Re: securelevel 1
Date: Thu, 26 Oct 2023 21:36:22 UTC
void <void@f-m.fm> writes:
> In order to accomplish what I'd like, I understand that I'd need to set +schg
> on the individual logs, then set the securelevel afterwards and reboot.

If you set the log file +schg, it can't be written to at all. That's obviously not what you want. If you set it +sappnd, it can be written to, and newsyslog will be able to rotate it; an attacker with superuser privileges will also be able to replace it with a doctored file. There is no way to allow one without the other.

The usual solution is to log to a remote machine.

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org