- Why ISO 27001 Demands Immutable Logs: ISO 27001 only states that logging information and facilities should be protected against tampering and unauthorized access but doesn't specify how. Logs are only as trustworthy as their protection against post-incident tampering. In OpenBSD, the SF_APPEND and SF_IMMUTABLE flags in the kernel source can be used to make logs immutable. These flags became relevant when a client asked about ISO 27001 compliance. Immutability is not just a nice-to-have but a forensic necessity as logs are often the only evidence in security incidents.
- OpenBSD’s Default Logging: OpenBSD has a straightforward logging configuration with a clean separation of concerns. Different types of system events go to different log files. Newsyslog runs as a root cron job every hour to rotate logs, but this creates opportunities for attackers to modify or interfere with the logs.
- Understanding chflags: System-Level Immutability: OpenBSD's chflags command provides fine-grained control over file attributes. The sappnd (system append-only) flag is for active log files and the schg (system immutable) flag is for archived logs. Even root can't remove these flags while the kernel runs at a secure level; they can only be cleared in insecure mode (securelevel lowered, e.g. single-user). OpenBSD provides /etc/rc.securelevel, which runs before the security level is raised at boot, to automate flag management.
- Complete Setup: Immutable Logging Implementation:
- Disable the hourly newsyslog cron job.
- Create a log archive directory and move existing rotated logs and make them immutable.
- Set the append-only flag on active logs.
- Create the securelevel script to manage immutable files during boot. This script rotates logs into the archive directory and makes them immutable again. Once the system reaches normal security level, even root cannot tamper with these logs without rebooting into single-user mode.
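The boot-time rotation script described in the steps above, as an added example that is not the post's own script: it assumes /var/log as the log directory, /var/log/archive as the archive, and an assumed list of active logs; on a real system it would be installed as /etc/rc.securelevel and run as root before kern.securelevel is raised.

```shell
#!/bin/sh
# Candidate /etc/rc.securelevel (added example, not the post's own script).
# rc(8) runs this before kern.securelevel is raised, which is the only time
# sappnd/schg can be cleared, so rotation must happen here, not from cron.
# Assumed paths and log list; adjust to the syslog.conf in use.
LOGDIR="${LOGDIR:-/var/log}"
ARCHIVE="${ARCHIVE:-/var/log/archive}"
ACTIVE_LOGS="${ACTIVE_LOGS:-messages authlog secure daemon}"

# Rotate one active log: lift the append-only flag, copy it (owner, mode and
# times preserved) into the archive under a timestamped name, freeze the copy
# with schg, truncate the live file in place (same inode, so syslogd keeps
# writing without a HUP) and re-apply sappnd to it.
rotate_log() {
    name="$1"; stamp="$2"
    src="$LOGDIR/$name"; dst="$ARCHIVE/$name.$stamp"
    [ -f "$src" ] || return 0
    [ -e "$dst" ] && { echo "refusing to overwrite $dst" >&2; return 1; }
    chflags nosappnd "$src"
    cp -p "$src" "$dst"
    chflags schg "$dst"
    : > "$src"
    chflags sappnd "$src"
}

# Rotate every active log with one shared timestamp and print how many
# archives were written. The archive directory itself stays writable so the
# next boot can add to it; schg files inside cannot be removed or renamed.
rotate_all() {
    stamp="${1:-$(date +%Y%m%d%H%M%S)}"
    count=0
    mkdir -p "$ARCHIVE" && chmod 750 "$ARCHIVE"
    for name in $ACTIVE_LOGS; do
        rotate_log "$name" "$stamp" && [ -f "$ARCHIVE/$name.$stamp" ] && count=$((count + 1))
    done
    echo "$count"
}

# Only run the rotation on OpenBSD at boot; elsewhere the functions are just
# defined so they can be exercised against a scratch directory.
if [ "$(uname -s)" = "OpenBSD" ]; then
    n=$(rotate_all)
    echo "rc.securelevel: archived $n log(s) into $ARCHIVE"
fi
```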
- Conclusion: This implementation provides filesystem-level log protection using OpenBSD's built-in security features and satisfies ISO 27001 requirements. It can be applied to other BSD systems as well and may inspire solutions in other operating systems.