
Protect Server Logs From Tampering By Hackers

  • By on August 22, 2008

    In the event of an intrusion, an attacker will more than likely leave signs of his actions in various system logs, which makes those logs a valuable audit trail that should be well protected.

    Without reliable logs, it can be very difficult to figure out how the attacker got in or where the attack came from. This information is crucial when analyzing the break-in.

    However, if the break-in attempt is successful and the intruder gains root privileges, what’s to stop him from removing the traces of his misbehavior?

    This is where file attributes come in to save the day. Both Linux and the BSDs can assign extra attributes (flags) to files and directories, on top of the standard permission bits.

    Unlike standard Unix permissions, which are evaluated per user, an attribute set on a file applies to every process on the system, including processes running as root. One useful attribute for protecting log files is append-only.

    When this attribute is set, the file cannot be deleted, renamed, or truncated, and it can only be opened for writing in append mode, so existing contents can never be overwritten. (On a directory, the attribute allows new entries to be created but none to be removed or renamed.)

    To set the append-only flag under Linux, run this command:

    UNIX> chattr +a filename

    See how the +a attribute works by creating a file and setting its append-only attribute:

    UNIX> touch /var/log/logfile
    UNIX> echo "append-only not set" > /var/log/logfile
    UNIX> chattr +a /var/log/logfile
    UNIX> echo "append-only set" > /var/log/logfile
    bash: /var/log/logfile: Operation not permitted

    The second write failed because the shell's > redirection opens the file for truncation, which the attribute forbids. Appending to the end of the file with >> is still permitted:

    UNIX> echo "appending to file" >> /var/log/logfile
    UNIX> cat /var/log/logfile
    append-only not set
    appending to file

    Obviously, an intruder who has gained root privileges could realize that file attributes are being used and simply remove the append-only flag from the logs by running chattr -a. To prevent this, you need to disable the ability to clear the attribute. On Linux, only a process holding the CAP_LINUX_IMMUTABLE capability can set or clear it, so the approach is to set the attribute on the logs at boot and then drop that capability from the capability bounding set. (On kernels before 2.6.25 the bounding set was system-wide and was cleared through /proc/sys/kernel/cap-bound, which is what tools such as lcap did; since 2.6.25 it is per-process and inherited by children, so it has to be dropped by init itself or per service, for example with systemd's CapabilityBoundingSet= directive.) On the BSDs the equivalent is the system append-only flag (chflags sappnd) combined with a kernel securelevel of 1 or higher, which forbids clearing system flags until the machine is rebooted. Either way, an attacker with root can still reboot the machine, stop the logging daemon, or flood the log with noise, so treat local attributes as one layer and also forward logs to a separate, hardened log host.
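    The procedure above, collected into a small script, as an added example that is not part of the original post. It assumes chattr(1) and lsattr(1) from e2fsprogs on a filesystem that supports attributes (chattr needs root), and the function names, the option names --demo and --apply, and the sample lsattr output are all constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original post): set the append-only attribute on a
# set of log files and audit which ones still lack it.  Assumes chattr(1) and
# lsattr(1) from e2fsprogs on an ext2/3/4-style filesystem; chattr needs root.

# Read lsattr-style lines ("<flags> <path>") on stdin and print the path of each
# file whose flag field lacks the lowercase 'a' (append-only) letter.  The shell
# pattern is case-sensitive, so the unrelated uppercase 'A' (no-atime) flag is
# not mistaken for append-only.
missing_append_only() {
    while IFS=' ' read -r flags path; do
        [ -n "$flags" ] || continue            # skip blank lines
        case "$flags" in
            *a*) ;;                            # append-only already set
            *)   printf '%s\n' "$path" ;;      # report the unprotected file
        esac
    done
}

# Set +a on every file given, then list any that still lack the attribute
# (for example because chattr failed or the filesystem ignores attributes).
protect_logs() {
    for f in "$@"; do
        chattr +a "$f" || printf 'chattr +a failed on %s\n' "$f" >&2
    done
    lsattr -d "$@" 2>/dev/null | missing_append_only
}

# Constructed sample of lsattr output, used for the offline demonstration:
# two files already append-only, two not.
SAMPLE_LSATTR='----a---------e----- /var/log/auth.log
--------------e----- /var/log/syslog
----a---------e----- /var/log/wtmp
--------------e----- /var/log/apache2/access.log'

case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE_LSATTR" | missing_append_only ;;
    --apply) shift; protect_logs "$@" ;;
esac
```

    Run it with --demo to see the audit logic on the sample data (it prints the two unprotected files), or as root with --apply followed by the log paths to set the attribute and verify the result. Because the audit only parses lsattr output, you can also feed it a saved listing from another host, which is handy when checking machines over a jump box.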
