File flags
In addition to basic file permissions, FreeBSD provides file flags that add another security level to file control. Depending on the security level, which is explained in the chapter Securelevel, file flags have different effects. Below are some common file flags that help secure your system. A complete list of file flags can be found in the respective manual.
sappnd: Files marked with this flag cannot be edited or deleted, but content may be appended. This is useful, for example, for log files, which can still grow but cannot be deleted by an attacker who wants to hide an intrusion. sappnd can only be set with root rights and cannot be removed at securelevel 1 or higher.
uappnd: Like sappnd, but besides root, the file owner can also set and remove this flag. Useful to prevent accidental deletion or modification of a file.
schg: Files marked with this flag cannot be edited, deleted or moved to another location. Schg can only be set with root rights and cannot be removed with security level 1 or higher.
uchg: Like schg, but besides root, the file owner can also set and remove this flag.
Set file flags with the command chflags, followed by the respective file flag and the file you want to protect: doas chflags sappnd /pfad/zu/datei
Delete file flags by placing a "no" in front of the file flag name: doas chflags nosappnd /pfad/zu/datei
One example of using file flags to make your system more secure is to protect the kernel file from modification: doas chflags schg /boot/kernel/kernel
Note that the file flag must be cleared for system updates.
Use the -R option to set the file flag recursively on the directory you specify and on all files and subdirectories in it. After the following command, the log files can no longer be removed, but you and the system can still append to them: doas chflags -R sappnd /var/log
If you cannot easily remove file flags, the system may be running at a higher security level. By default TwinCAT/BSD runs at security level -1, which provides no additional protection for the system and allows file flags to be changed freely. At higher security levels it is not possible to change the system flags (sappnd, schg).
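Because the flags have to be cleared for system updates, it is easy to forget to set them again. The following script, added here as an example and not part of the original page or of TwinCAT/BSD, checks a small policy of expected flags against the flags a file actually carries. It reads the st_flags field that FreeBSD exposes through os.stat() and maps it to the chflags names above via the constants in Python's stat module. The policy paths and the flag expectations are constructed for the example; on a platform without file flags (for example Linux) st_flags is absent and the file is reported as unsupported instead of passing silently.

```python
"""Audit FreeBSD file flags against a small policy.

Added example, not from the original page. Assumes Python's stat module
constants (SF_IMMUTABLE, SF_APPEND, UF_IMMUTABLE, UF_APPEND) and the
st_flags field FreeBSD returns from os.lstat().
"""
import os
import stat

# chflags(1) names mapped to the st_flags bits they correspond to.
FLAG_BITS = {
    "sappnd": stat.SF_APPEND,      # system append-only
    "schg": stat.SF_IMMUTABLE,     # system immutable
    "uappnd": stat.UF_APPEND,      # user append-only
    "uchg": stat.UF_IMMUTABLE,     # user immutable
}

# Constructed policy for the example: kernel immutable, log file append-only.
POLICY = {
    "/boot/kernel/kernel": {"schg"},
    "/var/log/messages": {"sappnd"},
}


def decode_flags(bits):
    """Return the set of chflags names that are set in an st_flags bitmask."""
    return {name for name, bit in FLAG_BITS.items() if bits & bit}


def missing_flags(bits, expected):
    """Return the expected flag names that are not set in the bitmask."""
    return set(expected) - decode_flags(bits)


def file_flags(path):
    """st_flags of path, or None when the platform has no file flags."""
    st = os.lstat(path)
    return getattr(st, "st_flags", None)


def audit(policy=POLICY):
    """Return {path: problem} for every policy entry that does not hold.

    An empty dict means every file carries all the flags the policy expects.
    """
    findings = {}
    for path, expected in policy.items():
        try:
            bits = file_flags(path)
        except FileNotFoundError:
            findings[path] = "missing file"
            continue
        if bits is None:
            findings[path] = "file flags not supported on this platform"
            continue
        lacking = missing_flags(bits, expected)
        if lacking:
            findings[path] = "missing " + ",".join(sorted(lacking))
    return findings


if __name__ == "__main__":
    # Run on the host, e.g. from cron after every update, and alert on output.
    for path, problem in sorted(audit().items()):
        print(f"{path}: {problem}")
```

Run it periodically (for example from cron) and treat any output as a finding: after an update the kernel line will show "missing schg" until the flag is set again with doas chflags schg /boot/kernel/kernel. Note that at securelevel 1 or higher the flags cannot be set or cleared, so the audit should run, and any remediation be done, before raising the securelevel.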