Import translated manuals from JM CVS Repository.

[linuxjm/jm.git] / manual / lids / original / man8 / lidsconf.8

.TH LIDSCONF 8
.\"
.\" Man page written by Sander Klein <roedie@roedie.nl> (May 2003)
.\" It is based on the original lidsadm page by Steve Bremer.
.\" TODO: I will think of something in the end...
.\"
.\"     This program is free software; you can redistribute it and/or modify
.\"     it under the terms of the GNU General Public License as published by
.\"     the Free Software Foundation; either version 2 of the License, or
.\"     (at your option) any later version.
.\"
.\"     This program is distributed in the hope that it will be useful,
.\"     but WITHOUT ANY WARRANTY; without even the implied warranty of
.\"     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\"     GNU General Public License for more details.
.\"
.\"     You should have received a copy of the GNU General Public License
.\"     along with this program; if not, write to the Free Software
.\"     Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\"

.SH NAME
lidsconf \- configuration tool for Linux Intrusion Detection System
.SH SYNOPSIS
.B lidsconf -A [-s subject] -o object [-d] [-t from-to] [-i level] -j ACTION
.br
.B lidsconf -D [-s file] [-o file]
.br
.B lidsconf -Z
.br
.B lidsconf -U
.br
.B lidsconf -L [-e]
.br
.B lidsconf -P
.br
.B lidsconf -v
.br
.B lidsconf [-h|H]

.SH DESCRIPTION

.I lidsconf 
is a configuration tool for 
.I Linux Intrusion Detection System (LIDS).

LIDS is a kernel patch to enhance the current Linux kernel. With LIDS, you can protect important files, directories, and devices. You can also define ACLs that restrict the access control on the entire system. For more information about LIDS, please go to 
.I http://www.lids.org. 

.I lidsconf
is used to configure the access restriction information for LIDS. All of the information is stored in "/etc/lids/lids.conf".

.SH Options (ACL's)
ACL is short for "Access Control List". The ACL in LIDS defines how a subject can access an object. The subject can be any program file on the system. The object can be a file, directory, or a special option (MEM devices, RAW IO, a HIDDEN process, etc). The target defines the access type that the subject has on the object.
.TP
The synopsis of the ACL is 
.B
[-s subject] [-d|-i TTL] -o object [-t timescale] -j TARGET
.TP
When a subject is not specified, the ACL defines the object's default access.

.TP
.B -s subject
A subject can be any program on the system, such as "/bin/login".
.TP
.B -o object [portscale]
An object can be a file, directory, or a special option (CAP_SYS_RAWIO, CAP_HIDDEN, CAP_INIT_KILL, etc).  If the object is CAP_NET_BIND_SERVICE, you must specify the port scale following it. For example, "20-299,400-1002".
.TP
.B -d
This is for the DOMAIN setting. When defined, the subject can only access objects in the domain specified. Any operation that affects an object outside of this domain will not be permitted.
.TP
.B -i <inheritance level>
This specifies that the ACL is inheritable by the subject's children.  The 
.B inheritance level
affects how far the ACL is inherited.  An inheritance level of "-1" means 
.B unlimited 
inheritance.  An inheritance level of 1 means that a child process spawned by the parent which is not the same program as the parent will inherit the ACL, but a child process spawned from the child (i.e. a grandchild of the orignal process) won't.
The Inheritance level only affect the children which is not the same program as its parent. If the child is the same program as the parent, it will gain all the permission from its parent.
.TP
.B -t timescale
This is time restriction for an ACL. This restrition only applies to an ACL with a subject. The time restriction sets the time when an ACL will be true. The timescale format here is "hourminute-hourminute". For example, "0905-1021" means "From 9 o'clock and 5 minutes to 10 o'clock and 21 minutes".

.TP
.B -j Target
The Target can be READ, APPEND, WRITE, or IGNORE for normal file access ACLs. For a special object, the Target can only be GRANT.

.TP
.SH Available capabilities
The capabilities used in LIDS are shown below. You can use the name to enable or disable the capability when sealing and switching. You can also grant the capability to a program even if the capability is disabled globally on the system.

.SP
.TP
.B CAP_CHOWN
chown(2)/chgrp(2)
.TP
.B    CAP_DAC_OVERRIDE
DAC access.
.TP
.B CAP_DAC_READ_SEARCH
DAC read.
.TP
.B          CAP_FOWNER
Owner ID not equal user ID.
.TP
.B          CAP_FSETID
Effective user ID not equal owner ID.
.TP
.B            CAP_KILL
Real/effective ID not equal process ID.
.TP 
.B         CAP_SETGID
setgid(2)
.TP 
.B          CAP_SETUID 
set*uid(2)
.TP
.B         CAP_SETPCAP
Transfer capability.
.TP
.B  CAP_LINUX_IMMUTABLE
Immutable and append file attributes.
.TP
.B CAP_NET_BIND_SERVICE
Binding to ports below 1024.
.TP
.B   CAP_NET_BROADCAST
Broadcasting/listening to multicast.
.TP
.B       CAP_NET_ADMIN
Interface/firewall/routing changes.
.TP
.B         CAP_NET_RAW
Raw sockets (ping).
.TP
.B        CAP_IPC_LOCK
Locking of shared memory segments.
.TP
.B       CAP_IPC_OWNER
IPC ownership checks.
.TP
.B      CAP_SYS_MODULE
Insertion and removal of kernel modules.
.TP
.B       CAP_SYS_RAWIO
ioperm(2)/iopl(2) access
.TP
.B      CAP_SYS_CHROOT
chroot(2)
.TP
.B      CAP_SYS_PTRACE
ptrace(2)
.TP
.B       CAP_SYS_PACCT
Configuration of process accounting.
.TP
.B       CAP_SYS_ADMIN
Tons of admin stuff.
.TP
.B        CAP_SYS_BOOT
reboot(2)
.TP
.B        CAP_SYS_NICE
nice(2)
.TP
.B    CAP_SYS_RESOURCE
Setting resource limits.
.TP
.B        CAP_SYS_TIME
Setting system time.
.TP
.B  CAP_SYS_TTY_CONFIG
TTY configuration.
.TP
.B  CAP_MKNOD
Allow the privileged aspects of mknod().
.TP
.B  CAP_LEASE
Allow taking of leases on files.
.TP
.B  CAP_HIDDEN
Make a program hidden from the entire system.
.TP
.B  CAP_KILL_PROTECTED
Allow/disallow a process to kille protected processes.
.TP
.B  CAP_PROTECTED
Protect the process from signals.

