The following is a sample configuration for basic system setup.
# Protect System Binaries
#
/sbin/lidsadm -A -o /sbin -j READ
/sbin/lidsadm -A -o /bin -j READ

# Protect all of /usr and /usr/local
# (This assumes /usr/local is on a separate file system.)
#
/sbin/lidsadm -A -o /usr -j READ
/sbin/lidsadm -A -o /usr/local -j READ

# Protect the System Libraries
# (/usr/lib is protected above, since /usr/lib generally isn't
# on a separate file system from /usr.)
#
/sbin/lidsadm -A -o /lib -j READ

# Protect /opt
#
/sbin/lidsadm -A -o /opt -j READ

# Protect System Configuration files
#
/sbin/lidsadm -A -o /etc -j READ
/sbin/lidsadm -A -o /usr/local/etc -j READ
/sbin/lidsadm -A -o /etc/shadow -j DENY
/sbin/lidsadm -A -o /etc/lilo.conf -j DENY

# Enable system authentication
#
/sbin/lidsadm -A -s /bin/login -o /etc/shadow -j READ
/sbin/lidsadm -A -s /usr/bin/vlock -o /etc/shadow -j READ
/sbin/lidsadm -A -s /bin/su -o /etc/shadow -j READ
/sbin/lidsadm -A -s /bin/su \
    -o CAP_SETUID -j GRANT
/sbin/lidsadm -A -s /bin/su \
    -o CAP_SETGID -j GRANT

# Protect the boot partition
#
/sbin/lidsadm -A -o /boot -j READ

# Protect root's home dir, but allow bash history
#
/sbin/lidsadm -A -o /root -j READ
/sbin/lidsadm -A -s /bin/bash -o /root/.bash_history -j WRITE

# Protect system logs
#
/sbin/lidsadm -A -o /var/log -j APPEND
/sbin/lidsadm -A -s /bin/login -o /var/log/wtmp -j WRITE
/sbin/lidsadm -A -s /bin/login -o /var/log/lastlog -j WRITE
/sbin/lidsadm -A -s /sbin/init -o /var/log/wtmp -j WRITE
/sbin/lidsadm -A -s /sbin/init -o /var/log/lastlog -j WRITE
/sbin/lidsadm -A -s /sbin/halt -o /var/log/wtmp -j WRITE
/sbin/lidsadm -A -s /sbin/halt -o /var/log/lastlog -j WRITE
/sbin/lidsadm -A -s /etc/rc.d/rc.sysinit \
    -o /var/log/wtmp -i 1 -j WRITE
/sbin/lidsadm -A -s /etc/rc.d/rc.sysinit \
    -o /var/log/lastlog -i 1 -j WRITE

# Startup
#
/sbin/lidsadm -A -s /sbin/hwclock -o /etc/adjtime -j WRITE

# Shutdown
#
/sbin/lidsadm -A -s /sbin/init -o CAP_INIT_KILL -j GRANT
/sbin/lidsadm -A -s /sbin/init -o CAP_KILL -j GRANT

# Give the following init script the proper privileges to kill processes and
# unmount the file systems. However, anyone who can execute these scripts
# by themselves can effectively kill your processes. It's still better than
# the alternative.
#
# Any ideas on how to get around this are welcome!
#
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
    -o CAP_INIT_KILL -i 1 -j GRANT
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
    -o CAP_KILL -i 1 -j GRANT
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
    -o CAP_NET_ADMIN -i 1 -j GRANT
/sbin/lidsadm -A -s /etc/rc.d/init.d/halt \
    -o CAP_SYS_ADMIN -i 1 -j GRANT

# Other
#
/sbin/lidsadm -A -s /sbin/update -o CAP_SYS_ADMIN -j GRANT
This sample configuration assumes Apache was installed in /usr/local/apache, with a log directory of /var/log/httpd and a configuration directory of /etc/httpd. You can adjust the paths in the ACLs to match your own configuration. The ACLs below do not grant httpd CAP_NET_BIND_SERVICE, so with this configuration Apache must be started prior to sealing the kernel, or while LIDS_GLOBAL is disabled, so that it can bind to port 80 (and possibly 443).
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
    -o CAP_SETUID -j GRANT
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
    -o CAP_SETGID -j GRANT

# Config files
/sbin/lidsadm -A -o /etc/httpd -j DENY
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
    -o /etc/httpd -j READ

# Server Root
/sbin/lidsadm -A -o /usr/local/apache -j DENY
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
    -o /usr/local/apache -j READ

# Log Files
/sbin/lidsadm -A -o /var/log/httpd -j DENY
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
    -o /var/log/httpd -j APPEND
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd \
    -o /usr/local/apache/logs -j WRITE
These ACLs were written for a qmail setup that was installed according to Dave Sill's Life with qmail. With this configuration, qmail must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so tcpserver can bind to port 25.
# setup
/sbin/lidsadm -A -o /var/qmail -j READ
/sbin/lidsadm -A -s /usr/local/bin/multilog \
    -o /var/log/qmail -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/svc \
    -o /var/qmail/supervise -j WRITE

# queue access
#
/sbin/lidsadm -A -s /var/qmail/bin/qmail-inject \
    -o /var/qmail/queue -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-rspawn \
    -o /var/qmail/queue -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
    -o /var/qmail/queue -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-queue \
    -o /var/qmail/queue -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-clean \
    -o /var/qmail/queue -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-send \
    -o /var/qmail/queue -j WRITE
/sbin/lidsadm -A -s /var/qmail/bin/qmail-remote \
    -o /var/qmail/queue -j WRITE

# Access to local mail boxes
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
    -o CAP_SETUID -j GRANT
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
    -o CAP_SETGID -j GRANT
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
    -o CAP_DAC_OVERRIDE -j GRANT
/sbin/lidsadm -A -s /var/qmail/bin/qmail-lspawn \
    -o CAP_DAC_READ_SEARCH -j GRANT

# Remote delivery
/sbin/lidsadm -A -s /var/qmail/bin/qmail-rspawn \
    -o CAP_NET_BIND_SERVICE -i -1 -j GRANT

# supervise
/sbin/lidsadm -A -s /usr/local/bin/supervise \
    -o /var/qmail/supervise/qmail-smtpd/supervise -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
    -o /var/qmail/supervise/qmail-smtpd/log/supervise -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
    -o /var/qmail/supervise/qmail-send/supervise -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
    -o /var/qmail/supervise/qmail-send/log/supervise -j WRITE
The following ACLs were written for a djbdns setup based on Jeremy Rauch's Installing djbdns (DNScache) for Name Service parts 1 & 2. With this configuration, dnscache and tinydns must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so they can bind to port 53.
# dnscache
#
/sbin/lidsadm -A -o /var/dnscache -j READ
/sbin/lidsadm -A -s /usr/local/bin/supervise \
    -o /var/dnscache/dnscache/supervise -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
    -o /var/dnscache/dnscache/log/supervise -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/multilog \
    -o /var/dnscache/dnscache/log/main -j WRITE

# tinydns
#
/bin/echo "tinydns"
/sbin/lidsadm -A -s /usr/local/bin/supervise \
    -o /var/dnscache/tinydns/supervise -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/supervise \
    -o /var/dnscache/tinydns/log/supervise -j WRITE
/sbin/lidsadm -A -s /usr/local/bin/multilog \
    -o /var/dnscache/tinydns/log/main -j WRITE
The following ACLs assume courier-imap was installed into /usr/local/courier-imap. The ACLs below do not grant couriertcpd CAP_NET_BIND_SERVICE, so with this configuration courier-imap must be started prior to sealing the kernel, or while LIDS_GLOBAL is disabled, so that it can bind to port 143.
/sbin/lidsadm -A -o /usr/local/courier-imap -j DENY
/sbin/lidsadm -A -s /usr/local/courier-imap/sbin/imaplogin \
    -o /etc/shadow -j READ
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/authlib/authpam \
    -o /etc/shadow -j READ
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
    -o /usr/local/courier-imap -j READ
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
    -o CAP_SETUID -i 3 -j GRANT
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
    -o CAP_SETGID -i 3 -j GRANT
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
    -o CAP_DAC_OVERRIDE -i 3 -j GRANT
/sbin/lidsadm -A -s /usr/local/courier-imap/libexec/couriertcpd \
    -o CAP_DAC_READ_SEARCH -i 3 -j GRANT
The following ACLs assume MySQL was installed into /usr/local/mysql.
/sbin/lidsadm -A -o /usr/local/mysql/var -j APPEND
/sbin/lidsadm -A -o /usr/local/mysql -j DENY
/sbin/lidsadm -A -s /usr/local/mysql/libexec/mysqld \
    -o /usr/local/mysql -j READ
/sbin/lidsadm -A -s /usr/local/mysql/libexec/mysqld \
    -o /usr/local/mysql/var -j WRITE
The following configuration will work after boot and while LIDS_GLOBAL is on because it gives sshd the CAP_NET_BIND_SERVICE capability.
/sbin/lidsadm -A -s /usr/sbin/sshd -o /etc/shadow -j READ
/sbin/lidsadm -A -o /etc/ssh/sshd_config -j DENY
/sbin/lidsadm -A -o /etc/ssh/ssh_host_key -j DENY
/sbin/lidsadm -A -o /etc/ssh/ssh_host_dsa_key -j DENY
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o /etc/ssh/sshd_config -j READ
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o /etc/ssh/ssh_host_key -j READ
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o /etc/ssh/ssh_host_dsa_key -j READ
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o /var/log/wtmp -j WRITE
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o /var/log/lastlog -j WRITE
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o CAP_SETUID -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o CAP_SETGID -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o CAP_FOWNER -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o CAP_CHOWN -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o CAP_DAC_OVERRIDE -j GRANT
/sbin/lidsadm -A -s /usr/sbin/sshd \
    -o CAP_NET_BIND_SERVICE -j GRANT
The following configuration will work after boot and while LIDS_GLOBAL is on because it gives slapd the CAP_NET_BIND_SERVICE capability. Note that it also grants CAP_SYS_MODULE, which allows loading kernel modules; a process that can load a module can undo the kernel-side protection LIDS provides, so grant it only if your slapd build actually needs it.
/sbin/lidsadm -A -s /usr/local/libexec/slapd \
    -o /usr/local/ldapdb -j WRITE
/sbin/lidsadm -A -s /usr/local/libexec/slapd \
    -o CAP_NET_BIND_SERVICE -j GRANT
/sbin/lidsadm -A -s /usr/local/libexec/slapd \
    -o CAP_INIT_KILL -j GRANT
/sbin/lidsadm -A -s /usr/local/libexec/slapd \
    -o CAP_SYS_MODULE -j GRANT
The following configuration will work after boot and while LIDS_GLOBAL is on because it gives portsentry the CAP_NET_BIND_SERVICE capability. Depending on what you want portsentry to do, you may or may not need all of the following ACLs.
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
    -o /usr/local/psionic/portsentry -j WRITE
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
    -o /var/log -j WRITE
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
    -o CAP_NET_BIND_SERVICE -j GRANT

# For portsentry to be able to update the firewall:
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
    -o CAP_NET_RAW -i 1 -j GRANT

# For portsentry to be able to update /etc/hosts.allow and/or /etc/hosts.deny:
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
    -o /etc/hosts.allow -j WRITE
/sbin/lidsadm -A -s /usr/local/psionic/portsentry/portsentry \
    -o /etc/hosts.deny -j WRITE
With this configuration, Samba must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so it can bind to ports 137 & 139.
/sbin/lidsadm -A -o /etc/samba -j READ
/sbin/lidsadm -A -o /var/samba -j READ
/sbin/lidsadm -A -s /usr/sbin/smbd -o /var/samba -j WRITE
/sbin/lidsadm -A -s /usr/sbin/nmbd -o /var/samba -j WRITE

# smbd needs write access to smbpasswd to chmod it. I think it
# also needs access to MACHINE.SID.
/sbin/lidsadm -A -s /usr/sbin/smbd -o /etc/samba -j WRITE
/sbin/lidsadm -A -s /usr/sbin/smbd -o /etc/shadow -j READ
/sbin/lidsadm -A -s /usr/sbin/smbd -o CAP_SETUID -j GRANT
/sbin/lidsadm -A -s /usr/sbin/smbd -o CAP_SETGID -j GRANT
/sbin/lidsadm -A -s /usr/sbin/smbd -o CAP_HIDDEN -j GRANT

# LIDS complains about smbd trying to chroot to /.
# Everything still seems to work without it, though
# (and isn't chrooting to / kinda pointless anyway?)
#/sbin/lidsadm -A -s /usr/sbin/smbd -o CAP_SYS_CHROOT -j GRANT
/sbin/lidsadm -A -s /usr/sbin/nmbd -o CAP_HIDDEN -j GRANT
/sbin/lidsadm -A -o /usr/lib/heartbeat/heartbeat -j READ
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
    -o CAP_NET_BIND_SERVICE -i -1 -j GRANT
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
    -o CAP_SYS_RAWIO -i -1 -j GRANT
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
    -o CAP_NET_BROADCAST -i -1 -j GRANT
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
    -o CAP_NET_ADMIN -i -1 -j GRANT
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
    -o CAP_NET_RAW -i -1 -j GRANT
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
    -o CAP_SYS_ADMIN -i -1 -j GRANT

# For sending Gratuitous ARPs
/sbin/lidsadm -A -o /usr/lib/heartbeat/send_arp -j READ
/sbin/lidsadm -A -s /usr/lib/heartbeat/send_arp \
    -o CAP_NET_RAW -i -1 -j GRANT

# For modifying the routing table when the IP address changes
/sbin/lidsadm -A -o /sbin/route -j READ
/sbin/lidsadm -A -s /sbin/route -o CAP_NET_ADMIN -i 0 -j GRANT

#
# Protect the heartbeat configuration and authentication key.
#
/sbin/lidsadm -A -o /etc/ha.d/ha.cf -j READ
/sbin/lidsadm -A -o /etc/ha.d/haresources -j READ
/sbin/lidsadm -A -o /etc/ha.d/authkeys -j DENY

#
# Only heartbeat can see the authkey
#
/sbin/lidsadm -A -s /usr/lib/heartbeat/heartbeat \
    -o /etc/ha.d/authkeys -j READ
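Three things in the sample configurations above are worth checking mechanically before you seal the kernel: several grants use "-i -1" (qmail-rspawn, heartbeat, send_arp), which hands the capability to every descendant process; the slapd block grants CAP_SYS_MODULE; and the heartbeat block deliberately marks each binary READ before granting it anything, because a subject that anyone can overwrite passes its ACLs to whatever replaces it. The script below is an added example, not part of this HOWTO or of the LIDS project, that reads an ACL script such as the ones above and reports those three conditions. It only parses the lidsadm lines, never calls lidsadm, and the rules inside demo_lint are constructed for the example; the config path in the usage comment is hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the LIDS HOWTO or the LIDS project): lint a
# lidsadm ACL script before sealing the kernel. Usage:
#   lint_lids_acls < /etc/lids/acls.sh      (path is hypothetical)
# It parses the script text only; it never calls lidsadm itself.

# Join backslash-continued lines; drop comment and blank lines.
join_acl_lines() {
  sed -e ':a' -e '/\\$/N; s/\\\n//; ta' \
    | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# acl_field FLAG LINE: print the value following FLAG (-s, -o, -i, -j)
# in one lidsadm invocation, or nothing if the flag is absent.
acl_field() {
  printf '%s\n' "$2" | sed -n "s/.* $1 \([^ ]*\).*/\1/p"
}

# path_is_protected PATH PREFIX...: true if PATH equals or lies under one
# of the PREFIXes (the objects of subject-less READ/DENY rules).
path_is_protected() {
  local p=$1 prefix
  shift
  for prefix in "$@"; do
    case "$p" in "$prefix"|"$prefix"/*) return 0 ;; esac
  done
  return 1
}

# lint_lids_acls: read an ACL script on stdin, print one WARN line per
# finding, then a final count line.
lint_lids_acls() {
  local joined line subj obj act inh n=0
  local -a rules=() protected=()
  joined=$(join_acl_lines)
  while IFS= read -r line; do
    case "$line" in *lidsadm*" -A "*) ;; *) continue ;; esac
    rules+=("$line")
    subj=$(acl_field -s "$line")
    obj=$(acl_field -o "$line")
    act=$(acl_field -j "$line")
    # Subject-less READ/DENY rules protect a whole tree against everyone.
    if [ -z "$subj" ] && { [ "$act" = READ ] || [ "$act" = DENY ]; }; then
      protected+=("$obj")
    fi
  done <<< "$joined"

  # 1. Each subject should itself be read-only (as the heartbeat block
  #    does); otherwise whoever can overwrite it inherits its ACLs.
  for subj in $(for line in "${rules[@]}"; do acl_field -s "$line"; done | sort -u); do
    if ! path_is_protected "$subj" "${protected[@]}"; then
      echo "WARN: subject $subj is not under a READ/DENY-protected path"
      n=$((n + 1))
    fi
  done

  for line in "${rules[@]}"; do
    subj=$(acl_field -s "$line")
    obj=$(acl_field -o "$line")
    inh=$(acl_field -i "$line")
    [ -n "$subj" ] || continue
    # 2. These capabilities let a process reach past the kernel that
    #    enforces the ACLs (module loading, raw device I/O, mount/admin).
    case "$obj" in
      CAP_SYS_MODULE|CAP_SYS_RAWIO|CAP_SYS_ADMIN)
        echo "WARN: $subj is granted $obj"
        n=$((n + 1)) ;;
    esac
    # 3. -i -1 passes the grant on to every descendant process.
    if [ "$inh" = "-1" ]; then
      echo "WARN: $subj passes $obj to all child processes (-i -1)"
      n=$((n + 1))
    fi
  done
  echo "$n warning(s)"
}

# demo_lint: run the linter over a small constructed script (rules made
# up for this example) and print its findings.
demo_lint() {
  lint_lids_acls <<'EOF'
# Protect system binaries, then grant init a capability: no findings.
/sbin/lidsadm -A -o /sbin -j READ
/sbin/lidsadm -A -s /sbin/init -o CAP_KILL -j GRANT
# An unprotected subject with a kernel-level capability: two findings.
/sbin/lidsadm -A -s /usr/local/libexec/slapd \
    -o CAP_SYS_MODULE -j GRANT
# An unprotected subject with an unlimited-inheritance grant: two findings.
/sbin/lidsadm -A -s /var/qmail/bin/qmail-rspawn \
    -o CAP_NET_BIND_SERVICE -i -1 -j GRANT
EOF
}

demo_lint
```

Run it with the service blocks alone (without the basic system setup) and check 1 will fire for every daemon, since nothing in those blocks marks the binaries READ; the basic setup's "-o /usr/local -j READ" and "-o /var/qmail -j READ" are what silence it. The three capability checks are a list to extend, not a verdict: heartbeat genuinely needs CAP_SYS_ADMIN and "-i -1" for what it does, and the script only makes you say so on purpose.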