Sunday, May 23, 2010

Setting the Immutable bit by chattr

SkyHi @ Sunday, May 23, 2010

The chattr command can be used to set the immutable bit on a critical file
(or on a whole directory tree with the -R option) if it lives on a Linux
second extended file system (ext2).

Once the immutable bit (i) has been set on a file with chattr, the file is
protected from any kind of modification, even by root. This includes, but is
not restricted to, altering its contents and changing its ownership or
permissions. (Reading the file would, however, still update the access time
in the inode.)

This is a useful command: files that should not be altered in the regular
course of operation (most configuration files) can have this bit set to
prevent accidental modification. However, if an attacker has managed to
obtain root access, the i bit can be removed just as easily, since only root
can set or clear it. Treat it as protection against mistakes, not as a
substitute for keeping root out.

For instance, create an empty file as an ordinary user, make it immutable as
root, and then try to change its permissions:

$ touch ./foofile

# chattr +i ./foofile

# ls -l ./foofile
-rw------- 1 balagi balagi 0 Aug 19 03:10 ./foofile

# chmod 755 ./foofile
chmod: changing permissions of `./foofile': Operation not permitted

Note that the attribute is not visible in ls -l output; use lsattr ./foofile
to see it.

As a starting point, use the chattr command to set the immutable bit on the
following files:

# chattr +i /etc/passwd

# chattr +i /etc/shadow

# chattr +i /etc/group

# chattr +i /etc/gshadow

# chattr +i /etc/services
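As an added example (not code from the original post), the following POSIX shell script audits the files listed above and reports which ones do not carry the immutable bit, so that a cron job can notice when the protection is missing or has been cleared. It parses lsattr output, so it needs e2fsprogs; the function names lsattr_line_is_immutable and audit_immutable and the --run switch are my own choices, and the sample lsattr lines in the comments are constructed.

```sh
#!/bin/sh
# Added example, not code from the original post: audit files for the
# immutable bit and report those that are not protected.

# Return 0 if one line of lsattr output carries the immutable flag 'i'.
# lsattr prints "<attribute flags> <path>", e.g. (constructed samples)
#   "----i--------e-- /etc/passwd"   -> immutable
#   "-------------e-- /etc/passwd"   -> not immutable
# Only the flag field is inspected, so an 'i' in the path cannot fool it.
lsattr_line_is_immutable() {
    flags=${1%% *}      # everything before the first space
    case $flags in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Audit every path given as an argument. Prints one line per file:
#   PROTECTED   <file>   immutable bit set
#   UNPROTECTED <file>   immutable bit not set
#   UNKNOWN     <file>   lsattr failed (missing file, or a filesystem
#                        without ext-style attributes, e.g. tmpfs)
# Returns 0 only if every file is PROTECTED, so it can gate a cron job.
audit_immutable() {
    rc=0
    for f in "$@"; do
        if line=$(lsattr -d "$f" 2>/dev/null); then
            if lsattr_line_is_immutable "$line"; then
                echo "PROTECTED   $f"
            else
                echo "UNPROTECTED $f"
                rc=1
            fi
        else
            echo "UNKNOWN     $f"
            rc=1
        fi
    done
    return "$rc"
}

# The files the post recommends protecting.
CRITICAL_FILES="/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services"

# Run the audit only when invoked as: sh audit_immutable.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_immutable $CRITICAL_FILES
fi
```

Since root can clear the bit with chattr -i, a file that was PROTECTED in yesterday's run and is UNPROTECTED today is worth investigating rather than silently re-applying the attribute.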

Detecting file changes

Find files modified (mtime) or status-changed (ctime) in the last three days
(note the leading minus: -mtime 3 on its own would match only files last
modified exactly three days ago):

# find / -mtime -3 -o -ctime -3

Find files whose inode status changed (ctime) in the last two minutes:

# find / -cmin -2

Find files owned by a user (uid 502) and list them in ls -l style:

# find / -user 502 -ls

Find regular files containing the text "TEXT":

# find / -type f -exec grep -H TEXT {} \;
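The find one-liners above rely on file timestamps, which can themselves be altered, so a hash baseline is a more robust complement. As an added example (not code from the original post), here is a small POSIX shell script that records a manifest of file hashes for a directory tree and later compares a fresh manifest against it, reporting added, removed and changed files; it also wraps find -newer, which flags files changed since a reference file rather than since "N days ago". The function names make_manifest, compare_manifests and changed_since are my own; the script assumes coreutils sha256sum (with shasum as a fallback), comm, sort, awk and sed, and paths without whitespace.

```sh
#!/bin/sh
# Added example, not code from the original post: hash-based change detection
# for a directory tree, plus a find -newer helper. Assumes coreutils (or
# shasum), comm, sort, awk and sed, and paths without whitespace.

# Pick a SHA-256 tool: GNU coreutils sha256sum, else Perl shasum.
hash_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo sha256sum
    else
        echo "shasum -a 256"
    fi
}

# make_manifest DIR OUT: write "<sha256>  <path>" for every regular file
# under DIR into OUT, sorted so that comm(1) can compare manifests.
make_manifest() {
    find "$1" -type f -exec $(hash_cmd) {} \; | sort > "$2"
}

# compare_manifests OLD NEW: print "changed:", "removed:" and "added:" lines
# and return 0 if the manifests are identical, 1 otherwise.
compare_manifests() {
    old=$1; new=$2
    tmp=$(mktemp -d)
    # Lines present only in OLD / only in NEW, reduced to their paths.
    comm -23 "$old" "$new" | awk '{print $2}' | sort > "$tmp/onlyold"
    comm -13 "$old" "$new" | awk '{print $2}' | sort > "$tmp/onlynew"
    # A path that appears in both lists has a different hash now: changed.
    comm -12 "$tmp/onlyold" "$tmp/onlynew" | sed 's/^/changed: /'
    comm -23 "$tmp/onlyold" "$tmp/onlynew" | sed 's/^/removed: /'
    comm -13 "$tmp/onlyold" "$tmp/onlynew" | sed 's/^/added: /'
    if cmp -s "$old" "$new"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}

# changed_since DIR STAMP: regular files under DIR modified more recently
# than the file STAMP (for example one created with touch right after the
# baseline was taken).
changed_since() {
    find "$1" -type f -newer "$2"
}

# Usage as a daily job (paths are placeholders):
#   make_manifest /etc /var/lib/baseline/etc.sha256        # once, while trusted
#   make_manifest /etc /tmp/etc.now \
#     && compare_manifests /var/lib/baseline/etc.sha256 /tmp/etc.now
```

Keep the baseline manifest somewhere the monitored host cannot rewrite it (read-only media, or a remote copy), for the same reason the post gives about the immutable bit: anything root can write, root can also tamper with.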