19. LIDS Man Pages: lidsconf
This man page is an updated/corrected version of that which comes
with lidstools v2.2.7.
NAME
lidsconf - configuration tool for the Linux Intrusion Detection System
SYNOPSIS
lidsconf -A [acl_type] [-s subject] [-R] -o object [-d] [-i level] -j ACTION
lidsconf -C
lidsconf -D [acl_type] [-s file] [-o file]
lidsconf -Z [acl_type]
lidsconf -U
lidsconf -L [acl_type] [-e]
lidsconf -P
lidsconf -S [acl_type]
lidsconf -v
lidsconf [-h|H]
DESCRIPTION
lidsconf is a configuration tool for the Linux Intrusion Detection System
(LIDS).
LIDS is a kernel patch to enhance the current Linux kernel. With LIDS, you can
protect important files, directories, and devices. You can also define ACLs
that restrict the access control on the entire system. For more information
about LIDS, please go to http://www.lids.org.
lidsconf is used to configure the access restriction information for LIDS. All
of the information is stored in "/etc/lids/lids.conf", "/etc/lids/lids.boot.conf",
"/etc/lids/lids.postboot.conf" or "/etc/lids/lids.shutdown.conf", depending on the ACL type.
OPTIONS (ACL's)
ACL is short for "Access Control List". The ACL in LIDS defines how a subject
can access an object. The subject can be any program file on the system. The
object can be a file, directory, or a special option (MEM devices, RAW IO,
etc). The target defines the access type that the subject has on the object.
The synopsis of the ACL is
[-s subject] [-i TTL] -o object -j TARGET
When a subject is not specified, the ACL defines the object's default access.
acl_type
acl_type can be "BOOT", "POSTBOOT", "SHUTDOWN" or blank; each refers to a
different ACL state. If you do not provide an acl_type, the default
value is "GLOBAL", which applies to all states. For more information
on the LIDS STATEFUL ACL, please check the FAQ under the doc directory.
-s subject
A subject can be any program on the system, such as "/bin/login".
-o object [portscale]
An object can be a file, directory, or a special option (CAP_SYS_RAWIO,
CAP_INIT_KILL, etc). If the object is CAP_NET_BIND_SERVICE, you
must specify the port range. For example, "20-299,400-1002".
-i <inheritance level>
This specifies that the ACL is inheritable by the subject's children.
The inheritance level affects how far the ACL is inherited. An
inheritance level of "-1" means unlimited inheritance. An inheritance
level of 1 means that a child process spawned by the parent which is
not the same program as the parent will inherit the ACL, but a child
process spawned from the child (i.e. a grandchild of the orignal pro-
cess) won't. The Inheritance level will only affect the children which
are not the same program as its parent. If the child is the same pro-
gram as the parent, it will gain all the permission from its parent.
-j target
The target can be DENY, READ, APPEND, WRITE, or IGNORE for normal
file access ACLs. For a special object, the target can only be GRANT.
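The ACL rules above (file targets versus GRANT for special objects, the port range that CAP_NET_BIND_SERVICE requires, and how an inheritance level is consumed by hops to a different program) can be modelled outside the kernel. The following is an added example, not code from lidstools or the LIDS project: it checks a rule the way the man page says lidsconf interprets it, renders the matching `lidsconf -A` command line from the SYNOPSIS, and walks an inheritance level down a process chain. The `Rule` class, the function names and the sample paths (`/usr/sbin/sshd`, `/etc/shadow`) are this example's own constructions.

```python
"""Model of the LIDS ACL rule checks described in the lidsconf man page.

Added example, not part of lidstools.  Rule, validate, inherits and
to_command are hypothetical names chosen for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FILE_TARGETS = {"DENY", "READ", "APPEND", "WRITE", "IGNORE"}
ACL_TYPES = {"GLOBAL", "BOOT", "POSTBOOT", "SHUTDOWN"}


@dataclass
class Rule:
    object: str                     # file, directory or CAP_* special object
    target: str                     # DENY/READ/APPEND/WRITE/IGNORE or GRANT
    subject: Optional[str] = None   # program path; None = object default
    inherit: int = 0                # -i level; -1 = unlimited
    ports: Optional[str] = None     # only for CAP_NET_BIND_SERVICE
    acl_type: str = "GLOBAL"


def parse_port_ranges(spec: str) -> List[Tuple[int, int]]:
    """Parse the "20-299,400-1002" form into (low, high) pairs."""
    ranges = []
    for part in spec.split(","):
        lo, sep, hi = part.partition("-")
        low = int(lo)
        high = int(hi) if sep else low
        if not (0 <= low <= high <= 65535):
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((low, high))
    return ranges


def validate(rule: Rule) -> List[str]:
    """Return a list of problems; an empty list means the rule is well-formed."""
    problems = []
    if rule.acl_type not in ACL_TYPES:
        problems.append(f"unknown acl_type {rule.acl_type}")
    special = rule.object.startswith("CAP_")
    if special and rule.target != "GRANT":
        problems.append("special objects only take -j GRANT")
    if not special and rule.target not in FILE_TARGETS:
        problems.append(f"file objects take one of {sorted(FILE_TARGETS)}")
    if rule.object == "CAP_NET_BIND_SERVICE":
        if rule.ports is None:
            problems.append("CAP_NET_BIND_SERVICE needs a port range")
        else:
            try:
                parse_port_ranges(rule.ports)
            except ValueError as exc:
                problems.append(str(exc))
    elif rule.ports is not None:
        problems.append("port range only applies to CAP_NET_BIND_SERVICE")
    if rule.inherit < -1:
        problems.append("inheritance level must be -1 or >= 0")
    return problems


def inherits(rule: Rule, chain: List[str]) -> bool:
    """Does the last process in `chain` still hold the rule?

    `chain` lists program paths from the subject down to the process of
    interest, e.g. ["/usr/sbin/sshd", "/bin/bash", "/bin/ls"].  Each hop to
    a *different* program consumes one level; a child running the same
    program as its parent keeps the parent's rights at no cost.
    """
    if not chain or chain[0] != rule.subject:
        return False
    hops = sum(1 for parent, child in zip(chain, chain[1:]) if parent != child)
    return rule.inherit == -1 or hops <= rule.inherit


def to_command(rule: Rule) -> str:
    """Render the rule as the `lidsconf -A` invocation shown in the SYNOPSIS."""
    parts = ["lidsconf", "-A"]
    if rule.acl_type != "GLOBAL":
        parts.append(rule.acl_type)
    if rule.subject:
        parts += ["-s", rule.subject]
    parts += ["-o", rule.object]
    if rule.ports:
        parts.append(rule.ports)      # port range follows the object
    if rule.inherit:
        parts += ["-i", str(rule.inherit)]
    parts += ["-j", rule.target]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample: let sshd bind port 22 and read the shadow file,
    # with the read right passing one hop down to a different program.
    for r in (Rule("CAP_NET_BIND_SERVICE", "GRANT", "/usr/sbin/sshd", ports="22-22"),
              Rule("/etc/shadow", "READ", "/usr/sbin/sshd", inherit=1)):
        print(to_command(r), validate(r) or "ok")
```

`validate` only reproduces the constraints the man page states; the real lidsconf also checks that the subject is a program file and that paths exist, which this offline model cannot do.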
COMMANDS
These options specify the action to perform. Only one command can be
given on the commandline unless otherwise specified.
-A, --add [acl_type]
Add one or more rules to the end of the selected acl_type chain.
-C, --check
Check your LIDS rules and have them compiled. The output of this
command can help in making tighter rules or showing problems
with your current rulebase.
-D, --delete [acl_type]
Delete one or more rules from the selected acl_type.
-Z, --zero [acl_type]
Delete all acl's from the selected acl_type. If no acl_type is
given then the rules from the GLOBAL acl_type are deleted.
-U, --update
Update your acl's. If you change or move a file or directory,
its inode will change. You then need to update your LIDS config
with this command.
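The reason `-U` exists is that a LIDS rule is pinned to an inode, not a path, and the inode can change without the path changing. The following is an added example, not code from lidstools: it creates a scratch file, records its inode as an ACL would, and then modifies it two ways. An in-place rewrite keeps the inode; a write-to-temp-and-rename, which is how many editors and package managers replace files, produces a new inode, so the old rule would no longer cover the file at that path until `lidsconf -U` is run. The function names and the scratch file name are this example's own.

```python
"""Why lidsconf -U is needed: LIDS keys its rules on inodes, not paths.

Added example, not part of lidstools.  inode_of, rule_is_stale and
inode_drift are hypothetical helper names for this illustration.
"""
import os
import tempfile
from typing import Dict, Optional


def inode_of(path: str) -> int:
    return os.stat(path).st_ino


def rule_is_stale(path: str, pinned_inode: int) -> bool:
    """True when the file now at `path` is not the inode a rule was built on."""
    return inode_of(path) != pinned_inode


def rewrite_in_place(path: str, data: bytes) -> None:
    # truncate + write: same inode, so a pinned rule still matches
    with open(path, "wb") as f:
        f.write(data)


def replace_by_rename(path: str, data: bytes) -> None:
    # write a new file and rename it over the target: new inode
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(data)
    os.replace(tmp, path)


def inode_drift(workdir: Optional[str] = None) -> Dict[str, bool]:
    """Report which update style leaves a pinned rule stale."""
    with tempfile.TemporaryDirectory(dir=workdir) as d:
        target = os.path.join(d, "lids.conf.sample")   # constructed scratch file
        with open(target, "wb") as f:
            f.write(b"original\n")
        pinned = inode_of(target)                       # what the ACL would record

        rewrite_in_place(target, b"edited in place\n")
        stale_after_rewrite = rule_is_stale(target, pinned)

        replace_by_rename(target, b"replaced by rename\n")
        stale_after_rename = rule_is_stale(target, pinned)

    return {"stale_after_in_place_edit": stale_after_rewrite,
            "stale_after_rename": stale_after_rename}


if __name__ == "__main__":
    for how, stale in inode_drift().items():
        print(f"{how}: {'run lidsconf -U' if stale else 'rule still valid'}")
```

The practical check before sealing is therefore not "does the path exist" but "does the inode the rule was built on still sit at that path"; `lidsconf -C` reports such mismatches, and `-U` rewrites the stored inodes.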
-L, --list [acl_type]
List the acl's in the selected acl_type.
-P, --passwd
Set a new LIDS password.
-S, --script
Write out a script to set your acl's.
-v, --version
Show the lidsconf version.
-h, --help
Show the lidsconf help.
-H, --morehelp
Show more help options.
AVAILABLE CAPABILITIES
The capabilities used in LIDS are shown below. You can use the
name to enable or disable the capability when sealing and
switching. You can also grant the capability to a program even
if the capability is disabled globally on the system.
For a list of AVAILABLE CAPABILITIES, see Capabilities, above.
EXAMPLES
For a list of EXAMPLES, see Command-Line Tools, above.
OTHER SOURCES OF INFORMATION
Mailing List
To subscribe or unsubscribe, go to: http://lists.sourceforge.net/lists/listinfo/lids-user
To post a message to the list, send an e-mail to: lids-user@lists.sourceforge.net
Current LIDS archive can be found at:
http://www.geocrawler.com/redir-sf.php3?list=lids-user
An outdated searchable archive can be found at:
http://groups.yahoo.com/group/lids
LIDS FAQ
The LIDS FAQ is located at:
http://www.lids.org/lids-faq/lids-faq.html
or
http://www.roedie.nl/lids-faq
BUGS
Any bugs found with LIDS itself should be sent to Xie, Phil, or the
mailing list (lids-user@lists.sourceforge.net). Please include your
.config file used to compile your kernel, and the lids.conf and
lids.cap files located in /etc/lids directory. Any errors found in
this man page should be sent to Sander Klein.
FILES
/etc/lids/lids.ini - LIDS Initial file.
/etc/lids/lids.cap - Defines the global capabilities.
/etc/lids/lids.boot.cap - Defines the BOOT capabilities.
/etc/lids/lids.postboot.cap - Defines the POSTBOOT capabilities.
/etc/lids/lids.shutdown.cap - Defines the SHUTDOWN capabilities.
/etc/lids/lids.pw - Contains the encrypted LIDS password.
SEE ALSO
lidsadm(8)
AUTHORS
Huagang Xie <xie@lids.org>
Philippe Biondi <biondi@cartel-securite.fr>
Manpage written by Sander Klein <roedie@roedie.nl>
DISTRIBUTION
The newest version of LIDS can be obtained from http://www.lids.org/ or
one of its mirrors. LIDS is (C) 1999-2004 by Huagang Xie (xie@lids.org).
About this document:
Produced from the SGML: /home/mc/public_html/_unix_security/_reml_grp/unix_sec_kernel_lids.reml
On: 19/5/2006 at 11:53:2
Options: reml2 -i noindex -l long -o html -p multiple