lids-faq.sgml

来自「关于LINUX安全内核的源代码」· SGML 代码 · 共 1,356 行 · 第 1/5 页

 lidsadm.c:30: linux/lidsext.h: No such file or directory make: *** [lidsadm.o] Error 1 
</verb>

To fix this problem, edit the Makefile in the lidsadm source directory and add <tt>-I/usr/src/linux/include</tt> to the CFLAGS option.

At this point, you should be able to compile lidsadm normally.  

<sect1> When I <em>upgraded</em> to LIDS version 0.9.14, 0.9.15, 1.0.6, or 1.0.7 my system panics during reboot.  How do I fix it?
<p>
The format of the <tt>/etc/lids/lids.conf</tt> file changed in these releases.  You need to recreate the file using the new version of lidsadm.

<!-- Section 3 -->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->

<sect> lidsadm

<sect1> What is lidsadm?
<p>
lidsadm is the LIDS administration utility that you will use to configure LIDS to enhance your system security.

<sect1> What options are available for lidsadm?
<p>
To get a list of the available options, enter the following:
<verb>
# lidsadm -h
</verb>

This will return the following output:

<verb>

./lidsadm v1.0.6 for LIDS project
        Huagang Xie<xie@gnuchina.org>
                Philippe Biondi <philippe.biondi@webmotion.net>

Usage: ./lidsadm -A [-s subject] -o object [-d] -j ACTION
       ./lidsadm -D [-s file] [-o file]
       ./lidsadm -Z
       ./lidsadm -U
       ./lidsadm -L
       ./lidsadm -P
       ./lidsadm -[S|I] -- [+|-][LIDS_FLAG] [...]
       ./lidsadm -V
       ./lidsadm -h

Commands:
       -A  To add an entry
       -D  To delete an entry
       -Z  To delete all entries
       -U  To update dev/inode numbers
       -L  To list all entries
       -P  To encrypt a password with RipeMD-160
       -S  To submit a password to switch some protections
       -I  To switch some protections without submitting password (sealing time)
       -V  To view current LIDS state (caps/flags)
       -h  To list this help

subject:
        can be any program,must be file
object:
        can be file,directory, or special device
        such as MEM,HD,NET,IO,HIDDEN,KILL
ACTION:
        READ    read only
        APPEND  append only
        WRITE   writable
        GRANT   grant capability to subject
TYPE:
            -d  the object is a EXEC Domain

Available capabilities:
           CAP_CHOWN chown(2)/chgrp(2)
    CAP_DAC_OVERRIDE DAC access
 CAP_DAC_READ_SEARCH DAC read
          CAP_FOWNER owner ID not equal user ID
          CAP_FSETID effective user ID not equal owner ID
            CAP_KILL real/effective ID not equal process ID
          CAP_SETGID setgid(2)
          CAP_SETUID set*uid(2)
         CAP_SETPCAP transfer capability
 CAP_LINUX_IMMUTABLE immutable and append file attributes
CAP_NET_BIND_SERVICE binding to ports below 1024
   CAP_NET_BROADCAST broadcasting/listening to multicast
       CAP_NET_ADMIN interface/firewall/routing changes
         CAP_NET_RAW raw sockets
        CAP_IPC_LOCK locking of shared memory segments
       CAP_IPC_OWNER IPC ownership checks
      CAP_SYS_MODULE insertion and removal of kernel modules
       CAP_SYS_RAWIO ioperm(2)/iopl(2) access
      CAP_SYS_CHROOT chroot(2)
      CAP_SYS_PTRACE ptrace(2)
       CAP_SYS_PACCT configuration of process accounting
       CAP_SYS_ADMIN tons of admin stuff
        CAP_SYS_BOOT reboot(2)
        CAP_SYS_NICE nice(2)
    CAP_SYS_RESOURCE setting resource limits
        CAP_SYS_TIME setting system time
  CAP_SYS_TTY_CONFIG tty configuration
          CAP_HIDDEN Hidden process
       CAP_INIT_KILL Kill init children

Available flags:
         LIDS_GLOBAL LIDS itself

         RELOAD_CONF reload config. file and inode/dev of special programs
                LIDS (de)activate LIDS locally (the shell & childs)

</verb>

<sect1> Gee, thanks.  What are all these options?
<p>
lidsadm has a syntax similar to <htmlurl url="http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html" name="IPCHAINS">.  Some of the command line switches are the same.

<itemize>
<item> <tt> -A </tt> = Add a rule.
<item> <tt> -D </tt> = Delete a rule.
<item> <tt> -L </tt> = List all existing rules.
<item> <tt> -h </tt> = lidsadm help.
<item> <tt> -Z </tt> = Delete all existing rules.
<item> <tt> -U </tt> = Update the device/inode numbers of all files.
<item> <tt> -P </tt> = Create/update the LIDS password.
<item> <tt> -V </tt> = View current LIDS state (capabilities/flags).
<item> <tt> -S </tt> = Make changes to your LIDS enabled system (requires LIDS password set by option "-P").
<item> <tt> -s </tt> = Specifies a subject file.
<item> <tt> -o </tt> = Specifies an object file.
<item> <tt> -j </tt> = Specifies a target.
<item> <tt> -I </tt> = Seals the kernel.  Used at the end of the startup process.
<item> <tt> -i </tt> = Specifies that children of the subject will inherit this
file ACL or capability (NOTE: "-i" options isn't listed above).
</itemize>

<p> lidsadm also uses "TARGETS" similar to ipchains.  The following targets are allowed:

<itemize>
<item> <tt> READ        - </tt> Set access permissions to read only.
<item> <tt> APPEND      - </tt> Set access permissions to append only (includes read access).
<item> <tt> WRITE       - </tt> Set access permissions to read/write.
<item> <tt> DENY        - </tt> Deny access to this object.
<item> <tt> IGNORE      - </tt> Ignore any permissions set on this object.
<item> <tt> GRANT       - </tt> Grant the specified capability to the subject.
</itemize>

NOTE: The first five TARGETS apply to file ACLs, and the last TARGET only applies to capabilities.

