lids-faq.txt

     Added a much simpler fix to the ``lidsadm compile problem''.
     Clarified the ``sealing the kernel'' question (hopefully).  Minor
     corrections.

  o  January 24th, 2001.  Version .06

  o  Removed ACL example from ``/etc/mtab mount'' question because
     /etc/mtab is recreated at system boot and each time a file system
     is unmounted.

  o  Added alternative fix to the ``lidsadm compile problem''.

  o  Minor corrections.

  o  January 22nd, 2001.  Version .05

     Minor additions to Basic System Setup sample configuration.  Added
     section on configuring e-mail alerts.

  o  January 19th, 2001.  Version .04

     Minor correction to ``lidsadm compile problem'' question.

  o  January 17th, 2001.  Version .03

     Added information about the new file ACL inheritance "-i" option in
     LIDS-0.9.12.  Also updated the configuration examples to use the
     "-i" option when required.  Other minor updates including
     information about lidsadm compile problems, enabling/disabling
     capabilities, and how to set up ACLs for a new program.

  o  January 15th, 2001.  Version .02

     Minor corrections.

  o  January 15th, 2001.  Version .01

     Initial release.

2.  Installing LIDS

2.1.  How do I apply the LIDS kernel patch?

Xie has included instructions on how to patch the kernel in the LIDS
download.  However, I will briefly cover the necessary steps.  This
example assumes your kernel sources are installed in /usr/src/linux.

  o  First you need to download the LIDS patch from
     www.lids.org/download.html.  Make sure you get the version that
     matches your kernel.

  o  Then, expand the tarball:

     $ tar zxvf lids-<lids_version>-<kernel_version>.tar.gz

  o  Apply the LIDS patch to the existing kernel sources:

     $ cd /usr/src/linux
     $ patch -p1 < /path/to/lids/patch/lids-<lids_version>-<kernel_version>.patch

  o  Then configure your kernel.  For an excellent source of information
     on recompiling your Linux kernel, see the Linux Kernel HOW-TO.
     There are several kernel configuration options for LIDS.  In order
     for LIDS to work, you must make sure the following options are
     enabled:

       [*]   Prompt for development and/or incomplete code/drivers
       [*]   Sysctl Support

2.2.  How do I install the LIDS administration utility lidsadm?

The source for the lidsadm utility is located in the directory
containing your LIDS source and is called:

  lidsadm-<lids_version>

(NOTE: If you are upgrading lidsadm, you should back up everything in
the /etc/lids directory first!)

To compile and install lidsadm, simply:

  $ make
  $ su -
  # make install

from the lidsadm source directory.  This will install lidsadm in the
/sbin directory.  It will also create an /etc/lids directory and place
a few default configuration files in it for you.

If you wish to use the view option with lidsadm, replace the

  $ make

with

  $ make VIEW=1

2.3.  What next?

Before you reboot into your LIDS enhanced kernel, you should configure
your LIDS ACLs first.  Otherwise your system may be unusable when you
reboot.  Configuring LIDS ACLs is covered ``later''.

2.4.  When I try to compile lidsadm, gcc reports that lidsext.h
doesn't exist.  How do I fix this problem?

This happens on systems where /usr/include/linux is not a symbolic
link to /usr/src/linux/include/linux.  The complete error message is:

  lidsadm.c:30: linux/lidsext.h: No such file or directory
  make: *** [lidsadm.o] Error 1

To fix this problem, edit the Makefile in the lidsadm source directory
and add -I/usr/src/linux/include to the CFLAGS option.  At this point,
you should be able to compile lidsadm normally.

2.5.  When I upgraded to LIDS version 0.9.14, 0.9.15, 1.0.6, or 1.0.7
my system panics during reboot.  How do I fix it?

The format of the /etc/lids/lids.conf file changed in these releases.
You need to recreate the file using the new version of lidsadm.

3.  lidsadm

3.1.  What is lidsadm?
lidsadm is the LIDS administration utility that you will use to
configure LIDS to enhance your system security.

3.2.  What options are available for lidsadm?

To get a list of the available options, enter the following:

  # lidsadm -h

This will return the following output:

./lidsadm v1.0.6 for LIDS project
        Huagang Xie<xie@gnuchina.org>
        Philippe Biondi <philippe.biondi@webmotion.net>
Usage: ./lidsadm -A [-s subject] -o object [-d] -j ACTION
       ./lidsadm -D [-s file] [-o file]
       ./lidsadm -Z
       ./lidsadm -U
       ./lidsadm -L
       ./lidsadm -P
       ./lidsadm -[S|I] -- [+|-][LIDS_FLAG] [...]
       ./lidsadm -V
       ./lidsadm -h

Commands:
       -A  To add an entry
       -D  To delete an entry
       -Z  To delete all entries
       -U  To update dev/inode numbers
       -L  To list all entries
       -P  To encrypt a password with RipeMD-160
       -S  To submit a password to switch some protections
       -I  To switch some protections without submitting password (sealing time)
       -V  To view current LIDS state (caps/flags)
       -h  To list this help

subject:
        can be any program,must be file
object:
        can be file,directory, or special device
        such as MEM,HD,NET,IO,HIDDEN,KILL
ACTION:
        READ    read only
        APPEND  append only
        WRITE   writable
        GRANT   grant capability to subject
TYPE:
            -d  the object is a EXEC Domain

Available capabilities:
             CAP_CHOWN chown(2)/chgrp(2)
      CAP_DAC_OVERRIDE DAC access
   CAP_DAC_READ_SEARCH DAC read
            CAP_FOWNER owner ID not equal user ID
            CAP_FSETID effective user ID not equal owner ID
              CAP_KILL real/effective ID not equal process ID
            CAP_SETGID setgid(2)
            CAP_SETUID set*uid(2)
           CAP_SETPCAP transfer capability
   CAP_LINUX_IMMUTABLE immutable and append file attributes
  CAP_NET_BIND_SERVICE binding to ports below 1024
     CAP_NET_BROADCAST broadcasting/listening to multicast
         CAP_NET_ADMIN interface/firewall/routing changes
           CAP_NET_RAW raw sockets
          CAP_IPC_LOCK locking of shared memory segments
         CAP_IPC_OWNER IPC ownership checks
        CAP_SYS_MODULE insertion and removal of kernel modules
         CAP_SYS_RAWIO ioperm(2)/iopl(2) access
        CAP_SYS_CHROOT chroot(2)
        CAP_SYS_PTRACE ptrace(2)
         CAP_SYS_PACCT configuration of process accounting
         CAP_SYS_ADMIN tons of admin stuff
          CAP_SYS_BOOT reboot(2)
          CAP_SYS_NICE nice(2)
      CAP_SYS_RESOURCE setting resource limits
          CAP_SYS_TIME setting system time
    CAP_SYS_TTY_CONFIG tty configuration
            CAP_HIDDEN Hidden process
         CAP_INIT_KILL Kill init children

Available flags:
           LIDS_GLOBAL LIDS itself
           RELOAD_CONF reload config. file and inode/dev of special programs
                  LIDS (de)activate LIDS locally (the shell & childs)

3.3.  Gee, thanks.  What are all these options?

lidsadm has a syntax similar to IPCHAINS.  Some of the command line
switches are the same.

  o   -A  = Add a rule.

  o   -D  = Delete a rule.

  o   -L  = List all existing rules.

  o   -h  = lidsadm help.

  o   -Z  = Delete all existing rules.

  o   -U  = Update the device/inode numbers of all files.

  o   -P  = Create/update the LIDS password.

  o   -V  = View current LIDS state (capabilities/flags).

  o   -S  = Make changes to your LIDS enabled system (requires LIDS
      password set by option "-P").

  o   -s  = Specifies a subject file.

  o   -o  = Specifies an object file.

  o   -j  = Specifies a target.

  o   -I  = Seals the kernel.  Used at the end of the startup process.

  o   -i  = Specifies that children of the subject will inherit this
      file ACL or capability (NOTE: the "-i" option isn't listed above).

lidsadm also uses "TARGETS" similar to ipchains.  The following
targets are allowed:

  o   READ        -  Set access permissions to read only.
  o   APPEND      -  Set access permissions to append only (includes
      read access).

  o   WRITE       -  Set access permissions to read/write.

  o   DENY        -  Deny access to this object.

  o   IGNORE      -  Ignore any permissions set on this object.

  o   GRANT       -  Grant the specified capability to the subject.

NOTE: The first five TARGETS apply to file ACLs, and the last TARGET
only applies to capabilities.

4.  LIDS Administration

4.1.  How do I set my LIDS password?

Before you reboot into your LIDS enhanced kernel, enter the following
at the command prompt:

  # lidsadm -P

You will then be prompted for a LIDS password:

  MAKE  enter password:
  Verifying enter password:

This will write your RipeMD-160 encrypted password to the
/etc/lids/lids.pw file.

4.2.  How do I change my LIDS password once it is set?

You must first create a ``LIDS free session''.  Then set your password
using the "-P" option just like you did ``the first time'' (you will
not be prompted for your current password).  After resetting your LIDS
password, you must tell LIDS to ``reload its configuration files''.

4.3.  What is a LIDS free session and how do I create one?

A LIDS free session (LFS) is a terminal session that is not restricted
by LIDS.  This option is available so you can administer your system
without having to reboot into a non-LIDS kernel.  In order for this to
work, you must have selected this option when you compiled your LIDS
enhanced kernel:

  [*] Allow switching LIDS protections

To create an LFS, enter the following at the prompt:

  # lidsadm -S -- -LIDS

You will then be prompted for your LIDS password.  This terminal is
now LIDS free.  It will remain LIDS free until you:

  o  Enable LIDS again (lidsadm -S -- +LIDS).

  o  Log out of the terminal.

You can only have one LFS active at any one time.  Even though
lidsadm -S -- -LIDS will not fail if entered on another terminal, you
can have only one LFS.

4.4.  I created a LIDS free session, but LIDS still appears to be
active!  What's wrong?

This can happen if you create an LFS on a virtual console and then
switch to another virtual console and try to administer your machine.
To clear it up, try enabling LIDS and then disabling it again
(entering passwords when prompted):

  # lidsadm -S -- +LIDS
  # lidsadm -S -- -LIDS

4.5.  How do I tell LIDS to reload its configuration files?

In order for LIDS to be able to reload its configuration files, you
must enable this option when you configure your LIDS enhanced kernel:

  [*]    Allow switching LIDS protections
  (3)    Number of attempts to submit password
  (30)   Time to wait after a fail (seconds)
  [ ]    Allow remote users to switch LIDS protections
  [ ]    Allow any program to switch LIDS protections
  [*]    Allow reloading config. file   <----------------------------
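
Section 3.3 lists the six lidsadm targets and notes that only GRANT
applies to capabilities, while the "lidsadm -h" output in 3.2 gives the
object classes (file, directory, or the special devices MEM, HD, NET,
IO, HIDDEN, KILL) and the CAP_* names.  The following POSIX shell
script is an added example, not part of the LIDS FAQ or of lidsadm: it
checks a (target, object, subject) triple against those rules and prints
the "lidsadm -A" command line it corresponds to, without ever running
lidsadm.  The sample rules at the bottom are constructed for
illustration; the bare "-i" form of the inheritance flag follows the
FAQ's wording in 3.3 and is an assumption about the exact syntax.

```shell
#!/bin/sh
# Added example for FAQ sections 3.2/3.3 (not from the LIDS FAQ or lidsadm).
# Checks a proposed rule against the target/object rules the FAQ gives and
# prints the matching "lidsadm -A" command line.  lidsadm is never run.

# lids_known_target TARGET: 0 if TARGET is one of the six targets in 3.3.
lids_known_target() {
    case "$1" in
        READ|APPEND|WRITE|DENY|IGNORE|GRANT) return 0 ;;
        *) return 1 ;;
    esac
}

# lids_is_capability OBJECT: 0 for the CAP_* names shown by "lidsadm -h".
lids_is_capability() {
    case "$1" in
        CAP_[A-Z_]*) return 0 ;;
        *) return 1 ;;
    esac
}

# lids_check_rule TARGET OBJECT [SUBJECT]
# Returns 0 when the rule is consistent with the FAQ:
#  - READ/APPEND/WRITE/DENY/IGNORE are file ACL targets, so the object must
#    be a file or directory (absolute path) or one of the special devices
#    MEM, HD, NET, IO, HIDDEN, KILL listed by lidsadm -h;
#  - GRANT is the only capability target, so the object must be a CAP_*
#    name and a subject program must be given to receive it.
lids_check_rule() {
    target=$1
    object=$2
    subject=${3:-}
    if ! lids_known_target "$target"; then
        echo "unknown target: $target" >&2
        return 1
    fi
    if [ "$target" = GRANT ]; then
        if ! lids_is_capability "$object"; then
            echo "GRANT takes a capability, not a file: $object" >&2
            return 1
        fi
        if [ -z "$subject" ]; then
            echo "GRANT needs a subject (-s) to receive $object" >&2
            return 1
        fi
    else
        if lids_is_capability "$object"; then
            echo "$target is a file ACL target; capabilities need GRANT" >&2
            return 1
        fi
        case "$object" in
            /*|MEM|HD|NET|IO|HIDDEN|KILL) ;;
            *) echo "object must be an absolute path or special device: $object" >&2
               return 1 ;;
        esac
    fi
    return 0
}

# lids_rule_cmd TARGET OBJECT [SUBJECT] [INHERIT]
# Prints the lidsadm -A invocation for a rule that passes lids_check_rule.
# INHERIT=1 adds the "-i" flag from 3.3 so the subject's children inherit
# the ACL (the bare "-i" form follows the FAQ's wording; assumption).
lids_rule_cmd() {
    lids_check_rule "$1" "$2" "${3:-}" || return 1
    cmd="lidsadm -A"
    if [ -n "${3:-}" ]; then
        cmd="$cmd -s $3"
    fi
    cmd="$cmd -o $2"
    if [ "${4:-0}" = 1 ]; then
        cmd="$cmd -i"
    fi
    echo "$cmd -j $1"
}

# Constructed sample rules (illustration only, not the FAQ's later configs).
lids_rule_cmd READ /etc/lids                             # system-wide read-only
lids_rule_cmd APPEND /var/log /sbin/syslogd 1            # syslogd and children may append
lids_rule_cmd GRANT CAP_NET_BIND_SERVICE /usr/sbin/sshd  # capability for one program
lids_rule_cmd GRANT /etc/shadow || echo "rejected: GRANT needs a CAP_* object"
```

Generating the command lines from a checked list rather than typing them
by hand catches the two mistakes the NOTE in 3.3 warns about (a file
target applied to a capability, or GRANT applied to a file) before
anything reaches /etc/lids/lids.conf.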

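For the compile problem in section 2.4, here is an added shell helper
(not from the FAQ or the lidsadm source) that detects whether
linux/lidsext.h is reachable through the compiler's default include root
and, if not, appends -I<kernel>/include to the CFLAGS line of the
lidsadm Makefile, leaving a Makefile that already carries the flag
untouched.  It refuses to edit when the kernel tree has no
include/linux/lidsext.h, which means the LIDS patch was never applied
and an extra -I would only hide that.  All paths are parameters, and the
demo runs against a constructed directory tree, not /usr/src/linux.

```shell
#!/bin/sh
# Added example for FAQ section 2.4 (not from the LIDS FAQ or lidsadm).
# Finds out why "linux/lidsext.h: No such file or directory" appears and
# adds -I<kernel_src>/include to CFLAGS in the lidsadm Makefile.

# lids_header_visible INCLUDE_ROOT
# Return 0 if linux/lidsext.h is reachable through the compiler's default
# include root (normally /usr/include).  It is, when /usr/include/linux
# is a symlink to the patched kernel's include/linux; otherwise the
# Makefile needs the extra -I flag.
lids_header_visible() {
    [ -r "$1/linux/lidsext.h" ]
}

# lids_fix_makefile MAKEFILE KERNEL_SRC
# Append "-I$KERNEL_SRC/include" to the CFLAGS line exactly once.
# Returns 1 (and changes nothing) if KERNEL_SRC carries no
# include/linux/lidsext.h, i.e. the LIDS patch was never applied, or if
# the Makefile has no CFLAGS line to extend.
lids_fix_makefile() {
    mk=$1
    src=$2
    inc="-I$src/include"
    if [ ! -r "$src/include/linux/lidsext.h" ]; then
        echo "no include/linux/lidsext.h under $src: apply the LIDS patch first" >&2
        return 1
    fi
    if ! grep -q '^CFLAGS' "$mk"; then
        echo "no CFLAGS line in $mk" >&2
        return 1
    fi
    if grep -q -F -- "$inc" "$mk"; then
        return 0                 # already fixed: keep the edit idempotent
    fi
    # Extend the CFLAGS assignment (=, :=, ?= or += all match) in place.
    sed 's|^\(CFLAGS[[:space:]]*[:?+]*=.*\)|\1 '"$inc"'|' "$mk" > "$mk.tmp" \
        && mv "$mk.tmp" "$mk"
}

# lids_cflags MAKEFILE: print the CFLAGS line so the result can be checked.
lids_cflags() {
    grep '^CFLAGS' "$1"
}

# make_demo_tree: constructed stand-in for /usr/src/linux and the lidsadm
# source directory (sample data, not a real kernel tree).  Prints its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/linux/include/linux" "$d/lidsadm"
    : > "$d/linux/include/linux/lidsext.h"
    printf 'CFLAGS = -O2 -Wall\nall: lidsadm\n' > "$d/lidsadm/Makefile"
    echo "$d"
}

# Stand-alone demo: the header is not visible through the demo tree's
# default include root, so the Makefile gets the -I flag appended.
demo=$(make_demo_tree)
lids_header_visible "$demo/usr/include" \
    || echo "lidsext.h not in default include path; fixing Makefile"
lids_fix_makefile "$demo/lidsadm/Makefile" "$demo/linux"
lids_cflags "$demo/lidsadm/Makefile"
rm -rf "$demo"
```

On a real system the call is lids_fix_makefile on the Makefile in the
lidsadm-<lids_version> directory with /usr/src/linux as the kernel
source; the script is deliberately narrow (one CFLAGS line, one flag,
no edit unless the patched header exists) so it cannot mask a missing
kernel patch as a plain include-path problem.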