append only file system - selinux?

Here is my issue: for security certification purposes I need to be able to create an append-only file system for logs, such that no one, *even root*, will be able to futz with the log files on my log server.

My problem is that, to the best of my knowledge (and I do hope I am wrong and corrected here), this cannot be done at the kernel level in RHEL/Fedora. I can chattr a log append-only, but any root user can take the flag off, clean up the stuff in the log they don't want seen, and re-chattr the file.

I know on BSD variants you can set this at the OS level; thus, to subvert the logs you would need to reboot, change the setting, do your dirty work, reboot again, turn the setting back, etc. Basically VERY trackable, given the fact that the box needs to be rebooted a few times.

I really want to avoid having to run a BSD variant, but if that is what I need to do to get the functionality, I will.

I am sure that others have come up against this problem with regard to security compliance. What are you guys doing?

If there is no 2.4 kernel solution, is there a 2.6/SELinux solution to my problem that would not allow anyone (even root) to do anything but append to logs?

Thank you in advance for the advice.