12. LIDS and Patching

Daily (nightly) cron-driven patching does not sit well with LIDS, because a package upgrade has to write to exactly the files and directories that LIDS is protecting. The only practical approach is to temporarily disable LIDS, patch, and then immediately re-enable it. The script below does exactly this on a Debian system, but should NOT be used as is, since it contains the LIDS password in plain text. Usage:

  1. replace <password> with the actual LIDS password;
  2. compile the script using shc, the shell script compiler written by FJR Garcia. Note that shc only embeds an obfuscated copy of the script in a binary; anyone who can read the compiled file can still recover the password, so keep the binary root-owned and mode 0700;
  3. run the compiled script from root's crontab to patch daily/nightly.

#!/bin/bash

#
# 1. Runs "apt-get update" and "apt-get --download-only upgrade" before
#    issuing "lidsadm -S -- -LIDS_GLOBAL", then "apt-get -y upgrade" and
#    finally "lidsadm -S -- +LIDS_GLOBAL", thus minimising the time
#    for which LIDS is disabled (all downloading happens while LIDS is
#    still enabled).
#
# 2. Creates temporary expect scripts to disable and later re-enable
#    LIDS, supplying the password at lidsadm's prompt.
#

# -- update : ------------------------------------------------------------------
#
/usr/bin/apt-get update
    # ...writes to /var/cache/apt/pkgcache.bin
    #                             srcpkgcache.bin


# -- download : ----------------------------------------------------------------
#
/usr/bin/apt-get --download-only upgrade
    # ...writes to /var/cache/apt/archives/


# -- create expect script to disable LIDS ("-LIDS_GLOBAL") : ------------------
#
#    The script holds the password, so it is written to a random,
#    mode-0600 file from mktemp rather than to a fixed name in /tmp
#    (a fixed name lets another local user plant a symlink there, and
#    a plain ">" redirect would create the file world-readable).
#
tmp=$(mktemp /tmp/simonh.XXXXXX) || exit 1
cat > "$tmp" <<'EOF'
#!/usr/bin/expect

set timeout 5000

spawn lidsadm -S -- -LIDS_GLOBAL
expect "password: "
send "<password>\r"
expect "changed."
exit
EOF


# -- switch to "-LIDS_GLOBAL" : ------------------------------------------------
#
chmod 700 "$tmp"
"$tmp"
rm -f "$tmp"


# -- install : -----------------------------------------------------------------
#
/usr/bin/apt-get -y upgrade


# -- create expect script to re-enable LIDS ("+LIDS_GLOBAL") : ----------------
#
#    Same precautions as above: random, mode-0600 file from mktemp.
#
tmp=$(mktemp /tmp/simonh.XXXXXX) || exit 1
cat > "$tmp" <<'EOF'
#!/usr/bin/expect

set timeout 5000

spawn lidsadm -S -- +LIDS_GLOBAL
expect "password: "
send "<password>\r"
expect "changed."
exit
EOF


# -- switch to "+LIDS_GLOBAL" : ------------------------------------------------
#
chmod 700 "$tmp"
"$tmp"
rm -f "$tmp"
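The script above has two weaknesses worth closing before it goes anywhere near cron: if "apt-get upgrade" is interrupted, or the script is killed, LIDS is left disabled; and the password is written out to a file. The following is an added example, not the page's script, of a fail-closed version. It assumes Debian's apt-get at /usr/bin/apt-get, lidsadm at /sbin/lidsadm and expect(1) at /usr/bin/expect (all overridable), takes the LIDS password from an environment variable LIDS_PW (set by whatever invokes the script, e.g. the shc-compiled wrapper) so that it never touches a file or a command line, and adds "-y" to the download step so it cannot stop at a prompt under cron. The prompt strings expect waits for are the ones the page's script uses; the names APT_GET, LIDSADM, EXPECT, lids_expect_script, lids_switch and patch_cycle are this example's own.

```shell
#!/bin/sh
# Added example (not the page's script): a fail-closed LIDS patch cycle.
# Assumptions: Debian apt-get, lidsadm from LIDS, expect(1); the LIDS
# password is in the environment variable LIDS_PW (set by the caller,
# e.g. the shc-compiled wrapper), never in a file or on a command line.
# APT_GET, LIDSADM and EXPECT are this example's own overrides so the
# flow can be exercised with stub commands.
set -u

APT_GET="${APT_GET:-/usr/bin/apt-get}"
LIDSADM="${LIDSADM:-/sbin/lidsadm}"
EXPECT="${EXPECT:-/usr/bin/expect}"

# Print the expect program that flips one LIDS_GLOBAL switch ($1 is
# -LIDS_GLOBAL or +LIDS_GLOBAL).  expect fetches the password from its
# own environment ($env(LIDS_PW)), so the program text never holds it.
# Prompt strings are the ones the page's script waits for.
lids_expect_script() {
    cat <<EOF
set timeout 5000
spawn $LIDSADM -S -- $1
expect "password: "
send "\$env(LIDS_PW)\r"
expect "changed."
EOF
}

# Flip a LIDS_GLOBAL switch.  With LIDS_PW set (cron), drive lidsadm
# through expect, which reads the program from stdin ("expect -");
# without it (manual run), let lidsadm prompt on the terminal.
lids_switch() {
    if [ -n "${LIDS_PW:-}" ]; then
        lids_expect_script "$1" | "$EXPECT" -
    else
        "$LIDSADM" -S -- "$1"
    fi
}

# Fetch everything while LIDS is still up, then open the smallest
# possible window with it down.  The EXIT/INT/TERM trap re-enables LIDS
# even if apt-get upgrade fails or the script is killed half way, so a
# bad patch run cannot leave the host unprotected.
patch_cycle() {
    "$APT_GET" update || return 1
    "$APT_GET" --download-only -y upgrade || return 1

    lids_switch -LIDS_GLOBAL || return 1
    trap 'lids_switch +LIDS_GLOBAL' EXIT INT TERM
    if "$APT_GET" -y upgrade; then rc=0; else rc=$?; fi
    lids_switch +LIDS_GLOBAL
    trap - EXIT INT TERM
    return "$rc"
}

# Only run the cycle when invoked as "patch-lids.sh run" (hypothetical
# file name), so the functions can be sourced and tested on their own.
if [ "${1:-}" = run ]; then
    patch_cycle
fi
```

Run it from root's crontab as "LIDS_PW=... /path/to/patch-lids.sh run" via the compiled wrapper; the return value is apt-get's own, so a non-zero cron mail means the upgrade failed, not that LIDS was left off.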





About this document:

Produced from the SGML: /home/mc/public_html/_unix_security/_reml_grp/unix_sec_kernel_lids.reml
On: 19/5/2006 at 11:53:2
Options: reml2 -i noindex -l long -o html -p multiple