Re: aide or tripwire

From: Philipp Schulte (pschulte@uni-duisburg.de)
Date: 12/21/01


Date: Fri, 21 Dec 2001 15:28:22 +0100
From: Philipp Schulte <pschulte@uni-duisburg.de>
To: focus-linux@securityfocus.com

bugtraq@seifried.org wrote:

> > Or you could just set the file(s) immutable flag with 'chattr -i', and
> > the file cannot be changed or deleted.
>
> Which is essentially useless. The file can be set to be read only, with
> essentially the same result. If the attacker gets root they can unset the
> immutable flag and muck around with it. The immutable attribute is
> essentially pointless for files owned by root unless you want to prevent
> accidental changes (manual edits, or stupid config programs/etc).

No, using the kernel capabilities (http://pw1.netcom.com/~spoon/lcap/)
can give an additional layer of security. One can't simply "chattr -i"
if the specific capability has been removed.
Phil
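
The check below is an added example, not part of the original post. On current kernels the capability bounding set is per-process and shows up as the CapBnd line of /proc/<pid>/status, and the script reports whether CAP_LINUX_IMMUTABLE (bit 9) is still in it. The function names and the sample mask are constructed for illustration.

```shell
#!/bin/sh
# Added example: is CAP_LINUX_IMMUTABLE still in a capability bounding set?
# The bounding set caps what a process can gain across execve.

CAP_LINUX_IMMUTABLE=9   # bit number defined in <linux/capability.h>

# cap_in_mask HEXMASK BIT: succeed if BIT is set in HEXMASK (hex digits, no 0x prefix)
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# capbnd_of FILE: print the CapBnd mask from a /proc/<pid>/status style file
capbnd_of() {
    awk '$1 == "CapBnd:" { print $2; exit }' "$1"
}

# immutable_state FILE: print present, dropped or unknown
immutable_state() {
    mask=$(capbnd_of "$1")
    case $mask in
        ''|*[!0-9a-fA-F]*) echo unknown ;;   # no CapBnd line, or not hex
        *) if cap_in_mask "$mask" "$CAP_LINUX_IMMUTABLE"; then
               echo present
           else
               echo dropped
           fi ;;
    esac
}

# Constructed sample: a status excerpt whose bounding set has bit 9 cleared
sample=$(mktemp)
printf 'Name:\tdemo\nCapEff:\t000001fffffffdff\nCapBnd:\t000001fffffffdff\n' > "$sample"
echo "sample:  $(immutable_state "$sample")"
rm -f "$sample"

# Live check of the current process, where /proc is available
if [ -r /proc/self/status ]; then
    echo "current: $(immutable_state /proc/self/status)"
fi
```
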


