8. LIDS Command-Line Tools — Examples and Usage

The user-space tools for configuring and administering a LIDS-enabled kernel are lidsconf and lidsadm.

8.1. lidsconf

All the information contained in this section is available from the man page for lidsconf (man 8 lidsconf) or from command-line help (standard: lidsconf -h, or more information: lidsconf -H).

8.1.1. Examples

lidsconf -A BOOT -o /var/log/message -j APPEND
Protects /var/log/message as append only in BOOT state.


lidsconf -A POSTBOOT -o /sbin/test -j IGNORE
Specifies that the read-only protection of /sbin doesn't apply to /sbin/test in POSTBOOT state.


lidsconf -A POSTBOOT -o /etc/shadow -j DENY
Makes /etc/shadow hidden from everyone, only in POSTBOOT state. Nothing can see the file (open, stat, ...).


lidsconf -A POSTBOOT -s /bin/login -o /etc/shadow -j READ
Allows the /bin/login program to read /etc/shadow even though it has been defined as hidden above. In this case, only /bin/login can read /etc/shadow; no other program or user can see the file.


lidsconf -A -s /usr/sbin/httpd -o /home/httpd -j READ
Protects the server root of a web server (/home/httpd): together with a DENY entry for /home/httpd (as with /etc/shadow above), this allows only the httpd binary (/usr/sbin/httpd) to read the server root...


lidsconf -A -s /usr/sbin/httpd -o CAP_NET_BIND_SERVICE 80 -i -1 -j GRANT
...and grants httpd CAP_NET_BIND_SERVICE for port 80 only, so httpd can bind only to port 80.


lidsconf -A SHUTDOWN -s /bin/program -i 2 -o CAP_NET_ADMIN -j GRANT
Grants /bin/program the CAP_NET_ADMIN capability with inheritance level 2, only in SHUTDOWN state.


lidsconf -A -s /usr/X11/bin/XF86_SVGA -o CAP_SYS_RAWIO -j GRANT
Grants the program XF86_SVGA the CAP_SYS_RAWIO capability even if CAP_SYS_RAWIO has been disabled in /etc/lids/lids.cap.


8.1.2. Usage

    lidsconf -A [acl_type] [-s subject] -o object [-d] [-i level] -j ACTION
    lidsconf -C
    lidsconf -D [acl_type] [-s file] [-o file]
    lidsconf -Z [acl_type]
    lidsconf -U
    lidsconf -L [acl_type] [-e]
    lidsconf -P
    lidsconf -S [acl_type]
    lidsconf -v
    lidsconf -[h|H]
where
    -A, --add         To add an entry
    -C, --check       To check all entries
    -D, --delete      To delete an entry
    -Z, --zero        To delete all entries
    -U, --update      To update dev/inode numbers
    -L, --list        To list all entries
    -P, --passwd      To set a new password
    -S, --script      To write a script for all entries
    -v, --version     To show the version
    -h, --help        To list this help
    -H, --morehelp    To list this help with CAP/SOCKET name
and
    -s, --subject subj
              can be any program, must be a file

    -o, --object [obj]
              can be a file, directory or Capability, Socket Name
and ACTION can be
    -j, --jump

       DENY      deny access
       READONLY  read only
       APPEND    append only
       WRITE     writable
       GRANT     grant capability to subject
       IGNORE    ignore any permissions set on this object
       DISABLE   disable some extension feature
Finally:
      -i, --inheritance  Inheritance level
      -e, --extended     Extended list
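As an added illustration (not part of the LIDS documentation or its tools), the following Python model shows how the entries from the examples above resolve for a given program, path and state. Its prefix matching and precedence rules are assumptions made for this example, and the READONLY entry on /sbin is constructed to give the /sbin/test IGNORE example something to override.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Operations each file ACTION from the usage section permits (an assumed,
# simplified model of lidsconf semantics written for this example, not LIDS code).
ALLOWED = {"DENY": set(), "READONLY": {"read"}, "READ": {"read"},
           "APPEND": {"read", "append"}, "WRITE": {"read", "append", "write"}}

@dataclass(frozen=True)
class Rule:
    obj: str                       # -o: file or directory path
    action: str                    # -j: DENY, READONLY/READ, APPEND, WRITE, IGNORE
    subject: Optional[str] = None  # -s: program the entry is for; None = everyone
    state: Optional[str] = None    # -A BOOT/POSTBOOT/SHUTDOWN; None = every state

def covers(rule: Rule, path: str) -> bool:
    """A directory entry covers everything beneath it (assumed prefix matching)."""
    return path == rule.obj or path.startswith(rule.obj.rstrip("/") + "/")

def permitted(rules: Iterable[Rule], subject: str, path: str, op: str,
              state: Optional[str] = None) -> bool:
    """Decide whether `subject` may perform `op` on `path` while LIDS is in `state`.

    Assumed resolution: entries for another program or state are skipped; the
    longest matching object path wins; at equal length an entry naming this
    subject beats a subject-less one; IGNORE lifts the protection; an object no
    entry covers is unprotected.
    """
    applicable = [r for r in rules if covers(r, path)
                  and r.subject in (None, subject) and r.state in (None, state)]
    if not applicable:
        return True
    rule = max(applicable, key=lambda r: (len(r.obj), r.subject is not None))
    return rule.action == "IGNORE" or op in ALLOWED[rule.action]

# Constructed policy mirroring the lidsconf examples above, plus an assumed
# READONLY entry for /sbin that the /sbin/test IGNORE example presupposes.
POLICY = [
    Rule("/var/log/message", "APPEND", state="BOOT"),
    Rule("/sbin", "READONLY"),
    Rule("/sbin/test", "IGNORE", state="POSTBOOT"),
    Rule("/etc/shadow", "DENY", state="POSTBOOT"),
    Rule("/etc/shadow", "READ", subject="/bin/login", state="POSTBOOT"),
]

if __name__ == "__main__":
    for subj, path, op, st in [("/bin/cat", "/etc/shadow", "read", "POSTBOOT"),
                               ("/bin/login", "/etc/shadow", "read", "POSTBOOT"),
                               ("/bin/sh", "/sbin/test", "write", "POSTBOOT")]:
        print(f"{subj:12}{op:7}{path:18} in {st}: {permitted(POLICY, subj, path, op, st)}")
```

Evaluating the subject-specific READ entry on its own shows why the DENY entry has to come first: without it, /etc/shadow stays readable by every other program.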

8.2. lidsadm

All the information contained in this section is available from the man page for lidsadm (man 8 lidsadm) or from command-line help (lidsadm -h).

8.2.1. Examples

lidsadm -I
Seal the kernel with the default capabilities set in /etc/lids/lids.cap. You should edit that file manually.


lidsadm -S -- -LIDS
Switch to a LIDS-free session.


lidsadm -S -- -LIDS_GLOBAL
Switch LIDS off across the system — your system is no longer protected by LIDS.


lidsadm -S -- +SHUTDOWN
Switch to the SHUTDOWN state.


lidsadm -S -- +ACL_DISCOVERY
Turn on the ACL discovery mode.


8.2.2. Usage

    lidsadm -[S|I] -- [+|-][LIDS_FLAG] [...]
    lidsadm -V
    lidsadm -h
where
    -S  To submit a password to switch some protections
    -I  To switch some protections without submitting password (sealing time)
    -V  To view current LIDS state (caps/flags)
    -v  To show the version
    -h  To list this help
and the available LIDS flags are
    LIDS           de-/activate LIDS locally (the shell & its children)
    LIDS_GLOBAL    de-/activate LIDS entirely
    RELOAD_CONF    reload config file and inode/dev of protected programs
    POSTBOOT       de-/activate the POSTBOOT state
    SHUTDOWN       de-/activate the SHUTDOWN state
    ACL_DISCOVERY  de-/activate LIDS learning mode





About this document:

Produced from the SGML: /home/mc/public_html/_unix_security/_reml_grp/unix_sec_kernel_lids.reml
On: 19/5/2006 at 11:53:2
Options: reml2 -i noindex -l long -o html -p multiple