Results 1 to 2 of 2
Enjoy an ad free experience by logging in. Not a member yet? Register.
- Join Date
- Oct 2012
Is alternation of log files possible on a Linux console level?
Is it possible for the root user (account) on the console of a Fedora Linux server to alternate any type of log file (pure ascii data), simply by adding and/or removing data in a certain log file?
Can this be done without leaving any piece of evidence or not? Reason why I want to know this, because recently a certain log file was presented in a legal matter and I am not that familiar with Linux and therefore cannot find out if log files have been changed.
Even worse, can the date and time of the log file be set to any time you prefer later on?
Hi and welcome,
- With some preparation: yes
Traditionally, the root user is a) a trusted person or group and b) "allmighty" on the system.
So root can set e.g. filetimes, access and modify files and data as he sees fit.
If someone has access to the physical machine (or at least via ILO), then it is even simpler.
Just boot the box with a livecd, mount the /var filesystem, modify the logfile, set the file timestamps and unmount /var again.
As the system on the harddisc is not even active, it cannot stop or log that access.
The mount action and file modifications are not completely untrackable, but would need some forensic knowledge to proceed.
Now, there are methods for a running system of restricting these root rights (e.g. selinux) or add auditing
or deploy a file integrity scanner or enforce, that a (log)file can only be appended to,
or install a central, tamper safe remote logserver, etc, etc
But these methods take time and increase maintenance.
So one wouldnt go that road, unless there is reason to do so,
e.g. SLAs with a customer or machines with high business impact data.
You didnt specify the system at hand, not the usecase and environment.
But my first guess would be, that this is a generic install.
Last edited by Irithori; 10-03-2012 at 10:28 PM.You must always face the curtain with a bow.