Situation: Sometimes it’s very imperative to protect the Logs or some other files in a Linux server from being manipulated. For example, "DHCP log", which is vital for any Internet service provider to trace the leased IP during investigation. The question is, how to protect these logs when no one is 100% trustworthy in an organization including the system admin team who has full root access :)
Linux comes out with a solution called File attributes, by which irrespective of ownership on a file, you can still protect it from manipulation and deletion. All you need is just 2 commands:
lsattr – for listing the file attributes
chattr – for changing the file attributes
It is explained with an example here:
[root@server01 opt]# cat > testfile # Creating a file name “testfile”
Some contents
[root@server01 opt]# cat testfile # Displaying its contents
Some contents
[root@server01 opt]# lsattr testfile # Listing the file attributes (its blank)
------------- testfile
[root@server01 opt]# chattr +a testfile # Changing the file attribute to APPEND ONLY mode (using +a option) which takes care of undelete option as well.
[root@server01 opt]# lsattr testfile # Shows the file has Append only attribute set.
-----a------- testfile
[root@server01 opt]# echo "Additional text" > testfile # Now am trying to overwrite the file contents but it is NOT allowing.
-bash: testfile: Operation not permitted
[root@server01 opt]# echo "Additional text" >> testfile # But Appending the file content works
[root@server01 opt]# cat testfile
Some contents
Additional text
[root@server01 opt]#
[root@server01 opt]# rm testfile # Trying to delete the file but it doesn’t allow.
rm: remove regular file `testfile'? y
rm: cannot remove `testfile': Operation not permitted
[root@server01 opt]# chattr -a testfile # Removing the file attribute value by using –a option.
[root@server01 opt]# lsattr testfile # File attributes gone
------------- testfile
[root@server01 opt]# echo "Additional text" > testfile # Now am able to overwrite the file.
[root@server01 opt]# cat testfile
Additional text
[root@server01 opt]# rm testfile # And am able to delete it as well
rm: remove regular file `testfile'? y
[root@server01 opt]#
Next question is , how to prevent changing the file attribute like I did using “–a” option above. Linux comes with solution for that as well. By using a tool called LCAP, we can remove the capability of root user from changing the file attributes. That capability can be revoked only upon reverting back the kernel changes and reboot the server, which is indeed not an easy task.
No comments:
Post a Comment