When root meets immutable: OpenBSD chflags vs. log tampering

ISO 27001 is like that careful lawyer who never says exactly what they mean – it tells you what needs to be achieved, not how to do it. When it comes to logging, this is particularly telling: Control A.12.4.2 simply states that “logging information and logging facilities shall be protected against tampering and unauthorized access.” Period. How? That’s your problem to solve.

↫ Rafael Sadowski

It turns out OpenBSD has a few relatively simple tools to make logs immutable, so that not even root can delete or modify them or change any of the logging schedules. Reading through the blog post, you don’t even need a ton of intricate knowledge to set this up, thanks mostly to how much innate sense OpenBSD tends to make and how excellent its documentation is.

I have no need for this level of security, but if you do, you can set this up in a few minutes.
