Commit

Clarify chattr +a effects
pdecat committed Sep 28, 2021
1 parent 8a6b4cd commit 1bdab99
Showing 2 changed files with 5 additions and 4 deletions.
5 changes: 3 additions & 2 deletions HARDENING.md
Expand Up @@ -10,7 +10,8 @@ measures.
- The default shell is **/bin/bash** and is locked in the **~/.profile** file (owner and group: root, mode: 0644), so a
non-root user can't change this.

- The default history file **~/.bash_history** is unwritable (**chattr +a**).
- The content of the default history file **~/.bash_history** cannot be tampered with (**chattr +a** mandates it can only
be opened in append mode for writing).

- The **HISTFILE** variable is in **readonly mode** (see **~/.profile**), so a non-root user can't change this

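Review bot: the new wording "cannot be tampered with" in the ~/.bash_history bullet claims more than chattr +a delivers. Append-only stops an unprivileged user from truncating, overwriting, renaming or deleting the file, but a process with CAP_LINUX_IMMUTABLE (root) can remove the attribute, and the attribute does nothing about entries that never reach the file. Suggest "cannot be truncated, overwritten or deleted by a non-root user (chattr +a: the file can only be opened for writing in append mode)", and "mandates" reads oddly here; "means" is enough. One caveat the doc should state alongside this bullet: bash rewrites the history file with truncation unless `histappend` is enabled, and that write fails on an append-only file, so the hardening needs `shopt -s histappend` set (and locked, like HISTFILE) or history simply stops being saved.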
Expand All @@ -34,4 +35,4 @@ The following files are set up with the following permissions:
- **~/.ssh folder**: mode 0700
- **~/.ssh/authorized_keys**: mode 0600
- **~/.ssh/config**: mode 0600
- **~/.vimrc**: mode: 0600
- **~/.vimrc**: mode: 0600
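Review bot: the only visible change in this hunk is the `~/.vimrc` line reappearing unchanged, which points to a trailing-newline fix rather than a content change; the commit message could say so. While this line is being touched, its `mode: 0600` carries a colon that the three entries above it do not (`mode 0700`, `mode 0600`), so drop it for consistency: `- **~/.vimrc**: mode 0600`.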
4 changes: 2 additions & 2 deletions tasks/hardening.yml
Expand Up @@ -4,7 +4,7 @@
path: "~{{ item.key }}/.bash_history"
register: _users_history

- name: "hardening | ensure ~{{ item.key }}/.bash_history is NOT immutable"
- name: "hardening | ensure ~{{ item.key }}/.bash_history is NOT in append only mode"
file:
path: "~{{ item.key }}/.bash_history"
attr: -a
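Review bot: the renamed task says "append only mode" while the HARDENING.md change in the same commit says "append mode"; hyphenate as "append-only mode" and use that phrase in both places so the task name and the documentation describe the attribute the same way. `attr: -a` itself is fine here because the operator is explicit.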
Expand All @@ -18,7 +18,7 @@
- _users_status == "unset" or
_users_status == "set_bash"

- name: "hardening | ensure ~{{ item.key }}/.bash_history is immutable"
- name: "hardening | ensure ~{{ item.key }}/.bash_history content cannot be tampered with"
file:
path: "~{{ item.key }}/.bash_history"
attr: a
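Review bot: `attr: a` is not the additive counterpart of the `-a` used in the previous task. The Ansible `file` module treats an attribute string without an operator as `=`, i.e. "set the attribute list to exactly `a`", which also tries to clear flags the filesystem already reports (for example `e` on ext4) and can fail on such systems; write `attr: +a` so only append-only is added. The new task name "content cannot be tampered with" also overstates what +a guarantees (root can still drop the attribute, and a truncating history write will fail rather than be prevented); "is in append-only mode" mirrors the first task's name and states exactly what the task sets.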

0 comments on commit 1bdab99
