Bots will do what bots can do. One could make their home directory tmpfs that gets populated by a root startup script, or make home read-only and work with code in a tmpfs mount, or make the files it is dorking with immutable. Enable auditd rules that log when something is trying to write into your dotfiles. For that matter I would enable auditd rules that log every single thing a bot is doing. Those with good custom auditd rules will be the first to catch the bots doing something shady. There are many sites with examples on how to use auditd. I happen to like the writing style that archlinux creates. [1] I would be especially uncomfortable having a bot on my machine if ssh multiplexing is enabled as the bot could bypass MFA into production without anyone noticing but that's a topic for another day.
Another useful tool for monitoring changes and detecting shenanigans is OSSEC [2] but it does require some tuning to minimize noise.
Some would discourage the use of chattr +i as it can create confusion later on when debugging something. Its just a stop-gap until proper guard rails and monitoring are in place.
sudo chattr +i ~/.bashrc ~/.bash_prof* ~/.bash_logout ~/.vimrc
lsattr -a
This is obviously only useful if sudo is not passwordless or the bot could undo it.
Bender•1h ago
Another useful tool for monitoring changes and detecting shenanigans is OSSEC [2] but it does require some tuning to minimize noise.
Some would discourage the use of chattr +i as it can create confusion later on when debugging something. Its just a stop-gap until proper guard rails and monitoring are in place.
This is obviously only useful if sudo is not passwordless or the bot could undo it.[1] - https://wiki.archlinux.org/title/Audit_framework
[2] - https://www.ossec.net/