LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   chattr +i to all files on my box? (https://www.linuxquestions.org/questions/linux-security-4/chattr-i-to-all-files-on-my-box-11269/)

ForumKid 01-07-2002 07:18 AM

chattr +i to all files on my box?
 
Is this a bad idea to do to my mail server? I know that I cannot chattr +i /var, but I think I should be able to do all other dirs. Should I just be doing it to .conf files?

I read in a security book that it's good to chattr +i files. I'm just not so sure which files.

Thanks

Mik 01-07-2002 10:14 AM

Basically that's up to you. Any files which won't or shouldn't be modified when the system is running can be immutable. But that depends on how often you change things on it. If you do it to all your executables and libraries you will have to reset the bits each time you install something new, which can be a pain if you do this often.

unSpawn 01-07-2002 10:57 AM

Basically The Linux File Standard (formerly FSSTND) regards system binary dirs /bin, /sbin, /usr/bin and /usr/sbin as places where *not* to put stuff local to your machine, so these are safe to chattr IMO; same goes for /boot, /dev, /lib, /misc, /opt, /root and /home. Exceptions are /etc and /usr, because /usr contains a tmpdir (but you could lose that as well), and /etc shouldn't be chattr'ed -R: it contains some files that maintain state for mounting, time, passwd and group.
Dirs that shouldn't be chattr'ed are /lost+found (fsck saves retrievable nodes in it), /mnt, /proc, /var and /tmp.
Alternatively you could separate "/" to another partition and mount it -o ro, and make /tmp and /var/tmp a ramdisk (this is what they do with, say, one-floppy distros and CD-bootable images).

I "chattr +iu" a lot of config files, and use a shell script to back up and unset/reset the bits when editing; never had any probs with it.

Also, if you won't use a kernel patch like LIDS or GRSecurity, which can handle Linux' /proc properties like CAP_LINUX_IMMUTABLE (/proc/sys/kernel/cap-bound), you could install "lcap", which can remove the ability on startup to use the immutable bit. Now even root can't unset it with chattr; only a reboot, or a reboot to level 1, breaks out of this. Kinda neat.

d3funct 01-07-2002 10:58 AM

If you do this to all your logfiles they will not update, and you will not be able to debug problems (even the logfiles not updating problem) because the system won't be able to tell you about them because it can't write to the logs. This is good for files like .rhosts and the like but I wouldn't do it to system files like /etc/passwd or /etc/shadow or you won't be able to change your passwords.
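As an added example (not code from any poster in this thread): a POSIX shell audit that reads `lsattr -R` output and reports the cases the replies warn about, namely +i under runtime trees like /var and /tmp, +i on account and mount/time state files in /etc, and *.conf files still lacking +i. The `lsattr` sample lines are constructed, and the specific /etc state files listed are the author's choice of examples.

```shell
#!/bin/sh
# Added example: audit `lsattr -R` output against the advice in this thread.
# Real usage:  lsattr -R /etc /var 2>/dev/null | audit_immutable
# Input lines look like "----i--------e-- /etc/hosts.allow" (flags, then path);
# the "/dir:" headers and blank lines that lsattr -R prints are skipped.
audit_immutable() {
    while read -r flags path; do
        [ -z "$path" ] && continue
        case "$flags" in
            *i*) immutable=1 ;;   # 'i' anywhere in the flag column = immutable
            *)   immutable=0 ;;
        esac
        case "$path" in
            /var/*|/tmp/*|/proc/*|/mnt/*|/lost+found/*)   # runtime trees must stay writable
                if [ "$immutable" = 1 ]; then
                    echo "WARN $path: +i under a runtime tree (logs/spool will stop updating)"
                fi ;;
            /etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/mtab|/etc/adjtime)   # state files
                if [ "$immutable" = 1 ]; then
                    echo "WARN $path: +i on a state file (passwd/mount/time updates will fail)"
                fi ;;
            *.conf)   # plain config files are the usual +i candidates; report unprotected ones
                if [ "$immutable" = 0 ]; then
                    echo "INFO $path: config file without +i"
                fi ;;
        esac
    done
    return 0
}

# Constructed sample of lsattr -R output (not captured from a real host).
SAMPLE_LSATTR='/etc:
----i--------e-- /etc/hosts.allow
-------------e-- /etc/syslog.conf
----i--------e-- /etc/passwd

/var/log:
----i--------e-- /var/log/messages
-------------e-- /var/spool/mail/root
----i--------e-- /usr/sbin/sendmail'

printf '%s\n' "$SAMPLE_LSATTR" | audit_immutable
```

Run against the sample it prints one WARN for /etc/passwd, one WARN for /var/log/messages and one INFO for /etc/syslog.conf; the immutable binary and hosts.allow are left alone.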

