> Once the system reaches normal security level, even root cannot tamper with these logs without rebooting into single-user mode
What stops the attacker from just editing /etc/rc.securelevel and then doing a normal reboot?
> What stops the attacker from just editing /etc/rc.securelevel and then doing a normal reboot?
Certainly a full reboot leaves more tracks than no full reboot? So it's harder to hide?
Make that file immutable so that you can only edit it in single-user mode.
This is definitely one of those “security vs convenience” situations where you can easily shoot yourself in the foot, but it’s great to have the option when you need it.
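An added example, not from any commenter in this thread: a check that `/etc/rc.securelevel` actually carries the system-immutable (`schg`) flag suggested above, by parsing BSD `ls -lo` output. The function name `missing_schg` and the sample listing lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag files that are NOT system-immutable (schg).
# BSD `ls -lo` columns: mode links owner group flags size month day time path
# The flags column is a comma-separated list, or "-" when no flag is set.

# Reads `ls -lo` lines on stdin and prints the path of every regular file
# whose flags column lacks "schg". Exit status is 1 if any path was printed.
# Assumes paths without spaces (true for the file discussed here).
missing_schg() {
    awk '
        BEGIN { bad = 0 }
        $1 ~ /^-/ {                       # regular files only
            n = split($5, flags, ",")
            ok = 0
            for (i = 1; i <= n; i++)
                if (flags[i] == "schg") ok = 1
            if (!ok) { print $NF; bad = 1 }
        }
        END { exit bad }
    '
}

# Constructed sample listings (not captured from a real host).
sample_ok='-rw-r--r--  1 root  wheel  schg  212 Mar  3 10:15 /etc/rc.securelevel'
sample_bad='-rw-r--r--  1 root  wheel  -  212 Mar  3 10:15 /etc/rc.securelevel'
sample_other='-rw-r--r--  1 root  wheel  uchg,nodump  212 Mar  3 10:15 /etc/rc.securelevel'

# On a live system, set the flag as root and then verify it:
#   chflags schg /etc/rc.securelevel
#   ls -lo /etc/rc.securelevel | missing_schg && echo "immutable flag present"
```

A user-immutable flag (`uchg`) does not pass the check, since only `schg` is tied to the securelevel.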