should not be run as
root.

> The only 2 ways to prevent tampering with the logs are
> 1) making sure the logs cannot be changed (hence chattr)
> 2) usage of a separate log host (but this is only manageable by companies)

3) Protect your box from being rooted. Once rooted, all bets are off. If
the files are immutable, how are you going to write logs to them?

Also, what is hard about running a log server on another box?

-- 
Archaic

Want control, education, and security from your operating system?
Hardened Linux From Scratch
http://www.linuxfromscratch.org/hlfs
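The separate log host Archaic mentions works because sysklogd can forward every message over the BSD syslog protocol (a `*.* @loghost` line in `/etc/syslog.conf`, with the receiver started as `syslogd -r`), so a copy of each record leaves the box before an intruder can touch the local files. The script below is an added illustration and is not part of this thread or of sysklogd: it builds such a forwarding rule, parses the `<PRI>timestamp host message` wire format the receiver sees, and runs a loopback demo in which the receiving side stamps its own arrival time and peer address. The sample messages, host names and the 192.0.2.x address are constructed, and the demo uses an ephemeral loopback UDP port instead of 514 so it runs without root.

```python
import re
import socket
from datetime import datetime, timezone

# Facility (PRI // 8) and severity (PRI % 8) names as used by Linux syslog.h / sysklogd.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD syslog line: <PRI>Mmm dd hh:mm:ss hostname message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$", re.DOTALL)


def forward_rule(loghost, selector="*.*"):
    """Return the /etc/syslog.conf line that makes sysklogd forward a selector to a host."""
    return f"{selector}\t@{loghost}"


def parse_syslog(line):
    """Parse one BSD syslog datagram into its fields; raise ValueError on malformed input."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),     # as claimed by the sender
        "host": m.group("host"),        # as claimed by the sender
        "message": m.group("msg"),
    }


def forward_and_collect(messages):
    """Send the messages over loopback UDP to a receiver socket and return what it recorded.

    The receiver adds its own arrival time and peer address; those two fields are the
    log host's evidence and are not under the control of the sending machine.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))           # ephemeral port: hypothetical stand-in for 514
    rx.settimeout(2)
    port = rx.getsockname()[1]
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for m in messages:
            tx.sendto(m.encode("utf-8"), ("127.0.0.1", port))
        records = []
        for _ in messages:
            data, (peer, _) = rx.recvfrom(2048)
            rec = parse_syslog(data.decode("utf-8", errors="replace"))
            rec["received_at"] = datetime.now(timezone.utc).isoformat()
            rec["peer"] = peer
            records.append(rec)
        return records
    finally:
        tx.close()
        rx.close()


# Constructed sample datagrams, as a sysklogd on host "hlfs" would emit them.
SAMPLE = [
    "<34>Jan 23 12:21:01 hlfs sshd[123]: Accepted publickey for archaic from 192.0.2.10",
    "<38>Jan  5 03:02:00 hlfs su: pam_unix(su:session): session opened for user root",
]

if __name__ == "__main__":
    print(forward_rule("loghost.example"))
    for rec in forward_and_collect(SAMPLE):
        print(rec)
```

The `timestamp` and `host` fields are whatever the sender wrote, so a log host should index on `received_at` and `peer` when reconstructing events; that distinction is the whole reason a remote copy is worth more than a local file, immutable or not.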

More information about the hlfs-dev mailing list