Next Previous Contents

7. Sample Configurations

7.1 Basic System Setup

The following is a sample configuration for basic system setup.

# Protect System Binaries
#
/sbin/lidsadm -A -o /sbin                               -j READ
/sbin/lidsadm -A -o /bin                                -j READ

# Protect all of /usr and /usr/local
# (This assumes /usr/local is on a separate file system).
#
/sbin/lidsadm -A -o /usr                                -j READ
/sbin/lidsadm -A -o /usr/local                          -j READ

# Protect the System Libraries
#(/usr/lib is protected above since /usr/lib generally isn't
# on a separate file system than /usr)
#
/sbin/lidsadm -A -o /lib                                -j READ

# Protect /opt
#
/sbin/lidsadm -A -o /opt                                -j READ

# Protect System Configuration files
#
/sbin/lidsadm -A -o /etc                                -j READ
/sbin/lidsadm -A -o /usr/local/etc                      -j READ
/sbin/lidsadm -A -o /etc/shadow                         -j DENY
/sbin/lidsadm -A -o /etc/lilo.conf                      -j DENY

# Enable system authentication
#
/sbin/lidsadm -A -s /bin/login -o /etc/shadow           -j READ
/sbin/lidsadm -A -s /usr/bin/vlock -o /etc/shadow       -j READ
/sbin/lidsadm -A -s /bin/su -o /etc/shadow              -j READ
/sbin/lidsadm -A -s /bin/su \
                 -o CAP_SETUID                          -j GRANT
/sbin/lidsadm -A -s /bin/su \
                 -o CAP_SETGID                          -j GRANT

# Protect the boot partition
#
/sbin/lidsadm -A -o /boot                               -j READ

# Protect root's home dir, but allow bash history
#
/sbin/lidsadm -A -o /root                               -j READ
/sbin/lidsadm -A -s /bin/bash -o /root/.bash_history    -j WRITE

# Protect system logs
#
/sbin/lidsadm -A -o /var/log                            -j APPEND
/sbin/lidsadm -A -s /bin/login -o /var/log/wtmp         -j WRITE
/sbin/lidsadm -A -s /bin/login -o /var/log/lastlog      -j WRITE
/sbin/lidsadm -A -s /sbin/init -o /var/log/wtmp         -j WRITE
/sbin/lidsadm -A -s /sbin/init -o /var/log/lastlog      -j WRITE
/sbin/lidsadm -A -s /sbin/halt -o /var/log/wtmp         -j WRITE
/sbin/lidsadm -A -s /sbin/halt -o /var/log/lastlog      -j WRITE
/sbin/lidsadm -A -s /etc/rc.d/rc.sysinit \
                 -o /var/log/wtmp -i 1                  -j WRITE
/sbin/lidsadm -A -s /etc/rc.d/rc.sysinit \
                 -o /var/log/lastlog -i 1               -j WRITE

# Startup
#
/sbin/lidsadm -A -s /sbin/hwclock -o /etc/adjtime       -j WRITE


# Shutdown
#
/sbin/lidsadm -A -s /sbin/init -o CAP_INIT_KILL         -j GRANT
/sbin/lidsadm -A -s /sbin/init -o CAP_KILL              -j GRANT

# Give the following init script the proper privileges to kill processes and
# unmount the file systems.  However, anyone who can execute these scripts
# by themselves can effectively kill your processes.  It's better than
# the alternative, however.
#
# Any ideas on how to get around this are welcome!
#
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
                 -o CAP_INIT_KILL -i 1                  -j GRANT
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
                 -o CAP_KILL -i 1                       -j GRANT
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
                 -o CAP_NET_ADMIN -i 1                  -j GRANT
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
                 -o CAP_SYS_ADMIN -i 1                  -j GRANT

# Other
#
/sbin/lidsadm -A -s /sbin/update -o CAP_SYS_ADMIN       -j GRANT

7.2 Apache

This sample configuration assumes Apache was installed in /usr/local/apache with a log directory of /var/log/httpd and a configuration directory of /etc/httpd. You can adjust the paths in the ACLs to match your own configuration. With this configuration, Apache must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so it can bind to port 80 (and possibly 443).

/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o CAP_SETUID                          -j GRANT
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o CAP_SETGID                          -j GRANT

# Config files
/sbin/lidsadm -A -o /etc/httpd                          -j DENY
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o /etc/httpd                          -j READ

# Server Root
/sbin/lidsadm -A -o /usr/local/apache                   -j DENY
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o /usr/local/apache                   -j READ

# Log Files
/sbin/lidsadm -A -o /var/log/httpd                      -j DENY
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o /var/log/httpd                      -j APPEND
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
                 -o /usr/local/apache/logs              -j WRITE

7.3 qmail

These ACLs were written for a qmail setup that was installed according to Dave Sill's Life with qmail. With this configuration, qmail must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so tcpserver can bind to port 25.

