lids-faq-7.html

关于LINUX安全内核的源代码

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
 <TITLE> LIDS FAQ: Sample Configurations</TITLE>
 <LINK HREF="LIDS-FAQ-8.html" REL=next>
 <LINK HREF="LIDS-FAQ-6.html" REL=previous>
 <LINK HREF="LIDS-FAQ.html#toc7" REL=contents>
</HEAD>
<BODY>
<A HREF="LIDS-FAQ-8.html">Next</A>
<A HREF="LIDS-FAQ-6.html">Previous</A>
<A HREF="LIDS-FAQ.html#toc7">Contents</A>
<HR>
<H2><A NAME="s7">7. Sample Configurations</A></H2>

<H2><A NAME="basic-system-setup-config"></A> <A NAME="ss7.1">7.1 Basic System Setup</A>
</H2>

<P> The following is a sample configuration for basic system setup.
<PRE>
# Protect System Binaries
#
/sbin/lidsadm -A -o /sbin                               -j READ
/sbin/lidsadm -A -o /bin                                -j READ

# Protect all of /usr and /usr/local
# (This assumes /usr/local is on a separate file system).
#
/sbin/lidsadm -A -o /usr                                -j READ
/sbin/lidsadm -A -o /usr/local                          -j READ

# Protect the System Libraries
#(/usr/lib is protected above since /usr/lib generally isn't
# on a separate file system than /usr)
#
/sbin/lidsadm -A -o /lib                                -j READ

# Protect /opt
#
/sbin/lidsadm -A -o /opt                                -j READ

# Protect System Configuration files
#
/sbin/lidsadm -A -o /etc                                -j READ
/sbin/lidsadm -A -o /usr/local/etc                      -j READ
/sbin/lidsadm -A -o /etc/shadow                         -j DENY
/sbin/lidsadm -A -o /etc/lilo.conf                      -j DENY

# Enable system authentication
#
/sbin/lidsadm -A -s /bin/login -o /etc/shadow           -j READ
/sbin/lidsadm -A -s /usr/bin/vlock -o /etc/shadow       -j READ
/sbin/lidsadm -A -s /bin/su -o /etc/shadow              -j READ
/sbin/lidsadm -A -s /bin/su \
                 -o CAP_SETUID                          -j GRANT
/sbin/lidsadm -A -s /bin/su \
                 -o CAP_SETGID                          -j GRANT

# Protect the boot partition
#
/sbin/lidsadm -A -o /boot                               -j READ

# Protect root's home dir, but allow bash history
#
/sbin/lidsadm -A -o /root                               -j READ
/sbin/lidsadm -A -s /bin/bash -o /root/.bash_history    -j WRITE

# Protect system logs
#
/sbin/lidsadm -A -o /var/log                            -j APPEND
/sbin/lidsadm -A -s /bin/login -o /var/log/wtmp         -j WRITE
/sbin/lidsadm -A -s /bin/login -o /var/log/lastlog      -j WRITE
/sbin/lidsadm -A -s /sbin/init -o /var/log/wtmp         -j WRITE
/sbin/lidsadm -A -s /sbin/init -o /var/log/lastlog      -j WRITE
/sbin/lidsadm -A -s /sbin/halt -o /var/log/wtmp         -j WRITE
/sbin/lidsadm -A -s /sbin/halt -o /var/log/lastlog      -j WRITE
/sbin/lidsadm -A -s /etc/rc.d/rc.sysinit \
                 -o /var/log/wtmp -i 1                  -j WRITE
/sbin/lidsadm -A -s /etc/rc.d/rc.sysinit \
                 -o /var/log/lastlog -i 1               -j WRITE

# Startup
#
/sbin/lidsadm -A -s /sbin/hwclock -o /etc/adjtime       -j WRITE


# Shutdown
#
/sbin/lidsadm -A -s /sbin/init -o CAP_INIT_KILL         -j GRANT
/sbin/lidsadm -A -s /sbin/init -o CAP_KILL              -j GRANT

