The chattr command changes file-system attributes on Ext2 and Ext3 filesystems. N.B. These attributes are distinct from the standard Unix permissions (e.g., "drwxr-x---"). The lsattr command lists file attributes. Only root can change file attributes, i.e., use chattr.
Attributes which can be used for security-related purposes include i (immutable) and a (append-only).
See the chattr(1) man page for details.
    prompt> ls -l
    -rw-r--r--   1 isd   users   27 Jan 12 10:51 cow
    -rw-r--r--   1 isd   users   48 Jan 12 10:54 pig
    -rw-r--r--   1 isd   users    5 Jan 12 10:51 sheep

    prompt> chattr +a pig
    prompt> chattr +i cow
    prompt> lsattr
    -----a------------ ./pig
    ----i------------- ./cow
    ------------------ ./sheep
    ------------------ ./duck

    prompt> echo "swill" >> pig
    prompt> ls -l
    -rw-r--r--   1 isd   users   27 Jan 12 10:51 cow
    -rw-r--r--   1 isd   users   54 Jan 12 10:54 pig
    -rw-r--r--   1 isd   users    5 Jan 12 10:51 sheep
    prompt> echo "grass" >> cow
    bash: cow: permission denied
To help prevent removal of evidence of intrusion from system logs, make them append-only:
    prompt> chattr -R +i /var/log

N.B. Your log-rotation script must be able to handle Ext2/3 filesystem attributes (e.g., remove i, rotate, re-apply i).

For example, for a chrooted Squid installation:

    cd /chroot_squid
    chattr -R +i bin dev etc lib usr
    chattr -R +a var/log
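The N.B. above says a log-rotation script has to cope with the i and a attributes itself. The following is an added example, not part of the original notes or of any rotation tool: it reads the attribute field from lsattr output, drops whatever i/a flags are set, rotates the file, and re-applies the same flags to both the fresh log and the archived copy. It assumes lsattr prints one line per file in the form "<flags> <path>" (e.g., "----i--------e---- /var/log/messages") and that paths contain no spaces; the rotate step needs root, the two parsing helpers do not.

```shell
#!/bin/sh
# Added example: rotate a log file protected with chattr +i / +a.
# Assumption: lsattr output looks like "<flags> <path>", flags being a
# fixed-width run of dashes and attribute letters.

# attr_flags LINE -> print the flag field of one lsattr output line
attr_flags() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# has_attr LINE LETTER -> succeed if the lsattr line shows attribute LETTER
has_attr() {
    case "$(attr_flags "$1")" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# protected_flags LINE -> print the subset of "ia" that the line shows
# (this is the string we hand back to chattr with - and + later)
protected_flags() {
    flags=""
    has_attr "$1" i && flags="${flags}i"
    has_attr "$1" a && flags="${flags}a"
    printf '%s\n' "$flags"
}

# rotate_protected FILE -> remove i/a, rotate FILE to FILE.1, re-apply i/a.
# Must run as root (only root may clear or set i and a).
rotate_protected() {
    file=$1
    line=$(lsattr "$file") || return 1
    flags=$(protected_flags "$line")

    # 1. drop the protective attributes so the rename is permitted
    if [ -n "$flags" ]; then
        chattr "-$flags" "$file" || return 1
    fi

    # 2. rotate: archive the old log and start a new, empty one
    mv "$file" "$file.1" || return 1
    : > "$file"

    # 3. re-apply the same attributes to the new log and the archive
    if [ -n "$flags" ]; then
        chattr "+$flags" "$file"   || return 1
        chattr "+$flags" "$file.1" || return 1
    fi
    return 0
}
```

Usage would be, as root, `rotate_protected /var/log/messages`. Keeping the archive immutable as well matters for the stated purpose: an intruder who can delete or edit yesterday's log gains almost as much as one who can edit today's.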