
Re: Cracked boxes - schg and sappnd usage?



On Wed, Aug 28, 2002 at 06:34:20AM -0500, eric@gruver.net said:
> I'm curious about how much people set the system immutable
> flag (schg) on critical files to help keep intruders from
> being able to install a root kit.
>
> I've used them some, but probably not enough.
>
> For those who set the system immutable flag, on which files
> do you typically set the immutable flag?
>
> How about the system append-only flag (sappnd)?

I've thought for some time now that the append-only flag would be an
excellent addition to almost every logfile; the only issue I've seen is on
systems with massive logs (high-traffic webservers, etc.), but then, disk
space tends to be fairly cheap. One could also set a cron job to gzip the
file in question, 'chflags nosappnd filename', 'cat /dev/null > filename',
'chflags sappnd filename' and avoid the disk space issue altogether ...

As for the immutable flag, well ... on a system where users are added
infrequently, that flag can probably be added to most of /etc without causing
too much trouble. It becomes more of an issue on binaries and libraries,
depending on how often you upgrade/patch. One of my friends went so far as to
mount / read-only, which achieved much of the same effect as a mass schg, and
was easier to manage.

YMMV.
--
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
  GPG key CB33CCA7 has been revoked; I am now 5537F527
        illum oportet crescere me autem minui

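The rotation sequence Scott sketches (gzip a copy, 'chflags nosappnd', empty the file, 'chflags sappnd') as a runnable script. This is an added example, not code from the original post; it assumes a BSD where chflags(1) and the kern.securelevel sysctl exist, and the log path and the sample log lines in the test are constructed. Two caveats it builds in: 'gzip file' would try to unlink the original, which sappnd forbids, so the copy is made with 'gzip -c'; and the system flags can only be cleared while kern.securelevel is 0 or lower, so the script refuses up front at securelevel 1 or higher rather than failing after the archive was written (which also means the cron-job approach only works on a host whose securelevel would let an intruder with root clear the flag just as easily). On a system without chflags the flag steps are no-ops so the rest of the procedure can still be exercised.

```shell
#!/bin/sh
# Rotate an append-only (sappnd) log file: compress a copy, drop the flag,
# truncate, re-set the flag.  Added example, not from the original post.
# Assumes BSD chflags(1) and kern.securelevel; elsewhere the flag steps
# become no-ops so the rotation logic itself can still be run.

# Apply one chflags(1) keyword to a file; no-op where chflags is absent.
bsd_chflags() {
    if command -v chflags >/dev/null 2>&1; then
        chflags "$1" "$2"
    fi
}

# System flags (schg, sappnd) can only be cleared at kern.securelevel <= 0.
# Check before touching anything so a failed rotation leaves no half state.
securelevel_allows_nosappnd() {
    level=0
    if command -v sysctl >/dev/null 2>&1; then
        level=$(sysctl -n kern.securelevel 2>/dev/null || echo 0)
    fi
    [ "$level" -le 0 ]
}

# Usage: rotate_sappnd_log /var/log/messages
# Prints the path of the compressed archive on success, returns 1 on failure.
rotate_sappnd_log() {
    log=$1
    archive="$log.$(date +%Y%m%d%H%M%S).gz"

    [ -f "$log" ] || { echo "no such log: $log" >&2; return 1; }
    securelevel_allows_nosappnd || {
        echo "kern.securelevel > 0: sappnd cannot be cleared from multi-user mode" >&2
        return 1
    }

    # gzip -c only reads the original and writes a new file; plain
    # 'gzip file' would unlink the original, which sappnd denies.
    gzip -c "$log" > "$archive" || { rm -f "$archive"; return 1; }

    # Drop the flag just long enough to truncate: O_TRUNC is refused while
    # sappnd is set, which is exactly what the flag is for.
    bsd_chflags nosappnd "$log" || { rm -f "$archive"; return 1; }
    if true > "$log"; then          # same effect as 'cat /dev/null > file'
        status=0
    else
        status=1
    fi
    # Always restore the flag, even if the truncate failed, so the
    # unprotected window stays as short as possible.
    bsd_chflags sappnd "$log" || status=1

    [ "$status" -eq 0 ] || { rm -f "$archive"; return 1; }
    echo "$archive"
}
```

Note that syslogd keeps the file open with O_APPEND, so writes continue across the truncate; a program that opens the log without O_APPEND gets EPERM while the flag is set. The flag does not make rotation atomic, though: any line written between the gzip copy and the truncate is lost, which is the same hole plain truncation has.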