Re: aide or tripwire

From: Philipp Schulte
Date: 12/21/01

Date: Fri, 21 Dec 2001 15:28:22 +0100

> > Or you could just set the file(s) immutable flag with 'chattr -i', and
> > the file cannot be changed or deleted.
> Which is essentially useless. The file can be set to be read only, with
> essentially the same result. If the attacker gets root they can unset the
> immutable flag and muck around with it. The immutable attribute is
> essentially pointless for files owned by root unless you want to prevent
> accidental changes (manual edits, or stupid config programs/etc).

No, using the kernel capabilities (
can give an additional layer of security. One can't simply "chattr -i"
if the specific capability has been removed.
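
An added example, not part of the original message: a check of whether a process could still clear the immutable flag, based on its capability masks. It assumes the capability in question is CAP_LINUX_IMMUTABLE (bit 9 in `<linux/capability.h>`) and reads the `Cap*` fields that current Linux kernels expose in `/proc/<pid>/status`; the sample status text is constructed.

```python
import re

CAP_LINUX_IMMUTABLE = 9  # bit number from <linux/capability.h>
REQUIRED = ("CapInh", "CapPrm", "CapEff", "CapBnd")
_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd)):\s*([0-9a-fA-F]+)\s*$", re.M)


def parse_cap_masks(status_text):
    """Return the hex capability masks from /proc/<pid>/status as integers."""
    masks = {name: int(value, 16) for name, value in _CAP_LINE.findall(status_text)}
    missing = [name for name in REQUIRED if name not in masks]
    if missing:
        raise ValueError("status text lacks fields: " + ", ".join(missing))
    return masks


def immutable_verdict(status_text):
    """Classify whether the process can change the immutable flag.

    usable     - capability is effective or permitted: 'chattr -i' can succeed
    regainable - not held now, but still inheritable or in the bounding set,
                 so an exec of a privileged binary could bring it back
    removed    - absent from every set: not even root gets it back without
                 a reboot or a kernel-level bypass
    """
    masks = parse_cap_masks(status_text)
    bit = 1 << CAP_LINUX_IMMUTABLE
    if (masks["CapEff"] | masks["CapPrm"]) & bit:
        return "usable"
    if (masks["CapInh"] | masks["CapBnd"]) & bit:
        return "regainable"
    return "removed"


def sample_status(inh, prm, eff, bnd):
    """Build constructed status text in the kernel's layout (sample data)."""
    return (f"Name:\tbash\nCapInh:\t{inh:016x}\nCapPrm:\t{prm:016x}\n"
            f"CapEff:\t{eff:016x}\nCapBnd:\t{bnd:016x}\n")


FULL = 0x1FFFFFFFFFF                           # constructed: every capability set
DROPPED = FULL & ~(1 << CAP_LINUX_IMMUTABLE)   # same, minus CAP_LINUX_IMMUTABLE

if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:
            print("this process:", immutable_verdict(fh.read()))
    except (OSError, ValueError) as exc:
        print("no usable /proc status:", exc)
    print("root, capability dropped:",
          immutable_verdict(sample_status(0, DROPPED, DROPPED, DROPPED)))
```
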