I would like to understand if there is a way to monitor if a Unix log file has been tampered with (lines deleted or modified). I don't believe this can be done with fschange monitor, as it will record all updates to the log as changes.

asked 29 Jun '11, 00:05

brianokelly


3 Answers:

This is a very complicated subject to comprehensively answer. The only way to be entirely sure is to be able to (essentially) system-call trace every single process running on the system at all times.

Remember that users don't change files - processes running on behalf of those users change files. In a traditional Unix system, the root user is assumed to have absolute authority to have any of his processes change a file. Without keeping detailed trace data of what read() and write() system calls were made by each and every process, how do you know which ones were "authentic" and which ones were not?

This is one of the gaps that SELinux and other similar security layers attempt to close. SELinux makes it possible for additional controls to be placed around certain system operations -- even for the root user. A properly configured selinux policy can make it much harder for someone to tamper with logfiles by restricting what processes can write to those logfiles, regardless of what user is running the process.

That said, though, even in its current state, SELinux is not able to fully withstand the attack of a complicit root user. See http://marc.info/?l=selinux&m=105458123321234&w=2 for comments from an NSA representative regarding how much of root's capabilities have to be taken away in order to make it substantially harder for the root user to subvert the system.

mw's answer about the operating system auditing facilities is a good one - the audit subsystem could give you "commercially reasonable best effort" assurance that you knew about each time a log file was changed.

But at some point you have to just stop and trust your sysadmin to not subvert the systems you've hired her/him to manage for you.

answered 05 Jul '11, 16:02

dwaddle

fschange tells you what the change that occurred was, including deletes and modifications. If you use the 'fullevent=true' option, you can even compare before and after to see how the file looked, and how it looks now.

answered 29 Jun '11, 07:32

jbsplunk

Unfortunately, as I stated in my post, fschange won't work. Consider what happens when a user logs in to the system. Entries are placed into /var/log/secure, and fschange would record these changes. If the root user echoes the same lines into the file, fschange has no way of distinguishing between the two events. Remember, we want to know if a USER has modified a log, not that the log was written to as normal.

(29 Jun '11, 14:59) brianokelly

I believe the answer to this is going to be: turn on OS level auditing. That will tell you as much as is possible to know. You could probably splunk user's .bash_history, etc files as well, but of course, they can modify their HISTFILE if they want to.

answered 30 Jun '11, 08:37

mw
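To make concrete what dwaddle's and mw's answers are getting at (the question is not "was the file written" but "which process, on behalf of which logged-in user, wrote it"), here is an added example that is not part of the original thread and not Splunk or auditd code. It assumes a Linux audit watch rule of the form `auditctl -w /var/log/secure -p wa -k logmod`, and it runs over three constructed audit.log records (not a real capture): rsyslogd appending a login entry, a sudo'ed user's root shell opening the same file for writing (the `echo >> /var/log/secure` case from the comment above), and logrotate truncating it. The check is an allowlist on the kernel-reported `exe` path, with the login uid (`auid`) telling you which human was behind a uid=0 process; `comm` is deliberately not trusted, since a process names itself. The allowlist and the `logmod` key are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample records (not a real capture), in the format auditd writes
# to /var/log/audit/audit.log for a watch rule such as:
#     auditctl -w /var/log/secure -p wa -k logmod
# Serial 101: rsyslogd appending a login entry                  -> expected
# Serial 204: interactive root shell (auid=1000, a sudo'ed user on pts1)
#             opening the file for writing, as `echo ... >> file` does -> tampering
# Serial 311: logrotate truncating the file                     -> expected
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1309305600.123:101): arch=c000003e syscall=2 success=yes exit=3 a0=7f3a0c001230 a1=441 a2=1b6 a3=0 items=1 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/usr/sbin/rsyslogd" key="logmod"
type=PATH msg=audit(1309305600.123:101): item=0 name="/var/log/secure" inode=262241 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1309332000.456:204): arch=c000003e syscall=2 success=yes exit=3 a0=1a2b3c0 a1=441 a2=1b6 a3=0 items=1 ppid=3100 pid=3187 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm="bash" exe="/bin/bash" key="logmod"
type=PATH msg=audit(1309332000.456:204): item=0 name="/var/log/secure" inode=262241 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1309338000.789:311): arch=c000003e syscall=76 success=yes exit=0 a0=1f4e2a0 a1=0 a2=0 a3=0 items=1 ppid=3300 pid=3302 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="logmod"
type=PATH msg=audit(1309338000.789:311): item=0 name="/var/log/secure" inode=262241 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
"""

# key=value pairs; values are either "quoted" or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# msg=audit(<epoch.millis>:<serial>) ties the SYSCALL and PATH records of one event together.
MSG_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")

WATCH_KEY = "logmod"  # assumed -k key on the audit rule
# Programs allowed to modify the watched logs. Matched on the kernel-reported
# exe path, not comm, because comm is whatever the process calls itself.
ALLOWED_WRITERS = {"/usr/sbin/rsyslogd", "/usr/sbin/logrotate"}
NO_LOGIN_UID = "4294967295"  # auid of a daemon started at boot (never logged in)


def parse_records(text):
    """Group raw audit lines into events keyed by serial number.

    Returns {serial: {"time": epoch_str, "syscall": fields|None, "paths": [fields]}}.
    """
    events = defaultdict(lambda: {"time": None, "syscall": None, "paths": []})
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ts, serial = m.group(1), int(m.group(2))
        fields = {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD_RE.findall(line)}
        ev = events[serial]
        ev["time"] = ts
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields)
    return dict(events)


def find_tampering(text, allowed=ALLOWED_WRITERS, key=WATCH_KEY):
    """One finding per event where a program outside `allowed` touched a file tagged `key`."""
    findings = []
    for serial, ev in sorted(parse_records(text).items()):
        sc = ev["syscall"]
        if sc is None or sc.get("key") != key:
            continue
        exe = sc.get("exe")
        if exe in allowed:
            continue
        auid = sc.get("auid")
        findings.append({
            "serial": serial,
            "time": ev["time"],
            "files": [p["name"] for p in ev["paths"] if "name" in p],
            "exe": exe,
            "comm": sc.get("comm"),
            "pid": sc.get("pid"),
            "auid": auid,
            # uid=0 says root did it; auid says which login session became root.
            "login_user": "no login session" if auid == NO_LOGIN_UID else f"login uid {auid}",
            "tty": sc.get("tty"),
            "success": sc.get("success"),
        })
    return findings


if __name__ == "__main__":
    for f in find_tampering(SAMPLE_AUDIT_LOG):
        print(f"event {f['serial']} at {f['time']}: {f['exe']} (comm={f['comm']}, pid={f['pid']}, "
              f"{f['login_user']}, tty={f['tty']}) modified {f['files']}")
```

On a real host you would feed this the output of `ausearch -k logmod` or the raw audit.log, and the allowlist has to match however your syslog daemon and rotation are actually installed. The caveat from dwaddle's answer applies unchanged: a root user can stop auditd, delete the rule, or copy a shell over an allowed exe path, so the audit records only mean something if they leave the box in near real time (which is the point of forwarding them to Splunk) and the allowlist check runs somewhere root on that box cannot reach.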

Last updated: 05 Jul '11, 16:34

Copyright © 2005-2012 Splunk Inc. All rights reserved.