OpenBSD Journal

When Root Meets Immutable: OpenBSD chflags vs. Log Tampering

Contributed by Peter N. M. Hansteen on from the unmuted, immutable dept.

In a recent blog post When Root Meets Immutable: OpenBSD chflags vs. Log Tampering, Rafael Sadowski (rsadowski@) takes a deep dive into an infrequently mentioned feature of our favorite operating system: file immutability and the chflags command. From the article:

" ... anyone who’s ever had to investigate a security incident knows the harsh reality: logs are only as trustworthy as their protection against post-incident tampering. An attacker who gains root access isn’t going to politely leave their tracks in the log files – unless they physically can’t alter them anymore."

Read the whole thing, When Root Meets Immutable: OpenBSD chflags vs. Log Tampering, over at Rafael's site!


Comments
  1. By anon (anonymouse) on

    But then you need to make rc.securelevel itself immutable, and guard against having a kernel installed that ignores the flags (sure, immutable /bsd isn't too hard, but then you have a possibly-existing /bsd.upgrade to deal with, and it doesn't have to be an install kernel)

    I took the view that the best way to meet this type of requirement is to log to a separate host, and lock that down as appropriate (either SSH open to a small set of users with fido+password 2fa, or turn off SSH if you're able to restrict it to physical access only).
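As an added illustration of the technique the post describes, and of the comment's point that the file which sets the securelevel must itself be protected, here is a small sh(1) script of the kind a defender might keep on an OpenBSD host. It is not code from Rafael's post, from the commenter, or from OpenBSD itself; the log paths, the `ls -lo` sample and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the linked post or from OpenBSD): audit which log
# files carry the system append-only flag, and apply it where it is missing.
# Assumptions: the log list and the ls(1) sample below are constructed.

# Logs that should be system append-only (sappnd): root can still write new
# entries, but once kern.securelevel >= 1 nobody can truncate, rename or
# unlink them without a reboot into single-user mode.
LOGS="/var/log/authlog /var/log/secure /var/log/messages /var/log/daemon"

# audit_flags: read `ls -lo` lines on stdin and print the path of every file
# whose flags column (field 5; "-" means no flags) has neither sappnd nor schg.
audit_flags() {
    awk '$5 !~ /(^|,)s(appnd|chg)(,|$)/ { print $NF }'
}

# harden_logs: set the flags. Run once, as root, BEFORE the securelevel is
# raised; chflags(1) itself is what the post is about.
harden_logs() {
    for f in $LOGS; do
        chflags sappnd "$f"
    done
    # The comment's point: if root can rewrite the file that sets the
    # securelevel, the protection is gone at the next boot, so freeze it too.
    chflags schg /etc/rc.securelevel
}

# Constructed `ls -lo` output for a host where only authlog was protected.
SAMPLE='-rw-r-----  1 root  wheel  sappnd  40321 Jan 10 09:12 /var/log/authlog
-rw-r-----  1 root  wheel  -       10240 Jan 10 09:12 /var/log/secure
-rw-r--r--  1 root  wheel  -      201344 Jan 10 09:13 /var/log/messages
-rw-r--r--  1 root  wheel  schg     8192 Jan  5 08:00 /etc/rc.securelevel'

# unprotected: the audit run over the constructed sample (on a real host you
# would pipe `ls -lo $LOGS /etc/rc.securelevel` into audit_flags instead).
unprotected() {
    printf '%s\n' "$SAMPLE" | audit_flags
}

case "${1:-audit}" in
    audit) unprotected ;;   # lists /var/log/secure and /var/log/messages
    apply) harden_logs ;;   # as root, before raising kern.securelevel
esac
```

Two caveats a practitioner will hit: at securelevel 0 root can simply run `chflags nosappnd` again, so the flags only mean something once `/etc/rc.securelevel` raises the level (and schg on that file keeps root from editing it back down); and because sappnd forbids rename and truncation, newsyslog(8) can no longer rotate these files, which is one reason the commenter's alternative of shipping logs to a locked-down remote host is attractive.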
