1. Home
  2. Training Library
  3. Linux Security and Hardening | CSL4 A3.1 |

File Attributes

Start course
3h 21m

In this section, you’ll take a deep dive into Linux security. You’ll build your knowledge and skills through a comprehensive overview of the key areas that you need to know to secure Linux systems.

You’ll begin with Linux security in general before moving on to physical security and the countermeasures you can employ to protect your hardware. From there, you’ll explore authentication systems and the various account types on a Linux system, and how to secure each one. You'll also learn how to enforce strong passwords and manage account and password expirations.

In the networking section, you'll learn how to secure network services that run on Linux systems. You'll also learn how the local firewall works in Linux and how to configure it. You’ll learn about file system security and how permissions work in detail, including special modes, file attributes, and ACLs. You'll also discover what rootkits are, how to detect them, and how to remove them.

You’ll also find several security resources you can use to continue your security education and stay on top of the latest security issues for Linux distributions.

There are several knowledge checks as you go through these resources. These will help you identify any areas that you might need or want to review. At the end you’ll find a final exam, where you can test yourself on what you’ve learnt.

Learning Objectives

  • Get a general view of Linux security including roles, network services, encryption, accounts, and multifactor authentication
  • Learn specific strategies for mitigating physical security risks and protecting your Linux systems against the most common physical attacks
  • Learn about data encryption and how to implement it on new Linux systems, as well as those that are already in service
  • Understand the different types of accounts you'll find on a Linux system and the special precautions you need to take with each account type
  • Learn how to enforce good password security practices on your Linux systems
  • Learn about multi-factor authentication and how it can be implemented in Linux
  • Learn techniques and strategies to secure network services
  • Learn how to secure your files and directories on Linux through permissions, data sharing, special modes, file attributes, ACLs, and rootkits

In addition to the normal modes of read, write and execute and even in addition to the special modes of Setuid, Setgid and Sticky Bit, some file systems support file attributes sometimes called extended attributes. The most commonly used file systems on Linux systems support file attributes, the ext series of file system supported, for example, ext2, ext3 and ext4 all have support. Also XFS has support The B-tree file system, ReiserFS and JFS have support as well. For those of you who work in HPC or high performance computing environments, OCFS2, OrangeFS and Lustre all have extended attributes support. Even some file systems designed to be used on embedded systems, such as SquashFS and FSF2 have extended attributes support. Let's talk about the two attributes that you all use most often. The first one is the i or immutable attribute. When a file has this attribute, it is immutable, meaning that it can't be modified. A file where the i attribute can not be deleted, renamed, upended to, truncated, or even hard linked to. Use this attribute on a file when you want to ensure that it cannot be deleted by accident, even root can not delete a file with the immutable attributes set. The attribute has to be removed before the file can be deleted. A file with the a or append only attribute can only be opened in append mode for writing. The existing contents of the file cannot be altered or removed. This also means a file with the a attribute can not be deleted. I recommend using this setting on log files, this could potentially some attackers from covering their tracks. For an example, if an attacker gains access to a system account like a web server account they could remove the log entries from the web server logs that might hide their tracks unless this append only attribute was set. Only root can set or remove these attributes, so as long as the attacker is not root or doesn't know about file attributes, they provide an extra layer of protection. There are several other file attributes but not all file attributes are supported on all file systems. To find out what attributes are supported for your file system, refer to the documentation or built-in man pages. When a file that has the s attribute is deleted, its blocks are supposed to be filled with zeros and written back to the disc. However, if you're using ext4 or XFS, for example this will not happen when the file is deleted because those file systems do not support that particular attribute. Okay, so, how do we view and set these file attributes? Well, to view file attributes, use the lsattr or L-S-A-T-T-R command followed by the file or directory you want to examine. The lsattr command we'll list the attributes or flags set on a given file just like the ls command uses dashes to represent that a permission is not set, lsattr uses a dash to represent that an attribute is not set. In this first example, the etc/motd file doesn't have any attributes set, so the output from lsattr is made up entirely of dashes. In this second example, the var/log messages file has the a attribute set, which we know is the append only attribute. The lowercase a will always appear in that position if it's set. I wouldn't spend any time learning what each and every one of those fields represents like you do with ls output. You can always look up the attribute in the C-H-A-T-T-R man page. So that brings us to setting or clearing attributes and to do that, use the C-H-A-T-T-R command. To add or set an attribute, run chattr followed by the plus sign followed by the attribute or attributes you wish to set. To remove or clear an attribute run chattr followed by the minus sign, followed by the attribute or attributes you wish to remove. If you want to explicitly set the attributes to be only what you specify, run chattr followed by the equal sign, followed by the attribute or attributes. If there are any existing attributes that weren't specified following the equal sign, they will be cleared. So to clear all attributes run chattr, space, equals and then the path to the file or directory, since no attributes were specified they will all be cleared. This example shows that the var/log messages file doesn't initially have any file attributes set on it. We run the chattr +a/var/log/message command to add the append only attribute. And we check to see that it got applied by running lsattr. If we want to clearly a flag, then we run chattr -a followed by the path to the file. This example shows that the a attribute was set. Then the chattr -a command was executed and the final lsattr output shows that the attribute was indeed removed. Let's use the chattr command in combination with the equal sign. Here we use the lsattr command to show that no attributes are set on the /etc/ host file. Next we run chattr =is /etc/hosts. The next lsattr command shows that both the immutable and secure delete attributes were set. This is meant to be an example on how they use this command, but remember your file system probably doesn't support secure delete. To remove all attributes on a file, you can run chattr = without specifying any attributes and then a path to the file. This will clear all the attributes as the example on your screen demonstrates.

About the Author