  1. #1 (Just Joined! Join Date: Oct 2012, Posts: 1)

    Is alteration of log files possible on a Linux console level?

    Hello forum reader,

    Is it possible for the root user (account) on the console of a Fedora Linux server to alter any type of log file (pure ASCII data), simply by adding and/or removing data in a certain log file?

    Can this be done without leaving any piece of evidence or not? The reason I want to know this is that recently a certain log file was presented in a legal matter, and I am not that familiar with Linux and therefore cannot find out if log files have been changed.

    Even worse, can the date and time of the log file be set to any time you prefer later on?

    Kind regards,

    Maurice

  2. #2 Irithori (Trusted Penguin; Join Date: May 2009, Location: Munich, Posts: 3,411)
    Hi and welcome,

    Short version:
    - yes
    - With some preparation: yes
    - yes

    Long version:
    Traditionally, the root user is a) a trusted person or group and b) "almighty" on the system.
    So root can set e.g. file times, and access and modify files and data as he sees fit.

    If someone has access to the physical machine (or at least via iLO), then it is even simpler.
    Just boot the box with a live CD, mount the /var filesystem, modify the logfile, set the file timestamps and unmount /var again.
    As the system on the hard disk is not even active, it cannot stop or log that access.
    The mount action and file modifications are not completely untrackable, but some forensic knowledge would be needed to proceed.

    Now, for a running system there are methods of restricting these root rights (e.g. SELinux), or adding auditing,
    or deploying a file integrity scanner, or enforcing that a (log)file can only be appended to,
    or installing a central, tamper-safe remote logserver, etc., etc.

    But these methods take time and increase maintenance.
    So one wouldn't go that road unless there is reason to do so,
    e.g. SLAs with a customer or machines with high business impact data.

    You didn't specify the system at hand, nor the use case and environment.
    But my first guess would be that this is a generic install.
    Last edited by Irithori; 10-03-2012 at 10:28 PM.
    You must always face the curtain with a bow.
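One way to implement the "file can only be appended to" check that a file integrity scanner performs, added here as an example and not code from the thread. It assumes the baseline is stored somewhere the monitored host's root cannot reach (a remote host or WORM media); the log lines and paths are constructed so the example runs stand-alone.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed example: a baseline that lets a later check tell "appended to"
# apart from "edited, truncated or replaced". It deliberately ignores mtime,
# because (as the answer above notes) root can set file times freely.
# Assumption: the baseline lives off-host; it is kept in memory only here.

def snapshot(path):
    """Record size, content hash and inode of a log file."""
    p = Path(path)
    st = p.stat()
    return {"size": st.st_size,
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            "inode": st.st_ino}

def check(path, baseline):
    """Return 'ok', 'appended', or a reason the file is suspect.

    A log that was only ever written to by the logger grows, and its first
    baseline['size'] bytes still hash to baseline['sha256']. Anything else
    (shrunk, rewritten in place, or replaced by a new inode, e.g. a file
    copied back after an offline edit) is flagged.
    """
    p = Path(path)
    st = p.stat()
    if st.st_ino != baseline["inode"]:
        return "replaced: inode changed"
    if st.st_size < baseline["size"]:
        return "truncated: file shrank"
    with p.open("rb") as f:
        prefix = f.read(baseline["size"])
    if hashlib.sha256(prefix).hexdigest() != baseline["sha256"]:
        return "rewritten: earlier content changed"
    return "ok" if st.st_size == baseline["size"] else "appended"

def demo():
    """Constructed scenario: append (fine), then edit an old line (flagged)."""
    with tempfile.TemporaryDirectory() as d:
        log = Path(d) / "secure"
        log.write_bytes(b"Oct  3 21:00:01 host sshd[100]: Accepted publickey for alice\n")
        base = snapshot(log)
        with log.open("ab") as f:
            f.write(b"Oct  3 21:05:10 host sudo: alice : COMMAND=/bin/ls\n")
        after_append = check(log, base)
        # In-place rewrite: same size, same inode, different early bytes.
        log.write_bytes(log.read_bytes().replace(b"alice", b"bob  "))
        after_edit = check(log, base)
    return after_append, after_edit
```

The check only catches changes made after the baseline was taken; it says nothing about a log that was already altered when first snapshotted, which is why the baseline should be recorded as soon as logging starts.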
