chattr +option filename
- +i: Makes a file immutable: even root can't alter it. This is useful to protect against accidentally altering particularly important files.
- +a: Sets files such that they can only be appended to, not overwritten. If you set this on your log files, an attacker who gets access to the machine can't rewrite the logs to hide the break-in. Two things to bear in mind:
  - An attacker with full root access could simply use chattr's -a flag to remove this protection. Look into the lcap utility to remove from the kernel the capability to make this change (after which it will take a reboot to restore it).
  - Setting this attribute will break log rotation. It's a tradeoff between that slight inconvenience and the advantages of much better auditing.
- +S (note the capitalization): The per-file equivalent of setting mount -o sync for a directory. Instead of holding the data in a buffer and writing it to disk asynchronously (which improves performance but slightly increases the risk of data corruption), the write happens immediately when the change is made. On a per-file basis the performance hit is minor, so this may be useful, again, for particularly important files.
The -R flag will set these attributes recursively (chattr -R +i /directory). You can also see the attributes set for a particular file by using lsattr filename.
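An added example, not part of the original note: a small POSIX sh audit that parses lsattr output and reports which log files still lack the append-only (a) attribute, so the protection described above can be checked rather than assumed. The sample lsattr lines and the file names in them are constructed for the example; the live commands in the comments need root and an ext2/3/4 file system.

```shell
#!/bin/sh
# Added example (not from the original note): audit files for chattr
# attributes by parsing lsattr output.
#
# lsattr prints a fixed-width flag field, then a space, then the name:
#   -----a--------e------- /var/log/auth.log
# Flag positions differ between e2fsprogs versions, so we test for the
# presence of the letter rather than relying on a column index.

# has_attr FLAG LINE : succeed if the lsattr line LINE carries FLAG
has_attr() {
    flags=${2%% *}            # everything before the first space
    case "$flags" in
        *"$1"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# missing_append_only : read lsattr output on stdin and print, one per
# line, the names of files that do NOT have the append-only attribute.
missing_append_only() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        if ! has_attr a "$line"; then
            printf '%s\n' "${line#* }"   # name is everything after the flags
        fi
    done
}

# Constructed sample lsattr output (not captured from a real host).
SAMPLE='-----a--------e------- /var/log/auth.log
--------------e------- /var/log/syslog
----i---------e------- /etc/passwd'

# Stand-alone run on the constructed sample: lists syslog and passwd.
printf '%s\n' "$SAMPLE" | missing_append_only

# Live use (requires root; the file system must support attributes):
#   lsattr -d /var/log/* | missing_append_only      # what is unprotected
#   chattr +a /var/log/auth.log                     # protect one log
#   lsattr /var/log/auth.log                        # confirm the 'a' flag
```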