lids-faq.sgml
Folder: source code concerning the Linux security kernel
Page 1 of 5
/sbin/lidsadm -A -s /bin/su \
                 -o CAP_SETGID                          -j GRANT
# Protect the boot partition
#
/sbin/lidsadm -A -o /boot                               -j READ
# Protect root's home dir, but allow bash history
#
/sbin/lidsadm -A -o /root                               -j READ
/sbin/lidsadm -A -s /bin/bash -o /root/.bash_history    -j WRITE
# Protect system logs
#
/sbin/lidsadm -A -o /var/log                            -j APPEND
/sbin/lidsadm -A -s /bin/login -o /var/log/wtmp         -j WRITE
/sbin/lidsadm -A -s /bin/login -o /var/log/lastlog      -j WRITE
/sbin/lidsadm -A -s /sbin/init -o /var/log/wtmp         -j WRITE
/sbin/lidsadm -A -s /sbin/init -o /var/log/lastlog      -j WRITE
/sbin/lidsadm -A -s /sbin/halt -o /var/log/wtmp         -j WRITE
/sbin/lidsadm -A -s /sbin/halt -o /var/log/lastlog      -j WRITE
/sbin/lidsadm -A -s /etc/rc.d/rc.sysinit \
                 -o /var/log/wtmp -i 1                  -j WRITE
/sbin/lidsadm -A -s /etc/rc.d/rc.sysinit \
                 -o /var/log/lastlog -i 1               -j WRITE
# Startup
#
/sbin/lidsadm -A -s /sbin/hwclock -o /etc/adjtime       -j WRITE
# Shutdown
#
/sbin/lidsadm -A -s /sbin/init -o CAP_INIT_KILL         -j GRANT
/sbin/lidsadm -A -s /sbin/init -o CAP_KILL              -j GRANT
# Give the following init script the proper privileges to kill processes and
# unmount the file systems.  However, anyone who can execute these scripts
# by themselves can effectively kill your processes.  It's better than
# the alternative, however.
#
# Any ideas on how to get around this are welcome!
#
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
                 -o CAP_INIT_KILL -i 1                  -j GRANT
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
                 -o CAP_KILL -i 1                       -j GRANT
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
                 -o CAP_NET_ADMIN -i 1                  -j GRANT
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
                 -o CAP_SYS_ADMIN -i 1                  -j GRANT
# Other
#
/sbin/lidsadm -A -s /sbin/update -o CAP_SYS_ADMIN       -j GRANT
</verb>

<sect1> Apache<label id="apache-config">
<p>This sample configuration assumes Apache was installed in <tt>/usr/local/apache</tt> with a log directory of <tt>/var/log/httpd</tt> and a configuration directory of <tt>/etc/httpd</tt>.  You can adjust the paths in the ACLs to match your own configuration.  With this configuration, Apache must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so it can bind to port 80 (and possibly 443).
<verb>
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o CAP_SETUID                          -j GRANT
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o CAP_SETGID                          -j GRANT
# Config files
/sbin/lidsadm -A -o /etc/httpd                          -j DENY
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o /etc/httpd                          -j READ
# Server Root
/sbin/lidsadm -A -o /usr/local/apache                   -j DENY
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o /usr/local/apache                   -j READ
# Log Files
/sbin/lidsadm -A -o /var/log/httpd                      -j DENY
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o /var/log/httpd                      -j APPEND
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o /usr/local/apache/logs              -j WRITE
</verb>

<sect1> qmail<label id="qmail-config">
<p>These ACLs were written for a qmail setup that was installed according to Dave Sill's <em><htmlurl url="http://Web.InfoAve.Net/~dsill/lwq.html" name="Life with qmail"></em>.  With this configuration, qmail must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so tcpserver can bind to port 25.
<verb>
# setup
/sbin/lidsadm -A -o /var/qmail                          -j READ
/sbin/lidsadm -A -s /usr/local/bin/multilog \
                 -o /var/log/qmail                      -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/svc \
                 -o /var/qmail/supervise                -j WRITE
# queue access
#
/sbin/lidsadm -A -s /var/qmail/bin/qmail-inject \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-rspawn \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-queue \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-clean \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-send \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-remote \
                 -o /var/qmail/queue                    -j WRITE
# Access to local mail boxes
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
                 -o CAP_SETUID                          -j GRANT
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
                 -o CAP_SETGID                          -j GRANT
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
                 -o CAP_DAC_OVERRIDE                    -j GRANT
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
                 -o CAP_DAC_READ_SEARCH                 -j GRANT
# Remote delivery
/sbin/lidsadm -A -s /var/qmail/bin/qmail-rspawn \
                 -o CAP_NET_BIND_SERVICE -i -1          -j GRANT
# supervise
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/qmail/supervise/qmail-smtpd/supervise     -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/qmail/supervise/qmail-smtpd/log/supervise -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/qmail/supervise/qmail-send/supervise      -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/qmail/supervise/qmail-send/log/supervise  -j WRITE
</verb>

<sect1> dnscache &amp; tinydns (djbdns)<label id="dnscache-and-tinydns-config">
<p>The following ACLs were written for a djbdns setup based on Jeremy Rauch's <em>Installing djbdns (DNScache) for Name Service</em> parts <htmlurl url="http://www.securityfocus.com/focus/sun/articles/dnscache.html" name="1"> &amp; <htmlurl url="http://www.securityfocus.com/focus/sun/articles/dnscache2.html" name="2">.  With this configuration, dnscache and tinydns must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so they can bind to port 53.
<verb>
# dnscache
#
/sbin/lidsadm -A -o /var/dnscache                        -j READ
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/dnscache/dnscache/supervise     -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/dnscache/dnscache/log/supervise -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/multilog \
                 -o /var/dnscache/dnscache/log/main      -j WRITE
# tinydns
#
/bin/echo "tinydns"
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/dnscache/tinydns/supervise      -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/dnscache/tinydns/log/supervise  -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/multilog \
                 -o /var/dnscache/tinydns/log/main       -j WRITE
</verb>

<sect1> Courier-imap<label id="courier-imap-config">
<p>The following ACLs assume courier-imap was installed into <tt>/usr/local/courier-imap</tt>. With this configuration, courier-imap must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so it can bind to port 143.
<verb>
/sbin/lidsadm -A -o /usr/local/courier-imap                     -j DENY
/sbin/lidsadm -A -s /usr/local/courier-imap/sbin/imaplogin \
                 -o /etc/shadow                                 -j READ
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/authlib/authpam \
                 -o /etc/shadow                                 -j READ
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
                 -o /usr/local/courier-imap                     -j READ
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
                 -o CAP_SETUID -i 3                             -j GRANT
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
                 -o CAP_SETGID -i 3                             -j GRANT
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
                 -o CAP_DAC_OVERRIDE -i 3                       -j GRANT
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
                 -o CAP_DAC_READ_SEARCH -i 3                    -j GRANT
</verb>

<sect1> MySQL<label id="mysql-config">
<p>The following ACLs assume MySQL was installed into <tt>/usr/local/mysql</tt>.
<verb>
/sbin/lidsadm -A -o /usr/local/mysql/var                -j APPEND
/sbin/lidsadm -A -o /usr/local/mysql                    -j DENY
/sbin/lidsadm -A -s /usr/local/mysql/libexec/mysqld \
                 -o /usr/local/mysql                    -j READ
/sbin/lidsadm -A -s /usr/local/mysql/libexec/mysqld \
                 -o /usr/local/mysql/var                -j WRITE
</verb>

<sect1> OpenSSH<label id="openssh-config">
<p>The following configuration will work after boot and while LIDS_GLOBAL is on because it gives sshd the CAP_NET_BIND_SERVICE capability.
<verb>
/sbin/lidsadm -A -s /usr/sbin/sshd -o /etc/shadow       -j READ
/sbin/lidsadm -A -o /etc/ssh/sshd_config                -j DENY
/sbin/lidsadm -A -o /etc/ssh/ssh_host_key               -j DENY
/sbin/lidsadm -A -o /etc/ssh/ssh_host_dsa_key           -j DENY
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o /etc/ssh/sshd_config                -j READ
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o /etc/ssh/ssh_host_key               -j READ
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o /etc/ssh/ssh_host_dsa_key           -j READ
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o /var/log/wtmp                       -j WRITE
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o /var/log/lastlog                    -j WRITE
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o CAP_SETUID                          -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o CAP_SETGID                          -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o CAP_FOWNER                          -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o CAP_CHOWN                           -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o CAP_DAC_OVERRIDE                    -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o CAP_NET_BIND_SERVICE                -j GRANT
</verb>

<sect1> OpenLDAP (slapd)<label id="openldap-config">
<p>The following configuration will work after boot and while LIDS_GLOBAL is on because it gives slapd the CAP_NET_BIND_SERVICE capability.
<verb>
/sbin/lidsadm -A -s /usr/local/libexec/slapd \
                 -o /usr/local/ldapdb                   -j WRITE
/sbin/lidsadm -A -s /usr/local/libexec/slapd \
                 -o CAP_NET_BIND_SERVICE                -j GRANT
/sbin/lidsadm -A -s /usr/local/libexec/slapd \
                 -o CAP_INIT_KILL                       -j GRANT
/sbin/lidsadm -A -s /usr/local/libexec/slapd \
                 -o CAP_SYS_MODULE                      -j GRANT
</verb>

<sect1> Port Sentry<label id="portsentry-config">
<p>The following configuration will work after boot and while LIDS_GLOBAL is on because it gives portsentry the CAP_NET_BIND_SERVICE capability.  Depending on what you want portsentry to do, you may or may not need all of the following ACLs.
<verb>
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
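A small audit helper for ACL scripts like the ones in these sections, added here as an example: it is not part of the LIDS FAQ and not a tool shipped with LIDS. It never calls lidsadm; it only parses the text of lidsadm -A lines, assuming nothing beyond the option letters used on this page (-s subject, -o object or capability, -i inheritance level, -j action). It answers two questions the sections above keep raising: which capability GRANTs are inherited by child processes (the caveat the FAQ itself makes about /etc/rc.d/init.d/halt), and whether a daemon is granted CAP_NET_BIND_SERVICE and so can be started with LIDS_GLOBAL on rather than before sealing. The sample ACLs are constructed from rules shown above; the function names are this example's own.

```shell
#!/bin/sh
# Audit helper for a LIDS ACL script written with lidsadm -A lines in the
# style shown on this page. Added example; not part of the LIDS FAQ and not a
# tool shipped with LIDS. It never calls lidsadm: it only parses the text of
# such a script, assuming the option letters used on this page (-s subject,
# -o object or capability, -i inheritance level, -j action).

# Constructed sample, taken from the kinds of rules shown above.
SAMPLE_ACLS='
# Protect system logs
#
/sbin/lidsadm -A -o /var/log                            -j APPEND
/sbin/lidsadm -A -s /bin/su \
                 -o CAP_SETGID                          -j GRANT
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
                 -o CAP_SYS_ADMIN -i 1                  -j GRANT
/sbin/lidsadm -A -s /var/qmail/bin/qmail-rspawn \
                 -o CAP_NET_BIND_SERVICE -i -1          -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o CAP_NET_BIND_SERVICE                -j GRANT
'

# Join backslash-continued lines, drop comments and blank lines, and emit one
# record per ACL as  subject|object|inherit|action  ("-" when no -s subject
# is given, inherit "0" when -i is absent, i.e. not inherited by children).
lids_normalize() {
  printf '%s\n' "$1" | awk '
    { buf = buf $0 }                                    # accumulate the current line
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, " ", buf); next }    # continued on the next line
    {
      line = buf; buf = ""
      if (line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/) next  # comment or blank line
      $0 = line                                         # re-split on whitespace
      subj = "-"; obj = ""; inh = "0"; act = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-s")      subj = $(i + 1)
        else if ($i == "-o") obj  = $(i + 1)
        else if ($i == "-i") inh  = $(i + 1)
        else if ($i == "-j") act  = $(i + 1)
      }
      if (obj != "") print subj "|" obj "|" inh "|" act
    }'
}

# Capability GRANTs only: "subject capability inherit", one per line.
lids_cap_grants() {
  lids_normalize "$1" | awk -F'|' '$2 ~ /^CAP_/ && $4 == "GRANT" { print $1, $2, $3 }'
}

# GRANTs with a non-zero inheritance level: every program the subject runs
# receives the capability too (the page's own caveat about init.d/halt).
# -1 means unlimited depth, so those deserve the closest look.
lids_inherited_grants() {
  lids_cap_grants "$1" | awk '$3 != "0"'
}

# Exit 0 when the given program is granted CAP_NET_BIND_SERVICE, i.e. it can
# bind a privileged port with LIDS_GLOBAL on; otherwise (exit 1) it has to be
# started before the kernel is sealed, as the sections above note.
lids_can_bind_sealed() {
  lids_cap_grants "$1" | awk -v s="$2" '
    $1 == s && $2 == "CAP_NET_BIND_SERVICE" { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Stand-alone run: report on the constructed sample.
echo "== capability grants =="
lids_cap_grants "$SAMPLE_ACLS"
echo "== inherited grants (review each one) =="
lids_inherited_grants "$SAMPLE_ACLS"
for p in /usr/sbin/sshd /bin/su; do
  if lids_can_bind_sealed "$SAMPLE_ACLS" "$p"; then
    echo "$p: may bind privileged ports after sealing"
  else
    echo "$p: no CAP_NET_BIND_SERVICE; start it before sealing if it needs a privileged port"
  fi
done
```

Run it against your own ACL script with `lids_cap_grants "$(cat /etc/lids/lids.conf.sh)"` or whatever file you keep the lidsadm lines in (path assumed). Object-only rules such as DENY or APPEND on a directory are parsed too, so the same normalized records can be fed to further checks, for example confirming that every READ or WRITE exception has a matching DENY on its parent.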
