Re: reboot loses configurations
On Sun, 2006-29-10 at 06:26 -0500, Jude DaShiell wrote:
> Hmmm, have you tried chattr +i on a list of the offending files once all
> configurations are set correctly? There's a trick I'll do on my next
> Debian installation in which you get the lcap utility (aptitude install
> lcap) and you set chattr +a on log files you don't want tampered and chattr
> +i on valuable binaries including lcap itself. Then, say, in /etc/rc.local
> put a couple of lcap lines:
>   lcap CAP_LINUX_IMMUTABLE
>   lcap CAP_SYS_MODULE
> After that, chattr +i /etc/rc.local, then reboot your system. See if you
> can modify /etc/rc.local. If not, the trick was successful. What it's
> supposed to do if it works is provide plenty of hacker frustration and
> keep you with an undamaged system.
Interesting. I'll keep this in mind for use with my IDS.
I think my problem is more related to scripts, however.
Any idea what scripts are at fault?
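
Added example, not part of either poster's message: a way to verify the lockdown described in the quoted text by checking that CAP_LINUX_IMMUTABLE and CAP_SYS_MODULE are gone from the capability bounding set and that a file carries the expected chattr flag. It assumes a kernel that reports the bounding set as a CapBnd line in /proc/<pid>/status; the function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Capability bit numbers from <linux/capability.h>.
CAP_LINUX_IMMUTABLE=9
CAP_SYS_MODULE=16

# Constructed samples of /proc/<pid>/status text (not captured from a real host).
SAMPLE_FULL=$(printf 'Name:\tinit\nCapBnd:\t000001ffffffffff\n')    # nothing dropped
SAMPLE_LOCKED=$(printf 'Name:\tinit\nCapBnd:\t000001fffffefdff\n')  # bits 9 and 16 cleared

# bnd_mask STATUS_TEXT: print the hex bounding-set mask, or nothing if absent.
bnd_mask() {
    printf '%s\n' "$1" | awk '$1 == "CapBnd:" { print $2; exit }'
}

# cap_present HEXMASK BIT: succeed if the capability bit is still set.
cap_present() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# lockdown_report STATUS_TEXT: one line per capability.
# Returns 0 if both are dropped, 1 if either remains, 2 if CapBnd is missing.
lockdown_report() {
    mask=$(bnd_mask "$1")
    [ -n "$mask" ] || { echo "no CapBnd line found"; return 2; }
    rc=0
    for pair in "CAP_LINUX_IMMUTABLE:$CAP_LINUX_IMMUTABLE" "CAP_SYS_MODULE:$CAP_SYS_MODULE"; do
        name=${pair%%:*}; bit=${pair##*:}
        if cap_present "$mask" "$bit"; then
            echo "$name still in bounding set"; rc=1
        else
            echo "$name dropped"
        fi
    done
    return $rc
}

# has_attr LSATTR_LINE LETTER: succeed if the flag letter (i or a) appears in
# the attribute field, i.e. the first column of a line of lsattr output.
has_attr() {
    case ${1%% *} in *"$2"*) return 0 ;; esac
    return 1
}

# Demonstration on the constructed samples.
lockdown_report "$SAMPLE_LOCKED" || true
lockdown_report "$SAMPLE_FULL" || true
```

On a live system, pass `"$(cat /proc/1/status)"` to `lockdown_report` and `"$(lsattr /etc/rc.local)"` to `has_attr` after the reboot.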