A side-car service that runs with the Linux capability CAP_LINUX_IMMUTABLE so that it can mark your service's log files append-only. It does not read or write the log files itself, and it exposes no operation for removing the append-only flag once it has been set.
This is intended for environments where you do not want an attacker who has compromised your service to be able to erase log traces: the compromised process can still append to its logs, but it cannot truncate, overwrite, rename or delete them. Note that the protection is only as strong as the separation between your service and the capability: anything that does hold CAP_LINUX_IMMUTABLE (root on the host, or the side-car itself) can still clear the flag with chattr -a.
ext2/ext3/ext4 (and other Linux file systems such as XFS and Btrfs) support per-inode file attributes, listed with lsattr(1) and changed with chattr(1). These are inode flags set through the FS_IOC_SETFLAGS ioctl, not extended attributes (xattrs). One useful one is the append-only attribute (a)
e.g.
$ touch /tmp/foo.txt
$ chattr +a /tmp/foo.txt
$ setpriv --inh-caps=-linux_immutable --bounding-set=-linux_immutable bash
$ echo "blah" >> /tmp/foo.txt
you'll notice the append succeeds, but anything that would truncate, overwrite or remove the file (echo blah > /tmp/foo.txt, rm /tmp/foo.txt, mv /tmp/foo.txt ...) now fails with "Operation not permitted": text can only be added at the end. Clearing the flag again (chattr -a) needs CAP_LINUX_IMMUTABLE, which the setpriv line above removed from the bounding set, so neither this shell nor anything it executes can regain it.
Running the tests (scripts/docker_run.sh starts a container that holds CAP_LINUX_IMMUTABLE, as the capsh check further down shows):
$ ./scripts/docker_run.sh golang:1.13.11-buster
root@f1f364477f41:/go# go test ./...
Here we build and start the service while the shell still holds CAP_LINUX_IMMUTABLE, then drop the capability with setpriv before building and running the example client, so the client (standing in for your own service) cannot touch the flag itself:
$ ./scripts/docker_run.sh golang:1.13.11-buster
root@25a0b3ae394a:/go# capsh --print | grep immutable # we have the capability here
root@25a0b3ae394a:/go# cd src/indelible/
root@25a0b3ae394a:/go/src/indelible# go build ./cmd/indelible
go: downloadin
...
root@25a0b3ae394a:/go/src/indelible# nohup ./indelible &
root@25a0b3ae394a:/go/src/indelible# cd examples/client/
root@25a0b3ae394a:/go/src/indelible/examples/client# setpriv --no-new-privs --inh-caps=-linux_immutable --bounding-set=-linux_immutable bash
root@25a0b3ae394a:/go/src/indelible/examples/client# capsh --print | grep immutable # we do not have the capability here
root@25a0b3ae394a:/go/src/indelible/examples/client# go build
go: downloading
...
root@25a0b3ae394a:/go/src/indelible/examples/client# ./client
Creating log file at /var/log/immutable.log
Requesting log file (/var/log/immutable.log) be marked append-only...
success
root@25a0b3ae394a:/go/src/indelible/examples/client# echo "test line" > /var/log/immutable.log
bash: /var/log/immutable.log: Operation not permitted
root@25a0b3ae394a:/go/src/indelible/examples/client# echo "test line" >> /var/log/immutable.log
root@25a0b3ae394a:/go/src/indelible/examples/client# cat /var/log/immutable.log
test line