Gentoo Forums
How to protect log files from root?
Jimini
Guru
Joined: 31 Oct 2006
Posts: 581
Location: Germany

Posted: Sat Apr 07, 2018 9:04 am    Post subject: How to protect log files from root?

Hey there,

I am currently thinking about how to protect a system's log files even from root. By crawling Google, I found the following blog post: http://blog.siphos.be/2015/07/restricting-even-root-access-to-a-folder/

Thus, it is possible to use SELinux to prevent root from reading a directory. I assume that it should be possible to grant root read access, but to prevent him from writing into the secured folder.
Could it be possible for root to take over the syslog user to be able to delete / manipulate log files?

Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5801

Posted: Sat Apr 07, 2018 9:18 am

I'm not sure if this is possible since most sysloggers run as root. If root can't write, chances are the loggers can't either.
_________________
overlay | patches
Neddyseagoon wrote:
The problem with leaving is that you can only do it once and it reduces your influence.
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 42564
Location: 56N 3W

Posted: Sat Apr 07, 2018 9:48 am

Jimini,

Anyone who has root can do anything. SELinux can delay things.

You need to log to a remote system, so that the logs are not even on the system whose logs you want to protect.
The remote system needs a different root password to the system you want to protect too.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
krinn
Watchman
Joined: 02 May 2003
Posts: 6962

Posted: Sat Apr 07, 2018 11:23 am

put a post-it "do not delete anything in /var/log" on your screen ;)
Jimini
Guru
Joined: 31 Oct 2006
Posts: 581
Location: Germany

Posted: Sat Apr 07, 2018 3:43 pm

bunder wrote:
I'm not sure if this is possible since most sysloggers run as root. If root can't write, chances are the loggers can't either.

syslog-ng seems to be able to run as a different user: https://syslog-ng.com/wiki/syslog-ng-faq-non-root

NeddySeagoon wrote:
Jimini,
Anyone who has root can do anything. SELinux can delay things.

You need to log to a remote system, so that the logs are not even on the system whose logs you want to protect.
The remote system needs a different root password to the system you want to protect too.

Yes, of course these procedures would not lead to absolute security. But it would be at least a big step if I could document when someone manipulates or deletes log files.
krinn wrote:
put a post-it "do not delete anything in /var/log" on your screen ;)

:D
To be honest, I am only thinking of a situation when a root user is not trustworthy anymore. Maybe a dedicated logging server with multi factor authentication and tenshi, which sends an email as soon as the connection to the logging client is interrupted?

Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
depontius
Advocate
Joined: 05 May 2004
Posts: 3374

Posted: Sat Apr 07, 2018 9:35 pm

Or "chattr +a" your log files, then drop the capability to run the chattr command from the system bounding set. Once it's dropped only PID1 can restore it, and I don't believe systemd has added that function - yet. This also means that you'd have to reboot in order to rotate your logfiles. After rotating logs you'd want to "chattr +i" old logfiles.

chattr +a - append-only
chattr +i - immutable

Offhand, remote logging is easier. If you want to be paranoid about the remote logging, get to that system through a hub (or add an upstream tap) and add a "stealth logger" that has no other network presence detectable.
_________________
.sigs waste space and bandwidth
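The append-only/immutable idea in the post above hinges on one capability: chattr +a and +i require CAP_LINUX_IMMUTABLE, and once that capability is removed from the bounding set no later process, root included, gets it back until the next boot. The script below is an added example for this thread (not code from any poster): it decodes the CapBnd line of /proc/<pid>/status and reports whether CAP_LINUX_IMMUTABLE is still available. The status excerpts are constructed; 0x3fffffffff stands for a full bounding set on a kernel with 38 capabilities.

```python
import re

# Bit position of CAP_LINUX_IMMUTABLE in the kernel's capability bitmask.
CAP_LINUX_IMMUTABLE = 9

# Constructed excerpt of /proc/<pid>/status for a root shell with a full
# bounding set (0x3fffffffff = all 38 capabilities of a 4.x-era kernel).
SAMPLE_STATUS_DEFAULT = (
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\n"
    "CapBnd:\t0000003fffffffff\n"
    "CapAmb:\t0000000000000000\n"
)

# Same excerpt after CAP_LINUX_IMMUTABLE (bit 9, value 0x200) was dropped
# from the bounding set: 0x3fffffffff & ~0x200 == 0x3ffffffdff.
SAMPLE_STATUS_HARDENED = SAMPLE_STATUS_DEFAULT.replace(
    "CapBnd:\t0000003fffffffff", "CapBnd:\t0000003ffffffdff"
)


def parse_cap_field(status_text, field="CapBnd"):
    """Return the hexadecimal mask of one Cap* line as an int."""
    match = re.search(r"^%s:\s*([0-9a-fA-F]+)\s*$" % re.escape(field),
                      status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no %s line found" % field)
    return int(match.group(1), 16)


def has_cap(mask, cap_bit):
    """True if capability number cap_bit is set in mask."""
    return bool((mask >> cap_bit) & 1)


def immutable_lockable(status_text):
    """True when CAP_LINUX_IMMUTABLE is gone from the bounding set, i.e. no
    process on this host (root included) can undo chattr +a / +i until the
    next boot.  False means root can still clear the attributes."""
    bounding = parse_cap_field(status_text, "CapBnd")
    return not has_cap(bounding, CAP_LINUX_IMMUTABLE)


def check_running_system():
    """Read the caller's own status file.  The bounding set is inherited
    across fork/exec, so a shell's view is what its descendants will get."""
    with open("/proc/self/status") as fh:
        return immutable_lockable(fh.read())


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_STATUS_DEFAULT),
                       ("hardened", SAMPLE_STATUS_HARDENED)):
        print("%-9s CapBnd=%#x  attributes locked: %s"
              % (name, parse_cap_field(text), immutable_lockable(text)))
    try:
        print("this host CapBnd check: attributes locked: %s"
              % check_running_system())
    except OSError:
        print("this host: /proc not available")
```

Run it as root on the machine in question; "attributes locked: False" means a root shell can still run chattr -a and rewrite the file. Dropping the capability system-wide (for example via the CapabilityBoundingSet= setting in systemd's system.conf, which applies to PID 1 and everything it starts) carries the cost depontius names: log rotation then needs a reboot.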
mvaterlaus
Apprentice
Joined: 01 Oct 2010
Posts: 202
Location: Switzerland

Posted: Mon Apr 09, 2018 7:42 am

Hi Jimini,
you could secure your logs with a cryptographic hash [1], so you can at least tell if someone modified the logs. The article is a good read, because it also explains other, additional approaches to secure your log files.


[1] https://security.stackexchange.com/questions/4320/techniques-for-ensuring-verifiability-of-event-log-files
_________________
For calming down your eyes or clearing your mind: www.patrickwehli.ch
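A plain hash over the file is not enough against root, who can recompute it after editing; what the hash approach needs is a key the logged host never holds. The example below is added for this thread (not code from the linked article or any poster): each line is tagged with an HMAC over the previous tag and the line, so editing, reordering or removing an entry breaks every tag after it, and comparing the last tag with the value the collector recorded also catches entries deleted from the end. The log lines and the key are constructed; in practice the key is generated on the remote collector NeddySeagoon describes and stays there.

```python
import hashlib
import hmac

# Anchor for the first entry; fixed and public.
GENESIS = b"\x00" * 32

# Constructed sample lines (not from a real system).
SAMPLE_LINES = [
    "Apr  7 09:04:01 host sshd[1201]: Accepted publickey for alice from 10.0.0.5",
    "Apr  7 09:05:12 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl status syslog-ng",
    "Apr  7 09:07:44 host sshd[1240]: FAILED password for root from 10.0.0.9",
    "Apr  7 09:08:00 host syslog-ng[310]: log statistics; processed=1234",
]

# Constructed key; generated on the collector, never stored on the logged host.
COLLECTOR_KEY = b"constructed-demo-key-do-not-reuse"


def _tag(key, prev_tag, line):
    """HMAC-SHA256 over (previous tag || line), binding each entry to its predecessor."""
    return hmac.new(key, prev_tag + line.encode("utf-8"), hashlib.sha256).digest()


def chain_entries(key, lines):
    """Return [(line, tag_hex), ...] with every tag chained to the one before it."""
    prev, entries = GENESIS, []
    for line in lines:
        tag = _tag(key, prev, line)
        entries.append((line, tag.hex()))
        prev = tag
    return entries


def verify_chain(key, entries, expected_tail=None):
    """Recompute the chain.  Returns (True, None) when intact, otherwise
    (False, index) where index is the first entry that does not verify.
    expected_tail is the newest tag as recorded on the collector; without it,
    deleting entries from the end of the file would go unnoticed."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(entries):
        tag = _tag(key, prev, line)
        if not hmac.compare_digest(tag.hex(), tag_hex):
            return False, i
        prev = tag
    if expected_tail is not None and not hmac.compare_digest(prev.hex(), expected_tail):
        return False, len(entries)
    return True, None


def demo():
    """Chain the sample lines, then check the intact file and three tampered copies."""
    entries = chain_entries(COLLECTOR_KEY, SAMPLE_LINES)
    tail = entries[-1][1]                      # what the collector would have recorded

    modified = list(entries)
    line, tag = modified[2]
    modified[2] = (line.replace("FAILED", "Accepted"), tag)   # rewrite one line, keep its tag

    deleted = entries[:2] + entries[3:]        # drop the entry in the middle
    truncated = entries[:-1]                   # drop the newest entry

    return {
        "intact": verify_chain(COLLECTOR_KEY, entries, tail),
        "modified": verify_chain(COLLECTOR_KEY, modified, tail),
        "deleted": verify_chain(COLLECTOR_KEY, deleted, tail),
        "truncated": verify_chain(COLLECTOR_KEY, truncated, tail),
    }


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print("%-9s %s" % (name, "chain intact" if ok else "breaks at entry %d" % idx))
```

The design choice worth noting: the tag is keyed, so verification must happen where the key lives (the collector), and the tail tag must be shipped off-host as it advances. A root user on the logged host can still stop logging or delete the whole file; the chain makes that visible, it does not prevent it, which is the "document when someone manipulates or deletes" goal Jimini stated rather than absolute protection.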