Can someone explain this to me 912
Can someone explain this to me 914
On Tue, 22 Feb 2005 11:00:48 +0000 (UTC), Rob S. Wolfram No, it's not. Logging is intrinsic to the kernel and cannot be turned off...
On Sun, 20 Feb 2005 13:05:32 -0600, Linønut
It's not a bad idea in most situations, but there are situations where it is. Logfiles, for instance. It's trivial to rename or delete a logfile, and so long as the log daemon keeps the file open, it will dutifully write its output to the already open file, letting someone with the proper privileges create a fictional logfile that doesn't contain tracks.
Part of the guidelines that NT was designed for was to prevent tampering with logfiles without leaving evidence of such tampering. While this wasn't part of the C2 guideline, I think it was part of the B1 or B2 guidelines that MS chose to add as well. I don't think this requirement was carried over to the Common Criteria though.
The idea is that even an administrator cannot alter a logfile or stop logging. They can delete a logfile, but then they have to explain why they deleted it to an auditor (assuming your organization has strict logfile retention policies).
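The rename-while-open behaviour described in this post is ordinary POSIX semantics: the daemon holds a descriptor to an inode, and the name in the directory is a separate thing. The following is an added example (not code from the thread or from any poster) that reproduces that behaviour in a temporary directory and shows the check a defender can run against it: compare the inode behind the open descriptor with the inode currently reachable by the path. The log lines, file names and the "fictional" replacement file are all constructed for the demonstration.

```python
"""Open-file-handle semantics for log files, with a descriptor-vs-path check.
Added example, not from the original thread; all paths live in a temp dir."""
import os
import tempfile


def daemon_open(path):
    """Open a log file the way a syslog daemon would: an append-only
    descriptor that stays open for the daemon's lifetime."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o640)


def descriptor_matches_path(fd, path):
    """True only while the descriptor and the on-disk name refer to the same
    inode on the same device.  A renamed, unlinked or replaced log file fails
    this check, which is what a log-integrity monitor wants to notice."""
    try:
        on_disk = os.stat(path)
    except FileNotFoundError:
        return False
    held = os.fstat(fd)
    return (held.st_dev, held.st_ino) == (on_disk.st_dev, on_disk.st_ino)


def run_scenario(tmpdir):
    """Write as the daemon, rename the file out from under it, keep writing,
    then drop an empty file at the original name.  Returns what an observer
    would see before and after."""
    path = os.path.join(tmpdir, "messages")        # constructed path
    stash = os.path.join(tmpdir, "messages.stash")  # constructed path
    fd = daemon_open(path)
    try:
        # constructed sample log line
        os.write(fd, b"Feb 22 11:00:48 host sshd[123]: Accepted password for bob\n")
        ok_before = descriptor_matches_path(fd, path)

        os.rename(path, stash)   # the name changes; the inode does not
        # the daemon does not notice and keeps writing to the same inode
        os.write(fd, b"Feb 22 11:00:49 host sshd[123]: session opened\n")
        # an empty "fictional" logfile now sits at the original name
        with open(path, "wb"):
            pass
        ok_after = descriptor_matches_path(fd, path)
    finally:
        os.close(fd)

    with open(stash, "rb") as f:
        lines_in_stash = f.read().count(b"\n")
    with open(path, "rb") as f:
        lines_visible = f.read().count(b"\n")
    return {
        "ok_before": ok_before,
        "ok_after": ok_after,
        "lines_in_stash": lines_in_stash,
        "lines_visible": lines_visible,
    }


def demo():
    """Run the scenario in a throwaway directory and return the observations."""
    with tempfile.TemporaryDirectory() as d:
        return run_scenario(d)


if __name__ == "__main__":
    print(demo())
```

Both lines end up in the renamed file and the file under the original name is empty, exactly the situation the post describes; the descriptor check flips from True to False at the moment the name and the inode part ways, which is the condition tools such as lsof report as a deleted or replaced open file.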
Can someone explain this to me 915
On Wed, 23 Feb 2005 14:11:16 +0000 (UTC), Rob S. Wolfram No, it can't be disabled. That also means making everything else in /etc immutable, or at least...
Of course there are ways to create tamper proof logs in Linux as well, such as writing logs to a write-only device, but it's pretty trivial for a root user to stop the logging daemon or some other technique.
What it boils down to is that the design of NTFS was chosen to prevent altering of in-use files so it was impossible for logfiles to be altered. This has the side effect of also preventing alteration of non-log files as well. At least that's the reason given in "Inside the Windows NT File System".
Can someone explain this to me 913
done by making logfiles append-only. Man chattr(1) and lcap(8). Nice of you to mention C2, B1 and B2...