> No, using the kernel capabilities (http://pw1.netcom.com/~spoon/lcap/) > can give an additional layer of security. One can't simply "chattr -i" > if the specific capability has been removed. > Phil
a) the attacker can mount a new filesystem overtop (see other post) b) you must reboot to make configuration changes, which will get very stale very quick unless you use something like LIDS, lock it down so root can modify things from the console only, but then you need physical access/kvm to make changes (not al;ways possible). c) the attacker can reset the attrib with lcap, and then remove the immute flag, etc. Once an attacker gets root it's almost imposible on a Linux (or most any modern UNIX system) to stop them, unless you make significant changes (like using NSA SELinux, or PitBull LX). An attacker running as root can insert modules, patch the kernel running in memory, etc. Kurt Seifried, [EMAIL PROTECTED] A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://www.seifried.org/security/
