> >Which is essentially useless. The file can be set to be read only, with
> >essentially the same result. If the attacker gets root they can unset the
> >immutable flag and muck around with it.
>
> If you're running linux, download lcap and install it, you can then remove
> root's ability to, among other things, unset the immutable bit. Doing that
> may help with ensuring the integrity of the database.

Which leads to reboots to modify configuration files and the like, not always a practical situation. Plus for tripwire/aide being forced to reboot the system anytime you want to do a software upgrade (and thus update the database) is also non optimal for most people. The append flag is really the only useful extended attribute in my opinion. Systems like LIDS make this a bit easier to manage, but are really only useful if you can lock down root's ability to modify LIDS settings from console, meaning you need physical access.

Kurt Seifried, [EMAIL PROTECTED]
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
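
The trade-off argued in this thread can be checked on a host; the following is an added example, not part of the original messages. It assumes a current 64-bit Linux kernel, which exposes the capability bounding set per process as `CapBnd` in `/proc/<pid>/status`; the function names and the sample status lines are constructed for illustration.

```python
import fcntl
import os
import struct

CAP_LINUX_IMMUTABLE = 9       # bit number in <linux/capability.h>
FS_IMMUTABLE_FL = 0x10        # set by chattr +i
FS_APPEND_FL = 0x20           # set by chattr +a
FS_IOC_GETFLAGS = 0x80086601  # _IOR('f', 1, long); assumes 64-bit Linux

# Constructed samples: full bounding set, and one with bit 9 dropped.
SAMPLE_FULL = "Name:\tbash\nCapBnd:\t000001ffffffffff\n"
SAMPLE_DROPPED = "Name:\tbash\nCapBnd:\t000001fffffffdff\n"

def bounding_set(status_text):
    """Return the CapBnd mask from /proc/<pid>/status text as an int."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapBnd line in status text")

def inode_flags(path):
    """Read the flags that lsattr shows (filesystem must support the ioctl)."""
    fd = os.open(path, os.O_RDONLY)
    try:
        buf = fcntl.ioctl(fd, FS_IOC_GETFLAGS, struct.pack("l", 0))
        return struct.unpack("l", buf)[0]
    finally:
        os.close(fd)

def assess(flags, capbnd):
    """Say whether a file's immutable/append-only flag can be cleared by root."""
    protected = []
    if flags & FS_IMMUTABLE_FL:
        protected.append("immutable")
    if flags & FS_APPEND_FL:
        protected.append("append-only")
    if not protected:
        return "unprotected: neither immutable nor append-only is set"
    names = "+".join(protected)
    if (capbnd >> CAP_LINUX_IMMUTABLE) & 1:
        return names + ", but root can clear it: CAP_LINUX_IMMUTABLE is in the bounding set"
    return names + " and locked: CAP_LINUX_IMMUTABLE is dropped from the bounding set"

if __name__ == "__main__":
    # Live check of this process against a file given as a placeholder path.
    with open("/proc/self/status") as fh:
        bnd = bounding_set(fh.read())
    print(assess(inode_flags("/path/to/integrity.db"), bnd))
```
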