lids-faq-3.html

关于LINUX安全内核的源代码

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
 <TITLE> LIDS FAQ: lidsadm</TITLE>
 <LINK HREF="LIDS-FAQ-4.html" REL=next>
 <LINK HREF="LIDS-FAQ-2.html" REL=previous>
 <LINK HREF="LIDS-FAQ.html#toc3" REL=contents>
</HEAD>
<BODY>
<A HREF="LIDS-FAQ-4.html">Next</A>
<A HREF="LIDS-FAQ-2.html">Previous</A>
<A HREF="LIDS-FAQ.html#toc3">Contents</A>
<HR>
<H2><A NAME="s3">3. lidsadm</A></H2>

<H2><A NAME="ss3.1">3.1 What is lidsadm?</A>
</H2>

<P>lidsadm is the LIDS administration utility that you will use to configure LIDS to enhance your system security.
<P>
<H2><A NAME="ss3.2">3.2 What options are available for lidsadm?</A>
</H2>

<P>To get a list of the available options, enter the following:
<PRE>
# lidsadm -h
</PRE>
<P>This will return the following output:
<P>
<PRE>

./lidsadm v1.0.6 for LIDS project
        Huagang Xie&lt;xie@gnuchina.org>
                Philippe Biondi &lt;philippe.biondi@webmotion.net>

Usage: ./lidsadm -A [-s subject] -o object [-d] -j ACTION
       ./lidsadm -D [-s file] [-o file]
       ./lidsadm -Z
       ./lidsadm -U
       ./lidsadm -L
       ./lidsadm -P
       ./lidsadm -[S|I] -- [+|-][LIDS_FLAG] [...]
       ./lidsadm -V
       ./lidsadm -h

Commands:
       -A  To add an entry
       -D  To delete an entry
       -Z  To delete all entries
       -U  To update dev/inode numbers
       -L  To list all entries
       -P  To encrypt a password with RipeMD-160
       -S  To submit a password to switch some protections
       -I  To switch some protections without submitting password (sealing time)
       -V  To view current LIDS state (caps/flags)
       -h  To list this help

subject:
        can be any program,must be file
object:
        can be file,directory, or special device
        such as MEM,HD,NET,IO,HIDDEN,KILL
ACTION:
        READ    read only
        APPEND  append only
        WRITE   writable
        GRANT   grant capability to subject
TYPE:
            -d  the object is a EXEC Domain

Available capabilities:
           CAP_CHOWN chown(2)/chgrp(2)
    CAP_DAC_OVERRIDE DAC access
 CAP_DAC_READ_SEARCH DAC read
          CAP_FOWNER owner ID not equal user ID
          CAP_FSETID effective user ID not equal owner ID
            CAP_KILL real/effective ID not equal process ID
          CAP_SETGID setgid(2)
          CAP_SETUID set*uid(2)
         CAP_SETPCAP transfer capability
 CAP_LINUX_IMMUTABLE immutable and append file attributes
CAP_NET_BIND_SERVICE binding to ports below 1024
   CAP_NET_BROADCAST broadcasting/listening to multicast
       CAP_NET_ADMIN interface/firewall/routing changes
         CAP_NET_RAW raw sockets
        CAP_IPC_LOCK locking of shared memory segments
       CAP_IPC_OWNER IPC ownership checks
      CAP_SYS_MODULE insertion and removal of kernel modules
       CAP_SYS_RAWIO ioperm(2)/iopl(2) access
      CAP_SYS_CHROOT chroot(2)
      CAP_SYS_PTRACE ptrace(2)
       CAP_SYS_PACCT configuration of process accounting
       CAP_SYS_ADMIN tons of admin stuff
        CAP_SYS_BOOT reboot(2)
        CAP_SYS_NICE nice(2)
    CAP_SYS_RESOURCE setting resource limits
        CAP_SYS_TIME setting system time
  CAP_SYS_TTY_CONFIG tty configuration
          CAP_HIDDEN Hidden process
       CAP_INIT_KILL Kill init children

Available flags:
         LIDS_GLOBAL LIDS itself

         RELOAD_CONF reload config. file and inode/dev of special programs
                LIDS (de)activate LIDS locally (the shell &amp; childs)
</PRE>
<P>
<H2><A NAME="ss3.3">3.3 Gee, thanks.  What are all these options?</A>
</H2>

<P>lidsadm has a syntax similar to 
<A HREF="http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html">IPCHAINS</A>.  Some of the command line switches are the same.
<P>
<UL>
<LI> <CODE> -A </CODE> = Add a rule.</LI>
<LI> <CODE> -D </CODE> = Delete a rule.</LI>
<LI> <CODE> -L </CODE> = List all existing rules.</LI>
<LI> <CODE> -h </CODE> = lidsadm help.</LI>
<LI> <CODE> -Z </CODE> = Delete all existing rules.</LI>
<LI> <CODE> -U </CODE> = Update the device/inode numbers of all files.</LI>
<LI> <CODE> -P </CODE> = Create/update the LIDS password.</LI>
<LI> <CODE> -V </CODE> = View current LIDS state (capabilities/flags).</LI>
<LI> <CODE> -S </CODE> = Make changes to your LIDS enabled system (requires LIDS password set by option "-P").</LI>
<LI> <CODE> -s </CODE> = Specifies a subject file.</LI>
<LI> <CODE> -o </CODE> = Specifies an object file.</LI>
<LI> <CODE> -j </CODE> = Specifies a target.</LI>
<LI> <CODE> -I </CODE> = Seals the kernel.  Used at the end of the startup process.</LI>
<LI> <CODE> -i </CODE> = Specifies that children of the subject will inherit this
file ACL or capability (NOTE: "-i" options isn't listed above).</LI>
</UL>
<P>
<P> lidsadm also uses "TARGETS" similar to ipchains.  The following targets are allowed:
<P>
<UL>
<LI> <CODE> READ        - </CODE> Set access permissions to read only.</LI>
<LI> <CODE> APPEND      - </CODE> Set access permissions to append only (includes read access).</LI>
<LI> <CODE> WRITE       - </CODE> Set access permissions to read/write.</LI>
<LI> <CODE> DENY        - </CODE> Deny access to this object.</LI>
<LI> <CODE> IGNORE      - </CODE> Ignore any permissions set on this object.</LI>
<LI> <CODE> GRANT       - </CODE> Grant the specified capability to the subject.</LI>
</UL>
<P>NOTE: The first five TARGETS apply to file ACLs, and the last TARGET only applies to capabilities.
<P>
<P>
<HR>
<A HREF="LIDS-FAQ-4.html">Next</A>
<A HREF="LIDS-FAQ-2.html">Previous</A>
<A HREF="LIDS-FAQ.html#toc3">Contents</A>
</BODY>
</HTML>