  1. #1

    chattr on a CentOS server

    Just wondering if there is a list / guide on what files should be set to either chattr +i or chattr +a ?

    You could go a little 'crazy' and chattr +i all your major binaries......however my only issue with this is that yum updates will fail until you manually chattr -i and update.

    Any suggestions on what to / what not to chattr +i or chattr +a ?

  2. #2
    Hi
    chattr COMMAND:
    chattr command is used to change the file attributes. This is an admin command. Root user only can change the file attributes/Process.

    SYNTAX:
    The Syntax is
    Code:
       chattr [options] filename
    OPTIONS:

    +i : Make the file as Read-Only.
    -i : Remove the Read-Only.
    +a : Can't open file for writing.
    -a : Open file for writing.
    +S : The changes in the file are written synchronously on the disk.


    You can check the link http://linux.about.com/od/commands/l/blcmdl1_chattr.htm for more details.
    Ramshad..!##

  3. #3
    Hi thanks. I know what it does. Just wondering what files would benefit from a chattr +i or chattr +a setting.

  4. #4
    Quote Originally Posted by egsi:
    > Hi thanks. I know what it does. Just wondering what files would benefit from a chattr +i or chattr +a setting.
    It's slightly useful as an "onion-layer" in a high-security environment, when used in conjunction with securelevels.

    The idea being that you set the "append only" (+a) flag on logfiles, and someone can't tamper with them - all they can do is add more stuff to them.

    The basic idea is that with securelevel raised, you can't remove these flags. You can't lower securelevel without a reboot, and a good operator should bloody well notice an unexpected reboot. Of course, this breaks log-rotation scripts so you'll want to have a really, really big /var/log and/or schedule weekly reboots and run your rotations then.

    By the same token, immutable (+i) is good for system binaries, kernel, things which won't change much. You set them +i and raise the securelevel, and then you know they can't be tampered with if someone roots the box.

    Again, the downside is any legitimate reason to modify these files is going to take a reboot - you'll probably want to run your system updates in single-user mode to get any real security out of it, which brings forward its own set of problems and caveats.

    On the whole, I don't personally think it's worth it. I'm not sure, but I believe I saw an article a while ago showing attacks on this whole mechanism, undermining its effectiveness - and it makes being a good admin a pain in the butt.

    If you use immutable or append-only without raising securelevel, it has one teeny tiny use: It'll break "canned-ownage" scripts, and give clueless script kiddies a workout (but don't expect it to keep out a determined, educated attacker), if you change the flags on certain files and remember to change them back before you want to modify them.
    I used to run the oldest commercial Mumble host.
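    The "+a on logs, +i on binaries and config" policy above only helps if the flags are actually still in place, so an added example (not from this thread or any poster) of auditing `lsattr` output against an expected policy and listing the immutable files that must be unlocked before a package update. The sample `lsattr` output and the policy table are constructed for illustration.

```python
import subprocess

# Constructed sample of `lsattr -d` output (hypothetical, not captured from a real host).
SAMPLE_LSATTR_OUTPUT = """\
----i---------e------- /etc/profile
-----a--------e------- /var/log/secure
--------------e------- /var/log/messages
----i---------e------- /usr/bin/passwd
-----a--------e------- /usr/sbin/sshd
"""

# Hypothetical policy in the spirit of the post: append-only logs, immutable binaries/config.
POLICY = {
    "/etc/profile": {"i"},
    "/var/log/secure": {"a"},
    "/var/log/messages": {"a"},
    "/usr/bin/passwd": {"i"},
    "/usr/sbin/sshd": {"i"},
}

def parse_lsattr(output):
    """Map each path in lsattr output to the set of attribute letters shown for it."""
    result = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("lsattr:"):
            continue  # skip blanks and error lines (e.g. "Inappropriate ioctl for device")
        attrs, _, path = line.partition(" ")  # attrs never contain spaces; paths may
        result[path] = {c for c in attrs if c != "-"}
    return result

def audit(policy, observed):
    """Return (path, missing_flags, unexpected_flags) for every file that drifts from policy."""
    findings = []
    for path, wanted in policy.items():
        have = observed.get(path)
        if have is None:
            findings.append((path, set(wanted), set()))  # absent from lsattr output
            continue
        missing = wanted - have
        unexpected = (have & {"i", "a"}) - wanted  # only i/a are policy-relevant here
        if missing or unexpected:
            findings.append((path, missing, unexpected))
    return findings

def files_to_unlock_for_update(policy):
    """Immutable files that need `chattr -i` before yum (and `chattr +i` afterwards)."""
    return sorted(p for p, flags in policy.items() if "i" in flags)

if __name__ == "__main__":
    proc = subprocess.run(["lsattr", "-d"] + list(POLICY), capture_output=True, text=True)
    for path, missing, unexpected in audit(POLICY, parse_lsattr(proc.stdout)):
        print(f"{path}: missing={sorted(missing)} unexpected={sorted(unexpected)}")
    print("unlock before update:", files_to_unlock_for_update(POLICY))
```

Run as root on the host; the `__main__` block calls `lsattr -d` on the policy paths and prints drift, while the functions can be exercised offline on the constructed sample.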

  5. #5
    Fwaggle hit the nail on the head - the ultimate answer is it can help, but by no means is it a bulletproof solution (also securelevel is *bsd based I believe, but the same ideas could be applied with say SELinux/MAC).

    I personally use chattr on things I want to not get overwritten / changed as it'll spit back a nice error / remind me. Beyond that I don't consider it much of a security mechanism.
    Cody R.
    Hawk Host Inc. Proudly Serving websites since 2004.
    Let's Encrypt Sponsor.

  6. #6
    Quote Originally Posted by CodyRo:
    > Fwaggle hit the nail on the head - the ultimate answer is it can help, but by no means is it a bulletproof solution (also securelevel is *bsd based I believe, but the same ideas could be applied with say SELinux/MAC).
    You know I almost wrote something to that effect, but I wasn't sure so I left it out. You can tell I don't use Linux much eh?

    > I personally use chattr on things I want to not get overwritten / changed as it'll spit back a nice error / remind me. Beyond that I don't consider it much of a security mechanism.
    Right - much like mounting something noexec, it's more useful for preventing you from shooting yourself in the foot, than it is for security purposes.
    I used to run the oldest commercial Mumble host.

  7. #7
    Quote Originally Posted by egsi:
    > Hi thanks. I know what it does. Just wondering what files would benefit from a chattr +i or chattr +a setting.
    You can mostly use it to chattr configuration files, for example exim.conf, where you have your own settings and don't want a cPanel update to overwrite them.

    There is no need to chattr server binaries.
    | LinuxHostingSupport.net
    | Server Setup | Security | Optimization | Troubleshooting | Server Migration
    | Monthly and Task basis services.
    | MSN : madaboutlinux[at]hotmail.com | Skype : madaboutlinux

  8. #8
    Thanks guys for the replies. Although I'm not quite clued up on securelevel, that chattr explanation was helpful.

    Good point about the log rotations too. I was thinking about using the +a option for my logfiles but then wondered how it would affect log rotation.

    Reason it came up was because I had a security audit (and fix) done recently and they chattr'd +i some files (/etc/profile and a few others). As a result a few updates failed, and this was the reason.

    Might just use it on a few binaries to keep script kiddies deterred.