<!-- Section 4 -->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->

<sect> LIDS Administration

<sect1> How do I set my LIDS password?
<label id="Set-Password">
<p>
Before you reboot into your LIDS enhanced kernel, enter the following at the command prompt:
<verb>
# lidsadm -P
</verb>
<p>
You will then be prompted for a LIDS password:
<verb>
MAKE
enter password:
Verifying enter password:
</verb>
<p>
This will write your RipeMD-160 encrypted password to the <tt> /etc/lids/lids.pw </tt> file.

<sect1> How do I change my LIDS password once it is set?
<p>
You must first create a <ref id="LFS" name="LIDS free session">.  Then set your password using the "-P" option just like you did <ref id="Set-Password" name="the first time"> (you will not be prompted for your current password).  After resetting your LIDS password, you must tell LIDS to <ref id="Reload" name="reload its configuration files">.

<sect1> What is a LIDS free session and how do I create one?
<label id="LFS">
<p>
A LIDS free session (LFS) is a terminal session that is not restricted by LIDS.  This option is available so you can administer your system without having to reboot into a non-LIDS kernel.  In order for this to work, you must have selected this option when you compiled your LIDS enhanced kernel:
<verb>
  [*] Allow switching LIDS protections
</verb>
To create an LFS, enter the following at the prompt:

<verb>
# lidsadm -S -- -LIDS
</verb>

You will then be prompted for your LIDS password.  This terminal is now LIDS free.  It will remain LIDS free until you:

<itemize>
<item> Enable LIDS again <tt>(lidsadm -S -- +LIDS)</tt>.
<item> Log out of the terminal.
</itemize>

You can only have one LFS active at any one time.  Even though <tt> lidsadm -S -- -LIDS </tt> will not fail if entered on another terminal, you can have only one LFS.

<sect1> I created a LIDS free session, but LIDS still appears to be active!  What's wrong?
<p>
This can happen if you create an LFS on a virtual console and then switch to another virtual console and try to administer your machine.  To clear it up, try enabling LIDS and then disabling it again (entering passwords when prompted):

<verb>
# lidsadm -S -- +LIDS
# lidsadm -S -- -LIDS
</verb>

<sect1> How do I tell LIDS to reload its configuration files?
<label id="Reload">

<p>
In order for LIDS to be able to reload its configuration files, you must enable this option when you configure your LIDS enhanced kernel:
<verb>
  [*]  Allow switching LIDS protections
  (3)    Number of attempts to submit password
  (30)     Time to wait after a fail (seconds)
  [ ]    Allow remote users to switch LIDS protections
  [ ]    Allow any program to switch LIDS protections
  [*]    Allow reloading config. file   <----------------------------
</verb>

NOTE: You must allow switching LIDS protections in order to enable reloading of configuration files.

From an LFS (or with LIDS_GLOBAL disabled), execute the following command to instruct LIDS to reload its configuration files:
<verb>
# lidsadm -S -- +RELOAD_CONF
</verb>
<p>
This will reload the following configuration files:
<itemize>
<item> <tt> /etc/lids/lids.conf  - </tt> LIDS ACL configuration file.
<item> <tt> /etc/lids/lids.cap   - </tt> LIDS capabilities file.
<item> <tt> /etc/lids/lids.pw    - </tt> LIDS password file.
<item> <tt> /etc/lids/lids.net   - </tt> LIDS mail alert configuration file.
</itemize>

<sect1> Help!!! My system is totally unusable! What do I do?
<label id="unusable-system">
<p>
You can reboot into a non-LIDS enhanced kernel, or boot into your LIDS enhanced kernel with LIDS disabled to try and patch things up.  To boot with LIDS disabled, specify <tt> security=0 </tt> at the lilo prompt.  For example, if your LIDS enhanced kernel is called <tt> lids-kernel </tt> you would enter the following at the lilo prompt:

<verb>
lilo: lids-kernel security=0
</verb>

That's the easy part.  The difficult part is getting your LIDS enabled system to shutdown.  You may not be able to shutdown successfully depending on your LIDS configuration.

<bf> WARNING: </bf>  Rebooting your LIDS enabled system when it is not properly configured can cause file system corruption and/or loss of data!!

<sect1> I've updated/moved a system binary.  How do I tell LIDS that the file changed/moved?
<label id="update-inodes">
<p>
Whenever the device that a file resides on, or a file's inode number changes, you must update your <tt> /etc/lids/lids.conf </tt> file with the proper information.  Fortunately, Xie has provided us with an option just for this occasion:

<verb>
# lidsadm -U
</verb>

You must then <ref id="Reload" name="reload the configuration files">.

<sect1> OK, without rebooting, how do I completely disable LIDS?
<p>
Besides using an LFS, LIDS can be turned off globally.  This will only work if you compiled the option into your kernel.
<verb>
# lidsadm -S -- -LIDS_GLOBAL
</verb>

When <tt> LIDS_GLOBAL </tt> is disabled, your system will operate like a "normal" Linux system.  To re-enable LIDS globally, perform the opposite:

<verb>
#lidsadm -S -- +LIDS_GLOBAL
</verb>

NOTE: This will not affect your LFS if you currently have one enabled.

<sect1> What does it mean to "seal the kernel"?
<label id="sealing-the-kernel">
<p>