> > Of course, if the cracker has gotten root, they can chattr it right
> > back.  In fact, the first thing I'd do as an attacker is to find all
> > chattr'd files on the filesystem since they're probably important.
> 
> I seem to recall a few years back reading about a utility that sets the
> kernel such that attributes cannot be further modified until the box is
> rebooted. Can anyone confirm, hopefully with a pointer?

IIRC, the ext2/ext3 code checks for CAP_LINUX_IMMUTABLE before allowing
changes to the immutable and append-only flags.  So if you remove this from
your capability bounding set you are probably fine.  On 2.4 kernels
you'd need to remove CAP_SYS_MODULE too, so that root can't re-enable
CAP_LINUX_IMMUTABLE.

Usually if I need to have immutable files, I go the whole way and
patch the kernel to use a hardened security module[1].  Besides, chattr
doesn't work on non-ext2/ext3 filesystems, and I have reiserfs on
many systems.


[1] LIDS, Grsecurity, yada yada yada.

--
Brian Hatch                  "I thought the purpose of filing
   Systems and                these reports was to provide
   Security Engineer          accurate intelligence."
www.hackinglinuxexposed.com  "Vir, intelligence has nothing to
                              do with politics."
Every message PGP signed
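The reply above hinges on whether CAP_LINUX_IMMUTABLE (and, on 2.4 kernels, CAP_SYS_MODULE) is still in the capability bounding set. The following added check, which is not part of the original post, parses the CapBnd line from /proc/<pid>/status and reports whether those two capabilities are still reachable. It assumes the bit positions from linux/capability.h (CAP_LINUX_IMMUTABLE = 9, CAP_SYS_MODULE = 16) and the modern per-process bounding set exposed in /proc, rather than the 2.4-era global cap-bound sysctl the post refers to; the two status excerpts embedded below are constructed, not captured from a real host.

```python
"""Verify that CAP_LINUX_IMMUTABLE and CAP_SYS_MODULE are absent from a
process's capability bounding set by reading the CapBnd mask.

Added example, not code from the original mailing-list thread."""
import re

# Bit positions as defined in linux/capability.h
CAP_LINUX_IMMUTABLE = 9    # required to set or clear the +i / +a inode flags
CAP_SYS_MODULE = 16        # required to load kernel modules

CAP_NAMES = {
    CAP_LINUX_IMMUTABLE: "CAP_LINUX_IMMUTABLE",
    CAP_SYS_MODULE: "CAP_SYS_MODULE",
}


def parse_cap_bnd(status_text: str) -> int:
    """Return the CapBnd bounding-set mask from /proc/<pid>/status text."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapBnd line found in status text")
    return int(m.group(1), 16)


def cap_in_mask(mask: int, cap: int) -> bool:
    """True if capability bit `cap` is set in `mask`."""
    return bool((mask >> cap) & 1)


def immutable_flag_locked(status_text: str) -> dict:
    """Report which of the two capabilities remain in the bounding set.

    'locked' is True only when neither is present: root in this process
    tree can then neither flip the immutable/append-only flags directly
    nor load a module to regain that ability."""
    mask = parse_cap_bnd(status_text)
    present = [name for bit, name in CAP_NAMES.items() if cap_in_mask(mask, bit)]
    return {"mask": mask, "present": present, "locked": not present}


def check_live_process(pid="self") -> dict:
    """Run the check against a real process on this host (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        return immutable_flag_locked(f.read())


# Constructed sample excerpts (not captured from a real system):
# a full 38-bit bounding set, and the same set with bits 9 and 16 cleared.
SAMPLE_FULL = "Name:\tbash\nCapBnd:\t0000003fffffffff\nCapAmb:\t0000000000000000\n"
SAMPLE_DROPPED = "Name:\tbash\nCapBnd:\t0000003ffffefdff\nCapAmb:\t0000000000000000\n"

if __name__ == "__main__":
    for label, text in (("full", SAMPLE_FULL), ("dropped", SAMPLE_DROPPED)):
        r = immutable_flag_locked(text)
        print(f"{label}: mask=0x{r['mask']:x} present={r['present']} locked={r['locked']}")
    try:
        r = check_live_process()
        print(f"this process: present={r['present']} locked={r['locked']}")
    except OSError as e:
        print(f"could not read /proc/self/status: {e}")
```

Because the bounding set is inherited across fork and exec, running this from the shell that will later spawn the daemons you care about tells you whether a root compromise of those daemons could still undo chattr +i. Dropping the bits is done per process tree on current kernels (prctl with PR_CAPBSET_DROP, typically via the init system or a container runtime), which is why the check reads a specific process rather than a global kernel setting.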
