Can someone explain this to me 914
On Tue, 22 Feb 2005 11:00:48 +0000 (UTC), Rob S. Wolfram
No, it's not. Logging is intrinsic to the kernel and cannot be turned off. If you had physical access, you could shut down the machine, use something like an NTFSDOS boot disk or a Linux live CD to boot, edit the log, then reboot, but physical security is part of the whole Common Criteria evaluation. All bets are off if you have physical access to the machine.
Can someone explain this to me 915
On Wed, 23 Feb 2005 14:11:16 +0000 (UTC), Rob S. Wolfram
No, it can't be disabled. That also means making everything else in /etc immutable, or at least anything that might execute a program...
As you just pointed out, you can just as easily remove the attribute and delete it. You could also most likely bypass mv and directly edit the inode if you knew what you were doing. Further, using something like CAP_LINUX_IMMUTABLE is also circumventable since you can easily modify the configuration that sets this and force a reboot, then edit the logs and reconfigure.
Of course there are ways to fix that as well, but then you just get into a cat and mouse game of adding a different road block and finding ways to circumvent them.
When it boils down to it, whenever you have a capability that can be "turned off" someone can figure out how to turn it on again.
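An added example, not part of the original thread: a small audit of the two controls discussed in the post above, the immutable/append-only file attribute and removal of CAP_LINUX_IMMUTABLE from the capability bounding set. It assumes the `CapBnd` field of a modern `/proc/<pid>/status` and the usual `lsattr` output layout; the function names and sample inputs are constructed for illustration.

```python
import re

CAP_LINUX_IMMUTABLE = 9  # bit number of this capability in <linux/capability.h>

def cap_in_set(status_text, field="CapBnd"):
    """True if CAP_LINUX_IMMUTABLE is set in `field` of a /proc/<pid>/status dump."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError(f"{field} not found in status text")
    return bool((int(m.group(1), 16) >> CAP_LINUX_IMMUTABLE) & 1)

def unprotected(lsattr_output):
    """Paths in `lsattr` output with neither 'i' (immutable) nor 'a' (append-only)."""
    paths = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        flags, path = parts
        if "i" not in flags and "a" not in flags:
            paths.append(path)
    return paths

def audit(status_text, lsattr_output):
    """Findings for the log-protection setup; an empty list means both controls hold."""
    findings = [f"{p}: no immutable/append-only attribute" for p in unprotected(lsattr_output)]
    if cap_in_set(status_text):
        findings.append("CAP_LINUX_IMMUTABLE is in the bounding set: root can clear the attributes")
    return findings

# Constructed sample inputs (not captured from a real host).
STATUS_FULL = "Name:\tsyslogd\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
STATUS_DROPPED = "Name:\tsyslogd\nCapEff:\t000001fffffffdff\nCapBnd:\t000001fffffffdff\n"
LSATTR = (
    "-----a--------e------- /var/log/messages\n"
    "----i---------e------- /etc/syslog.conf\n"
    "--------------e------- /var/log/auth.log\n"
)

if __name__ == "__main__":
    for finding in audit(STATUS_FULL, LSATTR):
        print(finding)
```

An empty result only describes the running system; as the post notes, the configuration that drops the capability can itself be changed before a reboot.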
Can someone explain this to me 916
That's a function of the design of the environment. IMO it is a totally misdesigned environment...