On Mon, 4 Nov 2002, Larry Scritchfield wrote:

> When the log files are rotated, what happens to the old files?

They are (usually) renamed, e.g. squid.log becomes squid.log.1 and so 
forth.

> Are they deleted, in the same sense as rm'ing them?

Depends on what your log scripts choose to do. Usually, they're just 
renamed.

> If I REALLY want to keep log files which have been rotated out from
> being recovered, how would I do that?

Depending on your filesystem semantics, shred may work for you. However, a 
lot of modern filesystems don't support overwrite-in-place, so my guess is 
that this will be insufficient.

You may want to consider other options, such as logging to a tmpfs 
filesystem, an encrypted loopback device, or a separate partition so that 
you can shred the whole device rather than on a per-file basis.

Data remanence is a common security problem, so my $0.02 is that if you
don't really *need* the logs, don't log in the first place. Shredding a
device or logging to a tmpfs partition should be sufficient to prevent
casual reconstruction, but won't guarantee complete security against a
determined attacker with both physical access and expensive diagnostic
equipment.

> But there is no "file" in the case of log files that have been rotated -
> the filename(s) are in use again.

The filename is less important than you might think. In Unix, programs
don't write to files, they write to handles and descriptors. You can
rename a file (e.g. your syslog) while it's being written, and syslogd
will continue writing to the renamed file without interruption. However,
when syslogd closes the descriptor on HUP, the old filename will be
recreated with a new descriptor. This is how logrotate and other utilities
rename old logs and create new ones without downtime.

-- 
"Whenever I feel blue, I start breathing again."

                               - Unknown


_______________________________________________
RLUG mailing list
[EMAIL PROTECTED]
http://www.rlug.org/mailman/listinfo/rlug
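
The descriptor behaviour described in the last reply above, as an added example that is not part of the original message: file descriptor 3 of the shell stands in for syslogd's open log, and the file name app.log is made up for the demo. It shows that writes keep landing in the renamed file until the descriptor is closed and reopened, so a rotated log should only be scrubbed after the writer has reopened its log.

```shell
#!/bin/sh
# Constructed demo: descriptor 3 plays the role of a logging daemon's open log.
# Prints: <same inode after rename: yes/no> <lines in app.log.1> <lines in new app.log>
rotate_demo() {
    dir=$(mktemp -d) || return 1
    log="$dir/app.log"              # hypothetical log name for the demo

    exec 3>>"$log"                  # the "daemon" opens its log once
    echo "entry 1" >&3
    ino_before=$(ls -i "$log" | awk '{print $1}')

    mv "$log" "$log.1"              # rotation step: rename only
    echo "entry 2" >&3              # still written to the renamed file
    ino_after=$(ls -i "$log.1" | awk '{print $1}')

    exec 3>&-                       # on HUP the daemon closes its descriptor ...
    exec 3>>"$log"                  # ... and reopens by name, creating a new file
    echo "entry 3" >&3
    exec 3>&-

    if [ "$ino_before" = "$ino_after" ]; then same=yes; else same=no; fi
    old_lines=$(wc -l < "$log.1" | tr -d ' ')
    new_lines=$(wc -l < "$log" | tr -d ' ')
    rm -rf "$dir"
    echo "$same $old_lines $new_lines"
}

rotate_demo
```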