Todd Graham Lewis <lists @
>If a hacker gains root on your firewall, haven't you, uhh, already lost?
Maybe... but the fact that even then he cannot modify your logs or run
totally free through the system means:
1. The damage he can do is not unlimited. In fact, if he lands root
(in a chroot'ed jail, especially) in an environment that is really
restricted with immutable, append-only, no-suid, nodev, &c. types
of restrictions, he could be very limited in what he could do.
Especially after your next reboot if he *cannot* change your
configurations while in multi-user mode.
2. Assuming he can get root, you'd probably like to know about it.
A tamper-proof log could mean the difference between a one-time
incident and an ongoing penetration about which you remain