OpenBSD's chflags: Achieving ISO 27001 Compliant Immutable Logs
2025-07-18

This article details how to use OpenBSD's `chflags` command with the `sappnd` and `schg` flags to achieve immutable logging, fulfilling ISO 27001's log integrity requirements. While ISO 27001 doesn't explicitly demand immutability, its log protection stipulations effectively necessitate it. The author disables the `newsyslog` cron job, creates a log archive directory, and uses `chflags` to set append-only and immutable flags on log files, ensuring log integrity even if root access is compromised. An `/etc/rc.securelevel` script automates log rotation and flag management during boot, providing a robust and automated logging solution.
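The boot-time rotation described above could look like the following. This is an added example, not the author's script; the archive path, the log list, the timestamp naming and the `pkill -HUP syslogd` reopen step are assumptions, and it presumes the `newsyslog` cron job is already disabled.

```sh
#!/bin/sh
# Added example, not the article's script. Meant to be called from
# /etc/rc.securelevel, which runs before the securelevel is raised, so
# system flags can still be cleared. Paths and log list are assumptions.
CHFLAGS=${CHFLAGS:-chflags}            # overridable for dry runs off OpenBSD
ARCHIVE=${ARCHIVE:-/var/log/archive}   # assumed archive directory
LOGS=${LOGS:-"/var/log/authlog /var/log/messages"}   # assumed protected logs
REOPEN=${REOPEN:-"pkill -HUP syslogd"} # assumed way to make syslogd reopen files

# Move one non-empty log into the archive and leave a fresh append-only file.
rotate_log() {
    log=$1
    dest="$ARCHIVE/$(basename "$log").$2"
    if [ -s "$log" ]; then
        # Never clobber an archive; fail before the live log loses its flag.
        if [ -e "$dest" ]; then
            echo "refusing to overwrite $dest" >&2
            return 1
        fi
        "$CHFLAGS" nosappnd "$log" || return 1
        mv "$log" "$dest" || return 1
    fi
    [ -e "$log" ] || (umask 077; : > "$log") || return 1
    "$CHFLAGS" sappnd "$log"           # live log: append-only
}

# Rotate every log, have syslogd reopen, then seal the archive with schg.
rotate_all() {
    stamp=${1:-$(date +%Y%m%d%H%M%S)}
    rc=0
    mkdir -p -m 700 "$ARCHIVE" || return 1
    for log in $LOGS; do
        rotate_log "$log" "$stamp" || rc=1
    done
    $REOPEN || true                    # a writer holding the old file must let go
    for f in "$ARCHIVE"/*; do
        if [ -f "$f" ]; then
            "$CHFLAGS" schg "$f" || rc=1   # archived copy: fully immutable
        fi
    done
    return $rc
}
```

Calling `rotate_all` from `/etc/rc.securelevel` performs one rotation per boot; a non-zero return means at least one log could not be rotated or flagged and should be treated as a boot-time alert.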