# Give the following init script the proper privileges to kill processes and
# unmount the file systems.  However, anyone who can execute these scripts
# by themselves can effectively kill your processes.  It's better than
# the alternative, however.
#
# Any ideas on how to get around this are welcome!
#
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
                 -o CAP_INIT_KILL -i 1                  -j GRANT
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
                 -o CAP_KILL -i 1                       -j GRANT
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
                 -o CAP_NET_ADMIN -i 1                  -j GRANT
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
                 -o CAP_SYS_ADMIN -i 1                  -j GRANT

# Other
#
/sbin/lidsadm -A -s /sbin/update -o CAP_SYS_ADMIN       -j GRANT
</PRE>
<P>
<P>
<H2><A NAME="apache-config"></A> <A NAME="ss7.2">7.2 Apache</A>
</H2>

<P>This sample configuration assumes Apache was installed in <CODE>/usr/local/apache</CODE> with a log directory of <CODE>/var/log/httpd</CODE> and a configuration directory of <CODE>/etc/httpd</CODE>.  You can adjust the paths in the ACLs to match your own configuration.  With this configuration, Apache must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so it can bind to port 80 (and possibly 443).
<PRE>
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o CAP_SETUID                          -j GRANT
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o CAP_SETGID                          -j GRANT

# Config files
/sbin/lidsadm -A -o /etc/httpd                          -j DENY
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o /etc/httpd                          -j READ

# Server Root
/sbin/lidsadm -A -o /usr/local/apache                   -j DENY
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o /usr/local/apache                   -j READ

# Log Files
/sbin/lidsadm -A -o /var/log/httpd                      -j DENY
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o /var/log/httpd                      -j APPEND
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o /usr/local/apache/logs              -j WRITE
</PRE>
<P>
<H2><A NAME="qmail-config"></A> <A NAME="ss7.3">7.3 qmail</A>
</H2>

<P>These ACLs were written for a qmail setup that was installed according to Dave Sill's <EM>
<A HREF="http://Web.InfoAve.Net/~dsill/lwq.html">Life with qmail</A>.</EM>  With this configuration, qmail must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so tcpserver can bind to port 25.
<P>
<PRE>
# setup
/sbin/lidsadm -A -o /var/qmail                          -j READ
/sbin/lidsadm -A -s /usr/local/bin/multilog \
                 -o /var/log/qmail                      -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/svc \
                 -o /var/qmail/supervise                -j WRITE

# queue access
#
/sbin/lidsadm -A -s /var/qmail/bin/qmail-inject \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-rspawn \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-queue \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-clean \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-send \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-remote \
                 -o /var/qmail/queue                    -j WRITE

# Access to local mail boxes
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
                 -o CAP_SETUID                          -j GRANT
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
                 -o CAP_SETGID                          -j GRANT
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
                 -o CAP_DAC_OVERRIDE                    -j GRANT
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
                 -o CAP_DAC_READ_SEARCH                 -j GRANT


# Remote delivery
/sbin/lidsadm -A -s /var/qmail/bin/qmail-rspawn \
                 -o CAP_NET_BIND_SERVICE -i -1          -j GRANT

# supervise

/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/qmail/supervise/qmail-smtpd/supervise     -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/qmail/supervise/qmail-smtpd/log/supervise -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/qmail/supervise/qmail-send/supervise      -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/qmail/supervise/qmail-send/log/supervise  -j WRITE
</PRE>
<P>
<H2><A NAME="dnscache-and-tinydns-config"></A> <A NAME="ss7.4">7.4 dnscache &amp; tinydns (djbdns)</A>
</H2>

<P>The following ACLs were written for a djbdns setup based on Jeremy Rauch's <EM>Installing djbdns (DNScache) for Name Service</EM> parts 
<A HREF="http://www.securityfocus.com/focus/sun/articles/dnscache.html">1</A> &amp; 
<A HREF="http://www.securityfocus.com/focus/sun/articles/dnscache2.html">2</A>.  With this configuration, dnscache and tinydns must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so they can bind to port 53.
<PRE>
# dnscache
#
/sbin/lidsadm -A -o /var/dnscache                        -j READ
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/dnscache/dnscache/supervise     -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/dnscache/dnscache/log/supervise -j WRITE