6.1. Which kernel configuration options do I need to select in order to send security alerts through the network?

    [*] Send security alerts through network
    [ ]   Hide klids kernel thread
    (3)   Number of connection tries before giving up
    (30)  Sleep time after a failed connection
    (16)  Message queue size
    [*]   Use generic mailer pseudo-script

The first option enables the use of security alerts. The second option allows you to hide the process that sends the alerts. Until you have your mail notification working, it is recommended that you leave this option disabled, because hiding the thread will also prevent its error messages from being logged. The last option tells LIDS to use the generic mailer script provided with LIDS to send any alert messages to your mail server. This is currently the only option.

6.2. Where do I specify the mail server information and e-mail address to send the LIDS alerts to?

All information required for sending security alerts must be configured in the /etc/lids/lids.net file. A description of each option is provided in the configuration file itself. When specifying an e-mail address, be sure not to leave any leading or trailing spaces around the e-mail address; they may cause problems with delivery. For example, the following two MAIL_TO examples won't work:

    "MAIL_TO= steve@clublinux.org"
    "MAIL_TO=steve@clublinux.org "

NOTE: The double quotes are used only to show you the leading and trailing space. They should not be included in your configuration.

After making changes to the /etc/lids/lids.net file, you must tell LIDS to "reload" its configuration files.

6.3. LIDS can't seem to deliver alerts to my qmail SMTP server. Is there a fix for this?

Yes. For LIDS versions 0.9.12 and older, a patch is required in order to make LIDS e-mail alerts work with a qmail SMTP mail server. The patch can be found here: http://www.egroups.com/message/lids/1896.

7. Sample Configurations

7.1. Basic System Setup

The following is a sample configuration for basic system setup.
    # Protect System Binaries
    #
    /sbin/lidsadm -A -o /sbin -j READ
    /sbin/lidsadm -A -o /bin -j READ

    # Protect all of /usr and /usr/local
    # (This assumes /usr/local is on a separate file system).
    #
    /sbin/lidsadm -A -o /usr -j READ
    /sbin/lidsadm -A -o /usr/local -j READ

    # Protect the System Libraries
    # (/usr/lib is protected above since /usr/lib generally isn't
    # on a separate file system than /usr)
    #
    /sbin/lidsadm -A -o /lib -j READ

    # Protect /opt
    #
    /sbin/lidsadm -A -o /opt -j READ

    # Protect System Configuration files
    #
    /sbin/lidsadm -A -o /etc -j READ
    /sbin/lidsadm -A -o /usr/local/etc -j READ
    /sbin/lidsadm -A -o /etc/shadow -j DENY
    /sbin/lidsadm -A -o /etc/lilo.conf -j DENY

    # Enable system authentication
    #
    /sbin/lidsadm -A -s /bin/login -o /etc/shadow -j READ
    /sbin/lidsadm -A -s /usr/bin/vlock -o /etc/shadow -j READ
    /sbin/lidsadm -A -s /bin/su -o /etc/shadow -j READ
    /sbin/lidsadm -A -s /bin/su \
        -o CAP_SETUID -j GRANT
    /sbin/lidsadm -A -s /bin/su \
        -o CAP_SETGID -j GRANT

    # Protect the boot partition
    #
    /sbin/lidsadm -A -o /boot -j READ

    # Protect root's home dir, but allow bash history
    #
    /sbin/lidsadm -A -o /root -j READ
    /sbin/lidsadm -A -s /bin/bash -o /root/.bash_history -j WRITE

    # Protect system logs
    #
    /sbin/lidsadm -A -o /var/log -j APPEND
    /sbin/lidsadm -A -s /bin/login -o /var/log/wtmp -j WRITE
    /sbin/lidsadm -A -s /bin/login -o /var/log/lastlog -j WRITE
    /sbin/lidsadm -A -s /sbin/init -o /var/log/wtmp -j WRITE
    /sbin/lidsadm -A -s /sbin/init -o /var/log/lastlog -j WRITE
    /sbin/lidsadm -A -s /sbin/halt -o /var/log/wtmp -j WRITE
    /sbin/lidsadm -A -s /sbin/halt -o /var/log/lastlog -j WRITE
    /sbin/lidsadm -A -s /etc/rc.d/rc.sysinit \
        -o /var/log/wtmp -i 1 -j WRITE
    /sbin/lidsadm -A -s /etc/rc.d/rc.sysinit \
        -o /var/log/lastlog -i 1 -j WRITE

    # Startup
    #
    /sbin/lidsadm -A -s /sbin/hwclock -o /etc/adjtime -j WRITE

    # Shutdown
    #
    /sbin/lidsadm -A -s /sbin/init -o CAP_INIT_KILL -j GRANT
    /sbin/lidsadm -A -s /sbin/init -o CAP_KILL -j GRANT

    # Give the following init script the proper privileges to kill processes and
    # unmount the file systems. However, anyone who can execute these scripts
    # by themselves can effectively kill your processes. It's better than
    # the alternative, however.
    #
    # Any ideas on how to get around this are welcome!
    #
    /sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
        -o CAP_INIT_KILL -i 1 -j GRANT
    /sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
        -o CAP_KILL -i 1 -j GRANT
    /sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
        -o CAP_NET_ADMIN -i 1 -j GRANT
    /sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
        -o CAP_SYS_ADMIN -i 1 -j GRANT

    # Other
    #
    /sbin/lidsadm -A -s /sbin/update -o CAP_SYS_ADMIN -j GRANT

7.2. Apache

This sample configuration assumes Apache was installed in /usr/local/apache with a log directory of /var/log/httpd and a configuration directory of /etc/httpd. You can adjust the paths in the ACLs to match your own configuration. With this configuration, Apache must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled, so it can bind to port 80 (and possibly 443).

    /sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
        -o CAP_SETUID -j GRANT
    /sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
        -o CAP_SETGID -j GRANT

    # Config files
    /sbin/lidsadm -A -o /etc/httpd -j DENY
    /sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
        -o /etc/httpd -j READ

    # Server Root
    /sbin/lidsadm -A -o /usr/local/apache -j DENY
    /sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
        -o /usr/local/apache -j READ

    # Log Files
    /sbin/lidsadm -A -o /var/log/httpd -j DENY
    /sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
        -o /var/log/httpd -j APPEND
    /sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
        -o /usr/local/apache/logs -j WRITE

7.3. qmail

These ACLs were written for a qmail setup that was installed according to Dave Sill's Life with qmail. With this configuration, qmail must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled, so tcpserver can bind to port 25.

    # setup
    /sbin/lidsadm -A -o /var/qmail -j READ
    /sbin/lidsadm -A -s /usr/local/bin/multilog \
        -o /var/log/qmail -j WRITE
    /sbin/lidsadm -A -s /usr/local/bin/svc \
        -o /var/qmail/supervise -j WRITE

    # queue access
    #
    /sbin/lidsadm -A -s /var/qmail/bin/qmail-inject \
        -o /var/qmail/queue -j WRITE
    /sbin/lidsadm -A -s /var/qmail/bin/qmail-rspawn \
        -o /var/qmail/queue -j WRITE
    /sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
        -o /var/qmail/queue -j WRITE
    /sbin/lidsadm -A -s /var/qmail/bin/qmail-queue \
        -o /var/qmail/queue -j WRITE
    /sbin/lidsadm -A -s /var/qmail/bin/qmail-clean \
        -o /var/qmail/queue -j WRITE
    /sbin/lidsadm -A -s /var/qmail/bin/qmail-send \
        -o /var/qmail/queue -j WRITE
    /sbin/lidsadm -A -s /var/qmail/bin/qmail-remote \
        -o /var/qmail/queue -j WRITE

    # Access to local mail boxes
    /sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
        -o CAP_SETUID -j GRANT
    /sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
        -o CAP_SETGID -j GRANT
    /sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
        -o CAP_DAC_OVERRIDE -j GRANT
    /sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
        -o CAP_DAC_READ_SEARCH -j GRANT

    # Remote delivery
    /sbin/lidsadm -A -s /var/qmail/bin/qmail-rspawn \
        -o CAP_NET_BIND_SERVICE -i -1 -j GRANT

    # supervise
    /sbin/lidsadm -A -s /usr/local/bin/supervise \
        -o /var/qmail/supervise/qmail-smtpd/supervise -j WRITE
    /sbin/lidsadm -A -s /usr/local/bin/supervise \
        -o /var/qmail/supervise/qmail-smtpd/log/supervise -j WRITE
    /sbin/lidsadm -A -s /usr/local/bin/supervise \
        -o /var/qmail/supervise/qmail-send/supervise -j WRITE
    /sbin/lidsadm -A -s /usr/local/bin/supervise \
        -o /var/qmail/supervise/qmail-send/log/supervise -j WRITE

7.4. dnscache & tinydns (djbdns)

The following ACLs were written for a djbdns setup based on Jeremy Rauch's Installing djbdns (DNScache) for Name Service, parts 1 & 2. With this configuration, dnscache and tinydns must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled, so they can bind to port 53.

    # dnscache
    #
    /sbin/lidsadm -A -o /var/dnscache -j READ
    /sbin/lidsadm -A -s /usr/local/bin/supervise \
        -o /var/dnscache/dnscache/supervise -j WRITE
    /sbin/lidsadm -A -s /usr/local/bin/supervise \
        -o /var/dnscache/dnscache/log/supervise -j WRITE
    /sbin/lidsadm -A -s /usr/local/bin/multilog \
        -o /var/dnscache/dnscache/log/main -j WRITE

    # tinydns
    #
    /bin/echo "tinydns"
    /sbin/lidsadm -A -s /usr/local/bin/supervise \
        -o /var/dnscache/tinydns/supervise -j WRITE
    /sbin/lidsadm -A -s /usr/local/bin/supervise \
        -o /var/dnscache/tinydns/log/supervise -j WRITE
    /sbin/lidsadm -A -s /usr/local/bin/multilog \
        -o /var/dnscache/tinydns/log/main -j WRITE

7.5. Courier-imap

The following ACLs assume courier-imap was installed into /usr/local/courier-imap. With this configuration, courier-imap must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled, so it can bind to port 143.

    /sbin/lidsadm -A -o /usr/local/courier-imap -j DENY
    /sbin/lidsadm -A -s /usr/local/courier-imap/sbin/imaplogin \
        -o /etc/shadow -j READ
    /sbin/lidsadm -A -s /usr/local/courier-imap/libexec/authlib/authpam \
        -o /etc/shadow -j READ
    /sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
        -o /usr/local/courier-imap -j READ
    /sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
        -o CAP_SETUID -i 3 -j GRANT
    /sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
        -o CAP_SETGID -i 3 -j GRANT
    /sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
        -o CAP_DAC_OVERRIDE -i 3 -j GRANT
    /sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
        -o CAP_DAC_READ_SEARCH -i 3 -j GRANT

7.6. MySQL

The following ACLs assume MySQL was installed into /usr/local/mysql.

    /sbin/lidsadm -A -o /usr/local/mysql/var -j APPEND
    /sbin/lidsadm -A -o /usr/local/mysql -j DENY
    /sbin/lidsadm -A -s /usr/local/mysql/libexec/mysqld \
        -o /usr/local/mysql -j READ
    /sbin/lidsadm -A -s /usr/local/mysql/libexec/mysqld \
        -o /usr/local/mysql/var -j WRITE

7.7. OpenSSH

The following configuration will work after boot and while LIDS_GLOBAL is on, because it gives sshd the CAP_NET_BIND_SERVICE capability.

    /sbin/lidsadm -A -s /usr/sbin/sshd -o /etc/shadow -j READ
    /sbin/lidsadm -A -o /etc/ssh/sshd_config -j DENY
    /sbin/lidsadm -A -o /etc/ssh/ssh_host_key -j DENY
    /sbin/lidsadm -A -o /etc/ssh/ssh_host_dsa_key -j DENY
    /sbin/lidsadm -A -s /usr/sbin/sshd \
        -o /etc/ssh/sshd_config -j READ
    /sbin/lidsadm -A -s /usr/sbin/sshd \
        -o /etc/ssh/ssh_host_key -j READ
    /sbin/lidsadm -A -s /usr/sbin/sshd \
        -o /etc/ssh/ssh_host_dsa_key -j READ
    /sbin/lidsadm -A -s /usr/sbin/sshd \
        -o /var/log/wtmp -j WRITE
    /sbin/lidsadm -A -s /usr/sbin/sshd \
        -o /var/log/lastlog -j WRITE
    /sbin/lidsadm -A -s /usr/sbin/sshd \
        -o CAP_SETUID -j GRANT
    /sbin/lidsadm -A -s /usr/sbin/sshd \
        -o CAP_SETGID -j GRANT
    /sbin/lidsadm -A -s /usr/sbin/sshd \
        -o CAP_FOWNER -j GRANT
    /sbin/lidsadm -A -s /usr/sbin/sshd \
        -o CAP_CHOWN -j GRANT
    /sbin/lidsadm -A -s /usr/sbin/sshd \
        -o CAP_DAC_OVERRIDE -j GRANT
    /sbin/lidsadm -A -s /usr/sbin/sshd \
        -o CAP_NET_BIND_SERVICE -j GRANT

7.8. OpenLDAP (slapd)

The following configuration will work after boot and while LIDS_GLOBAL is on, because it gives slapd the CAP_NET_BIND_SERVICE capability.

    /sbin/lidsadm -A -s /usr/local/libexec/slapd \
        -o /usr/local/ldapdb -j WRITE
    /sbin/lidsadm -A -s /usr/local/libexec/slapd \
        -o CAP_NET_BIND_SERVICE -j GRANT
    /sbin/lidsadm -A -s /usr/local/libexec/slapd \
        -o CAP_INIT_KILL -j GRANT
    /sbin/lidsadm -A -s /usr/local/libexec/slapd \
        -o CAP_SYS_MODULE -j GRANT

7.9. Port Sentry

The following configuration will work after boot and while LIDS_GLOBAL is on, because it gives portsentry the CAP_NET_BIND_SERVICE capability. Depending on what you want portsentry to do, you may or may not need all of the following ACLs.

    /sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
        -o /usr/local/psionic/portsentry -j WRITE
    /sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
        -o /var/log -j WRITE
    /sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
        -o CAP_NET_BIND_SERVICE -j GRANT
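The sample configurations above share a pattern: DENY or READ on the service tree for everyone, then narrow grants to the daemon binary, APPEND on logs, and capabilities with a bounded inheritance level. The following script is an added review aid written for this FAQ, not LIDS project code: it joins the backslash-continued lines of an ACL script and flags the rules that depart from that pattern (WRITE instead of APPEND on /var/log, -i -1 unlimited inheritance, the broadest capabilities, and WRITE/GRANT rules with no -s subject). It assumes only the lidsadm option syntax the samples use and runs against a constructed sample; it never invokes lidsadm.

```shell
#!/bin/sh
# Added example for the FAQ's sample configurations; not LIDS project code.
# Assumes only the lidsadm syntax the samples use:
#   lidsadm -A [-s SUBJECT] -o OBJECT [-i LEVEL] -j READ|WRITE|APPEND|DENY|GRANT
# Reads an ACL script on stdin, joins continued lines, prints one finding per rule.
audit_lids_acls() {
    awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }     # join "... \" continuations
    { line = buf $0; buf = "" }
    line ~ "^[[:space:]]*#" || line ~ "^[[:space:]]*$" { next }
    {
        subj = ""; obj = ""; lvl = ""; act = ""
        n = split(line, f, /[[:space:]]+/)
        for (i = 1; i <= n; i++) {
            if (f[i] == "-s") subj = f[i + 1]
            else if (f[i] == "-o") obj = f[i + 1]
            else if (f[i] == "-i") lvl = f[i + 1]
            else if (f[i] == "-j") act = f[i + 1]
        }
        # Logs belong APPEND-only; WRITE on wtmp/lastlog for login-type programs is expected.
        if (act == "WRITE" && obj ~ "^/var/log(/|$)" && obj !~ "/(wtmp|lastlog)$")
            print "LOG-WRITE: " subj " gets WRITE on " obj " (APPEND keeps logs tamper-evident)"
        # -i -1 hands the capability to every descendant of the subject.
        if (act == "GRANT" && lvl == "-1")
            print "INHERIT-ALL: " subj " passes " obj " to all child processes (-i -1)"
        # Kernel-wide capabilities that deserve an individual justification.
        if (act == "GRANT" && obj ~ "^CAP_(SYS_ADMIN|SYS_MODULE|SYS_RAWIO)$")
            print "POWERFUL-CAP: " subj " granted " obj
        # A WRITE/GRANT rule without -s applies to every program on the system.
        if (subj == "" && (act == "WRITE" || act == "GRANT"))
            print "NO-SUBJECT: " act " on " obj " is not restricted to any program"
    }'
}

# Constructed sample modelled on the FAQ configurations above (not a real host).
sample_acls() {
    cat <<'EOF'
/sbin/lidsadm -A -o /var/log -j APPEND
/sbin/lidsadm -A -s /bin/login -o /var/log/wtmp -j WRITE
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
    -o CAP_SYS_ADMIN -i 1 -j GRANT
/sbin/lidsadm -A -s /var/qmail/bin/qmail-rspawn \
    -o CAP_NET_BIND_SERVICE -i -1 -j GRANT
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
    -o /var/log -j WRITE
/sbin/lidsadm -A -s /usr/sbin/sshd -o CAP_SETUID -j GRANT
EOF
}

sample_acls | audit_lids_acls
```

On the constructed sample it reports three findings (the halt script's CAP_SYS_ADMIN, qmail-rspawn's -i -1, and portsentry's WRITE on /var/log); to review a real script, pipe it in instead of sample_acls.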