LIDS-Howto
Philippe Biondi (philippe.biondi@webmotion.com)
Contents
What is LIDS
Compile lidsadm
Install lidsadm
Get a RipeMD-160 hashed password
Patch a kernel
Configure the kernel
Options description
Security alert when execing unprotected programs before sealing
Do not execute unprotected programs before sealing LIDS
Enable init children lock feature
Try not to flood logs
Allow switching LIDS protections
Allow remote users to switch LIDS protections
Allow any program to switch LIDS protections
Allow reloading config. file
Hide some known processes
Invisibility is inherited
Allow some known processes to access /dev/mem (xfree, etc.)
Allow some known processes to access raw disk devices
Allow some known processes to access io ports
Allow some known processes to unmount devices (for UPSed systems)
Unmounting capability is inherited
Allow some known processes to kill init children
Killing capability is inherited
Filling the paths fields
How to install with a UPS
Compile the kernel and install it
Secure some files
With lidsadm
With chattr
Files updated at startup
Prepare the LIDS sealing
Capabilities
The CAP_CHOWN capability
The CAP_DAC_OVERRIDE capability
The CAP_DAC_READ_SEARCH capability
The CAP_FOWNER capability
The CAP_FSETID capability
The CAP_FS_MASK capability
The CAP_KILL capability
The CAP_SETGID capability
The CAP_SETUID capability
The CAP_SETPCAP capability
The CAP_LINUX_IMMUTABLE capability
The CAP_NET_BIND_SERVICE capability
The CAP_NET_BROADCAST capability
The CAP_NET_ADMIN capability
The CAP_NET_RAW capability
The CAP_IPC_LOCK capability
The CAP_IPC_OWNER capability
The CAP_SYS_MODULE capability
The CAP_SYS_RAWIO capability
The CAP_SYS_CHROOT capability
The CAP_SYS_PTRACE capability
The CAP_SYS_PACCT capability
The CAP_SYS_ADMIN capability
The CAP_SYS_BOOT capability
The CAP_SYS_NICE capability
The CAP_SYS_RESOURCE capability
The CAP_SYS_TIME capability
The CAP_SYS_TTY_CONFIG capability
Choose the capabilities you want to remove
Put the seal command
How to be sure the boot is secured
Rebooting the system
Working with LIDS
Example: switching LIDS
Example: net admin
Example: daemon managing
Example: files managing
About this document ...
Philippe Biondi, 2000-02-24