chattr +i /etc/shadow can be good
Just a note: if you change the attributes on /etc/shadow to immutable ("chattr +i /etc/shadow"), it's not necessarily a bad thing.
If your host is a garden-variety web server or router, for example, and you have added all the users you intend to add, then chattring /etc/shadow isn't that bad of an idea. If you won't be adding any new users, that is.
Basically, if you have added all the users you intend to have on the box, then sure, go ahead and try it; you can only learn from any/all mistakes you make anyway, so it's all good regardless. Plus, someone said you can just change the attributes back... sure you can, but every layer of security helps.
Also, someone said you can just change the attributes back; there are a few problems with that statement.
1. Some script kiddies wouldn't figure out that /etc/shadow had the immutable bit set.
2. Some generic "local and/or remote root exploits" require writing to /etc/shadow; setting this bit can even stop some exploits.
3. If you (like I do) remove "chattr" and "lsattr" from the machine, then the users can't even check to see if the immutable bit has been set. If they figure out it's been set, they have to download the package, install it, and then remove the attribute that way: a lot of work for the average ./script kiddie.
Point of the point - DEFENCE IN DEPTH: every little bit helps, as long as you know what you're doing and you can find some common ground between security and usability.
P.S. - try removing chattr and lsattr after your box is ready; it makes the script kiddie's life harder, and that's always fun.
P.P.S. - here's a better idea for chattr. Use it in conjunction with tripwire / md5sum to add further protection to your system binaries located in /bin, /sbin, etc. and your system libraries as well.
chattr -R +i /bin/* /sbin/* /usr/bin/* /usr/sbin/* /lib/*
chattr -R +a /var/log/*    (+a makes the logs append-only; -a would remove that flag)
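As an added example (not part of the post above), here is a small audit helper that parses lsattr(1) output and reports whether the immutable (i) or append-only (a) flag is set on a path, so a hardening checklist can confirm the state the post describes. The sample lsattr lines are constructed; audit_path() runs the real lsattr when it is present.

```shell
# Added example, not from the original post. lsattr prints one line per file:
# "<flags> <path>", where <flags> is a fixed-width string of attribute letters
# with '-' in the position of every flag that is not set.

attr_flags() {
    # $1: one lsattr output line; prints only the flag field
    printf '%s\n' "$1" | awk '{print $1}'
}

has_flag() {
    # $1: lsattr line, $2: single flag letter (i = immutable, a = append-only)
    case "$(attr_flags "$1")" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

audit_line() {
    # $1: lsattr line, $2: flag we expect. Prints "<path> OK" or
    # "<path> MISSING:<flag>" so the output can be grepped in a checklist run.
    line=$1; want=$2
    path=$(printf '%s\n' "$line" | awk '{print $2}')
    if has_flag "$line" "$want"; then
        printf '%s OK\n' "$path"
    else
        printf '%s MISSING:%s\n' "$path" "$want"
    fi
}

audit_path() {
    # Live check of a real path ($1) for flag $2. Needs lsattr on the box; if it
    # was removed as the post suggests, report that instead of guessing.
    if ! command -v lsattr >/dev/null 2>&1; then
        printf '%s UNKNOWN:lsattr-not-installed\n' "$1"
        return 2
    fi
    audit_line "$(lsattr -d -- "$1" 2>/dev/null)" "$2"
}

# Constructed sample output, in the format lsattr prints on an ext4 host.
SAMPLE_SHADOW='----i---------e------- /etc/shadow'
SAMPLE_PASSWD='--------------e------- /etc/passwd'
SAMPLE_LOG='-----a--------e------- /var/log/auth.log'

audit_line "$SAMPLE_SHADOW" i   # /etc/shadow OK
audit_line "$SAMPLE_PASSWD" i   # /etc/passwd MISSING:i
audit_line "$SAMPLE_LOG" a      # /var/log/auth.log OK
```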