Before you reboot into your LIDS enhanced kernel, enter the following at the command prompt:
# lidsadm -P
You will then be prompted for a LIDS password:
MAKE enter password: Verifying enter password:
This will write your RipeMD-160 encrypted password to the /etc/lids/lids.pw file.
You must first create a LIDS free session. Then set your password using the "-P" option just like you did the first time (you will not be prompted for your current password). After resetting your LIDS password, you must tell LIDS to reload its configuration files.
A LIDS free session (LFS) is a terminal session that is not restricted by LIDS. This option is available so you can administer your system without having to reboot into a non-LIDS kernel. In order for this to work, you must have selected this option when you compiled your LIDS enhanced kernel:
[*] Allow switching LIDS protectionsTo create an LFS, enter the following at the prompt:
# lidsadm -S -- -LIDS
You will then be prompted for your LIDS password. This terminal is now LIDS free. It will remain LIDS free until you:
(lidsadm -S -- +LIDS).You can only have one LFS active at any one time. Even though lidsadm -S -- -LIDS will not fail if entered on another terminal, you can have only one LFS.
This can happen if you create an LFS on a virtual console and then switch to another virtual console and try to administer your machine. To clear it up, try enabling LIDS and then disabling it again (entering passwords when prompted):
# lidsadm -S -- +LIDS # lidsadm -S -- -LIDS
In order for LIDS to be able to reload its configuration files, you must enable this option when you configure your LIDS enhanced kernel:
[*] Allow switching LIDS protections (3) Number of attempts to submit password (30) Time to wait after a fail (seconds) [ ] Allow remote users to switch LIDS protections [ ] Allow any program to switch LIDS protections [*] Allow reloading config. file <----------------------------
NOTE: You must allow switching LIDS protections in order to enable reloading of configuration files.
From an LFS (or with LIDS_GLOBAL disabled), execute the following command to instruct LIDS to reload its configuration files:
# lidsadm -S -- +RELOAD_CONF
This will reload the following configuration files:
/etc/lids/lids.conf - LIDS ACL configuration file. /etc/lids/lids.cap - LIDS capabilities file. /etc/lids/lids.pw - LIDS password file. /etc/lids/lids.net - LIDS mail alert configuration file.
You can reboot into a non-LIDS enhanced kernel, or boot into your LIDS enhanced kernel with LIDS disabled to try and patch things up. To boot with LIDS disabled, specify security=0 at the lilo prompt. For example, if your LIDS enhanced kernel is called lids-kernel you would enter the following at the lilo prompt:
lilo: lids-kernel security=0
That's the easy part. The difficult part is getting your LIDS enabled system to shutdown. You may not be able to shutdown successfully depending on your LIDS configuration.
WARNING: Rebooting your LIDS enabled system when it is not properly configured can cause file system corruption and/or loss of data!!
Whenever the device that a file resides on, or a file's inode number changes, you must update your /etc/lids/lids.conf file with the proper information. Fortunately, Xie has provided us with an option just for this occasion:
# lidsadm -U
You must then reload the configuration files.
Besides using an LFS, LIDS can be turned off globally. This will only work if you compiled the option into your kernel.
# lidsadm -S -- -LIDS_GLOBAL
When LIDS_GLOBAL is disabled, your system will operate like a "normal" Linux system. To re-enable LIDS globally, perform the opposite:
#lidsadm -S -- +LIDS_GLOBAL
NOTE: This will not affect your LFS if you currently have one enabled.
At the end of the bootup process, you should seal the kernel. This sets the global capabilities on your system according to your /etc/lids/lids.cap file. File ACLs are enforced even before the kernel is sealed, however. To seal the kernel, put the following at the end of your rc.local (assuming SysV style init):
/sbin/lidsadm -I
The "-I" option is only used to seal the kernel. After it's sealed, you must use the "-S" option to make changes to your system.
WARNING: If you do not seal your kernel at boot time, you will not receive the full benefits of a LIDS enhanced system.
In order to use the "-V" option, you must have compiled lidsadm with make VIEW=1
(see above).
At the command line, enter:
# lidsadm -V
This will produce output similar to the following on a 2.2.x kernel:
VIEW
CAP_CHOWN 0
CAP_DAC_OVERRIDE 0
CAP_DAC_READ_SEARCH 0
CAP_FOWNER 0
CAP_FSETID 0
CAP_KILL 0
CAP_SETGID 0
CAP_SETUID 0
CAP_SETPCAP 0
CAP_LINUX_IMMUTABLE 0
CAP_NET_BIND_SERVICE 0
CAP_NET_BROADCAST 0
CAP_NET_ADMIN 0
CAP_NET_RAW 0
CAP_IPC_LOCK 0
CAP_IPC_OWNER 0
CAP_SYS_MODULE 0
CAP_SYS_RAWIO 0
CAP_SYS_CHROOT 0
CAP_SYS_PTRACE 0
CAP_SYS_PACCT 0
CAP_SYS_ADMIN 0
CAP_SYS_BOOT 1
CAP_SYS_NICE 0
CAP_SYS_RESOURCE 1
CAP_SYS_TIME 0
CAP_SYS_TTY_CONFIG 0
CAP_HIDDEN 1
CAP_INIT_KILL 0
LIDS_GLOBAL 1
0
RELOAD_CONF 0
LIDS 0
As you can see from the output above, this system has an LFS active. However, LIDS is enabled globally. The items with a "1" next to them are enabled, and those items with a "0" next to them are disabled. Except for the last two capabilities, root normally has all of the above capabilities. Thanks to LIDS, root only has capabilities CAP_SYS_BOOT, CAP_SYS_RESOURCE, and CAP_HIDDEN in this particular case (NOTE: CAP_HIDDEN isn't a capability provided by the standard Linux kernel).
You don't. As long as you selected the option when you configured your LIDS enhanced kernel, the port scan detector is enabled.
[*] Port Scanner Detector in kernel
The subject is a program that can run on a Linux system, such as a binary or shell script. The object is what the subject wants to access. This includes files, directories, capabilities, etc.
Yes. However, this method will not save the changes past system shutdown.
To enable a capability:
# lidsadm -S -- +CAP_SYS_ADMIN
To disable a capability:
# lidsadm -S -- -CAP_SYS_ADMIN
There are two things you should do when re-configuring LIDS:
lidsadm -L must be used from an LFS or when LIDS_GLOBAL is disabled. If neither of those conditions are true, you will see the following error message:
lidsadm: can not open conf file reason:: Permission denied LIST
Yes. The syslog init script can be modified to start klogd with the "-c" option. This options sets the default level of system messages that get logged to the console. Any message with a value less than the value specified will appear on the console (see include/linux/kernel.h).
For example:
klogd -c 4
Tells klogd to log all messages below level 4 will be logged to the console.
Yes. For setuid programs, the LD_PRELOAD env var is "cleansed" so that it can't affect the libraries loaded by a program (with the exception of recent glibc vulnerabilities).
Problems arise when you grant special capabilities or file access permissions to non-setuid binaries. Since the LD_PRELOAD env var isn't "cleansed" before loading libraries, someone with malicious intent could load a trojaned library and it would have the same special capabilities/file access permissions that were given to the original program.
Possible options to reduce your risk:
chmod o-rwx /path/to/program )
This happens when you forget to set the LIDS password before booting into LIDS the first time. To fix the problem, reboot your machine (see booting an unusable system) and set your LIDS password.