Can someone explain this to me 912

On Sun, 20 Feb 2005 13:05:32 -0600, Lin¿nut

It's not a bad idea in most situations, but there are situations where it is. Logfiles, for instance. It's trivial to rename or delete a logfile, and so long as the log daemon keeps the file open, it will dutifully write it's output to the already open file, letting someone with the proper priviledges create a fictional logfile that doesn't contain tracks.

Part of the guildelines that NT was designed for was to prevent tampering with logfiles without leaving evidence of such tampering. While this wasn't part of the C2 guideline, I think it was part of the B1 or B2 guildelines that MS chose to add as well. I don't think this requirement was carried over to the Common Criteria though.

The idea is that even an administrator cannot alter a logfile or stop logging. They can delete a logfile, but then they have to explain why they deleted it to an auditor (buttuming your organization has strict logfile retention policies).

Of course there are ways to create tamper proof logs in Linux as well, such as writing logs to a write-only device, but it's pretty trivial for a root user to stop the logging daemon or some other technique.

What it boils down to is that the design of NTFS was chosen to prevent altering of in-use files so it was impossible for logfiles to be altered. this has the side effect of also preventing alteration of non-log files as well. At least that's the reason given in "Inside the Windows Nt File System"