.SH EXAMPLES
Here are some examples of using lidsconf.  They range from simple/normal to a little more complex/esoteric.  Note that actual file names are used to make things more concrete. In their place you should substitute file/directories from
.B your own system.
.TP
.B lidsconf -A -o /sbin -j READ
This ACL protects the /sbin directory as read-only.
.TP
.B lidsconf -A -o /var/log/message -j APPEND
Protects /var/log/message as append only.
.TP
.B lidsconf -A -o /sbin/test -j IGNORE
Specifies that the read-only protection of /sbin doesn't apply to /sbin/test.
.TP
.B lidsconf -A -o /etc/passwd -j DENY
Make /etc/passwd hidden from everyone. Nothing can see the file (open,stat,..).
.TP
.B lidsconf -A -s /bin/login -o /etc/passwd -j READ
Allows the /bin/login program to read the /etc/passwd even though it has been defined as hidden above.
In this case, only /bin/login can read /etc/passwd.  No other program or user can see the file (/etc/passwd).
.TP
.B lidsconf -A -o /home/httpd -j DENY
.TP
.B lidsconf -A -s /usr/sbin/httpd -o /home/httpd -j READ
.TP
.B lidsconf -A -s /usr/sbin/httpd -o CAP_NET_BIND_SERVICE 80 -i -1 -j GRANT
Protects the server root of a web server (/home/httpd) as DENY, and allow only the httpd binary (/usr/sbin/httpd) to read the server root (/home/httpd),and the httpd can only bind to port 80.
.TP
.B lidsconf -A -s /bin/program -i 2 -o CAP_NET_ADMIN -j GRANT
Grant the /bin/program the capability of CAP_NET_ADMIN, and the inheritance level is 2.
.TP
.B lidsconf -A -s /usr/X11/bin/XF86_SVGA -o CAP_SYS_RAWIO -j GRANT
Grants the program XF86_SVGA the capability of CAP_SYS_RAWIO if the CAP_SYS_RAWIO has been disabled in /etc/lids/lids.cap.
.TP
.B lidsconf -A -s /usr/sbin/httpd -d -o /home/httpd -j READ
Define the program httpd's EXEC DOMAIN as /home/httpd.  Any operation outside of /home/httpd is not allowed when httpd running.
.TP
.B lidsconf -A -s /bin/login -o /etc/shadow -t 0900:1800 -j READ
Define the /bin/login can read /etc/shadow only during 09:00 to 18:00.With this, you can restrict the login event occur during this time.
.TP
.B lidsconf -A -s /usr/sbin/sshd -o CAP_NET_BIND_SERVICE 10-22,300-1020 -j GRANT
Define the /usr/sbin/sshd can bind to port number from 10 to 22 and 300 to 1020 , in this case, ssh can only bind to that port scale.

.SH OTHER SOURCES OF INFORMATION.
.TP
.B Mailing List
To subscribe, unsubscribe, go to:
.I http://lists.sourceforge.net/lists/listinfo/lids-user
.br
To post a message to the list, send an e-mail to:
.B lids-user@lists.sourceforge.net
.br
Current LIDS archive can be found at:
.I http://www.geocrawler.com/redir-sf.php3?list=lids-user
.br
An outdated searchable archive can be found at:
.I http://groups.yahoo.com/group/lids

.TP
.B LIDS FAQ
The LIDS FAQ is located at:
.br
.I http://www.lids.org/lids-faq/lids-faq.html
.br
or
.br
.I http://www.roedie.nl/lids-faq

.SH BUGS
Any bugs found with LIDS itself should be sent to Xie, Phil, or the mailing list
.B (lids-user@lists.sourceforge.net).
Please include your .config file used to compile your kernel, and the lids.conf and lids.cap files located in /etc/lids directory.  Any errors found in this man page should be sent to Sander Klein.
.SH FILES
\fB/etc/lids/lids.conf\fR \- LIDS configuration file.
.br
\fB/etc/lids/lids.cap\fR \- Defines the global capabilities.
.br
\fB/etc/lids/lids.net\fR \- Configuration file for e-mail alerts.
.br
\fB/etc/lids/lids.pw\fR \- Contains the encrypted LIDS password.

.SH SEE ALSO
.BR lidsadm (8)

.SH AUTHORS
Huagang Xie
.I <xie@lids.org>
.PP
Philippe Biondi
.I <biondi@cartel-securite.fr>
.PP
Manpage written by Sander Klein
.I <roedie@roedie.nl>
.PP

.SH DISTRIBUTION
The newest version of 
.I LIDS 
can be obtained from 
.I http://www.lids.org/ 
or the mirrors.
.Sp
.I LIDS 
is (C) 1999-2003 by Huagang Xie(xie@lids.org).
.\" See the lidsadm (8) man page for some funny remarks...
.\"