23. LIDS Files

23.1. Configuration Files

When lidsconf is used to add ACLs (lidsconf -A...) they are stored in the *.conf files

    /etc/lids/lids.conf
             /lids.boot.conf
             /lids.postboot.conf
             /lids.shutdown.conf
If acl_type is specified, the rule is added to the corresponding .conf file; otherwise the rule is added to lids.conf and is considered GLOBAL, i.e., it applies across all states. These files should NOT normally be edited by hand. The following illustrates the contents of a .conf file:
    subject   subj.    subject     RWDAG    inherit   object  object   object          ??
    inode     device   path/name                      inode   device   path/name
    ...
    0       : 0      :            : 3    : 0       : 15937  : 780    : /var/log      : 0-0
    0       : 0      :            : 7    : 0       : 15939  : 780    : /var/log/wtmp : 0-0
    179884  : 778    : /bin/login : 1    : 0       : 33191  : 778    : /etc/shadow   : 0-0
    179885  : 778    : /bin/su    : 1    : 0       : 33191  : 778    : /etc/shadow   : 0-0
(a subject inode and/or device equal to zero means "any file"), and:
    subject   subj.    subject           RWDAG   inh.   obj.    cap.   cap.            ??
    inode     device   path/name                        inode   num.         
    ...
    179884  : 778    : /bin/login      : 16    :  0   : -1    :  7   : CAP_SETUID    : 0-0
    179885  : 778    : /bin/su         : 16    :  0   : -1    :  7   : CAP_SETUID    : 0-0
    31917   : 779    : /usr/sbin/exim4 : 16    : -1   : -1    : 31   : CAP_PROTECTED : 0-0
(capability-associated ACLs are given an object inode equal to -1).
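As an added example (not part of the LIDS tools or of this page), a small parser for the nine-field, colon-separated record layout shown above, following the column headers as given here. The RWDAG access code and the final unnamed column are kept raw because this page does not decode them; the sample records are constructed from the rows quoted above.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the rows quoted on this page, nine colon-separated fields each.
SAMPLE_CONF = """\
0:0::3:0:15937:780:/var/log:0-0
0:0::7:0:15939:780:/var/log/wtmp:0-0
179884:778:/bin/login:1:0:33191:778:/etc/shadow:0-0
179884:778:/bin/login:16:0:-1:7:CAP_SETUID:0-0
31917:779:/usr/sbin/exim4:16:-1:-1:31:CAP_PROTECTED:0-0
"""

@dataclass
class LidsAcl:
    subject_inode: int
    subject_dev: int
    subject_path: str       # empty when the subject is "any file"
    access: int             # the RWDAG column, kept as the raw code
    inherit: int
    object_inode: int       # -1 marks a capability ACL
    object_dev_or_cap: int  # object device, or capability number for capability ACLs
    object_name: str        # object path, or capability name for capability ACLs
    extra: str              # trailing column the page leaves unnamed ("0-0" above)

    @property
    def any_subject(self) -> bool:
        return self.subject_inode == 0 and self.subject_dev == 0

    @property
    def is_capability(self) -> bool:
        return self.object_inode == -1

def parse_line(line: str) -> Optional[LidsAcl]:
    """Parse one record; padding around ':' as in the page's rendering is tolerated."""
    f = [x.strip() for x in line.split(":")]
    if len(f) != 9:  # blank or malformed record
        return None
    return LidsAcl(int(f[0]), int(f[1]), f[2], int(f[3]), int(f[4]),
                   int(f[5]), int(f[6]), f[7], f[8])

def parse_conf(text: str) -> list[LidsAcl]:
    return [a for a in (parse_line(l) for l in text.splitlines()) if a]

def capability_grants(acls: list[LidsAcl]) -> dict[str, list[str]]:
    """Audit view: which subject programs have an ACL for each capability."""
    out: dict[str, list[str]] = {}
    for a in acls:
        if a.is_capability:
            out.setdefault(a.object_name, []).append(a.subject_path)
    return out

def objects_for(acls: list[LidsAcl], subject_path: str) -> list[str]:
    """File objects named by ACLs for this subject, plus the global (any-subject) ones."""
    return sorted(a.object_name for a in acls
                  if not a.is_capability and (a.any_subject or a.subject_path == subject_path))
```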

The *.cap files

    /etc/lids/lids.cap
             /lids.boot.cap
             /lids.postboot.cap
             /lids.shutdown.cap
specify whether each capability is switched off or on by default. Capability settings for a particular state take precedence: those specified in lids.*.cap override the global settings in lids.cap.

When lidsconf is used to check and compile the added ACLs (lidsconf -C), updated *.acl files are created from the .cap and .conf files:

    /etc/lids/lids.boot.acl
    /etc/lids/lids.postboot.acl
    /etc/lids/lids.shutdown.acl
These files are read when the command lidsadm -S -- +RELOAD_CONF is issued.

Some initial values for LIDS are stored in

    /etc/lids.ini

Finally, an encrypted version of the LIDS password is stored in

    /etc/lids.pw

23.2. Lids Tools

The LIDS tools are installed, by default, in /sbin:

    /sbin/lidsconf
         /lidsadm

23.3. man Pages

The man pages install, by default, in /usr/local/share/:

    /usr/local/share/man/man8/lidsadm.8
                              lidsconf.8
If necessary, adjust your MANPATH environment variable to include this path, e.g., export MANPATH=$MANPATH:/usr/local/share/man.

23.4. Source Files

You should start with a "vanilla" kernel source from www.kernel.org rather than a tree from your distro; it is traditionally unpacked under /usr/local/src:

    /usr/local/src/linux-2.xy.pq/
and the corresponding LIDS source
    /usr/local/src/lids-2.2.2-2.xy.pq/
                  /lidstools-2.2.7

23.5. Boot Files

At a minimum, your new kernel and the corresponding System.map:

    /boot/vmlinuz-<version>
          System.map-<version>
optionally, the corresponding config file for documentation purposes:
          config-<version>
and possibly, depending on your kernel configuration (is it modular, does it require extra drivers, e.g., scsi.o?), an initrd image:
          initrd.img-<version>
and some modules:
    /lib/modules/<version>/
Finally, so you can boot your LIDS-enabled kernel, a GRUB entry in:
    /boot/grub/menu.lst


About this document:

Produced from the SGML: /home/mc/public_html/_unix_security/_reml_grp/unix_sec_kernel_lids.reml
On: 19/5/2006 at 11:53:2
Options: reml2 -i noindex -l long -o html -p multiple