BSD HACKS Excerpts (Part 3)
Figure 6-1 summarizes the flags, their meanings, and their usual usage. [Hack #58] shows how to create your own file integrity checking program that will alert you if any of your binaries or other important files are changed. An additional layer of protection is to use chflags to prevent those files from being changed in the first place. Usually, the schg
/usr/bin, which contains user programs
/usr/sbin, which contains system programs
/etc, which contains system configurations
Again, evaluate your particular scenario before implementing this flag. The protection provided by this flag usually far outweighs the inconvenience. The only time the contents of /usr/bin or /usr/sbin should change is when you upgrade the operating system or rebuild your world. Doing that requires a reboot anyway, so dropping to single-user mode to unset schg shouldn’t be a problem.
How often do you change your configuration files in /etc? If you typically configure a system only when it is installed and rarely make changes afterward, protect your configurations with schg. However, keep in mind that a rare configuration change may require you to drop all connections in order to implement it. Also, if you need to add more users to your system, remember to remove that flag from /etc/passwd, /etc/master.passwd, and /etc/group first.
Things are a bit more problematic for a system running installed applications. Most ports install their binaries into /usr/local/bin or /usr/X11R6/bin. If you set the schg flag on those directories, you won’t be able to patch or upgrade those binaries unless you temporarily unset the flag. You’ll have to balance your need to keep your server up and running with the protection you gain from the schg flag and how often you have to patch a particular binary.
6.4.6 Controlling Backups
The last two flags, arch and nodump, affect backups. The arch flag.
Similarly, when using dump to back up an entire filesystem, the superuser can specify which portions of that filesystem will not be included by setting the nodump flag.
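As an added example (not from the book), the sh/awk helper below reads `ls -lo` output and lists files that lack schg or that carry nodump, which lets you verify the protections and backup exclusions discussed above. The helper name flag_report and the sample listing are constructed for illustration, and the field layout assumed is the FreeBSD `ls -lo` long format.

```sh
#!/bin/sh
# Added example: report file flags from `ls -lo` output read on stdin.
# Assumes the FreeBSD long format with -o: mode, links, owner, group,
# flags ("-" when none, comma-separated otherwise), size, 3 date fields, name.

# flag_report MODE FLAG   (hypothetical helper; MODE is "with" or "without")
flag_report() {
    awk -v mode="$1" -v want="$2" '
        NF < 10 { next }                 # skip "total N", blanks, "dir:" headers
        {
            has = 0
            n = split($5, f, ",")        # e.g. "schg,nodump" -> schg, nodump
            for (i = 1; i <= n; i++) if (f[i] == want) has = 1
            if ((mode == "with") == has) {
                name = $10               # rebuild names that contain spaces
                for (i = 11; i <= NF; i++) name = name " " $i
                print name
            }
        }
    '
}

# Constructed sample, as if from `ls -lo` run on individual files.
sample_listing() {
    cat <<'EOF'
-r-xr-xr-x  1 root  wheel  schg           11200 Jan  5 10:12 /usr/bin/true
-r-xr-xr-x  1 root  wheel  -              23456 Jan  5 10:12 /usr/bin/uptime
-rw-r--r--  1 root  wheel  schg            2100 Jan  5 10:12 /etc/passwd
-rw-------  1 root  wheel  -               2300 Jan  5 10:12 /etc/master.passwd
-rw-r--r--  1 root  wheel  schg,nodump      500 Jan  5 10:12 /etc/group
-rw-r--r--  1 root  wheel  nodump       9000000 Jan  5 10:12 /var/tmp/scratch.img
EOF
}

echo "Missing schg:"
sample_listing | flag_report without schg
echo "Excluded from dump:"
sample_listing | flag_report with nodump
```

On a FreeBSD host, pipe a real listing into the helper instead of the sample, for example `ls -lo /usr/bin /usr/sbin | flag_report without schg`.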
6.4.7 See Also