Linux Intrusion Detection System FAQ

Omo Kazuki - Translator, v.20J, August 8th, 2003

       omok AT honto DOT info
      

Kurashiki Satoru - Translator, v.17J, Mar 8th, 2002

       ouka AT fx DOT sakura DOT ne DOT jp
      

Sander Klein

lids AT roedie DOT nl

v.20, May 19th, 2003

This is the Japanese translation of the Linux Intrusion Detection System (LIDS) FAQ. The questions were collected from the LIDS mailing list.

The LIDS versions released at the time of this document are:

  * Kernel 2.4: 1.1.1 (stable) 1.1.2-rc6 (development)

  * Kernel 2.2: 0.11.0r2 (stable) 0.11.1pre1 (development)

  * Kernel 2.5: 2.0.3rc1 (development)


Table of Contents
1. LIDS

    1.1. What is LIDS?
    1.2. Why use LIDS?
    1.3. Where can I get LIDS?
    1.4. Which versions of the Linux kernel are supported?
    1.5. Is there a LIDS mailing list?
    1.6. Where is the mailing list archive?
    1.7. Copyright and disclaimer
    1.8. Feedback
    1.9. Credits
    1.10. Translations
    1.11. Revision history
    1.12. To-do
    1.13. Where can I get this FAQ?

2. Installing LIDS

    2.1. How do I apply the LIDS kernel patch?
    2.2. How do I install the LIDS administration utilities (lidsadm and
         lidsconf)?
    2.3. What next?
    2.4. When I try to compile lidsadm, gcc complains that it cannot find
         lidsext.h. How do I fix this?
    2.5. A note for Debian users...
    2.6. I get errors when I try to apply the LIDS patch to a RedHat
         2.x.x-x kernel. Why?

3. lidsadm and lidsconf

    3.1. What is lidsadm?
    3.2. What is lidsconf?
    3.3. What options are available with lidsadm?
    3.4. What options are available with lidsconf?
    3.5. Great. So what do these capabilities do?

4. Administering LIDS

    4.1. How do I set the LIDS password?
    4.2. How do I change the LIDS password once it has been set?
    4.3. What is a LIDS Free Session, and how do I create one?
    4.4. I created a LIDS Free Session, but LIDS still seems to be
         enabled! What is wrong?
    4.5. How do I make LIDS reload its configuration files?
    4.6. Help!!! I have locked myself out of my system! What do I do?
    4.7. I changed/moved a system binary. How do I tell LIDS that the
         file was changed/moved?
    4.8. Can I disable LIDS completely without rebooting?
    4.9. What does it mean to "seal the kernel"?
    4.10. How do I see the status of LIDS on my system?
    4.11. How do I configure the LIDS port scan detector?
    4.12. What are the "subject" and the "object" in a LIDS ACL?
    4.13. Can I enable/disable system capabilities without editing
          /etc/lids/lids.cap and reloading the configuration files?
    4.14. I reconfigured the LIDS ACLs, but the changes do not seem to
          take effect. Why?
    4.15. Why does lidsconf -L not show my ACLs?
    4.16. How can I get LIDS violations reported on the console?
    4.17. As a LIDS administrator, should I worry about the LD_PRELOAD
          variable?
    4.18. At boot I get the message "read password file error". How do I
          fix this?
    4.19. How do I check whether LIDS is enabled?

5. Configuring LIDS

    5.1. How do I protect a file as read-only?
    5.2. OK, so how do I protect a directory as read-only?
    5.3. Can I hide a file/directory from everyone?
    5.4. How do I protect my log files as append-only?
    5.5. If nobody can read /etc/shadow, how does anyone authenticate to
         the system?
    5.6. I protected /etc as read-only. How does mount write to
         /etc/mtab?
    5.7. At boot LIDS complains that it cannot write to the modules.dep
         file. Why?
    5.8. If the logs are protected as append-only, how does logrotated
         rotate them?
    5.9. Why not simply give the log rotation utility write access to
         the log directory and let it rotate the logs?
    5.10. With LIDS enabled I cannot unmount the file systems at
          shutdown. What should I do?
    5.11. Why can't I start a service that uses a port as root?
    5.12. Why can't I start a service that uses a port from an LFS?
    5.13. How do I disable/enable capabilities?
    5.14. Why does the X Window System not work with LIDS enabled?
    5.15. Do I need ACLs for everything, and how far should my
          configuration go?
    5.16. How do I give init write access to /etc/initrunlvl so that
          LIDS does not complain at startup and shutdown?
    5.17. Can a child process inherit the file ACLs of its parent?
    5.18. Help! Program xyz does not work under LIDS. How do I find out
          which files/capabilities it needs access to?
    5.19. How do I give passwd the right permissions to update
          /etc/shadow?
    5.20. Why do ssh and scp not work with LIDS enabled?
    5.21. OpenSSH starts at boot, but LIDS reports that bash is trying
          to access hidden files. How do I fix this?
    5.22. Because of hidden processes I cannot unmount the file systems
          at shutdown. How do I kill them?
    5.23. I do not know where to start with a basic configuration. Is
          there a setup that adds protection while leaving most of the
          system working as usual?
    5.24. Can I restrict access by time?
    5.25. How do I restrict the ports a program can bind to?
    5.26. With /etc/mtab symlinked to /proc/mounts, do user quotas still
          work?
    5.27. When I edit a file protected by LIDS, it no longer seems to be
          protected. Why?
    5.28. After I update the LIDS configuration, the processes seem to
          be different.

6. Configuring security alerts

    6.1. Which kernel configuration options are needed to send security
         alerts over the network?
    6.2. Where do I specify the mail server and e-mail address that
         LIDS sends alerts to?
    6.3. LIDS does not seem to deliver alerts to my qmail SMTP server.
         Can this be fixed?

7. Sample configurations

    7.1. Basic system setup
    7.2. Apache
    7.3. Qmail
    7.4. Dnscache & Tinydns (djbdns)
    7.5. Courier-imap
    7.6. MySQL
    7.7. OpenSSH (3.4p1)
    7.8. OpenLDAP (slapd)
    7.9. Port Sentry
    7.10. Samba
    7.11. Linux HA heartbeat
    7.12. Bind 9.x
    7.13. Sendmail
    7.14. Apcupsd
    7.15. Pump
    7.16. Snort
    7.17. Getty
    7.18. Login
    7.19. Su
    7.20. Exim
    7.21. Qpopper
    7.22. Proftp
    7.23. Aproxy
    7.24. Squid
    7.25. Innd
    7.26. Postfix

8. LIDS technical

    8.1. Does LIDS work on file systems other than ext2?
    8.2. Does LIDS work on SMP systems?
    8.3. Does LIDS work together with Solar Designer's Openwall patch?
    8.4. Does LIDS work on non-Intel hardware?
    8.5. What is the difference between LIDS versions 0.x, 1.x and 2.x?


Chapter 1. LIDS

1.1. What is LIDS?

LIDS is an enhancement to the Linux kernel written by Xie Huagang
<mailto:xie@gnuchina.org> and Philippe Biondi
<mailto:philippe.biondi@webmotion.com>. It implements several security
features that the Linux kernel does not provide natively. Among them are
mandatory access control (MAC), a port scan detector, file protection
(even from root) and process protection.


1.2. Why use LIDS?

The current Linux system, like other *nix systems, inherits a number of
problems from its design. Probably the biggest of these is that the root
account is all-powerful. Once a process or a user obtains root, that
process or user can do anything to the system, and there is no way to
stop it. Root access in the hands of a malicious user or intruder is the
stuff of a careful administrator's nightmares. LIDS provides a mechanism
that keeps even the root account from doing great damage to the system:
access control lists (ACLs). With ACLs, LIDS can protect not only
processes but also files.


1.3. Where can I get LIDS?

LIDS can be downloaded from http://www.lids.org or from one of its
mirror sites. The list of mirrors is at
http://www.lids.org/mirrors.html.


1.4. Which versions of the Linux kernel are supported?

LIDS currently supports the 2.2 kernel as well as the latest 2.4
kernel. LIDS development is done on the 2.5 kernel, so new features
appear there first. Depending on user demand, features are back-ported
to the 2.4 or 2.2 kernels. The latest LIDS version incorporates the LSM
(Linux Security Modules <http://lsm.immunix.org>) framework.


1.5. Is there a LIDS mailing list?

Yes. Sending e-mail to lids-users@lists.sourceforge.net posts to the
list. However, to receive the messages posted to the list you must
subscribe. To subscribe, go to
http://lists.sourceforge.net/lists/listinfo/lids-user and fill in the
form. You will receive a confirmation request; reply to it. On the same
page you can unsubscribe and change your list options.


1.6. Where is the mailing list archive?

The mailing list archive is at
http://www.geocrawler.com/lists/3/SourceForge/9348/0/
<http://www.geocrawler.com/redir-sf.php3?list=lids-user>. The older
archive is at http://groups.yahoo.com/group/lids.


1.7. Copyright and disclaimer

This document is copyright (c) 2000, 2001, 2002 Steve Bremer -- 2002,
2003 Sander Klein, and is FREE. It may be redistributed under the terms
of the GNU General Public License.

The information in this document is accurate to the best of Sander's
knowledge. He is only human, though, and errors and bugs in the text
are possible.

No individual, group or other entity accepts responsibility for damage
to your computer or any other liability arising from the use of this
document. In other words:

"The author and all contributors are not responsible for any damage
caused by actions taken on the basis of this document."


1.8. Feedback

Questions, comments, corrections and suggestions about this document
are welcome; contact the author at lids AT roedie DOT nl
<mailto:lidsATroedieDOTnl>. Good or bad, all feedback is welcome!


1.9. Credits

Special thanks to:

  * Xie Huagang - technical editor and author of LIDS

      Answers about LIDS versions

      Answers about subject/object

  * Philippe Biondi - author of LIDS

  * Andy Harrelson - various corrections

  * Rob Willis - Open-SSH, OpenLDAP and Port Sentry configurations

  * Fred Mobach - corrections

  * David Ranch - the sgml template was borrowed from his excellent
    Linux IP Masquerade HOWTO
    <http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html>.

  * Austin Gonyou -

      Useful feedback on the FAQ

      A new fix for the lidsadm compile problem

      Warning about updating the inode of the /etc/passwd file

  * Pavel Epifanov - a simple fix for the lidsadm compile problem

  * Justus Pendleton - Samba configuration sample

  * Nenad Micic

      Example script for killing hidden processes

      C program for killing hidden processes at shutdown

      LD_PRELOAD warning

  * Bill Phillips - pointed out the cross-reference errors in the PDF
    version

  * Szymon Juraszczyk

      LD_PRELOAD warning

  * Lorn Kay -

      Heartbeat configuration for Linux HA

      Sendmail configuration

  * Bill McKenzie - additions to the Portsentry configuration

  * Sander Klein

      Question about checking whether LIDS is enabled.

      Apcupsd configuration

      Pump configuration

      Snort configuration

      getty configuration

      login configuration

      su configuration

  * David Spreen - warning about time restrictions and crontab access.

  * Thomas Linden - BIND 9.x configuration

  * Mathias Gygax - sample configurations for exim, qpopper and proftp

  * Dimitri Goldin - pointed out that root can obtain the LIDS password
    when /dev/pts is mounted and not protected

  * BigSam - Innd configuration.

  * Ralf Dreibrodt - Innd configuration.

  * Steve Bremer - for writing this document in the first place. It was
    a great help to me when I started using LIDS.

"Linux is a registered trademark of Linus Torvalds"


1.10. Translations

This document has been translated into the following languages:

  * Japanese -- http://www.linux.or.jp/JF/JFdocs/LIDS-FAQ.html

  * Polish -- http://www.linuxpub.pl/man/lidsfaq/.


1.11. Revision history

The latest version of this FAQ is at http://www.roedie.nl/lids-faq/.
Please check that you have the latest version before reporting bugs.

  * May 19th, 2003. Version .20

      Added the Postfix example

      Updated the OpenSSH example

      Removed the lidsadm compile notes for versions before 1.1.0

      Removed the question about the /etc/lids directory

      Added the question about processes differing after a
      configuration update

      Fixed sections

      Various small fixes

  * December 22th, 2002. Version .19

      This is the first version of the LIDS FAQ released by me (Sander
      Klein). Thanks to Steve.

      Replaced lidsadm -P with lidsconf -P

      Rewrote various places to reflect the current situation

      Converted the document from docbook format to the ldp style

      Added sections

      Corrected URLs

  * April 27th, 2002. Version .18

      This is the last LIDS FAQ provided by me (Steve Bremer). Sander
      Klein is the new maintainer of the FAQ.

      Added the aproxy configuration

      Added the /dev/pts warning

      Added the squid configuration

      Updated the PowerPC status

      Added the Innd configuration

      Other small updates

  * January 28th, 2002. Version .17

      Changed "READ" to "READONLY"

  * January 12th, 2002. Version .16

      Various changes for version 1.1.0

      Small fixes

      Added the exim, qpopper and proftp configurations

      Updated the console logging question

      Updated the LD_PRELOAD warning

      Updated the file ACL inheritance question

      Added the question about editing files

  * November 12th, 2001. Version .15

      Added configurations (Sendmail, apcupsd, pump, snort, getty,
      login, su). Thanks to Sander Klein and Lorn Kay

      Added the Red Hat kernel patch question

      Added the user quota question

  * August 26th, 2001. Version .14

      Added the LIDS enabled/disabled question

      Added the basic configuration question

      Added the note for Debian users

      Added the time restriction question

      Updated the log rotation question to use the new time
      restriction feature

      Updated the Intel hardware question

      Added the translations section

      Added the port restriction question

      Added the BIND 9.x configuration

  * May 20th, 2001. Version .13

      Added the heartbeat configuration for HA Linux

      Added the read password error question

      Added the basic configuration question

      Small additions to the portsentry configuration

      Expanded the password update question

      Other small fixes

  * April 1st, 2001. Version .12

      Updated the FAQ for the new LIDS versions (1.0.6+ and 0.9.14+)

      Added the LD_PRELOAD warning

      Updated the hardware question

  * March 10th, 2001. Version .11

      Fixed the cross-reference errors in the PDF version

      Clarified the basic system setup configuration

      Updated the mirror list

      Updated the password and log rotation questions

  * March 1st, 2001. Version .10

      Added the Samba configuration

      Added the example of killing hidden processes at shutdown

      Added the ssh keygen question

      Expanded the password update question

  * February 10th, 2001. Version .09

      Added the ssh/scp question

      Updated the mailing list information

      Updated the LIDS SMP status

  * January 27th, 2001. Version .08

      Changed the Apache configuration so that the "Server Root" is
      protected as DENY

      Changed the mysql and courier-imap configurations so that the
      default directories are protected as DENY

      Changed the ssh configuration to allow password authentication

      Added the question about reconfiguring ACLs

  * January 25th, 2001. Version .07

      Fixed the lidsadm compile fix. Clarified the kernel section
      (hopefully). Small fixes.

  * January 24th, 2001. Version .06

      Removed the /etc/mtab mount ACL, since /etc/mtab is recreated at
      boot when the file systems are mounted

      Added the lidsadm compile fix

      Small fixes

  * January 22nd, 2001. Version .05

      Added the basic system setup configuration. Added the e-mail
      alert section

  * January 19th, 2001. Version .04

      Small fix to the lidsadm compile question

  * January 17th, 2001. Version .03

      Added the question about the new file ACL "-i" option in
      LIDS-0.9.12. Also updated the questions where "-i" is needed.
      Other small updates on compiling lidsadm, enabling/disabling
      capabilities and setting up ACLs for the sample programs.

  * January 15th, 2001. Version .02

      Small fixes

  * January 15th, 2001. Version .01

      Initial release


1.12. To-do

Things that still need to be done at the time of this document:

  * Additions for LIDS-LSM

  * Probably much more.


1.13. Where can I get this FAQ?

The HTML version of the LIDS-FAQ is available on the LIDS site
<http://www.lids.org/lids-faq/lids-faq.html>. Other formats can be
downloaded from http://www.roedie.nl/lids-faq/.


Chapter 2. Installing LIDS

2.1. How do I apply the LIDS kernel patch?

Xie's instructions <http://www.lids.org/install.html> explain how to
download LIDS and patch the kernel. Still, here is a short summary of
the required steps. The example assumes the kernel source is installed
in /usr/src/linux.

Make sure you are using the latest LIDS version for your kernel. LIDS is
developed at a fast pace, and the documentation changes with it.

  * First, download the LIDS patch from www.lids.org/download.html
    <http://www.lids.org/download.html>. Be sure to pick the version
    that matches your kernel. (If you use a distribution kernel, read
    the following questions.)

  * Next, unpack the tarball:

    bash$ tar -zxvf lids-<lids version>-<kernel version>.tar.gz

  * Apply the lids patch to your kernel source:

    bash$ cd /usr/src/linux
    bash$ patch -p1 < /path/to/lids/patch/lids-<lids version>-<kernel version>.patch

  * Then configure the kernel. An excellent source of information on
    recompiling the Linux kernel is the Linux Kernel HOW-TO
    <http://www.tldp.org/HOWTO/Kernel-HOWTO.html>.

LIDS requires a few kernel configuration options. For LIDS to work, make
sure the following options are enabled:

  [*]   Prompt for development and/or incomplete code/drivers
  [*]   Sysctl Support


2.2. How do I install the LIDS administration utilities (lidsadm and
lidsconf)?

  * LIDS 1.1.2+

Note: if you are upgrading LIDS, back up the whole /etc/lids directory
first.

In the LIDS source directory, type:

bash$ tar -zvxf lidstools-<version>.tar.gz
bash$ cd lidstools-<version>
bash$ ./configure
bash$ make
bash$ su -
bash# make install

This installs lidsadm and lidsconf into the /sbin directory. It also
creates the /etc/lids directory and puts the default configuration files
there. The configuration files are updated with the inode and device
numbers that are correct for your system. You are also asked for the
LIDS password at this point. During the inode update you will see
errors for files that do not exist on your system; these errors are
harmless.

If you do not want the lidsadm view option (-V) enabled, run configure
with --disable-view.


2.3. What next?

Before rebooting into the LIDS-enabled kernel you must configure the
LIDS ACLs. Otherwise you will find yourself locked out of the system
after the reboot. Configuring the LIDS ACLs is covered later.


2.4. When I try to compile lidsadm, gcc complains that it cannot find
lidsext.h. How do I fix this?

This happens on systems where /usr/include/linux is not a symlink to
/usr/src/linux/include/linux. The full error message is:

lidsadm.c:30: linux/lidsext.h: No such file or directory
make: *** [lidsadm.o] Error 1

To fix it, edit the Makefile in the lidsadm source directory and add
-I/usr/src/linux/include to the CFLAGS option. lidsadm should now
compile normally.


2.5. A note for Debian users...

David Spreen maintains the LIDS packages for Debian. Questions about the
packages, or about LIDS configuration specific to them, are best mailed
to netzwurm@debian.org <netzwurm@debian.org>. Because the packages
contain Debian-specific fixes, he recommends that Debian users use the
LIDS Debian packages.


2.6. I get errors when I try to apply the LIDS patch to a RedHat
2.x.x-x kernel. Why?

LIDS is developed against the "vanilla" kernels released by Linus.
Other distributions, including RedHat, Debian and SuSE, customize their
kernels. That is not a bad thing, but be aware that their kernels are
not the same as Linus'. (Debian users: see the note above.)


Chapter 3. lidsadm and lidsconf

3.1. What is lidsadm?

lidsadm is the LIDS administration utility; it is used to administer
LIDS on a running system. This includes enabling/disabling LIDS, sealing
the kernel and checking the status of LIDS.


3.2. What is lidsconf?

lidsconf is used to configure the LIDS access control lists (ACLs). It
is also used to set the LIDS password. Note: in LIDS versions before
1.1.0, lidsadm performed all the work that lidsconf does now.


3.3. What options are available with lidsadm?

For a list of the available options, type:

bash# lidsadm -h

This returns the following output:

lidsadm version 0.4.1 for LIDS project                                            
       Huagang Xie <xie@gnuchina.org>                                             
       Philippe Biondi <pbi@cartel-info.fr>                                       
                                                                                  
Usage: lidsadm -[S|I] -- [+|-][LIDS_FLAG] [...]                                   
       lidsadm -V                                                                 
       lidsadm -h                                                                 
                                                                                  
Commands:                                                                         
       -S  To submit a password to switch some protections                        
       -I  To switch some protections without submitting password (sealing time)  
       -V  To view current LIDS state (caps/flags)                                
       -v  To show the version                                                    
       -h  To list this help                                                      
                                                                                  
Available capabilities:                                                           
           CAP_CHOWN chown(2)/chgrp(2)                                            
    CAP_DAC_OVERRIDE DAC access                                                   
 CAP_DAC_READ_SEARCH DAC read                                                     
          CAP_FOWNER owner ID not equal user ID                                   
          CAP_FSETID effective user ID not equal owner ID                         
            CAP_KILL real/effective ID not equal process ID                       
          CAP_SETGID set*gid(2)                                                   
          CAP_SETUID set*uid(2)                                                   
         CAP_SETPCAP transfer capability                                          
 CAP_LINUX_IMMUTABLE immutable and append file attributes                         
CAP_NET_BIND_SERVICE binding to ports below 1024                                  
   CAP_NET_BROADCAST broadcasting/listening to multicast                          
       CAP_NET_ADMIN interface/firewall/routing changes                           
         CAP_NET_RAW raw sockets                                                  
        CAP_IPC_LOCK locking of shared memory segments                            
       CAP_IPC_OWNER IPC ownership checks                                         
      CAP_SYS_MODULE insertion and removal of kernel modules                      
       CAP_SYS_RAWIO ioperm(2)/iopl(2) access                                     
      CAP_SYS_CHROOT chroot(2)                                                    
      CAP_SYS_PTRACE ptrace(2)                                                    
       CAP_SYS_PACCT configuration of process accounting                          
       CAP_SYS_ADMIN tons of admin stuff                                          
        CAP_SYS_BOOT reboot(2)                                                    
        CAP_SYS_NICE nice(2)                                                      
    CAP_SYS_RESOURCE setting resource limits                                      
        CAP_SYS_TIME setting system time                                          
  CAP_SYS_TTY_CONFIG tty configuration                                            
           CAP_MKNOD mknod operation                                              
           CAP_LEASE taking leases on files                                       
          CAP_HIDDEN hidden process                                               
  CAP_KILL_PROTECTED kill protected programs                                      
       CAP_PROTECTED Protect the process from signals                             
                                                                                  
Available flags:                                                                  
                LIDS de-/activate LIDS locally (the shell & childs)               
         LIDS_GLOBAL de-/activate LIDS entirely                                   
         RELOAD_CONF reload config. file and inode/dev of protected programs      


 

3.4. What options are available with lidsconf?

For a list of the available options, type:

bash# lidsconf -h

This returns the following output:

lidsconf version 0.4.1 for the LIDS project                                       
       Huagang Xie <xie@gnuchina.org>                                             
       Philippe Biondi <philippe.biondi@webmotion.net>                            
                                                                                  
Usage: lidsconf -A [-s subject] -o object [-d] [-t from-to] [-i level] -j ACTION  
       lidsconf -D [-s file] [-o file]                                            
       lidsconf -Z                                                                
       lidsconf -U                                                                
       lidsconf -L [-e]                                                           
       lidsconf -P                                                                
       lidsconf -v                                                                
       lidsconf -[h|H]                                                            
                                                                                  
Commands:                                                                         
       -A,--add To add an entry                                                   
       -D,--delete      To delete an entry                                        
       -Z,--zero        To delete all entries                                     
       -U,--update      To update dev/inode numbers                               
       -L,--list        To list all entries                                       
       -P,--passwd      To encrypt a password with RipeMD-160                     
       -v,--version     To show the version                                       
       -h,--help        To list this help                                         
       -H,--morehelp    To list this help with CAP/SOCKET name                    
                                                                                  
subject: -s,--subject subj                                                        
       can be any program, must be a file                                         
object: -o,--object [obj]                                                         
       can be a file, directory or Capability, Socket Name                        
ACTION: -j,--jump                                                                 
       DENY     deny access                                                       
       READONLY read only                                                         
       APPEND   append only                                                       
       WRITE    writable                                                          
       GRANT    grant capability to subject                                       
       IGNORE   ignore any permissions set on this object                         
       DISABLE  disable some extersion feature                                    
OPTION:                                                                           
      -d,--domain       The object is an EXEC Domain                              
      -i,--inheritance Inheritance level                                          
      -t,--time Time dependency                                                   
      -e,--extended     Extended list                                             


 

3.5. Great. So what do these capabilities do?

Capabilities define which actions are and are not permitted on a system.
If you disable CAP_SETUID, for example, programs like su can no longer
change their UID. With LIDS you can enable/disable capabilities
individually for particular programs. A description of each capability
is in /etc/lids/lids.cap or, if LIDS is not installed yet, in
/path/to/lidstools/example/lids.cap.


Chapter 4. Administering LIDS

4.1. How do I set the LIDS password?

If you were not asked to set a password during installation, type the
following at the command prompt before rebooting into the LIDS-enabled
kernel:

bash# lidsconf -P

You are then asked for the LIDS password:

MAKE PASSWD                                                         
enter new password:                                                 
reenter new password:                                               
wrote password to /etc/lids/lids.pw                                 

The file /etc/lids/lids.pw now contains the password, hashed with
RipeMD-160. This password is needed to change capabilities and to start
a LIDS free session.


4.2. How do I change the LIDS password once it has been set?

First, create a LIDS free session. Then set the password with the "-P"
option, as you did the first time (you are not asked for the current
password). After resetting the LIDS password, you must make LIDS reload
its configuration files.

Note: when /dev/pts is mounted, root may be able to obtain the LIDS
password. To prevent this, unmount /dev/pts or protect it.


4.3. What is a LIDS Free Session, and how do I create one?

A LIDS Free Session (LFS) is a root session that is not restricted by
LIDS. Thanks to this option you can administer the system without
rebooting into a non-LIDS kernel. To use it, the following option must
be selected when compiling the LIDS-enabled kernel:

  [*] Allow switching LIDS protections

To enter an LFS, type at the prompt:

bash# lidsadm -S -- -LIDS

You are asked for the LIDS password. This terminal is now free of LIDS.
It stays free of LIDS until one of the following happens:

  * LIDS is re-enabled (lidsadm -S -- +LIDS).

  * You log out of the terminal.

Only one LFS can be active at a time. Entering lidsadm -S -- -LIDS in
another terminal does not produce an error, but there is still only one
LFS.

 

4.4. I created a LIDS Free Session, but LIDS still seems to be enabled!
What is wrong?

This happens when you create the LFS on one virtual console and then
switch to another virtual console to administer the machine. To fix it,
enable LIDS and then disable it again (entering the password at the
prompt):

# lidsadm -S -- +LIDS
# lidsadm -S -- -LIDS

Note: if another administrator is in an LFS, this will end that
person's LFS, so check that no other administrator is working first!

 

4.5. How do I make LIDS reload its configuration files?

To have LIDS reload its configuration files, the following option must
be enabled when configuring the LIDS-enabled kernel:

  [*]  Allow switching LIDS protections
  (3)    Number of attempts to submit password
  (30)     Time to wait after a fail (seconds)
  [ ]    Allow remote users to switch LIDS protections
  [ ]    Allow any program to switch LIDS protections
  [*]    Allow reloading config. file   <----------------------------

Note: to be able to reload the configuration files, you must also be
able to switch the LIDS protections. From an LFS (or with LIDS_GLOBAL
disabled), run this command to tell LIDS to reload the configuration
files:

# lidsadm -S -- +RELOAD_CONF

This reloads the following configuration files:

  * /etc/lids/lids.conf - the LIDS ACL configuration file.

  * /etc/lids/lids.cap - the LIDS capabilities file.

  * /etc/lids/lids.pw - the LIDS password file.

  * /etc/lids/lids.net - the file that configures LIDS mail alerts.


4.6. Help!!! I have locked myself out of my system! What do I do?

You can either reboot into a non-LIDS kernel, or boot the LIDS-enabled
kernel with LIDS disabled. To boot with LIDS disabled, specify
security=0 at the lilo prompt. For example, if the LIDS-enabled kernel
is called lids-kernel, type the following at the lilo prompt:

lilo: lids-kernel lids=0

That is the easy part. The hard part is shutting the system down while
LIDS is enabled. Depending on your LIDS configuration, you may not be
able to shut down cleanly.

Warning: if you reboot from a LIDS-enabled kernel that is not properly
configured, the file systems may not be unmounted cleanly and data may
be lost.

 

4.7. I changed/moved a system binary. How do I tell LIDS that the file
was changed/moved?

Whenever the device or the inode number of a file changes, the
/etc/lids/lids.conf file must be updated with the correct information.
Fortunately, Xie provides an option for this:

bash# lidsadm -U

Afterwards, reload the configuration files.

 

4.8. Can I disable LIDS completely without rebooting?

Besides using an LFS, you can stop LIDS entirely. This only works if the
kernel was compiled with the option for switching the protections:

bash# lidsadm -S -- -LIDS_GLOBAL

With LIDS_GLOBAL disabled, the system behaves like a "normal" Linux
system. To re-enable LIDS entirely, do the opposite:

bash# lidsadm -S -- +LIDS_GLOBAL

Note: if an LFS is active, this has no effect on the LFS.

 

4.9. What does it mean to "seal the kernel"?

At the end of the boot process the kernel must be sealed. This applies
the global capability set from /etc/lids/lids.cap to the system. File
ACLs, on the other hand, are in effect even before the kernel is
sealed. To seal the kernel, add the following to the end of rc.local
(for SysV-style init):

/sbin/lidsadm -I

The "-I" option is used only when sealing the kernel. After the kernel
is sealed, the "-S" option must be used to make changes to the system.
Warning: if the kernel is not sealed at boot, the LIDS-protected system
does not get its full protection.

 

4.10. How do I see the status of LIDS on my system?

To use the "-V" option, lidsadm must have been compiled with the view
option enabled (see the installation section for details). At the
command line, type:

bash# lidsadm -V

On a 2.4.x kernel this gives output like the following:

VIEW                                                                
                     CAP_CHOWN 0                                    
              CAP_DAC_OVERRIDE 0                                    
           CAP_DAC_READ_SEARCH 0                                    
                    CAP_FOWNER 0                                    
                    CAP_FSETID 0                                    
                      CAP_KILL 0                                    
                    CAP_SETGID 0                                    
                    CAP_SETUID 0                                    
                   CAP_SETPCAP 0                                    
           CAP_LINUX_IMMUTABLE 0                                    
          CAP_NET_BIND_SERVICE 0                                    
             CAP_NET_BROADCAST 0                                    
                 CAP_NET_ADMIN 0                                    
                   CAP_NET_RAW 0                                    
                  CAP_IPC_LOCK 0                                    
                 CAP_IPC_OWNER 0                                    
                CAP_SYS_MODULE 0                                    
                 CAP_SYS_RAWIO 0                                    
                CAP_SYS_CHROOT 0                                    
                CAP_SYS_PTRACE 0                                    
                 CAP_SYS_PACCT 0                                    
                 CAP_SYS_ADMIN 0                                    
                  CAP_SYS_BOOT 1                                    
                  CAP_SYS_NICE 0                                    
              CAP_SYS_RESOURCE 1                                    
                  CAP_SYS_TIME 0                                    
            CAP_SYS_TTY_CONFIG 0                                    
                     CAP_MKNOD 0                                    
                     CAP_LEASE 0                                    
                    CAP_HIDDEN 1                                    
            CAP_KILL_PROTECTED 0                                    
                 CAP_PROTECTED 0                                    
                          LIDS 0                                    
                   LIDS_GLOBAL 1                                    
                   RELOAD_CONF 0                                    

As you can see from the output above, an LFS is enabled on this system,
but LIDS is enabled globally. Items marked 1 are enabled; items marked 0
are disabled. Apart from the last two flags, root normally has all of
these capabilities. Under LIDS, in this particular case, root has only
CAP_SYS_BOOT, CAP_SYS_RESOURCE and CAP_HIDDEN (note: CAP_HIDDEN is not a
capability that the standard Linux kernel provides).

 

4.11. How do I configure the LIDS port scan detector?

No configuration is needed. If the option was selected when configuring
the LIDS-enabled kernel, the port scan detector is enabled:

   [*]  Port Scanner Detector in kernel

 

4.12. What are the "subject" and the "object" in a LIDS ACL?

The subject is a program that runs on the Linux system, such as a binary
or a shell script. The object is what the subject tries to access: a
file, a directory or a capability.

 

4.13. Can I enable/disable system capabilities without editing
/etc/lids/lids.cap and reloading the configuration files?

Yes. However, a change made this way is not kept across a shutdown. To
enable a capability:

bash# lidsadm -S -- +CAP_SYS_ADMIN

To disable a capability:

bash# lidsadm -S -- -CAP_SYS_ADMIN

 

4.14. I reconfigured the LIDS ACLs, but the changes do not seem to take
effect. Why?

When you reconfigure LIDS there are two things to do:

 1. Reload the configuration files

 2. Restart the services (if any) affected by the change


4.15. Why does lidsconf -L not show my ACLs?

lidsconf -L must be used from an LFS or with LIDS_GLOBAL disabled. In
any other state you get this error message:

lidsconf: can not open conf file                                    
reason:: Permission denied                                          
LIST                                                                


 

4.16. How can I get LIDS violations reported on the console?

You can. Edit the syslog startup script so that klogd is started with
the "-c" option. This option sets the default level of the kernel
messages that are logged to the console. Messages with a level lower
than the specified value are shown on the console (see
include/linux/kernel.h). For example:

klogd -c 4

tells klogd to log all messages of level 4 and below to the console.

Another way to change the console log level is to modify the value in
/proc/sys/kernel/printk. For details, see the documentation in
/usr/src/linux/Documentation/sysctl/kernel.txt.

 

4.17. As a LIDS administrator, should I worry about the LD_PRELOAD
variable?

Yes. If you use a LIDS version older than 1.1.1preX, this is a problem.

For setuid programs the LD_PRELOAD variable is "sanitized", so it
cannot affect the libraries loaded by the program (a recent glibc
vulnerability aside).

The problem is with binaries that are not setuid but have been granted
special capabilities or file access. Because the LD_PRELOAD variable is
not "sanitized" before the libraries are loaded, a malicious user can
load a Trojan library, and that library then has the same special
capabilities/file access that was granted to the original program.

Possible options to reduce the risk are:

  * Every program granted special capabilities or file access must also
    be protected with normal unix file permissions so that not everyone
    can execute it (e.g. chmod o-rwx /path/to/program).

  * As a workaround, make the file setuid and owned by a user other
    than root. The LD_PRELOAD variable is then "sanitized" before the
    program runs.

Security update: as of LIDS 1.1.1preX, the LD_PRELOAD variable is
automatically disabled for all programs that LIDS grants capabilities
to. This has been back-ported to LIDS 0.10.3.

 

4.18. At boot I get the message "read password file error". How do I
fix this?

This happens when you forgot to set the LIDS password before booting
LIDS for the first time. To fix it, reboot the machine (see the question
about being locked out of the system) and set the LIDS password.

 

4.19. How do I check whether LIDS is enabled?

If lidsadm was compiled with 'make VIEW=1', you can use 'lidsadm -V' to
see whether LIDS is enabled. If it shows 'LIDS_GLOBAL 0', LIDS is
disabled. If it shows 'LIDS 0', the current session is a LIDS free
session. If lidsadm was compiled without the VIEW option, there are a
few other ways to see whether LIDS is running:

 1. Check dmesg for the line 'Linux Intrusion Detection System
    <lids-version> for <kernel-version> doesn't start'. If it says
    'Linux Intrusion Detection System <lids-version> for
    <kernel-version> starts' instead, LIDS is running.

 2. Try something you should not be able to do; if LIDS is running,
    it fails. If it succeeds, LIDS is not working.
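The 'lidsadm -V' output shown in 4.10 and the reading of the LIDS/LIDS_GLOBAL flags described above, as an added shell example that is not part of the FAQ. The sample output is constructed in the FAQ's format; on a real system you would pipe the real 'lidsadm -V' output into the functions instead.

```shell
#!/bin/sh
# Constructed sample in the format printed by "lidsadm -V" (see 4.10):
# a name column followed by 0 (disabled) or 1 (enabled).
SAMPLE_VIEW='VIEW
                     CAP_CHOWN 0
              CAP_DAC_OVERRIDE 0
                  CAP_SYS_BOOT 1
              CAP_SYS_RESOURCE 1
                    CAP_HIDDEN 1
                          LIDS 0
                   LIDS_GLOBAL 1
                   RELOAD_CONF 0'

# lids_flag NAME: print the 0/1 value of one flag or capability read from
# stdin; fail if the name is not present in the output.
lids_flag() {
    awk -v name="$1" '$1 == name { print $2; found = 1 }
                      END { if (!found) exit 1 }'
}

# lids_state: read "lidsadm -V" output on stdin and print one of
#   disabled - LIDS_GLOBAL is 0: the machine runs as a plain Linux system (4.8)
#   lfs      - LIDS_GLOBAL is 1 but LIDS is 0: this shell is in a LIDS free
#              session, so the protections do not apply to it (4.3, 4.19)
#   enabled  - both flags are 1: the protections are fully in force
lids_state() {
    out=$(cat)
    global=$(printf '%s\n' "$out" | lids_flag LIDS_GLOBAL) || return 2
    local_=$(printf '%s\n' "$out" | lids_flag LIDS) || return 2
    if [ "$global" = 0 ]; then
        echo disabled
    elif [ "$local_" = 0 ]; then
        echo lfs
    else
        echo enabled
    fi
}

# granted_caps: list the capabilities that are enabled system-wide (value 1).
# Every other capability is denied to every process, root included (4.10).
granted_caps() {
    awk '$1 ~ /^CAP_/ && $2 == 1 { print $1 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_VIEW" | lids_state
printf '%s\n' "$SAMPLE_VIEW" | granted_caps
```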
   
 

Chapter 5. Configuring LIDS

5.1. How do I protect a file as read-only?

bash# lidsconf -A -o /some/file -j READONLY

With LIDS enabled, this keeps anyone (including root) from modifying or
deleting /some/file. From within an LFS, /some/file can be modified
freely unless the file permissions are set appropriately or the
partition is mounted read-only.

 

5.2. OK, so how do I protect a directory as read-only?

The same way, except that you specify /some/directory:

bash# lidsconf -A -o /some/directory -j READONLY

When the object is a directory, LIDS protects the directory itself and,
recursively, everything below it that is on the same file system. (LIDS
ACLs do not cross file system boundaries!) This is important to
remember; otherwise you may leave part of the system unprotected
without noticing.

One directory you will want to protect as read-only is /etc:

bash# lidsconf -A -o /etc -j READONLY

 

5.3. Can I hide a file/directory from everyone?

bash# lidsconf -A -o /some/file_or_directory -j DENY

Again, this denies access to root as well. If the object is a directory,
all files and directories below it are hidden too (as long as they are
on the same file system).

 

5.4. How do I protect my log files as append-only?

bash# lidsconf -A -o /some/log/file -j APPEND

This lets anyone write to the end of the file, but nobody can change its
existing contents. The easiest way to protect the system logs as
append-only is:

bash# lidsconf -A -o /var/log -j APPEND

 

5.5. If I can't read the /etc/shadow file, how do I authenticate to my system?

Every program that authenticates users needs read-only access to /etc/shadow. Programs you may not think of as needing that access include login, sshd, su and vlock. To let the login program read /etc/shadow, use this ACL:

bash# lidsconf -A -s /bin/login -o /etc/shadow -j READONLY          

Here the "-s" option names the subject, /bin/login, which is granted read-only access to the object, /etc/shadow. As with the READONLY and DENY targets without a subject, an object that is a directory is handled recursively.

 

5.6. If I protect /etc read-only, how does mount write to /etc/mtab?

It can't. To fix this, delete the /etc/mtab file and replace it with a symbolic link to /proc/mounts. For this to work, you must also modify the boot scripts so that every mount and umount command uses the "-n" option, which stops mount and umount from trying to update /etc/mtab.

For example, a line like this:

mount -av -t nonfs,noproc                                           

found in a boot script is changed to:

mount -av -n -t nonfs,noproc                                        

The mount commands are probably scattered across the whole set of boot scripts; use grep to find them all. Then do the same for every umount command.
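The grep-and-fix step above is easy to get wrong by hand across a dozen init scripts. The following shell functions, an added example that is not part of the LIDS FAQ, report the mount/umount lines in a script that still lack "-n" and then patch them. They rely only on grep and GNU sed; the boot script used in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the LIDS FAQ: find the mount/umount invocations in
# a boot script that would try to update /etc/mtab (they lack "-n"), and add
# the flag. Lines such as "mount -nav" with -n folded into another option
# are not recognised; review the output before patching.

# mtab_writers FILE: print (with line numbers) every mount/umount command in
# FILE that does not carry -n. Comment lines and lines already using -n are
# skipped. Exits 0 even when nothing is found.
mtab_writers() {
    grep -nE '^[[:space:]]*(/bin/|/sbin/)?u?mount([[:space:]]|$)' "$1" \
        | grep -vE '(^|[[:space:]])-n([[:space:]]|$)' || true
}

# add_mount_n FILE: rewrite FILE in place, inserting " -n" right after the
# mount/umount word on every line mtab_writers would report.
add_mount_n() {
    sed -i -E \
        '/^[[:space:]]*(\/bin\/|\/sbin\/)?u?mount([[:space:]]|$)/{/(^|[[:space:]])-n([[:space:]]|$)/!s/^([[:space:]]*(\/bin\/|\/sbin\/)?u?mount)/\1 -n/}' \
        "$1"
}

# Usage on a real system (review first, then patch):
#   for f in /etc/rc.d/rc.sysinit /etc/rc.d/init.d/*; do mtab_writers "$f"; done
#   add_mount_n /etc/rc.d/rc.sysinit
```

Run mtab_writers over every boot script first and read the hits; a constructed script containing "mount -av -t nonfs,noproc", "umount -a" and "mount -n -t proc proc /proc" reports the first two lines only, and after add_mount_n the first becomes "mount -n -av -t nonfs,noproc". Note that sed -i writes a new file and renames it over the old one, which is exactly the inode change discussed later for edited files, so do this before you add ACLs for the scripts or run lidsconf -U afterwards.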

 

5.7. At boot LIDS complains that it cannot write the modules.dep file. Why?

This happens when /lib is protected read-only (which is a good thing). The error you see looks like this:

LIDS: depmod (3 12 inode 16119) pid 13203 user (0/0) on tty2: Try to open /lib/modules/2.2.18/modules.dep for writing,flag=578

The cause is the /etc/rc.d/rc.sysinit boot script trying to rebuild the module dependencies. Normally this is unnecessary: unless you add, change or remove modules, the dependencies do not change. The error is harmless, but if you want it gone, comment out the line in /etc/rc.d/rc.sysinit that rebuilds the dependencies (look for something like depmod -a).

 

5.8. If I protect the logs as append-only, how does logrotate rotate them?

It doesn't. Log rotation has to be done by hand, by running the log rotation utility while LIDS_GLOBAL is disabled. The cron job that normally rotates the logs should be disabled. (See the next question for a workaround.)

 

5.9. Why not simply grant the log rotation utility write access to the log directory and let it rotate?

You could, but it is not recommended. If somebody breaks into your system they cannot alter the logs, but they can run the rotation utility by hand as often as needed until the logs collected during the break-in have been rotated away. Not being able to rotate automatically is part of the price of a higher security level.

As a workaround for giving the rotation utility itself write access to /var/log, you can grant the cron daemon write access to /var/log with inheritance:

lidsconf -A -s /usr/sbin/crond -i -o /var/log   -j WRITE            

Now nobody can run the log rotation utility by hand, but when cron runs it, it works. Warning: if a vulnerability is found in the cron daemon, an intruder who exploits it can destroy your logs, because crond has write access to /var/log. That defeats the purpose of using MAC: wherever there is a vulnerability, the access can be abused. Use this option at your own risk!

Update: with the new time restriction feature you can limit crond's write access to /var/log to a time window instead of granting it permanently. For example, if logrotate is run by crond at 6:00 AM every day, restrict crond's write access to that minute:

/sbin/lidsconf -A -s /usr/sbin/crond -i 2 -o /var/log -t 0600-0601 -j WRITE 

If one minute is not long enough for logrotate to finish, extend the window one minute at a time until it is. The inheritance level of 2 covers crond, the shell it spawns and logrotate itself; if logrotate's postrotate commands also need to write under /var/log, raise the level accordingly.

 

5.10. With LIDS enabled, the file systems cannot be unmounted at shutdown. What should I do?

This happens when CAP_SYS_ADMIN is disabled globally and the shutdown script has not been granted the capability it needs to unmount the file systems. On Red Hat 6.2, for example, /etc/rc.d/init.d/halt is the script that unmounts the file systems, so it needs CAP_SYS_ADMIN. The following makes unmounting possible again:

bash# lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_SYS_ADMIN -i 1 -j GRANT 

The target "GRANT" tells LIDS that the subject (here /etc/rc.d/init.d/halt) may use CAP_SYS_ADMIN. The "-i 1" option sets the ACL's inheritance level to 1, so that the commands the script runs get the capability too.

Note that this lets anybody who can run /etc/rc.d/init.d/halt unmount file systems. If you have physical access to the machine, it is better not to grant the capability to the shutdown script and simply disable LIDS_GLOBAL before shutting down. But if a UPS shuts the system down automatically on power failure, nobody will be there to disable LIDS_GLOBAL.

 

5.11. Why can't I start services on privileged ports as root?

Services on privileged ports (below 1024) need CAP_NET_BIND_SERVICE to bind the port. If you disabled this capability globally in /etc/lids/lids.cap, you have to grant it to the program:

bash# lidsconf -A -s /usr/local/bin/apache -o CAP_NET_BIND_SERVICE 80 -j GRANT

Alternatively, start the service while LIDS_GLOBAL is disabled.

 

5.12. Why can't I start a service on a privileged port from an LFS?

An LFS applies to a single terminal session only. A daemon forks to detach itself from the terminal, and the child is no longer attached to the terminal that has the LFS, so it is protected by LIDS like everything else.

 

5.13. How do I disable or enable capabilities?

The /etc/lids/lids.cap file holds the list of all capabilities a LIDS-enabled Linux kernel knows about. A capability prefixed with "+" is enabled, one prefixed with "-" is disabled. To change the state, simply edit the text file: changing "+" to "-" disables the capability and vice versa. After editing the file you have to reload the configuration into LIDS.

 

5.14. Why doesn't the X Window System work with LIDS enabled?

The X server you use needs CAP_SYS_RAWIO:

bash# lidsconf -A -s /path/to/your/X_server -o CAP_SYS_RAWIO -j GRANT 


 

5.15. With all these ACLs, how do I keep my configuration straight across the whole system?

Write a shell script that adds every ACL you want to the system. Then, when you change something on the system, you don't end up with parts of it unprotected by accident. The script should begin by removing all existing ACLs, so that running it twice does not add everything twice:

bash# lidsconf -Z                                                   

To protect the script itself, either write an ACL that DENYs access to it, or place it in the /etc/lids directory, which is automatically protected with DENY.
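Because lidsconf records inode numbers when an ACL is added, a mistyped path in such a script fails part-way through and leaves the rest of the system unprotected. The function below, an added example that is not part of the LIDS FAQ, builds the ACL script from a small rule table and emits nothing unless every subject and object path exists. The rule file format ("<target> <subject or -> <object ...>") and the /etc/lids/acl.rules location in the usage comment are assumptions of this example, not LIDS conventions.

```shell
#!/bin/sh
# Added example, not from the LIDS FAQ: generate the ACL script from a rule
# table and refuse to emit anything if a subject or object path is missing.
# Rule format (an assumption of this example, one rule per line):
#   <target> <subject or -> <object ...>      "#" starts a comment
# Capability objects ("CAP_..." with an optional port list) are not paths.

# gen_acl_script ROOT RULES: print the lidsconf commands for RULES, checking
# paths under ROOT ("/" on the live system, a scratch tree when testing).
# Starts with "lidsconf -Z" so the script is safe to re-run. Returns 1 and
# prints nothing on stdout if any path is missing.
gen_acl_script() {
    root=$1; rules=$2; missing=0
    while read -r target subj obj; do
        case $target in ''|'#'*) continue ;; esac
        if [ "$subj" != "-" ] && [ ! -e "$root$subj" ]; then
            echo "missing subject: $subj" >&2; missing=1
        fi
        case $obj in
            CAP_*) ;;                       # capability objects are not paths
            *) [ -e "$root$obj" ] || { echo "missing object: $obj" >&2; missing=1; } ;;
        esac
    done < "$rules"
    [ "$missing" -eq 0 ] || return 1

    echo "/sbin/lidsconf -Z"
    while read -r target subj obj; do
        case $target in ''|'#'*) continue ;; esac
        if [ "$subj" = "-" ]; then
            echo "/sbin/lidsconf -A -o $obj -j $target"
        else
            echo "/sbin/lidsconf -A -s $subj -o $obj -j $target"
        fi
    done < "$rules"
}

# Usage on a live system (both files under /etc/lids, so hidden by default):
#   gen_acl_script / /etc/lids/acl.rules > /etc/lids/acl.sh && sh /etc/lids/acl.sh
```

With a rule file containing "READONLY - /etc", "READONLY /bin/login /etc/shadow" and "GRANT /bin/login CAP_NET_BIND_SERVICE 80", the output is the lidsconf -Z line followed by the three -A commands in the same form used throughout this FAQ; adding a rule for a nonexistent /etc/nope makes the function return 1 with an empty script, which is the point.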

 

5.16. How do I give init write access to /etc/initrunlvl so LIDS stops complaining at boot and shutdown?

Unfortunately you can't. init deletes and recreates this file at every boot, so its inode number changes, and to LIDS it is then a different file. The error is harmless; your system works fine without /etc/initrunlvl.

 

5.17. Can a process inherit file ACLs from its parent process?

Yes. From version 0.9.12 for 2.2.18 this was the default behaviour. Now, by default, children do not inherit their parent's file ACLs. To let file ACLs pass from a parent to its children, use the "-i <level>" option.

The level (also called TTL) determines the number of generations the ACL applies to. With a TTL of 1, the ACL applies to the subject named in the ACL and all of its children. The children's children (the processes spawned by the children of the subject) do not inherit the ACL (for that you need a TTL of 2).

Note: capability ACLs follow the same inheritance rules.

Security update: since LIDS 1.1.1prex and 0.10.1, only protected programs can inherit a parent's ACLs. Inheritance of ACLs by unprotected processes was a source of exploits.

 

5.18. Help! Program xyz no longer works under LIDS. How do I find out which files or capabilities it needs?

The first thing to try is simply running the program and looking at the violations LIDS reports. You may get more warnings than you expected, though. If that is not enough, use strace to trace the program and see which system calls it makes. That gives a much better picture of where the violations come from.

Note: if you have disabled CAP_SYS_PTRACE globally, you have to grant strace CAP_SYS_PTRACE temporarily so that it can trace programs while LIDS is enabled.

 

5.19. How do I give passwd the right permissions to update the /etc/shadow file?

Unfortunately there is no simple answer, because the passwd utility recreates the /etc/shadow file every time a password is changed. Every successful run of passwd leaves you with a shadow file that has a different inode.

For system administrators there is an easy way around this: start an LFS and run passwd inside it. If you have users who need to change their passwords, LDAP provides a client authentication mechanism that lets users change their own passwords.

Using the standard unix system files for authentication conflicts with letting users change their own system passwords. Still, there is a workaround: if you grant /usr/bin/passwd write access to /etc, it can modify the shadow file whatever its inode number is.

Warning: if somebody discovers a vulnerability in /usr/bin/passwd, or in one of the libraries or PAM modules it uses, that person potentially gets write access to the /etc directory. Wherever there is a vulnerability, the access can be abused, which defeats the purpose of using MAC. Use this option at your own discretion.

If you do grant /usr/bin/passwd write access to /etc, it is recommended to create ACLs that protect every file and directory under /etc that /usr/bin/passwd would otherwise be able to modify. This reduces the risk (it cannot remove it completely). For example:

/sbin/lidsconf -A -s /usr/bin/passwd -o /etc                     -j WRITE     
/sbin/lidsconf -A -s /usr/bin/passwd -o /etc/hosts.allow         -j READONLY  
/sbin/lidsconf -A -s /usr/bin/passwd -o /etc/hosts.deny          -j READONLY  
/sbin/lidsconf -A -s /usr/bin/passwd -o /etc/rc0.d               -j READONLY  
/sbin/lidsconf -A -s /usr/bin/passwd -o /etc/rc1.d               -j READONLY  
/sbin/lidsconf -A -s /usr/bin/passwd -o /etc/rc2.d               -j READONLY  
/sbin/lidsconf -A -s /usr/bin/passwd -o /etc/rc3.d               -j READONLY  
/sbin/lidsconf -A -s /usr/bin/passwd -o /etc/rc4.d               -j READONLY  
/sbin/lidsconf -A -s /usr/bin/passwd -o /etc/rc5.d               -j READONLY  
/sbin/lidsconf -A -s /usr/bin/passwd -o /etc/rc6.d               -j READONLY  
/sbin/lidsconf -A -s /usr/bin/passwd -o /etc/init.d              -j READONLY  
/sbin/lidsconf -A -s /usr/bin/passwd -o /etc/cron.d              -j READONLY  
/sbin/lidsconf -A -s /usr/bin/passwd -o /etc/pam.d               -j READONLY  
...                                                                           

This list is by no means complete, but it gives the idea. Keep in mind that whenever you add files or directories under /etc that passwd has no business touching, you must add new ACLs to protect them.

A note about updating inodes: if you have ACLs for /etc/shadow or /etc/passwd, you must tell LIDS to update its inode numbers (lidsconf -U) after a password change and then reload the configuration file. Otherwise you will run into problems.

For example: suppose /etc/passwd is protected with DENY and /bin/login is allowed to read it. If you change a password and do not update the inodes, nobody can log in any more, because /bin/login can no longer read /etc/passwd. Or, worse, everybody can log in by simply hitting <ENTER> at the password prompt.

 

5.20. Why don't ssh and scp work when LIDS is enabled?

By default ssh and scp use a privileged port as the source port when they create a connection to the server. That requires CAP_NET_BIND_SERVICE. Since a privileged source port is not needed for most setups, you can tell ssh to use ports above 1023 with this option in ssh_config:

UsePrivilegedPort no                                                

Alternatively, grant ssh (scp calls ssh, so it works too) CAP_NET_BIND_SERVICE:

lidsconf -A -s /usr/bin/ssh -o CAP_NET_BIND_SERVICE 22 -j GRANT     

Note that ssh does not bind port 22 itself; 22 is the server's port, while the client binds a free privileged source port below 1024. If your LIDS version enforces the port list given after CAP_NET_BIND_SERVICE (see the question on restricting bind ports) and the grant above does not help, you will need the range of source ports ssh actually binds. Setting UsePrivilegedPort no is the cleaner fix.


 

5.21. OpenSSH no longer starts at boot. LIDS complains that bash tried to access a hidden file and then reports an error. How do I fix that?

This happens when you protect the host keys with a default policy of DENY. The init script shipped with the openssh-server RPM checks whether the host key files exist under /etc/ssh. If the script cannot find them, it runs ssh-keygen to generate them. Because the keys are hidden, the check fails, ssh-keygen fails, and the start script exits.

To fix it, remove the key check from the boot script:

start)                                                              
      # Create keys if necessary                                    
      #do_rsa_keygen;  <------------ Comment out these lines        
      #do_dsa_keygen;                                               
                                                                    
      echo -n "Starting sshd: "                                     
      if [ ! -f $PID_FILE ] ; then                                  
              sshd                                                  
              RETVAL=$?                                             
              if [ "$RETVAL" = "0" ] ; then                         
                      success "sshd startup"                        
                      touch /var/lock/subsys/sshd                   
              else                                                  
                      failure "sshd startup"                        
              fi                                                    
      fi                                                            
      echo                                                          
      ;;                                                            

Note: this means you have to generate the host keys by hand before sshd is started for the first time; otherwise startup fails.

 

5.22. Hidden processes keep some file systems from being unmounted at shutdown. How do I kill them?

Even hidden processes can be killed if you know their process id (pid). On most systems the pids of the processes started at boot are stored somewhere under /var (usually /var/run). Modify your shutdown script to read the pids from those files and send the appropriate signals.

For example, if your system stores pids in /var/run/<process>.pid, you can add the following lines to the shutdown script:

# Ask each pid-file process to exit, then force the ones that did not.
for p in /var/run/*.pid
do
   [ -f "$p" ] || continue
   kill -15 "$(cat "$p")" 2>/dev/null
done
sleep 5
sync;sync;sync

for p in /var/run/*.pid
do
   [ -f "$p" ] || continue
   kill -9 "$(cat "$p")" 2>/dev/null
done
sleep 5
sync;sync;sync

The shutdown script containing these lines needs CAP_KILL and CAP_INIT_KILL. The /var/run directory should be hidden from everything except the init scripts; that is probably a good idea anyway.

A cruder workaround is to simply send TERM and then KILL to every process:

MAX_PROC=65535
trap : 1 2 15                    # ignore HUP/INT/TERM so the script survives
I=1;while (( $I < $MAX_PROC ));do
        I=$(($I+1));             # first pid signalled is 2; init (pid 1) is skipped
        if (( $$ != $I ));then
                kill -15 $I 2>/dev/null;
        fi;
done
sleep 5
sync;sync;sync;
I=1;
while (( $I < $MAX_PROC ));do
        I=$(($I+1));
        if (( $$ != $I ));then
                kill -9 $I 2>/dev/null;
        fi;
done
sync;sync;sync


Nenad Micic has written a C program that kills hidden processes at shutdown: <http://www.bg.ac.yu/~mclaffin/lids/mklidsconf/sbin/brc.c>.

 

5.23. I don't know where to start with a basic configuration. Is there a recommended setup that adds protection but leaves most of the system working normally?

Select these kernel options:

  ...                                                                     
  [*]    Security alert when execing unprotected programs before sealing  
  [*]      Do not execute unprotected programs before sealing lids        
  ...                                                                     
  [*]    Allow switching LIDS protections                                 
  ...                                                                     
  [*]      Allow reloading config. file                                   

A good starting point is to protect the init scripts, the system binaries and the libraries (the paths vary between distributions):

/sbin/lidsconf -A -o /etc/rc0.d                  -j READONLY        
/sbin/lidsconf -A -o /etc/rc1.d                  -j READONLY        
/sbin/lidsconf -A -o /etc/rc2.d                  -j READONLY        
/sbin/lidsconf -A -o /etc/rc3.d                  -j READONLY        
/sbin/lidsconf -A -o /etc/rc4.d                  -j READONLY        
/sbin/lidsconf -A -o /etc/rc5.d                  -j READONLY        
/sbin/lidsconf -A -o /etc/rc6.d                  -j READONLY        
/sbin/lidsconf -A -o /etc/init.d                 -j READONLY        
/sbin/lidsconf -A -o /etc/rc                     -j READONLY        
/sbin/lidsconf -A -o /etc/rc.local               -j READONLY        
/sbin/lidsconf -A -o /etc/rc.sysconfig           -j READONLY        
                                                                    
/sbin/lidsconf -A -o /bin                        -j READONLY        
/sbin/lidsconf -A -o /sbin                       -j READONLY        
/sbin/lidsconf -A -o /lib                        -j READONLY        
                                                                    
/sbin/lidsconf -A -o /usr/bin                    -j READONLY        
/sbin/lidsconf -A -o /usr/sbin                   -j READONLY        
/sbin/lidsconf -A -o /usr/lib                    -j READONLY        

If /usr/local is on a separate partition, add these ACLs as well:

/sbin/lidsconf -A -o /usr/local/bin              -j READONLY        
/sbin/lidsconf -A -o /usr/local/sbin             -j READONLY        
/sbin/lidsconf -A -o /usr/local/lib              -j READONLY        


In /etc/lids/lids.cap, disable CAP_SYS_RAWIO and CAP_SYS_PTRACE. If CAP_SYS_RAWIO is left enabled, anybody can bypass the file protection above by writing to the block device directly.

If you run the X Window System, see the question above about running X under LIDS.

 

5.24. Can access be restricted by time of day?

Yes. As of LIDS 0.10.1 for 2.2.19 and 1.0.10 for 2.4.5, ACL entries can be given a time restriction. For example, to allow logins only between 9:00 AM and 6:00 PM (18:00):

/sbin/lidsconf -A -s /bin/login -o /etc/shadow -t 0900-1800 -j READONLY 

Now /bin/login can read /etc/shadow only within that window, so login attempts outside it fail. The "!" operator negates a time range (e.g. allow access at all times except the listed window).

If you give crond time-restricted grants, it is recommended to hide all crontabs (from root too) and allow only crond to read them. Otherwise an intruder can read the crontabs and learn at what times which programs run with what capabilities. Don't forget the system crontabs, not just the users' ones.

For example, the following should be hidden:

/var/spool/cron/                                                    
/etc/crontab                                                        
/etc/cron.hourly/                                                   
/etc/cron.daily/                                                    
/etc/cron.weekly/                                                   
/etc/cron.monthly/                                                  
/etc/cron.d/                                                        


Warning: this feature depends on the system clock, so do not grant CAP_SYS_RAWIO to programs that can change the system time (e.g. /sbin/hwclock). Otherwise an intruder can change the clock and slip past the time restriction. (Setting the kernel clock with settimeofday needs CAP_SYS_TIME, so keep that capability globally disabled as well.)

 

5.25. How do I restrict the ports a program may bind?

LIDS 0.10.1 for 2.2.19 and 1.0.11 for 2.4.6 can restrict which ports a program is allowed to bind. When you grant a program CAP_NET_BIND_SERVICE, list the port (range) after the capability, like this:

/sbin/lidsconf -A -s /bin/httpd -o CAP_NET_BIND_SERVICE 80-80 -j GRANT

Or, if the program also needs port 443 for SSL:

/sbin/lidsconf -A -s /bin/httpd -o CAP_NET_BIND_SERVICE 80-80,443-443 -j GRANT

If a program needs a range of ports, try this:

/sbin/lidsconf -A -s /path/to/program -o CAP_NET_BIND_SERVICE 423-867 -j GRANT
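Before writing such a grant it is worth checking that the port list really covers what the daemon binds, and that it does not contain ranges above 1023, which never needed CAP_NET_BIND_SERVICE and usually mean the list was copied from a config file rather than derived from the daemon's privileged ports. The functions below, an added example that is not part of the LIDS FAQ, parse the "lo-hi,lo-hi" syntax shown above (a bare port such as "80" is treated as "80-80", matching the earlier examples in this FAQ); that reading of the syntax is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the LIDS FAQ: check a port against a LIDS-style
# CAP_NET_BIND_SERVICE port list ("80-80,443-443", "423-867", or a bare
# "80") before granting it, and flag ranges that lie above the privileged
# band (ports from 1024 up need no capability to bind).

# port_allowed SPEC PORT: exit 0 if PORT lies in one of SPEC's ranges.
port_allowed() {
    spec=$1; port=$2
    old_ifs=$IFS; IFS=,
    for range in $spec; do
        lo=${range%-*}; hi=${range#*-}        # "80" gives lo=hi=80
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# unprivileged_ranges SPEC: print each range whose low end is >= 1024.
# Such entries are harmless but show the grant was not thought through.
unprivileged_ranges() {
    old_ifs=$IFS; IFS=,
    for range in $1; do
        lo=${range%-*}
        [ "$lo" -ge 1024 ] && echo "$range"
    done
    IFS=$old_ifs
    return 0
}

# Usage: port_allowed "80-80,443-443" 443 && echo "443 covered"
#        unprivileged_ranges "80-80,3306-3306"   # prints 3306-3306
```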


 

5.26. With /etc/mtab a symbolic link to /proc/mounts, do user quotas still work?

Yes; just start quotaon with the "-a" option.

 

5.27. After I edited a file protected by LIDS, LIDS no longer protects it. Why?

Most editors (vi, for instance) copy the file they are editing to a temporary file; all changes go to that copy. When you quit the editor, the temporary file is renamed over the original. The original file's inode changes, and the LIDS ACLs that referred to the file no longer match. Run

/sbin/lidsconf -U                                                   

to update the file inodes in lids.conf, and then reload the configuration into LIDS.
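The inode change described here, and in the passwd question above, is easy to see for yourself and just as easy to check for before reloading. The following functions are an added example, not part of the LIDS FAQ or of lidsconf: record_inodes produces a constructed "path inode" table standing in for what lidsconf keeps in lids.conf, editor_save reproduces the temp-file-and-rename pattern an editor (or passwd) uses, and stale_entries reports the paths whose inode no longer matches, which is exactly when lidsconf -U followed by a config reload is needed.

```shell
#!/bin/sh
# Added example, not from the LIDS FAQ: show why an editor's save (or
# passwd's rewrite of /etc/shadow) changes the inode LIDS recorded, and
# detect stale entries before reloading. The "recorded inode" table is a
# stand-in for lids.conf; the files are created under a scratch directory.

# record_inodes FILE...: print "path inode" for each file, as of now.
record_inodes() {
    for f in "$@"; do
        printf '%s %s\n' "$f" "$(stat -c %i "$f")"
    done
}

# editor_save FILE CONTENT: what vi does on :w - write a temporary copy
# and rename it over the original. The path survives, the inode does not.
editor_save() {
    printf '%s\n' "$2" > "$1.tmp" && mv "$1.tmp" "$1"
}

# stale_entries < TABLE: print each path whose current inode differs from
# the recorded one (or which is gone). Exit 1 if anything is stale, so a
# script can decide to run "lidsconf -U" and reload the configuration.
stale_entries() {
    rc=0
    while read -r path inode; do
        now=$(stat -c %i "$path" 2>/dev/null || echo missing)
        if [ "$now" != "$inode" ]; then
            echo "$path"
            rc=1
        fi
    done
    return $rc
}

# Usage: record_inodes /etc/shadow /etc/passwd > /root/inodes.txt
#        ...later...
#        stale_entries < /root/inodes.txt || echo "run lidsconf -U and reload"
```

stat -c %i is GNU coreutils syntax, which is what a LIDS kernel's userland has. On a system where lidsconf -L lists the inode/dev pairs it stored, the same comparison can be driven from that output instead of a hand-kept table.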

 

5.28. After I updated the LIDS configuration, some processes seem to have lost their capabilities.

This happens with capability inheritance. Consider the following situation: a parent process passes its capabilities on to its children, then the parent exits while the children keep running. If you now start an LFS, change the ACLs and reload the configuration, LIDS recomputes each process's capabilities based on those of its parent process. Because the parent no longer exists, the children cannot receive the capabilities from it, and you get errors.

 

Chapter 6. Configuring security alerts

6.1. Which kernel configuration options are needed to send security alerts over the network?


[*]   Send security alerts through network                          
[ ]      Hide klids kernel thread                                   
(3)      Number of connection tries before giving up                
(30)     Sleep time after a failed connection                       
(16)     Message queue size                                         
[*]      Use generic mailer pseudo-script                           

The first option enables security alerts. The second hides the process that sends them; we recommend leaving it off until mail notification works, because with the sender hidden you also lose its error messages in the logs. The last option tells LIDS to use the generic mail script LIDS provides to deliver the alert messages to your mail server. It is the best option at the moment.

 

6.2. Where do I specify the mail server and the e-mail address LIDS sends alerts to?

Everything needed to send security alerts is configured in the /etc/lids/lids.net file; each option is described in the file itself. When you specify the e-mail address, make sure there is no whitespace before or after it, or delivery may fail. For example, neither of these MAIL_TO lines works:

"MAIL_TO= steve@somedomain.org"                                     
"MAIL_TO=steve@somedomain.org "                                     

Note: the double quotes are only there to make the stray spaces visible; don't put them in the actual file.

After changing /etc/lids/lids.net, tell LIDS to reload the configuration file.

 

6.3. LIDS doesn't seem to deliver alerts to my qmail SMTP server. Can that be fixed?

Yes. With LIDS 0.9.12 and earlier, a patch is required for the e-mail alerts to work with a qmail SMTP server. The patch is at http://www.egroups.com/message/lids/1896.

 

Chapter 7. Sample configurations

Note: LIDS development moves fast and the software packages involved keep changing, so parts of these configurations may be out of date. They should nevertheless be a good starting point for anyone configuring the services listed here.

 

7.1. Basic system setup

This is a sample configuration for a basic system.

# Protect System Binaries                                                     
#                                                                             
/sbin/lidsconf -A -o /sbin                               -j READONLY          
/sbin/lidsconf -A -o /bin                                -j READONLY          
                                                                              
# Protect all of /usr and /usr/local                                          
# (This assumes /usr/local is on a separate file system).                     
#                                                                             
/sbin/lidsconf -A -o /usr                                -j READONLY          
/sbin/lidsconf -A -o /usr/local                          -j READONLY          
                                                                              
# Protect the System Libraries                                                
#(/usr/lib is protected above since /usr/lib generally isn't                  
# on a separate file system than /usr)                                        
#                                                                             
/sbin/lidsconf -A -o /lib                                -j READONLY          
                                                                              
# Protect /opt                                                                
#                                                                             
/sbin/lidsconf -A -o /opt                               -j READONLY           
                                                                              
# Protect System Configuration files                                          
#                                                                             
/sbin/lidsconf -A -o /etc                                -j READONLY          
/sbin/lidsconf -A -o /usr/local/etc                      -j READONLY          
/sbin/lidsconf -A -o /etc/shadow                         -j DENY              
/sbin/lidsconf -A -o /etc/lilo.conf                      -j DENY              
                                                                              
# Enable system authentication                                                
#                                                                             
/sbin/lidsconf -A -s /bin/login -o /etc/shadow           -j READONLY          
/sbin/lidsconf -A -s /usr/bin/vlock -o /etc/shadow       -j READONLY          
/sbin/lidsconf -A -s /bin/su -o /etc/shadow              -j READONLY          
/sbin/lidsconf -A -s /bin/su \                                                
                  -o CAP_SETUID                          -j GRANT             
/sbin/lidsconf -A -s /bin/su \                                                
                  -o CAP_SETGID                          -j GRANT             
                                                                              
# Protect the boot partition                                                  
#                                                                             
/sbin/lidsconf -A -o /boot                               -j READONLY          
                                                                              
# Protect root's home dir, but allow bash history                             
#                                                                             
/sbin/lidsconf -A -o /root                               -j READONLY          
/sbin/lidsconf -A -s /bin/bash -o /root/.bash_history    -j WRITE             
                                                                              
# Protect system logs                                                         
#                                                                             
/sbin/lidsconf -A -o /var/log                            -j APPEND            
/sbin/lidsconf -A -s /bin/login -o /var/log/wtmp         -j WRITE             
/sbin/lidsconf -A -s /bin/login -o /var/log/lastlog      -j WRITE             
/sbin/lidsconf -A -s /sbin/init -o /var/log/wtmp         -j WRITE             
/sbin/lidsconf -A -s /sbin/init -o /var/log/lastlog      -j WRITE             
/sbin/lidsconf -A -s /sbin/halt -o /var/log/wtmp         -j WRITE             
/sbin/lidsconf -A -s /sbin/halt -o /var/log/lastlog      -j WRITE             
/sbin/lidsconf -A -s /etc/rc.d/rc.sysinit \                                   
                  -o /var/log/wtmp -i 1                  -j WRITE             
/sbin/lidsconf -A -s /etc/rc.d/rc.sysinit \                                   
                  -o /var/log/lastlog -i 1               -j WRITE             
                                                                              
# Startup                                                                     
#                                                                             
/sbin/lidsconf -A -s /sbin/hwclock -o /etc/adjtime       -j WRITE             
                                                                              
                                                                              
# Shutdown                                                                    
#                                                                             
/sbin/lidsconf -A -s /sbin/init -o CAP_INIT_KILL         -j GRANT             
/sbin/lidsconf -A -s /sbin/init -o CAP_KILL              -j GRANT             
                                                                              
# Give the following init script the proper privileges to kill processes and  
# unmount the file systems.  However, anyone who can execute these scripts    
# by themselves can effectively kill your processes.  It's better than        
# the alternative, however.                                                   
#                                                                             
# Any ideas on how to get around this are welcome!                            
#                                                                             
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt \                                  
                  -o CAP_INIT_KILL -i 1                  -j GRANT             
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt \                                  
                  -o CAP_KILL -i 1                       -j GRANT             
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt \                                  
                  -o CAP_NET_ADMIN -i 1                  -j GRANT             
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt \                                  
                  -o CAP_SYS_ADMIN -i 1                  -j GRANT             
                                                                              
# Other                                                                       
#                                                                             
/sbin/lidsconf -A -s /sbin/update -o CAP_SYS_ADMIN       -j GRANT             


 

7.2. Apache

This sample assumes Apache is installed in /usr/local/apache, with its log directory in /var/log/httpd and its configuration directory in /etc/httpd. Adjust the paths in the ACLs to your own setup. With this configuration Apache must be started before the kernel is sealed, while LIDS_GLOBAL is still disabled, so that it can bind port 80 (and possibly 443).

/sbin/lidsconf -A -s /usr/local/apache/bin/httpd \                    
                  -o CAP_SETUID                          -j GRANT     
/sbin/lidsconf -A -s /usr/local/apache/bin/httpd \                    
                  -o CAP_SETGID                          -j GRANT     
                                                                      
# Config files                                                        
/sbin/lidsconf -A -o /etc/httpd                          -j DENY      
/sbin/lidsconf -A -s /usr/local/apache/bin/httpd \                    
                  -o /etc/httpd                          -j READONLY  
                                                                      
# Server Root                                                         
/sbin/lidsconf -A -o /usr/local/apache                   -j DENY      
/sbin/lidsconf -A -s /usr/local/apache/bin/httpd \                    
                  -o /usr/local/apache                   -j READONLY  
                                                                      
# Log Files                                                           
/sbin/lidsconf -A -o /var/log/httpd                      -j DENY      
/sbin/lidsconf -A -s /usr/local/apache/bin/httpd \                    
                  -o /var/log/httpd                      -j APPEND    
/sbin/lidsconf -A -s /usr/local/apache/bin/httpd \                    
                  -o /usr/local/apache/logs              -j WRITE     


 

7.3. Qmail

These ACLs are for a qmail setup installed according to Dave Sill's Life with qmail <http://Web.InfoAve.Net/~dsill/lwq.html>. With this configuration qmail must be started before the kernel is sealed, while LIDS_GLOBAL is still disabled, so that tcpserver can bind port 25.

# setup                                                                       
/sbin/lidsconf -A -o /var/qmail                          -j READONLY          
/sbin/lidsconf -A -s /usr/local/bin/multilog \                                
                  -o /var/log/qmail                      -j WRITE             
/sbin/lidsconf -A -s /usr/local/bin/svc \                                     
                  -o /var/qmail/supervise                -j WRITE             
                                                                              
# queue access                                                                
#                                                                             
/sbin/lidsconf -A -s /var/qmail/bin/qmail-inject \                            
                  -o /var/qmail/queue                    -j WRITE             
/sbin/lidsconf -A -s /var/qmail/bin/qmail-rspawn \                            
                  -o /var/qmail/queue                    -j WRITE             
/sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \                            
                  -o /var/qmail/queue                    -j WRITE             
/sbin/lidsconf -A -s /var/qmail/bin/qmail-queue \                             
                  -o /var/qmail/queue                    -j WRITE             
/sbin/lidsconf -A -s /var/qmail/bin/qmail-clean \                             
                  -o /var/qmail/queue                    -j WRITE             
/sbin/lidsconf -A -s /var/qmail/bin/qmail-send \                              
                  -o /var/qmail/queue                    -j WRITE             
/sbin/lidsconf -A -s /var/qmail/bin/qmail-remote \                            
                  -o /var/qmail/queue                    -j WRITE             
                                                                              
# Access to local mail boxes                                                  
/sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \                            
                  -o CAP_SETUID                          -j GRANT             
/sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \                            
                  -o CAP_SETGID                          -j GRANT             
/sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \                            
                  -o CAP_DAC_OVERRIDE                    -j GRANT             
/sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \                            
                  -o CAP_DAC_READ_SEARCH                 -j GRANT             
                                                                              
                                                                              
# Remote delivery                                                             
/sbin/lidsconf -A -s /var/qmail/bin/qmail-rspawn \                            
                  -o CAP_NET_BIND_SERVICE -i -1          -j GRANT             
                                                                              
# supervise                                                                   
                                                                              
/sbin/lidsconf -A -s /usr/local/bin/supervise \                               
                  -o /var/qmail/supervise/qmail-smtpd/supervise     -j WRITE  
/sbin/lidsconf -A -s /usr/local/bin/supervise \                               
                  -o /var/qmail/supervise/qmail-smtpd/log/supervise -j WRITE  
/sbin/lidsconf -A -s /usr/local/bin/supervise \                               
                  -o /var/qmail/supervise/qmail-send/supervise      -j WRITE  
/sbin/lidsconf -A -s /usr/local/bin/supervise \                               
                  -o /var/qmail/supervise/qmail-send/log/supervise  -j WRITE  


 

7.4. Dnscache & Tinydns (djbdns)

These ACLs are for a djbdns setup installed according to parts 1 <http://www.securityfocus.com/focus/sun/articles/dnscache.html> and 2 <http://www.securityfocus.com/focus/sun/articles/dnscache2.html> of Jeremy Rauch's Installing djbdns (DNScache) for Name Service. With this configuration dnscache and tinydns must either be started before the kernel is sealed, or LIDS_GLOBAL must be disabled while they bind port 53.

# dnscache                                                            
#                                                                     
/sbin/lidsconf -A -o /var/dnscache                        -j READONLY 
/sbin/lidsconf -A -s /usr/local/bin/supervise \                       
                  -o /var/dnscache/dnscache/supervise     -j WRITE    
/sbin/lidsconf -A -s /usr/local/bin/supervise \                       
                  -o /var/dnscache/dnscache/log/supervise -j WRITE    
/sbin/lidsconf -A -s /usr/local/bin/multilog \                        
                  -o /var/dnscache/dnscache/log/main      -j WRITE    
                                                                      
# tinydns                                                             
#                                                                     
/bin/echo "tinydns"                                                   
                                                                      
/sbin/lidsconf -A -s /usr/local/bin/supervise \                       
                  -o /var/dnscache/tinydns/supervise      -j WRITE    
/sbin/lidsconf -A -s /usr/local/bin/supervise \                       
                  -o /var/dnscache/tinydns/log/supervise  -j WRITE    
/sbin/lidsconf -A -s /usr/local/bin/multilog \                        
                  -o /var/dnscache/tinydns/log/main       -j WRITE    



7.5. Courier-imap

These ACLs assume that courier-imap is installed in
/usr/local/courier-imap. With this configuration, courier-imap must be
started before the kernel is sealed, or while LIDS_GLOBAL is disabled,
so that it can bind to port 143.

/sbin/lidsconf -A -o /usr/local/courier-imap                     -j DENY      
                                                                              
/sbin/lidsconf -A -s /usr/local/courier-imap/sbin/imaplogin \                 
                  -o /etc/shadow                                 -j READONLY  
/sbin/lidsconf -A -s /usr/local/courier-imap/libexec/authlib/authpam \        
                  -o /etc/shadow                                 -j READONLY  
/sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \            
                  -o /usr/local/courier-imap                     -j READONLY  
                                                                              
/sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \            
                  -o CAP_SETUID -i 3                             -j GRANT     
/sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \            
                  -o CAP_SETGID -i 3                             -j GRANT     
/sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \            
                  -o CAP_DAC_OVERRIDE -i 3                       -j GRANT     
/sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \            
                  -o CAP_DAC_READ_SEARCH -i 3                    -j GRANT     



7.6. MySQL

These ACLs assume that MySQL is installed in /usr/local/mysql.

/sbin/lidsconf -A -o /usr/local/mysql/var                -j APPEND    
                                                                      
/sbin/lidsconf -A -o /usr/local/mysql                    -j DENY      
/sbin/lidsconf -A -s /usr/local/mysql/libexec/mysqld \                
                  -o /usr/local/mysql                    -j READONLY  
/sbin/lidsconf -A -s /usr/local/mysql/libexec/mysqld \                
                  -o /usr/local/mysql/var                -j WRITE     



7.7. OpenSSH (3.4p1)

This configuration grants sshd CAP_NET_BIND_SERVICE, so sshd works even
when it is started while LIDS_GLOBAL is enabled.

/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/shadow      -j READONLY 
                                                                    
/sbin/lidsconf -A -o /etc/ssh/sshd_config               -j DENY     
/sbin/lidsconf -A -o /etc/ssh/ssh_host_key              -j DENY     
/sbin/lidsconf -A -o /etc/ssh/ssh_host_dsa_key          -j DENY     
                                                                    
/sbin/lidsconf -A -s /usr/sbin/sshd \                               
                  -o /etc/ssh/sshd_config               -j READONLY 
/sbin/lidsconf -A -s /usr/sbin/sshd \                               
                  -o /etc/ssh/ssh_host_key              -j READONLY 
/sbin/lidsconf -A -s /usr/sbin/sshd \                               
                  -o /etc/ssh/ssh_host_dsa_key          -j READONLY 
                                                                    
/sbin/lidsconf -A -s /usr/sbin/sshd \                               
                  -o /var/log/wtmp                      -j WRITE    
/sbin/lidsconf -A -s /usr/sbin/sshd \                               
                  -o /var/log/lastlog                   -j WRITE    
                                                                    
/sbin/lidsconf -A -s /usr/sbin/sshd \                               
                  -o CAP_SETUID                         -j GRANT    
/sbin/lidsconf -A -s /usr/sbin/sshd \                               
                  -o CAP_SETGID                         -j GRANT    
/sbin/lidsconf -A -s /usr/sbin/sshd \                               
                  -o CAP_FOWNER                         -j GRANT    
/sbin/lidsconf -A -s /usr/sbin/sshd \                               
                  -o CAP_CHOWN                          -j GRANT    
/sbin/lidsconf -A -s /usr/sbin/sshd \                               
                  -o CAP_DAC_OVERRIDE                   -j GRANT    
/sbin/lidsconf -A -s /usr/sbin/sshd \                               
                  -o CAP_NET_BIND_SERVICE 22-22         -j GRANT    
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o CAP_SYS_CHROOT                     -j GRANT
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o CAP_SYS_RESOURCE                   -j GRANT
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o CAP_SYS_TTY_CONFIG                 -j GRANT



7.8. OpenLDAP (slapd)

This configuration grants slapd CAP_NET_BIND_SERVICE, so slapd works
even when it is started while LIDS_GLOBAL is enabled.

/sbin/lidsconf -A -s /usr/local/libexec/slapd \                         
                  -o /usr/local/ldapdb                  -j WRITE        
/sbin/lidsconf -A -s /usr/local/libexec/slapd \                         
                  -o CAP_NET_BIND_SERVICE                -j GRANT       
/sbin/lidsconf -A -s /usr/local/libexec/slapd \                         
                  -o CAP_INIT_KILL                       -j GRANT       
/sbin/lidsconf -A -s /usr/local/libexec/slapd \                         
                  -o CAP_SYS_MODULE                      -j GRANT       



7.9. Port Sentry

This configuration grants portsentry CAP_NET_BIND_SERVICE, so
portsentry works even when it is started while LIDS_GLOBAL is enabled.
Depending on what you want portsentry to do, not all of these ACLs may
be necessary.

/sbin/lidsconf -A -s /usr/local/psionic/portsentry/portsentry \
                  -o /usr/local/psionic/portsentry             -j WRITE
/sbin/lidsconf -A -s /usr/local/psionic/portsentry/portsentry \
                  -o /var/log                                  -j WRITE
/sbin/lidsconf -A -s /usr/local/psionic/portsentry/portsentry \
                  -o CAP_NET_BIND_SERVICE                      -j GRANT

# For portsentry to be able to update the firewall:
/sbin/lidsconf -A -s /usr/local/psionic/portsentry/portsentry \
                  -o CAP_NET_RAW -i 1                          -j GRANT

# For portsentry to be able to update /etc/hosts.allow and/or /etc/hosts.deny:
/sbin/lidsconf -A -s /usr/local/psionic/portsentry/portsentry \
                  -o /etc/hosts.allow                          -j WRITE
/sbin/lidsconf -A -s /usr/local/psionic/portsentry/portsentry \
                  -o /etc/hosts.deny                           -j WRITE



7.10. Samba

With this configuration, Samba must be started before the kernel is
sealed, or while LIDS_GLOBAL is disabled, so that it can bind to ports
137 & 139.

/sbin/lidsconf -A -o /etc/samba -j READONLY
/sbin/lidsconf -A -o /var/samba -j READONLY
/sbin/lidsconf -A -s /usr/sbin/smbd -o /var/samba -j WRITE
/sbin/lidsconf -A -s /usr/sbin/nmbd -o /var/samba -j WRITE

# smbd needs write access to smbpasswd to chmod it.  i think it
# also needs access to MACHINE.SID
/sbin/lidsconf -A -s /usr/sbin/smbd -o /etc/samba -j WRITE
/sbin/lidsconf -A -s /usr/sbin/smbd -o /etc/shadow -j READONLY

/sbin/lidsconf -A -s /usr/sbin/smbd -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /usr/sbin/smbd -o CAP_SETGID -j GRANT
/sbin/lidsconf -A -s /usr/sbin/smbd -o CAP_HIDDEN -j GRANT

# LIDS complains about smbd trying to chroot to /
# everything still seems to work without it, though
# (and isn't chrooting to / kinda pointless anyway?)
#/sbin/lidsconf -A -s /usr/sbin/smbd -o CAP_SYS_CHROOT -j GRANT
/sbin/lidsconf -A -s /usr/sbin/nmbd -o CAP_HIDDEN -j GRANT



7.11. Linux HA heartbeat


/sbin/lidsconf -A -o /usr/lib/heartbeat/heartbeat                -j READONLY
/sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                  -o CAP_NET_BIND_SERVICE -i -1                  -j GRANT
/sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                  -o CAP_SYS_RAWIO -i -1                         -j GRANT
/sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                  -o CAP_NET_BROADCAST -i -1                     -j GRANT
/sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                  -o CAP_NET_ADMIN -i -1                         -j GRANT
/sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                  -o CAP_NET_RAW -i -1                           -j GRANT
/sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                  -o CAP_SYS_ADMIN -i -1                         -j GRANT

# For sending Gratuitous Arps

/sbin/lidsconf -A -o /usr/lib/heartbeat/send_arp                 -j READONLY
/sbin/lidsconf -A -s /usr/lib/heartbeat/send_arp \
                  -o CAP_NET_RAW -i -1                           -j GRANT

# For modifying the routing table when the IP address changes

/sbin/lidsconf -A -o /sbin/route                                 -j READONLY
/sbin/lidsconf -A -s /sbin/route -o CAP_NET_ADMIN -i 0           -j GRANT

#
# Protect the heartbeat configuration and authentication key.
#
/sbin/lidsconf -A -o /etc/ha.d/ha.cf                             -j READONLY
/sbin/lidsconf -A -o /etc/ha.d/haresources                       -j READONLY
/sbin/lidsconf -A -o /etc/ha.d/authkeys                          -j DENY

#
# Only heartbeat can see the authkey
#
/sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                  -o /etc/ha.d/authkeys                          -j READONLY



7.12. Bind 9.x


/sbin/lidsconf -A -s /usr/sbin/named  -o CAP_NET_BIND_SERVICE 53 -j GRANT 
/sbin/lidsconf -A -s /usr/sbin/named  -o CAP_SETPCAP             -j GRANT 
/sbin/lidsconf -A -s /usr/sbin/named  -o CAP_SYS_CHROOT          -j GRANT 
/sbin/lidsconf -A -s /usr/sbin/named  -o CAP_SYS_RESOURCE        -j GRANT 
/sbin/lidsconf -A -s /usr/sbin/named  -o CAP_SETUID              -j GRANT 
/sbin/lidsconf -A -s /usr/sbin/named  -o CAP_SETGID              -j GRANT 



7.13. Sendmail


# Sendmail LIDS rules (using infinite inheritance for the sendmail
# children and delivery agents to work properly, but a lower inheritance
# like 2 or 3 would probably work as well.)

# Lock down /etc/mail if it's not already done elsewhere
/sbin/lidsconf -A -o /etc/mail -j READONLY

/sbin/lidsconf -A -o /usr/sbin/sendmail -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sendmail -o /etc/shadow -j READONLY -i -1
/sbin/lidsconf -A -s /usr/sbin/sendmail -o /etc/passwd -j READONLY -i -1
/sbin/lidsconf -A -s /usr/sbin/sendmail -o /etc/mail   -j READONLY -i -1
/sbin/lidsconf -A -s /usr/sbin/sendmail -o /etc/mail/aliases    -j WRITE -i -1
/sbin/lidsconf -A -s /usr/sbin/sendmail -o /etc/mail/aliases.db -j WRITE -i -1
/sbin/lidsconf -A -s /usr/sbin/sendmail -o CAP_SETUID -j GRANT -i -1
/sbin/lidsconf -A -s /usr/sbin/sendmail -o CAP_SETGID -j GRANT -i -1
/sbin/lidsconf -A -s /usr/sbin/sendmail -o CAP_SYS_ADMIN -j GRANT -i -1
/sbin/lidsconf -A -s /usr/sbin/sendmail -o CAP_NET_BIND_SERVICE 25-25 -j GRANT -i -1

# Depending on how you have the log files secured
# (The maillog will normally get rotated out and this
# rule will stop working when that happens unless you
# stop the log rotation.)

/sbin/lidsconf -A -s /usr/sbin/sendmail -o /var/log/maillog -j APPEND -i -1



7.14. Apcupsd


/sbin/lidsconf -A -o /etc/apcupsd                                        -j DENY      
/sbin/lidsconf -A -s /sbin/apcupsd -o /etc/apcupsd                       -j READONLY  
/sbin/lidsconf -A -s /sbin/apcupsd -o CAP_HIDDEN -i -1                   -j GRANT     



7.15. Pump


/sbin/lidsconf -A -s /sbin/pump -o CAP_NET_BIND_SERVICE 68-68            -j GRANT 
/sbin/lidsconf -A -s /sbin/pump -o CAP_NET_RAW                           -j GRANT 
/sbin/lidsconf -A -s /sbin/pump -o CAP_HIDDEN                            -j GRANT 



7.16. Snort


/sbin/lidsconf -A -s /usr/sbin/snort -o CAP_DAC_OVERRIDE                 -j GRANT 
/sbin/lidsconf -A -s /usr/sbin/snort -o CAP_NET_RAW                      -j GRANT 
/sbin/lidsconf -A -s /usr/sbin/snort -o CAP_HIDDEN                       -j GRANT 
/sbin/lidsconf -A -s /usr/sbin/snort -o CAP_SETUID                       -j GRANT 
/sbin/lidsconf -A -s /usr/sbin/snort -o CAP_SETGID                       -j GRANT 



7.17. Getty


/sbin/lidsconf -A -s /sbin/getty -o CAP_DAC_OVERRIDE                     -j GRANT 
/sbin/lidsconf -A -s /sbin/getty -o CAP_HIDDEN                           -j GRANT 



7.18. Login


/sbin/lidsconf -A -s /bin/login -o /etc/shadow                           -j READONLY  
/sbin/lidsconf -A -s /bin/login -o CAP_SETUID                            -j GRANT     
/sbin/lidsconf -A -s /bin/login -o CAP_SETGID                            -j GRANT     
/sbin/lidsconf -A -s /bin/login -o CAP_CHOWN                             -j GRANT     
/sbin/lidsconf -A -s /bin/login -o CAP_FSETID                            -j GRANT     



7.19. Su


/sbin/lidsconf -A -s /bin/su -o /etc/shadow                              -j READONLY  
/sbin/lidsconf -A -s /bin/su -o CAP_SETUID                               -j GRANT     
/sbin/lidsconf -A -s /bin/su -o CAP_SETGID                               -j GRANT     



7.20. Exim


/sbin/lidsconf -A -s /usr/sbin/exim -o CAP_SETGID -j GRANT          
/sbin/lidsconf -A -s /usr/sbin/exim -o CAP_SETUID -j GRANT          



7.21. Qpopper


/sbin/lidsconf -A -s /usr/sbin/in.qpopper -o /etc/shadow -j READONLY



7.22. Proftp


/sbin/lidsconf -A -s /usr/sbin/proftpd  -o CAP_SETGID -j GRANT      
/sbin/lidsconf -A -s /usr/sbin/proftpd  -o CAP_SETUID -j GRANT      
/sbin/lidsconf -A -s /usr/sbin/proftpd  -o CAP_SYS_CHROOT -j GRANT  
/sbin/lidsconf -A -s /usr/sbin/proftpd  -o /etc/shadow -j READONLY  



7.23. Aproxy


/sbin/lidsconf -A -s /path/to/aproxy -i 2 -o CAP_NET_BIND_SERVICE 25,110,119 -j GRANT 



7.24. Squid


/sbin/lidsconf -A -o /var/spool/squid -j DENY                                           
/sbin/lidsconf -A -s /usr/sbin/squid   -i 2 -o /var/spool/squid               -j WRITE  
/sbin/lidsconf -A -s /usr/sbin/squid   -i 2 -o /var/log/squid                 -j WRITE  
/sbin/lidsconf -A -s /etc/init.d/squid -i 2 -o /var/spool/squid               -j WRITE  
/sbin/lidsconf -A -s /usr/sbin/squid        -o CAP_NET_BIND_SERVICE 3128,3130 -j GRANT  



7.25. Innd


/sbin/lidsconf  -A -o /usr/local/news -j DENY                                         
                                                                                      
/sbin/lidsconf  -A -s /usr/local/news/bin/ctlinnd    -o /usr/local/news      -j WRITE 
/sbin/lidsconf  -A -s /usr/local/news/bin/innd       -o /usr/local/news      -j WRITE 
/sbin/lidsconf  -A -s /usr/local/news/bin/nnrpd      -o /usr/local/news      -j WRITE 
/sbin/lidsconf  -A -s /usr/local/news/bin/nnrpd \                                     
                                          -o /usr/local/news/spool/overview  -j WRITE 
/sbin/lidsconf  -A -s /usr/local/news/bin/rc.news    -o /usr/local/news      -j WRITE 
/sbin/lidsconf  -A -s /usr/local/news/bin/shlock     -o /usr/local/news/run/ -j WRITE 
/sbin/lidsconf  -A -s /usr/local/news/bin/innwatch   -o /usr/local/news/run/ -j WRITE 
/sbin/lidsconf  -A -s /usr/local/news/bin/innconfval -o /usr/local/news/     -j WRITE 
/sbin/lidsconf  -A -s /usr/local/news/bin/innmail    -o /usr/local/news/     -j WRITE 
/sbin/lidsconf  -A -s /usr/local/news/bin/inndstart  -o /usr/local/news/     -j WRITE 
                                                                                      
/sbin/lidsconf  -A -s /usr/local/news/bin/inndstart \                                 
                                       -o CAP_NET_BIND_SERVICE 119 -j GRANT           
/sbin/lidsconf  -A -s /usr/local/news/bin/inndstart  -o CAP_SETGID -j GRANT           
/sbin/lidsconf  -A -s /usr/local/news/bin/inndstart  -o CAP_SETUID -j GRANT           
/sbin/lidsconf  -A -s /usr/local/news/bin/nnrpd      -o CAP_SETUID -j GRANT           
/sbin/lidsconf  -A -s /usr/local/news/bin/nnrpd      -o CAP_SETGID -j GRANT           



7.26. Postfix

This is the postfix configuration for a Debian GNU/Linux Woody (3.0)
system on which everything runs. The CAP_HIDDEN parts are optional.

/sbin/lidsconf -A -o /etc/postfix               -j DENY             
/sbin/lidsconf -A -o /var/spool/postfix         -j DENY             
                                                                    
/sbin/lidsconf -A -s /etc/init.d/postfix \                          
                  -o /etc/postfix               -j READONLY -i 1    
/sbin/lidsconf -A -s /etc/init.d/postfix \                          
                  -o /var/spool/postfix         -j WRITE    -i 1    
/sbin/lidsconf -A -s /usr/sbin/postfix   \                          
                  -o /etc/postfix               -j READONLY -i 4    
/sbin/lidsconf -A -s /usr/sbin/postfix   \                          
                  -o /var/spool/postfix         -j WRITE    -i 4    
                                                                    
/sbin/lidsconf -A -s /usr/lib/postfix/master \                      
                  -o CAP_SETGID                 -j GRANT    -i 1    
/sbin/lidsconf -A -s /usr/lib/postfix/master \                      
                  -o CAP_SETUID                 -j GRANT    -i 1    
/sbin/lidsconf -A -s /usr/lib/postfix/master \                      
                  -o CAP_HIDDEN                 -j GRANT    -i 1    
/sbin/lidsconf -A -s /usr/lib/postfix/master \                      
                  -o CAP_DAC_OVERRIDE           -j GRANT    -i 1    
/sbin/lidsconf -A -s /usr/lib/postfix/master \                      
                  -o CAP_SYS_CHROOT             -j GRANT    -i 1    
                                                                    
/sbin/lidsconf -A -s /usr/lib/postfix/master \                      
                  -o /etc/aliases.db            -j READONLY -i 1    
/sbin/lidsconf -A -s /usr/lib/postfix/master \                      
                  -o /var/spool/postfix         -j WRITE    -i 1    
/sbin/lidsconf -A -s /usr/lib/postfix/master \                      
                  -o /etc/postfix               -j READONLY -i 1    
                                                                    
/sbin/lidsconf -A -s /usr/sbin/postdrop \                           
                  -o /etc/postfix               -j READONLY         
/sbin/lidsconf -A -s /usr/sbin/postdrop \                           
                  -o /var/spool/postfix         -j WRITE            
                                                                    
/sbin/lidsconf -A -s /usr/sbin/sendmail \                           
                  -o /etc/postfix               -j READONLY         
/sbin/lidsconf -A -s /usr/sbin/sendmail \                           
                  -o /var/spool/postfix         -j WRITE            
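The listings in sections 7.4 to 7.26 are easy to get subtly wrong: a misspelled command name means the rule is never loaded, and a few of them grant capabilities (CAP_SYS_ADMIN, CAP_SYS_MODULE, CAP_SYS_RAWIO) that let a program undo much of what LIDS enforces. The following lint is an added example, not code from the LIDS FAQ or the LIDS project: it parses `lidsconf -A` lines in the format used above (including backslash continuations), summarises what each subject may do, and flags those points plus a CAP_NET_BIND_SERVICE grant without a port list; the set of root-equivalent capabilities is this example's own judgement, and the sample rules are copied from the slapd, sshd and heartbeat listings with one command name deliberately misspelled.

```python
"""Lint a LIDS lidsconf rule script like the listings in sections 7.4 to 7.26.

Added example, not code from the LIDS FAQ or the LIDS project: it parses the
`lidsconf -A [-s SUBJECT] -o OBJECT [PORTS] [-i LEVEL] -j ACTION` lines, with
backslash continuations, and flags what a reviewer would look at twice.
"""
import shlex
from collections import defaultdict

# This example's own judgement of which capabilities defeat LIDS itself.
ROOT_EQUIVALENT_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO"}

def logical_lines(text):
    """Yield commands: comments and blank lines dropped, trailing '\\' joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield buf + line
        buf = ""

def parse_rule(command):
    """Parse one lidsconf -A command line into a dict (inheritance defaults to 0)."""
    argv = [a for a in shlex.split(command)[1:] if a != "-A"]
    rule = {"subject": None, "object": None, "ports": None, "inherit": 0, "action": None}
    i = 0
    while i < len(argv):
        opt = argv[i]
        if opt not in ("-s", "-o", "-i", "-j") or i + 1 >= len(argv):
            raise ValueError("cannot parse %r in: %s" % (opt, command))
        val = argv[i + 1]
        i += 2
        if opt == "-s":
            rule["subject"] = val
        elif opt == "-o":
            rule["object"] = val
            # A capability object may carry a port list: CAP_NET_BIND_SERVICE 22-22
            if val.startswith("CAP_") and i < len(argv) and not argv[i].startswith("-"):
                rule["ports"] = argv[i]
                i += 1
        elif opt == "-i":
            rule["inherit"] = int(val)
        else:
            rule["action"] = val
    return rule

def lint(text):
    """Return (summary, findings): per-subject {'caps', 'files'} and (severity, msg) pairs."""
    summary = defaultdict(lambda: {"caps": set(), "files": {}})
    findings = []
    for command in logical_lines(text):
        argv = shlex.split(command)
        name = argv[0].rsplit("/", 1)[-1]
        if name == "echo":  # the listings use echo as a progress marker
            continue
        if name != "lidsconf":  # a typo here means the rule is never loaded
            findings.append(("ERROR", "unknown command %r: %s" % (argv[0], command)))
            continue
        rule = parse_rule(command)
        subj = rule["subject"] or "<any process>"  # no -s: the rule applies system-wide
        obj, act = rule["object"], rule["action"]
        if act == "GRANT":
            summary[subj]["caps"].add(obj)
            if obj == "CAP_NET_BIND_SERVICE" and rule["ports"] is None:
                findings.append(("LOW", "%s may bind any privileged port; add a port list" % subj))
            if obj in ROOT_EQUIVALENT_CAPS:
                sev = "HIGH" if rule["inherit"] == -1 else "MEDIUM"
                findings.append((sev, "%s granted to %s, inheritance %d" % (obj, subj, rule["inherit"])))
        elif act in ("WRITE", "APPEND", "READONLY", "DENY"):
            summary[subj]["files"][obj] = act
        else:
            findings.append(("ERROR", "unknown action %r: %s" % (act, command)))
    return dict(summary), findings

# Constructed sample: rules from the slapd, sshd and heartbeat listings above, plus one misspelled command.
SAMPLE_RULES = r"""
/sbin/lidsconf -A -s /usr/local/libexec/slapd -o CAP_NET_BIND_SERVICE -j GRANT
/sbin/lidsconf -A -s /usr/local/libexec/slapd -o CAP_SYS_MODULE       -j GRANT
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/ssh/ssh_host_key          -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o CAP_NET_BIND_SERVICE 22-22                       -j GRANT
/sbin/lidscond -A -s /usr/sbin/sshd -o CAP_SYS_CHROOT                 -j GRANT
/sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat -o CAP_SYS_ADMIN -i -1 -j GRANT
"""
```

Run it over your own ACL script with `lint(open(path).read())`; the findings come back in script order so they can be matched against the listing.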



Chapter 8. LIDS Technical

8.1. Does LIDS work with file systems other than ext2?

Yes. To quote Philippe Biondi, co-author of LIDS: "LIDS works at the
top of the VFS layer, so it can be used with any fs that Linux
supports."


8.2. Does LIDS work on SMP systems?

There have been several reports of problems running LIDS on SMP
systems. Most of them have been fixed, so we recommend trying the
latest version. Xie and Philippe are very interested in this kind of
problem, so if you run into one, please report it to the LIDS mailing
list.

Update (2/10/01): several users have reported that LIDS-1.0.5 works on
SMP systems with 2.4.x kernels.


8.3. Does LIDS work together with Solar Designer's Openwall patch?

Probably. If you apply both the LIDS and the Openwall patch, one hunk
fails (as of kernel 2.2.18 and Openwall 0.9.11). This error is
harmless, and I believe it does not affect the security of the system.
That said, if you do not like the error, go to
http://root-it.be/community/lids and download the LIDS + Openwall
patch. Wim Vandersmissen has been kind enough to integrate the patches
and fix the error for us. Wim also provides other patches that
include LIDS on his site.


8.4. Does LIDS work on any hardware?

As far as I have been able to confirm, there are no reports of it
working on other hardware platforms. If you get LIDS working on
another architecture, let us know so that we can tell everyone.

Update: Johannes Helje got LIDS installed on a pair of SUN IPXs. He is
using Debian with a 2.2.18 kernel.

Update: Joseph P. Garcia (jpgarcia@execpc.com <jpgarcia@execpc.com>)
tried to install LIDS on a PowerPC-based PowerBook G3, but it did not
work. Here are the details from his mail:

    I have been trying LIDS on a PowerPC-based Macintosh PowerBook G3
    (mlmuv powermac). It boots with the BootX boot loader, and I am
    using Linux kernel 2.4.7pre3 with glibc2.2.3 and gcc2.95.4 on a
    LinuxPPC 2000 Q4 base.

    I have mostly figured out the main problem with using LIDS on this
    system. With the patch applied but LIDS disabled in the
    configuration, the kernel runs just as it did before. As soon as
    LIDS is enabled at all, even with just CONFIG_LIDS and security=0,
    the kernel does not boot. The normal routine is: BootX starts from
    MacOS, the hardware is set up (the hard disk spins down, and so
    on), the kernel clears the screen, a simple configuration is shown
    by 'BootX text', and then it boots with output going to the
    framebuffer console. With LIDS enabled, the kernel does not clear
    the screen. I have stared at the code that runs there, but as far
    as I can follow it, it is simply there; I do not know how close
    that is to the kernel core.

    As far as I know, LIDS should not become active until much later.
    So some fundamental code change that runs LIDS, one I cannot
    understand, must be triggered by a function that is called early
    in the kernel's system startup.

    Honestly, I would like to hear from anyone who has got LIDS
    working on PowerPC. It may be that LIDS support specific to the
    PowerPC architecture still has to be written, including the screen
    clearing; I do not know, but if I had the time to build and test
    it, I would gladly do so.

    So next I am going to try disabling the text option of BootX and
    see what happens. Attached is the kernel config (bz2) from before
    my changes.

    Thanks for your time.

Update: Joseph P. Garcia succeeded in getting LIDS running on PowerPC.
He reduced the number of objects managed by LIDS from 1024 to 512 in
the kernel configuration.


8.5. What is the difference between LIDS versions 0.x, 1.x and 2.x?

LIDS 0.x is for Linux kernel 2.2.x, LIDS 1.x is for Linux kernel
2.4.x, and LIDS 2.x is for Linux kernel 2.5.x.