# setup
/sbin/lidsadm -A -o /var/qmail                          -j READ
/sbin/lidsadm -A -s /usr/local/bin/multilog \
                 -o /var/log/qmail                      -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/svc \
                 -o /var/qmail/supervise                -j WRITE

# queue access
#
/sbin/lidsadm -A -s /var/qmail/bin/qmail-inject \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-rspawn \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-queue \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-clean \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-send \
                 -o /var/qmail/queue                    -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-remote \
                 -o /var/qmail/queue                    -j WRITE

# Access to local mail boxes
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
                 -o CAP_SETUID                          -j GRANT
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
                 -o CAP_SETGID                          -j GRANT
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
                 -o CAP_DAC_OVERRIDE                    -j GRANT
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
                 -o CAP_DAC_READ_SEARCH                 -j GRANT


# Remote delivery
/sbin/lidsadm -A -s /var/qmail/bin/qmail-rspawn \
                 -o CAP_NET_BIND_SERVICE -i -1          -j GRANT

# supervise

/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/qmail/supervise/qmail-smtpd/supervise     -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/qmail/supervise/qmail-smtpd/log/supervise -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/qmail/supervise/qmail-send/supervise      -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/qmail/supervise/qmail-send/log/supervise  -j WRITE

7.4 dnscache & tinydns (djbdns)

The following ACLs were written for a djbdns setup based on Jeremy Rauch's Installing djbdns (DNScache) for Name Service parts 1 & 2. With this configuration, dnscache and tinydns must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so they can bind to port 53.

# dnscache
#
/sbin/lidsadm -A -o /var/dnscache                        -j READ
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/dnscache/dnscache/supervise     -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/dnscache/dnscache/log/supervise -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/multilog \
                 -o /var/dnscache/dnscache/log/main      -j WRITE

# tinydns
#
/bin/echo "tinydns"

/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/dnscache/tinydns/supervise      -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
                 -o /var/dnscache/tinydns/log/supervise  -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/multilog \
                 -o /var/dnscache/tinydns/log/main       -j WRITE

7.5 Courier-imap

The following ACLs assume courier-imap was installed into /usr/local/courier-imap. With this configuration, courier-imap must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so it can bind to port 143.

/sbin/lidsadm -A -o /usr/local/courier-imap                     -j DENY

/sbin/lidsadm -A -s /usr/local/courier-imap/sbin/imaplogin \
                 -o /etc/shadow                                 -j READ
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/authlib/authpam \
                 -o /etc/shadow                                 -j READ
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
                 -o /usr/local/courier-imap                     -j READ

/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
                 -o CAP_SETUID -i 3                             -j GRANT
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
                 -o CAP_SETGID -i 3                             -j GRANT
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
                 -o CAP_DAC_OVERRIDE -i 3                       -j GRANT
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
                 -o CAP_DAC_READ_SEARCH -i 3                    -j GRANT

7.6 MySQL

The following ACLs assume MySQL was installed into /usr/local/mysql.

/sbin/lidsadm -A -o /usr/local/mysql/var                -j APPEND

/sbin/lidsadm -A -o /usr/local/mysql                    -j DENY
/sbin/lidsadm -A -s /usr/local/mysql/libexec/mysqld \
                 -o /usr/local/mysql                    -j READ
/sbin/lidsadm -A -s /usr/local/mysql/libexec/mysqld \
                 -o /usr/local/mysql/var                -j WRITE

7.7 OpenSSH

The following configuration will work after boot and while LIDS_GLOBAL is on because it gives sshd the CAP_NET_BIND_SERVICE capability.


/sbin/lidsadm -A -s /usr/sbin/sshd -o /etc/shadow       -j READ

/sbin/lidsadm -A -o /etc/ssh/sshd_config                -j DENY
/sbin/lidsadm -A -o /etc/ssh/ssh_host_key               -j DENY
/sbin/lidsadm -A -o /etc/ssh/ssh_host_dsa_key           -j DENY

/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o /etc/ssh/sshd_config                -j READ
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o /etc/ssh/ssh_host_key               -j READ
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o /etc/ssh/ssh_host_dsa_key           -j READ

/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o /var/log/wtmp                       -j WRITE
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o /var/log/lastlog                    -j WRITE

/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o CAP_SETUID                          -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o CAP_SETGID                          -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o CAP_FOWNER                          -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o CAP_CHOWN                           -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o CAP_DAC_OVERRIDE                    -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
                 -o CAP_NET_BIND_SERVICE                -j GRANT

7.8 OpenLDAP (slapd)

The following configuration will work after boot and while LIDS_GLOBAL is on because it gives slapd the CAP_NET_BIND_SERVICE capability.

