Securing Linux: Part 1
The following command "chattr" helps you go a step further than the "chmod"
command, which allows you to only change the files ownership rights and nothing
further. Using the "chattr" command, root can specify files and directories to
be "immutable" and "read-only". These implement restricted access to the files
and prevent tampering around with the actual system files or replacement with
any other alternate ones.
bash# chattr +i /sbin/lets_rock <-- The immutable bit
bash# chattr +a /var/log/messages <-- The append only bit
Take for example the second flag mentioned above, "+a". This allows root to set
the append only bit for /var/log/messages and prevents it from unwanted
At this point of time, it is suggested you lay your hands on a PDF document
available at www.linuxsecurity.com called "Quick Reference Card.pdf". It is an
Adobe Acrobat document (PDF format) and quite informative about the basic
security measures a system administrator should take.
Most of us are familiar with the boot loader that comes along with most Linux
distributions, LILO. Until sometime ago, most Linux distributions had
vulnerability as follows. Anyone with physical access to your machine could
reboot it and at the LILO prompt say 'linux single' to get to a root shell
without being prompted for a password.
LILO: linux single <-- The LILO boot prompt
Red Hat 6.2 works this way but other distributions, like SuSE, verifies the root
user by asking for a password before providing the user with a shell.
You can remedy this situation by getting LILO to always ask for a password if
any command line parameters are passed to it while bootup.
To make the following changes to your /etc/lilo.conf file, su to root, open the
lilo.conf file in your favorite text editor and make the following changes.
image = /boot/vmlinuz-2.2.17
label = Linux
password = your-password <--
You'll need to append the last two lines to your /etc/lilo.conf file. Add a
password of your choice and re-run lilo.
There is a lot more but for now check out the following links.