Go to main content

Securing Files and Verifying File Integrity in Oracle® Solaris 11.4

Exit Print View

Updated: August 2018
 
 

Using File Attributes to Add Security to ZFS Files

In a ZFS file system, you can mark security-relevant files for special treatment. The file attributes can affect local files, NFS-mounted files, or CIFS-mounted files. The chmod(1) and ls(1) man pages describe how to set and list file attributes.

    File attributes that have security implications include the following:

  • appendonly attribute – Permits adding to the end of a file but prevents modifying existing contents. This attribute on a log file can prevent changes to log file entries. Requires the PRIV_FILE_FLAG_SET privilege on the process to set the attribute and all privileges to remove it.

  • immutable attribute – Prevents modifying or deleting the contents of a file. Also prevents changing file metadata except for access time updates. On a directory, this attribute prevents the deletion of the directory and its files. Requires the PRIV_FILE_FLAG_SET privilege on the process to set the attribute and all privileges to remove it.

    For an example, see Applying Immutability to a ZFS File.

  • nounlink attribute – Prevents deletion of critical files or directories. On a directory, this attribute prevents the deletion or renaming of files. This attribute can prevent the accidental deletion of files that are critical for an application. Requires the PRIV_FILE_FLAG_SET privilege on the process to set the attribute and all privileges to remove it.

  • sensitive attribute – Indicates that the file contains keying information, such as PINs or passwords. Sensitive files are not written to the audit record.

  • readonly attribute – Permits no content change to a CIFS-mounted file. The owner of the file can set or clear this attribute, or a user or group with the write_attributes permission can set or clear this attribute.

For more information, see Applying Special Attributes to ZFS Files.