/sbin/lidsadm -A -s /usr/local/libexec/slapd \
                 -o /usr/local/ldapdb                   -j WRITE
/sbin/lidsadm -A -s /usr/local/libexec/slapd \
                 -o CAP_NET_BIND_SERVICE                -j GRANT
/sbin/lidsadm -A -s /usr/local/libexec/slapd \
                 -o CAP_INIT_KILL                       -j GRANT
/sbin/lidsadm -A -s /usr/local/libexec/slapd \
                 -o CAP_SYS_MODULE                      -j GRANT

7.9 Port Sentry

The following configuration will work after boot and while LIDS_GLOBAL is on because it gives portsentry the CAP_NET_BIND_SERVICE capability. Depending on what you want portsentry to do, you may or may not need all of the following ACLs.

/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
                 -o /usr/local/psionic/portsentry               -j WRITE
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
                 -o /var/log                                    -j WRITE
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
                 -o CAP_NET_BIND_SERVICE                        -j GRANT

# For portsentry to be able to update the firewall:
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
                 -o CAP_NET_RAW -i 1                            -j GRANT

# For portsentry to be able to update /etc/hosts.allow and/or /etc/hosts.deny:
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
                 -o /etc/hosts.allow                            -j WRITE
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
                 -o /etc/hosts.deny                             -j WRITE

7.10 Samba

With this configuration, Samba must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so it can bind to ports 137 & 139.

/sbin/lidsadm -A -o /etc/samba -j READ
/sbin/lidsadm -A -o /var/samba -j READ
/sbin/lidsadm -A -s /usr/sbin/smbd -o /var/samba -j WRITE
/sbin/lidsadm -A -s /usr/sbin/nmbd -o /var/samba -j WRITE

# smbd needs write access to smbpasswd to chmod it.  i think it
# also needs access to MACHINE.SID
/sbin/lidsadm -A -s /usr/sbin/smbd -o /etc/samba -j WRITE
/sbin/lidsadm -A -s /usr/sbin/smbd -o /etc/shadow -j READ

/sbin/lidsadm -A -s /usr/sbin/smbd -o CAP_SETUID -j GRANT
/sbin/lidsadm -A -s /usr/sbin/smbd -o CAP_SETGID -j GRANT
/sbin/lidsadm -A -s /usr/sbin/smbd -o CAP_HIDDEN -j GRANT

# LIDS complains about smbd trying to chroot to /
# everything still seems to work without it, though
# (and isn't chrooting to / kinda pointless anyway?)
#/sbin/lidsadm -A -s /usr/sbin/smbd -o CAP_SYS_CHROOT -j GRANT
/sbin/lidsadm -A -s /usr/sbin/nmbd -o CAP_HIDDEN -j GRANT

7.11 Linux HA heartbeat

/sbin/lidsadm -A -o /usr/lib/heartbeat/heartbeat                -j READ
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
                 -o CAP_NET_BIND_SERVICE -i -1                  -j GRANT
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
                 -o CAP_SYS_RAWIO -i -1                         -j GRANT
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
                 -o CAP_NET_BROADCAST -i -1                     -j GRANT
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
                 -o CAP_NET_ADMIN -i -1                         -j GRANT
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
                 -o CAP_NET_RAW -i -1                           -j GRANT
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
                 -o CAP_SYS_ADMIN -i -1                         -j GRANT

# For sending Gratuitous Arps

/sbin/lidsadm -A -o /usr/lib/heartbeat/send_arp                 -j READ
/sbin/lidsadm -A -s /usr/lib/heartbeat/send_arp \
                 -o CAP_NET_RAW -i -1                           -j GRANT

# For modifying the routing table when the IP address changes

/sbin/lidsadm -A -o /sbin/route                                 -j READ
/sbin/lidsadm -A -s /sbin/route -o CAP_NET_ADMIN -i 0           -j GRANT

#
# Protect the heartbeat configuration and authentication key.
#
/sbin/lidsadm -A -o /etc/ha.d/ha.cf                             -j READ
/sbin/lidsadm -A -o /etc/ha.d/haresources                       -j READ
/sbin/lidsadm -A -o /etc/ha.d/authkeys                          -j DENY

#
# Only heartbeat can see the authkey
#
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
                 -o /etc/ha.d/authkeys                          -j READ


Next Previous Contents