The
chattr command can be used to set the immutable bit on a critical file
(or directory with the -R option) if it happens to be present on the linux
second extended file system (ext2).
Using
the chattr command, if the immutable bit (i) on a particular file is set,
then the file is prevented from any kind of modification even by the root.
This includes but is not restricted to altering the contents, changing
ownership etc (Reading the file would however update the access time in
the inode block).
This is a useful command and certain files that should not be altered
in regular course (most configuration files) could have this bit set to
prevent accidental modification. However, if the attacker has been able
to obtain root access, then the i bit can be removed in a similar way.
Only the root can reset this bit.
For instance,
$ touch
./foofile
# chattr +i ./foofile
# lsattr
./foofile
-rw------- 1 balagi balagi 0 Aug 19 03:10 ./foofile
# chmod
755 ./foofile
chmod: changing permissions of `./foofile': Operation
not permitted
Employ
the chattr command to change attributes of the following files:
# chattr
+i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow
# chattr +i /etc/services
Find files modified
in the last three days
# find
/ -mtime 3 -o -ctime 3
Find files modified
in the last two minutes
# find
/ -cmin -2
Find files owned by
user (uid : 502)
# find
/ -user 502 -ls
Find files containing
text “TEXT”
# find
/ -name “*” -exec grep -H TEXT {} \;
REFERENCE