New blog post: When Root Meets Immutable: OpenBSD chflags vs. Log Tampering

Started as curiosity about "dead" kernel code, ended up solving real-world log tampering problems. Sometimes the best security features are hiding in plain sight.

https://rsadowski.de/posts/2025/openbsd-immutable-system-logs/

#OpenBSD #InfoSec #BSD #Compliance

When Root Meets Immutable: OpenBSD chflags vs. Log Tampering

Rafael Sadowski

rsadowski.de

@sizeofvoid Awesome read, thank you so much!

I think there is a little copy-paste error in the 2nd paragraph, which is essentially the same text twice.

@js Thanks Jan for the feedback. Yes, I played with different versions and was puzzled.

@sizeofvoid Interesting, but it does mean you need to reboot to rotate logs and so need more space for live logs.

@sborrill @sizeofvoid Combined with regular updates that still seems manageable 😉

@sborrill Yes, this is the trade-off.

@sizeofvoid I was just yesterday playing with chflags and I realised after «sysctl kern.securelevel» that I would need to restart the system to get rid of the files. I don't want to reboot, so there are some leftovers from that experiment now on my VPS...

@sizeofvoid Hi. This is very interesting. Thank you for the blog post.
I might have missed a thing though: is log rotation done only at boot time? If so, how about servers that stay up for long periods of time? Thanks.

@sizeofvoid great post, thanks!

Makes me think I’d rather set up a dedicated syslog server running not syslogd but something like syslog-ng to be able to create append-only daily/monthly log files without the need to reboot 🤔

@sizeofvoid can root edit rc.securelevel to delete or edit logs? Or should it be set to immutable as well?

@jasper I would say it depends on whether you notice when your server has been rebooted. If this is the case, you don't need to set it. Because then you know that something is wrong and if the file has been modified, you know for sure.

The good thing and also the downside of this mechanism is that an attacker has to draw attention to himself via a reboot.
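The thread raises two practical questions: which files actually carry the system flags (sappnd on logs, schg on rc.securelevel), and whether the running securelevel still enforces them. The script below is an added example, not code from the blog post or from anyone in this thread. It parses rows in the format of OpenBSD's `ls -lo` (field 5 is the comma-separated flag list, or `-` when no flags are set) and reports files missing an expected flag; the list of files you expect to be protected is an assumption, and the sample rows are constructed so the script also runs on a non-OpenBSD host.

```shell
#!/bin/sh
# Added example: audit which files carry a given OpenBSD file flag.
# Assumes OpenBSD `ls -lo` row layout:
#   mode links owner group flags size month day time path
# where "flags" is a comma-separated list such as "sappnd" or "schg,nodump",
# and "-" when no flags are set.  Paths are assumed to contain no spaces.

# flag_line_has FLAG ROW -> exit 0 if ROW (one `ls -lo` row) lists FLAG
flag_line_has() {
    want=$1
    row=$2
    flags=$(printf '%s\n' "$row" | awk '{ print $5 }')
    case ",$flags," in
        *,"$want",*) return 0 ;;
    esac
    return 1
}

# unprotected_paths FLAG  (reads `ls -lo` rows on stdin)
# Prints the path of every row that does not carry FLAG.
unprotected_paths() {
    want=$1
    while IFS= read -r row; do
        [ -z "$row" ] && continue
        if ! flag_line_has "$want" "$row"; then
            printf '%s\n' "$row" | awk '{ print $NF }'
        fi
    done
}

# securelevel_enforces LEVEL -> exit 0 if system flags (schg/sappnd) cannot
# be cleared by root at that securelevel.  On OpenBSD that is level >= 1,
# and lowering it again requires a reboot, which is the detection signal
# discussed in the thread.  Read the live value with: sysctl -n kern.securelevel
securelevel_enforces() {
    [ "$1" -ge 1 ]
}

# Constructed sample rows (not real output from any host), in `ls -lo` layout.
SAMPLE_LS_LO='-rw-r-----  1 root  wheel  sappnd 9281 Jul 10 12:00 /var/log/authlog
-rw-r-----  1 root  wheel  -       513 Jul 10 12:00 /var/log/daemon
-rw-r--r--  1 root  wheel  schg    217 Jul 10 12:00 /etc/rc.securelevel'

# audit_sample -> prints sample paths that lack the sappnd flag
audit_sample() {
    printf '%s\n' "$SAMPLE_LS_LO" | unprotected_paths sappnd
}

# On a real OpenBSD host you would instead run, for example:
#   ls -lo /var/log/authlog /var/log/daemon /var/log/messages | unprotected_paths sappnd
#   ls -lo /etc/rc.securelevel | unprotected_paths schg
echo "Files lacking sappnd in the constructed sample:"
audit_sample
```

Anything the audit prints is a file that root could still truncate or rewrite regardless of securelevel; files that do carry the flag are only protected while `kern.securelevel` is at least 1, so pair the flag audit with a check of the current level.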