
Allow switching LIDS protections

If you say Yes here, you enable the possibility of switching LIDS flags/capabilities on and off. Saying No increases security, but your system becomes really hard to administer, because you must reboot and be at the console to change anything that is protected.

The mechanism is the following: lidsadm reads the current capabilities/flags, updates them according to your command line, asks you for a password, and feeds all of that to LIDS. If the password is correct, the capabilities/flags are updated and a security alert is raised to log the changes.

To make LIDS recognize your password, you must give it the password's RIPEMD-160 fingerprint. It can be computed by lidsadm (see chapter 4). This fingerprint is considered very difficult to break, so even if someone gets access to your kernel binary, it is unlikely that they will recover your password.

You can configure the number of attempts that will be allowed before the switching capability is disabled, and how long it will stay disabled. Each failed attempt to give the password is logged, whatever value you specified for the number of attempts.

The lower the number of attempts is and the higher the timeout is, the more secure the system will be.
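The attempt limit and timeout described above can be modelled as a small state machine. This is an added example, not LIDS source code: all names (`switch_guard`, `try_switch`, and so on) are hypothetical, the caller is assumed to have already computed the 20-byte RIPEMD-160 digest of the typed password, and resetting the failure counter after a success or an expired timeout is an assumption the page does not state.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FP_LEN 20                 /* RIPEMD-160 digest size in bytes */

enum sw_result { SW_OK, SW_BAD_PASSWORD, SW_DISABLED };

struct switch_guard {             /* hypothetical model, not a LIDS structure */
    uint8_t  fp[FP_LEN];          /* stored password fingerprint */
    unsigned max_attempts;        /* configured attempt limit */
    long     timeout;             /* configured disable time, in seconds */
    unsigned fails;               /* consecutive failed attempts */
    long     locked_until;        /* 0 while switching is enabled */
    unsigned logged;              /* attempts logged (bad or refused) */
};

void guard_init(struct switch_guard *g, const uint8_t *fp,
                unsigned max_attempts, long timeout)
{
    memset(g, 0, sizeof *g);
    memcpy(g->fp, fp, FP_LEN);
    g->max_attempts = max_attempts;
    g->timeout = timeout;
}

/* Compare digests without an early exit, so timing does not reveal
 * how many leading bytes matched. */
static int fp_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < FP_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

enum sw_result try_switch(struct switch_guard *g, const uint8_t *cand, long now)
{
    if (g->locked_until && now < g->locked_until) {
        g->logged++;              /* refused while disabled, still logged */
        return SW_DISABLED;       /* even a correct password is rejected */
    }
    if (g->locked_until) {        /* timeout expired (assumed: counter resets) */
        g->locked_until = 0;
        g->fails = 0;
    }
    if (fp_equal(g->fp, cand)) {
        g->fails = 0;
        return SW_OK;
    }
    g->logged++;                  /* every failure is logged, whatever the limit */
    if (++g->fails >= g->max_attempts)
        g->locked_until = now + g->timeout;
    return SW_BAD_PASSWORD;
}
```
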


Biondi Philippe 2000-02-24