Basically the Linux File Standard (formerly FSSTND) regards system binary dirs /bin, /sbin, /usr/bin and /usr/sbin as places where *not* to put stuff local to your machine, so these are safe to chattr IMO, same goes for /boot, /dev, /lib, /misc, /opt, /root and /home. Exceptions are /etc and /usr, because /usr contains a tmpdir but you could lose that as well; /etc shouldn't be chattr'ed -R, it contains some files that maintain state for mounting, time, passwd and group.
Dirs that shouldn't be chattr'ed are /lost+found (fsck saves retrievable nodes in it), /mnt, /proc, /var and /tmp.
Alternatively you could separate "/" to another partition and mount it -o ro and make /tmp and /var/tmp a ramdisk (this is what they do with, say, one-floppy distros and CD bootable images).
I "chattr +iu" a lot of config files, and use a shellscript to backup, un/reset the bits when editing, never had any probs with it.
Also, if you won't use a kernelpatch like LIDS or GRSecurity which can handle Linux' /proc properties like CAP_LINUX_IMMUTABLE (/proc/sys/kernel/cap-bound), you could install "lcap" which can remove the ability on startup to use the immutable bit. Now even root can't unset with chattr, only a reboot, or a reboot to level 1 breaks out of this. Kinda neat.
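An added example (not the poster's own script) of the backup/unset/reset helper described above for files locked with chattr +iu. It assumes e2fsprogs' lsattr/chattr on an ext filesystem, root privileges, and that `EDITOR` is set; the lsattr output lines in the comments are constructed samples.

```shell
#!/bin/sh
# Helper for editing a config file that carries the immutable (i) and
# undeletable (u) bits: back it up, drop the bits, edit, put them back.

# Return the flag field of an lsattr output line, e.g. "----i-u------e-------"
# from the constructed sample "----i-u------e------- /etc/hosts".
attr_flags() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# Return which of "i" and "u" are set in an lsattr line: "iu", "i", "u" or "".
locked_bits() {
    flags=$(attr_flags "$1")
    out=""
    case "$flags" in *i*) out="${out}i";; esac
    case "$flags" in *u*) out="${out}u";; esac
    printf '%s' "$out"
}

# Record the i/u bits of a file, clear them, run the editor, restore them.
# Requires root; fails silently on filesystems without chattr support.
edit_locked() {
    f="$1"
    bits=$(locked_bits "$(lsattr -d "$f")")
    cp -p "$f" "$f.bak.$(date +%s)"           # backup before touching it
    [ -n "$bits" ] && chattr "-$bits" "$f"     # unset the bits
    "${EDITOR:-vi}" "$f"
    [ -n "$bits" ] && chattr "+$bits" "$f"     # reset them afterwards
    return 0
}

# Usage: edit_locked /etc/hosts
```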