
Put the seal command

Place this command so that it runs at startup as early as possible, immediately after the last operation that must complete before sealing.

You can put it in an rc script (rc.local, /etc/init.d/lids, /etc/rc.d/init.d/lids, etc.), depending on your distribution and the way you administer your system.

The command is, for example:

lidsadm -I -- -CAP_SYS_MODULE -CAP_SYS_RAWIO -CAP_SYS_ADMIN \
              -CAP_SYS_PTRACE -CAP_NET_ADMIN \
              +LOCK_INIT_CHILDREN

You can also add +RELOAD_CONF (see 6.2).

You must make sure that every program executed during startup before LIDS is sealed is protected, because anyone able to replace one of them with a program of their own could act before the capabilities are disallowed (see 9.4).
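
One way to audit this before adding the seal command, as an added example that is not part of the LIDS documentation: the script lists every rc script in a directory, and every executable those scripts mention by absolute path, that is not covered by a list of protected paths. The protected-list file, its one-path-per-line format, the rule that a protected directory covers its contents, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: report startup files not covered by a protected-path list.
# Assumptions (not from the LIDS documentation): PROTECTED_LIST is a text
# file kept by the administrator, one protected file or directory per line,
# and a protected directory covers everything beneath it.

# is_covered PATH LIST -> status 0 if PATH equals an entry or lies under one
is_covered() {
    while IFS= read -r entry; do
        entry=${entry%/}                      # tolerate a trailing slash
        [ -n "$entry" ] || continue
        case "$1" in
            "$entry"|"$entry"/*) return 0 ;;  # exact match or inside the directory
        esac
    done < "$2"
    return 1
}

# startup_files RC_DIR -> the rc scripts themselves plus every absolute path
# they mention (interpreter lines included) that is an executable regular file
startup_files() {
    for script in "$1"/*; do
        [ -f "$script" ] || continue
        printf '%s\n' "$script"
        grep -o '/[A-Za-z0-9_./+-]*' "$script" |
        while IFS= read -r p; do
            if [ -f "$p" ] && [ -x "$p" ]; then printf '%s\n' "$p"; fi
        done
    done | sort -u
}

# unprotected_startup_files RC_DIR PROTECTED_LIST -> one uncovered path per line
unprotected_startup_files() {
    startup_files "$1" | while IFS= read -r f; do
        is_covered "$f" "$2" || printf '%s\n' "$f"
    done
}

# Usage: sh check-startup.sh RC_DIR PROTECTED_LIST
if [ "$#" -eq 2 ]; then
    unprotected_startup_files "$1" "$2"
fi
```

Run it against the directory holding the scripts that execute before the seal command; commands the scripts resolve through PATH rather than by absolute path are not detected and need a manual check.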



Biondi Philippe 2000-02-24