.\" Man page written by Sander Klein <roedie@roedie.nl> (May 2003)
.\" It is based on the original lidsadm page by Steve Bremer.
.\" TODO: I will think of something in the end...
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2 of the License, or
.\" (at your option) any later version.
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
lidsconf \- configuration tool for Linux Intrusion Detection System
.B lidsconf -A [-s subject] -o object [-d] [-t from-to] [-i level] -j ACTION
.B lidsconf -D [-s file] [-o file]
is a configuration tool for
.I Linux Intrusion Detection System (LIDS).
LIDS is a kernel patch that enhances the current Linux kernel. With LIDS, you can protect important files, directories, and devices. You can also define ACLs that restrict access on the entire system. For more information about LIDS, please go to
.I http://www.lids.org.
is used to configure the access restriction information for LIDS. All of the information is stored in "/etc/lids/lids.conf".
ACL is short for "Access Control List". An ACL in LIDS defines how a subject can access an object. The subject can be any program file on the system. The object can be a file, directory, or a special option (MEM devices, RAW IO, a HIDDEN process, etc). The target defines the access type that the subject has on the object.
The synopsis of the ACL is
[-s subject] [-d|-i TTL] -o object [-t timescale] -j TARGET
When a subject is not specified, the ACL defines the object's default access.
A subject can be any program on the system, such as "/bin/login".
.B -o object [portscale]
An object can be a file, directory, or a special option (CAP_SYS_RAWIO, CAP_HIDDEN, CAP_INIT_KILL, etc). If the object is CAP_NET_BIND_SERVICE, you must specify the port scale following it. For example, "20-299,400-1002".
This is for the DOMAIN setting. When defined, the subject can only access objects in the domain specified. Any operation that affects an object outside of this domain will not be permitted.
.B -i <inheritance level>
This specifies that the ACL is inheritable by the subject's children. The
affects how far the ACL is inherited. An inheritance level of "-1" means
inheritance. An inheritance level of 1 means that a child process spawned by the parent which is not the same program as the parent will inherit the ACL, but a child process spawned from the child (i.e. a grandchild of the original process) won't.
The inheritance level only affects children that are not the same program as their parent. If the child is the same program as the parent, it gains all the permissions of its parent.
This is the time restriction for an ACL. This restriction only applies to an ACL with a subject. The time restriction sets the period during which the ACL is in effect. The timescale format is "hourminute-hourminute". For example, "0905-1021" means "from 9 o'clock and 5 minutes to 10 o'clock and 21 minutes".
The Target can be READ, APPEND, WRITE, or IGNORE for normal file access ACLs. For a special object, the Target can only be GRANT.
.SH Available capabilities
The capabilities used in LIDS are shown below. You can use the name to enable or disable the capability when sealing and switching. You can also grant the capability to a program even if the capability is disabled globally on the system.
.B CAP_DAC_READ_SEARCH
Owner ID not equal user ID.
Effective user ID not equal owner ID.
Real/effective ID not equal process ID.
.B CAP_LINUX_IMMUTABLE
Immutable and append file attributes.
.B CAP_NET_BIND_SERVICE
Binding to ports below 1024.
Broadcasting/listening to multicast.
Interface/firewall/routing changes.
Locking of shared memory segments.
IPC ownership checks.
Insertion and removal of kernel modules.
ioperm(2)/iopl(2) access.
Configuration of process accounting.
Setting resource limits.
.B CAP_SYS_TTY_CONFIG
Allow the privileged aspects of mknod().
Allow taking of leases on files.
Make a program hidden from the entire system.
.B CAP_KILL_PROTECTED
Allow/disallow a process to kill protected processes.
Protect the process from signals.
Here are some examples of using lidsconf. They range from simple/normal to a little more complex/esoteric. Note that actual file names are used to make things more concrete. In their place you should substitute file/directories from
.B lidsconf -A -o /sbin -j READ
This ACL protects the /sbin directory as read-only.
.B lidsconf -A -o /var/log/message -j APPEND
Protects /var/log/message as append-only.
.B lidsconf -A -o /sbin/test -j IGNORE
Specifies that the read-only protection of /sbin doesn't apply to /sbin/test.
.B lidsconf -A -o /etc/passwd -j DENY
Makes /etc/passwd hidden from everyone. Nothing can see the file (open, stat, ...).
.B lidsconf -A -s /bin/login -o /etc/passwd -j READ
Allows the /bin/login program to read /etc/passwd even though it has been defined as hidden above.
In this case, only /bin/login can read /etc/passwd. No other program or user can see the file (/etc/passwd).
.B lidsconf -A -o /home/httpd -j DENY
.B lidsconf -A -s /usr/sbin/httpd -o /home/httpd -j READ
.B lidsconf -A -s /usr/sbin/httpd -o CAP_NET_BIND_SERVICE 80 -i -1 -j GRANT
Protects the server root of a web server (/home/httpd) as DENY, allows only the httpd binary (/usr/sbin/httpd) to read the server root (/home/httpd), and lets httpd bind only to port 80.
.B lidsconf -A -s /bin/program -i 2 -o CAP_NET_ADMIN -j GRANT
Grants /bin/program the capability CAP_NET_ADMIN, with an inheritance level of 2.
.B lidsconf -A -s /usr/X11/bin/XF86_SVGA -o CAP_SYS_RAWIO -j GRANT
Grants the program XF86_SVGA the capability CAP_SYS_RAWIO even if CAP_SYS_RAWIO has been disabled in /etc/lids/lids.cap.
.B lidsconf -A -s /usr/sbin/httpd -d -o /home/httpd -j READ
Defines the program httpd's EXEC DOMAIN as /home/httpd. Any operation outside of /home/httpd is not allowed while httpd is running.
.B lidsconf -A -s /bin/login -o /etc/shadow -t 0900:1800 -j READ
Allows /bin/login to read /etc/shadow only between 09:00 and 18:00. With this, you can restrict logins to that period.
.B lidsconf -A -s /usr/sbin/sshd -o CAP_NET_BIND_SERVICE 10-22,300-1020 -j GRANT
Allows /usr/sbin/sshd to bind to port numbers from 10 to 22 and from 300 to 1020; in this case, sshd can only bind to ports in that port scale.
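The examples above can be checked against a small model of the ACL semantics this page describes: the object's default ACL versus a subject ACL, the longest matching object winning (the /sbin versus /sbin/test IGNORE case), the port scale on CAP_NET_BIND_SERVICE, and the "hourminute-hourminute" timescale from the OPTIONS section. This is an added example written for this page, not LIDS or lidsconf code; the exec domain and inheritance level are assumed out of scope, and the target semantics (READ, APPEND, WRITE, DENY, IGNORE, GRANT) are taken as the page states them.

```python
# Toy model of the ACL semantics this man page describes (added example, not LIDS code).
from dataclasses import dataclass
from typing import Optional

# What each target lets a matching subject do (IGNORE = no protection at all).
ALLOWS = {"READ": {"read"}, "APPEND": {"read", "append"}, "DENY": set(),
          "WRITE": {"read", "append", "write"}, "IGNORE": {"read", "append", "write"}}

@dataclass
class Acl:                          # one "lidsconf -A ... -j TARGET" line
    obj: str
    target: str
    subject: Optional[str] = None   # None: the object's default ACL
    ports: tuple = ()               # CAP_NET_BIND_SERVICE port scale
    window: Optional[tuple] = None  # -t timescale as (start, end) minutes

def parse_portscale(spec):
    """'10-22,300-1020' -> ((10, 22), (300, 1020)); a bare '80' -> ((80, 80),)."""
    parts = [p.partition("-") for p in spec.split(",")]
    return tuple((int(lo), int(hi or lo)) for lo, _, hi in parts)

def parse_timescale(spec):
    """'0905-1021' (hourminute-hourminute) -> (545, 621) minutes after midnight."""
    start, end = spec.split("-")
    return tuple(int(t[:2]) * 60 + int(t[2:]) for t in (start, end))

def file_access(acls, subject, path, mode, now=None):
    """Can `subject` do `mode` ('read'/'append'/'write') on `path`?  The longest
    matching object wins, a subject ACL beats the object's default ACL, and a
    timed ACL outside its window is skipped.  No matching ACL: unprotected."""
    best = None
    for acl in acls:
        in_tree = path == acl.obj or path.startswith(acl.obj.rstrip("/") + "/")
        if acl.obj.startswith("CAP_") or not in_tree:
            continue
        if acl.subject not in (None, subject):
            continue
        if acl.window and now is not None and not acl.window[0] <= now <= acl.window[1]:
            continue
        key = (len(acl.obj), acl.subject is not None)  # specificity, then subject
        if best is None or key > best[0]:
            best = (key, acl)
    return best is None or mode in ALLOWS[best[1].target]

def may_bind(acls, subject, port):
    """Ports below 1024 need a CAP_NET_BIND_SERVICE GRANT whose scale covers them."""
    return port >= 1024 or any(
        a.subject == subject and a.obj == "CAP_NET_BIND_SERVICE" and a.target == "GRANT"
        and any(lo <= port <= hi for lo, hi in a.ports) for a in acls)
```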
.SH OTHER SOURCES OF INFORMATION
To subscribe or unsubscribe, go to:
.I http://lists.sourceforge.net/lists/listinfo/lids-user
To post a message to the list, send an e-mail to:
.B lids-user@lists.sourceforge.net
The current LIDS archive can be found at:
.I http://www.geocrawler.com/redir-sf.php3?list=lids-user
An outdated searchable archive can be found at:
.I http://groups.yahoo.com/group/lids
The LIDS FAQ is located at:
.I http://www.lids.org/lids-faq/lids-faq.html
.I http://www.roedie.nl/lids-faq
Any bugs found with LIDS itself should be sent to Xie, Phil, or the mailing list
.B (lids-user@lists.sourceforge.net).
Please include the .config file used to compile your kernel, and the lids.conf and lids.cap files located in the /etc/lids directory. Any errors found in this man page should be sent to Sander Klein.
\fB/etc/lids/lids.conf\fR \- LIDS configuration file.
\fB/etc/lids/lids.cap\fR \- Defines the global capabilities.
\fB/etc/lids/lids.net\fR \- Configuration file for e-mail alerts.
\fB/etc/lids/lids.pw\fR \- Contains the encrypted LIDS password.
.I <biondi@cartel-securite.fr>
Manpage written by Sander Klein
.I <roedie@roedie.nl>
The newest version of
.I http://www.lids.org/
is (C) 1999-2003 by Huagang Xie (xie@lids.org).
.\" See the lidsadm (8) man page for some funny remarks...