It is not practical to enter a complete set of ACLs at the shell prompt; a better approach is to store the ACLs in a shell script. After the ACLs have been initialised from such a script, the rules are "compiled" and stored in /etc/lids/*.acl for future system boots.
(The script below is not /sbin/init script — see above for one of those.)
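#!/bin/sh
# -----------------------------------------------------------------------------
# Rebuild the LIDS ACL set from scratch, compile it into /etc/lids/*.acl and
# reload it into the running kernel.
#
# Preconditions (confirmed interactively at the start):
#   - the running kernel is LIDS-enabled,
#   - "lidsconf -I" has been done,
#   - this is a LIDS-free session, so deleting, compiling and reloading the
#     ACLs is permitted.
#
# Every existing ACL (global, BOOT, POSTBOOT, SHUTDOWN) is deleted before the
# new set is added, so treat this script as the single source of truth for
# the policy and keep it under /etc/lids (DENY, see below) or somewhere
# equally protected.
#
# Exit status: 0 when the ACLs were compiled and reloaded; 1 when the
# confirmation is refused, POSTBOOT CAP_SETUID is not switched off, any
# "lidsconf -A" fails, or the compile / reload step fails.
#
# "set -e" is deliberately not used: the "lidsconf -D" calls are expected to
# fail on a box that has no rules yet, and every other step that matters is
# checked explicitly.
#
# NOTE(review): the published listing had its line breaks collapsed; the
# rules below that appear commented out were reconstructed as disabled from
# the surrounding "#" markers and should be confirmed against the original.
# -----------------------------------------------------------------------------

# die MSG... : print MSG on stderr and stop with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# acl ARGS... : run "lidsconf -A ARGS" and abort the whole run if it fails.
# A rule that fails to add (e.g. a mistyped path) would otherwise be skipped
# silently and the remaining subset compiled and loaded as if it were the
# full policy -- a weaker policy than the one written here.  A failed add is
# therefore fatal and nothing gets compiled.
acl() {
  lidsconf -A "$@" || die "lidsconf -A $* failed -- aborting before compile"
}

# -----------------------------------------------------------------------------
# -- Check where we're running :
echo " "
echo " Is the kernel LIDS-enabled?"
echo " Is \"lidsconf -I\" done?"
echo " Is this a LIDS-free session?"
echo " "
# printf rather than "echo -n": -n is not portable under /bin/sh.
printf '%s' " If yes, yes and yes, enter \"yes\" : "
read -r user_response
if [ "$user_response" != "yes" ]; then
  echo "Answer not equal to \"yes\", so exiting."
  exit 1
fi

# -----------------------------------------------------------------------------
# -- Sanity check before touching anything :
#
# ...check CAP_SETUID for POSTBOOT...
#
# CAP_SETUID is granted per-subject further down, which only makes sense if
# the capability is switched off globally for the POSTBOOT state
# ("-7:CAP_SETUID" in lids.postboot.cap).  This check used to run after the
# existing ACLs had already been deleted; it now runs first so a refusal
# leaves the current rule set untouched.
CAP_SETUID_STATUS=$(grep -F CAP_SETUID /etc/lids/lids.postboot.cap)
if [ "$CAP_SETUID_STATUS" != "-7:CAP_SETUID" ]; then
  echo "POSTBOOT CAP_SETUID (lids.postboot.cap) is not set \"-\" (off) "
  exit 1
else
  echo "POSTBOOT CAP_SETUID STATUS : \"$CAP_SETUID_STATUS\" is ok!"
fi

# -----------------------------------------------------------------------------
# -- Clean out the bath before using it :
echo " "
echo " ...should be okay to ignore any "
echo " \"lidsconf: the file does not exist in the acl file\""
echo " message here..."
echo " "
# These deletes are intentionally not error-checked: on a box with no ACLs
# yet lidsconf reports "the file does not exist in the acl file", which is
# harmless here.  The last one (no state argument) deletes all current ACLs.
lidsconf -D SHUTDOWN
lidsconf -D POSTBOOT
lidsconf -D BOOT
lidsconf -D
echo " ...end ignore."
echo " "

# -----------------------------------------------------------------------------
# -- ACLs, GLOBAL --- system-wide stuff :
#
# Whole system directories become READONLY for every subject.  Every program
# used as a subject below (login, su, sshd, depmod, ...) lives under one of
# these, so it is itself protected by these rules.
acl -o /bin  -j READONLY
acl -o /boot -j READONLY
acl -o /etc  -j READONLY
acl -o /lib  -j READONLY
acl -o /sbin -j READONLY
acl -o /usr  -j READONLY

# -----------------------------------------------------------------------------
# -- ACLs, GLOBAL --- /etc :
#
# /etc/lids (this policy, the compiled *.acl files) and /etc/shadow are DENY
# for everyone; shadow is then re-opened READONLY only for the programs that
# must verify passwords.  Keep that list minimal: every subject on it can
# read every password hash on the box.
acl -o /etc/lids   -j DENY
acl -o /etc/shadow -j DENY
acl -s /bin/login     -o /etc/shadow -j READONLY
acl -s /bin/su        -o /etc/shadow -j READONLY
acl -s /sbin/sulogin  -o /etc/shadow -j READONLY
acl -s /usr/sbin/sshd -o /etc/shadow -j READONLY

# -----------------------------------------------------------------------------
# -- ACLs, GLOBAL --- /var :
#
# /var/log is APPEND-only for everyone, so existing log records cannot be
# rewritten or truncated.
acl -o /var/log -j APPEND
# NOTE(review): this makes wtmp fully WRITE-able (not just APPEND) for every
# subject, undoing the append-only protection for that one file.  If
# tamper-evident login history matters, restrict it with -s to the writers
# that actually need it -- confirm which ones do.
acl -o /var/log/wtmp -j WRITE
# logrotate is the one thing allowed to rewrite /var/log; protect both the
# binary and the cron wrapper that is used as the subject.  "-i 1" is
# presumably so that the helpers logrotate spawns inherit the right --
# TODO confirm against the lidsconf man page for this LIDS version.
acl -o /usr/sbin/logrotate       -j READONLY
acl -o /etc/cron.daily/logrotate -j READONLY
acl -s /etc/cron.daily/logrotate -o /var/log -i 1 -j WRITE

# -----------------------------------------------------------------------------
# -- ACLs, GLOBAL --- SETUID :
#
# Only the authenticators get CAP_SETUID; everything else is covered by the
# POSTBOOT "-7:CAP_SETUID" setting verified above.
acl -s /bin/login     -o CAP_SETUID -j GRANT
acl -s /bin/su        -o CAP_SETUID -j GRANT
acl -s /usr/sbin/sshd -o CAP_SETUID -j GRANT
# ...these can be POSTBOOT if there is a init script to issue "lidsadm -I"
# at the end of the boot sequence...

# -----------------------------------------------------------------------------
# -- ACLs, BOOT :
#
# ...during BOOT state, /lib is READONLY except for /sbin/depmod, and
# "protect our subject" during this time...
#
acl BOOT -o /sbin/depmod -j READONLY
# /lib is already READONLY from the global rules above, so the BOOT-state
# copy is left disabled:
# lidsconf -A BOOT -o /lib -j READONLY
acl BOOT -s /sbin/depmod -o /lib -j WRITE
#
# ...allow???
#
acl BOOT -o /sbin/logsave -j READONLY
# lidsconf -A BOOT -s /sbin/logsave -o /var/log/fsck/checkroot -j WRITE
acl BOOT -s /sbin/logsave -o /var/log/fsck/checkfs -j WRITE

# -----------------------------------------------------------------------------
# -- ACLs, SHUTDOWN :
#
# /etc is READONLY globally; mount needs to rewrite mtab while unmounting.
acl SHUTDOWN -s /bin/mount -o /etc/mtab -j WRITE

# -----------------------------------------------------------------------------
# -- compile and load :
#
# Both steps are checked: a failed compile or reload used to be reported as
# "compiled" / "reloaded" anyway.
echo " "
echo "All ACLs added..."
echo "Compiling ACLs... "
echo " "
lidsconf -C || die "lidsconf -C failed -- ACLs were not compiled, nothing reloaded"
echo " ...ACLs compiled"
echo " "
echo "Reloading CONF..."
lidsadm -S -- +RELOAD_CONF || die "lidsadm -S -- +RELOAD_CONF failed"
echo " ...CONF reloaded"
echo " "

# -----------------------------------------------------------------------------
# -- have a nice mug of tea :
# -----------------------------------------------------------------------------
#
# -----------------------------------------------------------------------------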