void <v...@f-m.fm> writes:
> In order to accomplish what I'd like, I understand that I'd need to set +schg
> on the individual logs, then set the securelevel afterwards and reboot.

If you set the log file +schg, it can't be written to at all. That's obviously not what you want.

If you set it +sappnd, it can be written to, and newsyslog will be able to rotate it; an attacker with superuser privileges will also be able to replace it with a doctored file. There is no way to allow one without the other.

The usual solution is to log to a remote machine.

DES
--
Dag-Erling Smørgrav - d...@freebsd.org