Re: aide or tripwire

From: Philipp Schulte (pschulte@uni-duisburg.de)
Date: 12/21/01


Date: Fri, 21 Dec 2001 15:28:22 +0100
From: Philipp Schulte <pschulte@uni-duisburg.de>
To: focus-linux@securityfocus.com

bugtraq@seifried.org wrote:

> > Or you could just set the file(s) immutable flag with 'chattr -i', and
> > the file cannot be changed or deleted.
>
> Which is essentially useless. The file can be set to be read only, with
> essentially the same result. If the attacker gets root they can unset the
> immutable flag and muck around with it. The immutable attribute is
> essentially pointless for files owned by root unless you want to prevent
> accidental changes (manual edits, or stupid config programs/etc).

No, using the kernel capabilities (http://pw1.netcom.com/~spoon/lcap/)
can give an additional layer of security. One can't simply "chattr -i"
if the specific capability has been removed.
Phil
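
An added example, not part of the original post and not taken from lcap: a POSIX shell check of whether CAP_LINUX_IMMUTABLE, the capability that gates setting and clearing the immutable flag, is still in a process's capability bounding set. It assumes a kernel that exposes the bounding set as the CapBnd field of /proc/<pid>/status; the function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: is CAP_LINUX_IMMUTABLE still in a capability bounding set?
# Input is /proc/<pid>/status-style text on stdin.

CAP_LINUX_IMMUTABLE=9   # bit number from <linux/capability.h>

# Constructed samples (not captured from a real host).
SAMPLE_FULL='Name: sshd
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff'
SAMPLE_DROPPED='Name: sshd
CapEff: 000001fffffffdff
CapBnd: 000001fffffffdff'

# Print the hex mask of one Cap* field (e.g. CapBnd); fail if it is absent.
cap_mask() {
    awk -v f="$1:" '$1 == f { print $2; found = 1; exit } END { exit !found }'
}

# has_cap HEXMASK BIT: 0 if the bit is set, 1 if clear, 2 if the mask is malformed.
has_cap() {
    case $1 in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ "${#1}" -le 16 ] || return 2
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Print "present", "dropped" or "unknown" for the status text on stdin.
immutable_state() {
    mask=$(cap_mask CapBnd) || { echo unknown; return 0; }
    rc=0
    has_cap "$mask" "$CAP_LINUX_IMMUTABLE" || rc=$?
    case $rc in
        0) echo present ;;   # root in this process tree can still clear +i
        1) echo dropped ;;   # clearing +i is refused, even for uid 0
        *) echo unknown ;;
    esac
}

# Live check of the current shell, where /proc is available.
if [ -r /proc/self/status ]; then
    echo "this shell: CAP_LINUX_IMMUTABLE $(immutable_state < /proc/self/status)"
fi
```

To audit another process, feed its status file to the same function, for example `immutable_state < /proc/1/status`.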