21. Booting Into LIDS and Switching to POSTBOOT Mode

21.1. Booting Into LIDS: BOOT Mode

When you boot into your LIDS-enabled kernel, you should see some LIDS-related messages in /var/log/messages (or similar, depending on your syslog configuration):

    Apr 18 16:11:00 pinback kernel: LIDS: Initializing sysctl
    Apr 18 16:11:00 pinback kernel: LIDS: Initializing LIDS ACLs
    Apr 18 16:11:00 pinback kernel: LIDS: user space is 32 bit
    Apr 18 16:11:00 pinback kernel: LIDS: lidsadm inode 0x9fb7 dev 0x3:a
    Apr 18 16:11:00 pinback kernel: LIDS: ACL Discovery: OFF, Effective \
        Capability: 7fffffff, Total ACLs Count: 15
    Apr 18 16:11:00 pinback kernel: LIDS: GLOBAL and BOOT state configuration \
        files loaded
    Apr 18 16:11:00 pinback kernel: LIDS: Entering BOOT state
    Apr 18 16:11:00 pinback kernel: LIDS: Linux Intrusion Detection System \
        2.2.2 started

It's worth examining these messages line by line to see what's going on.

Initializing sysctl


Initializing LIDS ACLs


user space is 32 bit


lidsadm inode...


ACL Discovery: OFF


GLOBAL and BOOT state configured


Entering BOOT state


Linux Intrusion Detection System Started


21.2. Switching to POSTBOOT Mode

Immediately after booting, the LIDS-enabled kernel is not yet fully functional. LIDS File ACLs are enforced, but LIDS Capability ACLs are not, and the kernel is not "sealed": modules may still be loaded or unloaded. To seal the kernel and enforce LIDS Capability ACLs, issue the command:

    lidsadm -I

In /var/log/messages (or similar, depending on your syslog configuration) you will see:

    Apr 18 16:23:36 pinback kernel: LIDS: Initializing LIDS ACLs
    Apr 18 16:23:36 pinback kernel: LIDS: user space is 32 bit
    Apr 18 16:23:36 pinback kernel: LIDS: ACL Discovery: \
        OFF, Effective Capability: 3684ce7f, Total ACLs Count: 14
    Apr 18 16:23:36 pinback kernel: LIDS: Attaching ACLs to Processes
    Apr 18 16:23:36 pinback kernel: LIDS: GLOBAL and POSTBOOT state Config. \ 
        files loaded
    Apr 18 16:23:36 pinback kernel: LIDS: Switching to POSTBOOT state

Again, it's worth examining these messages line by line to see what's going on; we omit those we have already seen above.

GLOBAL and POSTBOOT state Config. files loaded


Switching to POSTBOOT state
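
As an added example (not part of the original LIDS documentation), the following Python sketch replays the kernel messages shown in 21.1 and 21.2 to report whether the log ends in the sealed POSTBOOT state and which Effective Capability bits were cleared between BOOT and POSTBOOT. The function names and the rejoined sample lines are assumptions made for illustration; bits are reported by position only, not by capability name.

```python
import re

# Constructed sample: the page's log lines with the wrapped ("\") lines rejoined.
SAMPLE = """\
Apr 18 16:11:00 pinback kernel: LIDS: ACL Discovery: OFF, Effective Capability: 7fffffff, Total ACLs Count: 15
Apr 18 16:11:00 pinback kernel: LIDS: GLOBAL and BOOT state configuration files loaded
Apr 18 16:11:00 pinback kernel: LIDS: Entering BOOT state
Apr 18 16:11:00 pinback kernel: LIDS: Linux Intrusion Detection System 2.2.2 started
Apr 18 16:23:36 pinback kernel: LIDS: ACL Discovery: OFF, Effective Capability: 3684ce7f, Total ACLs Count: 14
Apr 18 16:23:36 pinback kernel: LIDS: Attaching ACLs to Processes
Apr 18 16:23:36 pinback kernel: LIDS: GLOBAL and POSTBOOT state Config. files loaded
Apr 18 16:23:36 pinback kernel: LIDS: Switching to POSTBOOT state
""".splitlines()

CAP_RE = re.compile(r"LIDS: .*Effective Capability: ([0-9a-fA-F]+)")
STATE_RE = re.compile(r"LIDS: (?:Entering|Switching to) (\w+) state\s*$")

def lids_status(lines):
    """Replay LIDS kernel messages in order; describe the state the log ends in."""
    status = {"state": None, "sealed": False, "masks": {}}
    pending = None  # mask announced just before the next state change
    for line in lines:
        m = CAP_RE.search(line)
        if m:
            pending = int(m.group(1), 16)
            continue
        m = STATE_RE.search(line)
        if m:
            state = m.group(1)
            if state == "BOOT":  # a fresh boot discards earlier history
                status["masks"] = {}
            status["state"] = state
            status["sealed"] = state == "POSTBOOT"  # per 21.2, reached via lidsadm -I
            if pending is not None:
                status["masks"][state] = pending
                pending = None
    return status

def dropped_bits(before, after):
    """Bit positions set in `before` but cleared in `after`."""
    gone = before & ~after
    return [bit for bit in range(32) if (gone >> bit) & 1]

if __name__ == "__main__":
    s = lids_status(SAMPLE)
    print(s["state"], "sealed" if s["sealed"] else "NOT sealed: run lidsadm -I")
    print("bits cleared at POSTBOOT:", dropped_bits(s["masks"]["BOOT"], s["masks"]["POSTBOOT"]))
```

A log that shows "Entering BOOT state" with no later "Switching to POSTBOOT state" indicates a kernel that can still load or unload modules.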






About this document:

Produced from the SGML: /home/mc/public_html/_unix_security/_reml_grp/unix_sec_kernel_lids.reml
On: 19/5/2006 at 11:53:2
Options: reml2 -i noindex -l long -o html -p multiple