3. LIDS Installation

3.1. Patching Kernel Source and Building

LIDS functionality comes from changes to the standard Linux kernel. Binary LIDS-enabled kernels are not available, so installation requires patching the kernel source, then building and installing the new kernel.

The definitive documentation on building and installing a Linux kernel is The Kernel HOWTO. If you are not familiar with the procedure, you are strongly encouraged to read it!

3.2. Required Filesystem Attributes

Question: Do we need the filesystem attributes at install time (when installing the LIDS Tools — for setting the LIDS password) or only when booted into a LIDS kernel?

On most Unix/Linux filesystems a file is uniquely identified by its inode, which holds the file's metadata, e.g., ownership and access-control information. A standard Unix/Linux permission check uses only information present within the inode.

LIDS makes use of Extended Attributes (xattrs), which live outside the fixed inode fields. Not all kernels are compiled with xattr support; for LIDS to function correctly your LIDS-enabled kernel must be (see below).

3.2.1. Ext2/3

To obtain the xattr functionality on Ext2/3 filesystems that LIDS needs, ensure your kernel is compiled with

    CONFIG_EXT2_FS=y
    CONFIG_EXT2_FS_XATTR=y
    CONFIG_EXT2_FS_POSIX_ACL=y 
    CONFIG_EXT2_FS_SECURITY=y
    CONFIG_EXT3_FS=y
    CONFIG_EXT3_FS_XATTR=y
    CONFIG_EXT3_FS_POSIX_ACL=y
    CONFIG_EXT3_FS_SECURITY=y
and then mount the filesystems with the acl option, i.e., in /etc/fstab:
    proc            /proc           proc    defaults,acl        0   0
    /dev/hda10      /               ext3    defaults,acl,errors=remount-ro 0       1
    /dev/hda9       /boot           ext3    defaults,acl        0   2
    /dev/hda14      /scratch        ext3    defaults,acl        0   2
    /dev/hda13      /tmp            ext3    defaults,acl        0   2
    /dev/hda11      /usr            ext3    defaults,acl        0   2
    /dev/hda12      /var            ext3    defaults,acl        0   2
    /dev/hda3       none            swap    sw                  0   0
    /dev/hdc        /media/cdrom0   udf,iso9660 ro,user,noauto  0   0
    /dev/fd0        /media/floppy0  auto    rw,user,noauto      0   0

3.2.2. ReiserFS and XFS

Hans Reiser has said that there will never be official support for xattr on ReiserFS v3 — though a patch is available — but ReiserFS v4 will support xattr.

XFS supports xattrs; to store them efficiently, create the filesystem with an inode size of 512 bytes (mkfs.xfs -i size=512) rather than the default 256.

3.3. Other Kernel Configuration Requirements

The Kconfig (e.g., /usr/local/src/linux-2.6.14/security/lids/Kconfig) which comes with the LIDS kernel patch contains

    depends on EXPERIMENTAL && SYSCTL && SECURITY && SECURITY_SECLVL!=y 
                            && SECURITY_ROOTPLUG!=y && SECURITY_SELINUX!=y
                            && SECURITY_CAPABILITIES!=y
therefore, in make config|menuconfig|xconfig, choose:
    Code maturity level options 
        "Prompt for development and/or..."  = yes
    General setup
        "Sysctl support" = yes
    Security options
        "Enable different security models" = yes
        "Default Linux Capabilities"       = no
        "BSD Secure Levels"                = no
        "NSA SELinux Support"              = no
    Cryptographic Options
        "SHA256 digest algorithm" = yes
i.e., in .config:
    CONFIG_EXPERIMENTAL=y
    CONFIG_SYSCTL=y
    CONFIG_SECURITY=y
    # CONFIG_SECURITY_NETWORK is not set
    # CONFIG_SECURITY_CAPABILITIES is not set
    # CONFIG_SECURITY_SECLVL is not set
    # CONFIG_SECURITY_SELINUX is not set
    CONFIG_CRYPTO=y
    CONFIG_CRYPTO_SHA256=y

3.4. LIDS Kernel Configuration

    CONFIG_LIDS=y
    CONFIG_LIDS_NO_FLOOD_LOG=y
    CONFIG_LIDS_ALLOW_SWITCH=y
    CONFIG_LIDS_ALLOW_LFS=y
    CONFIG_LIDS_RESTRICT_MODE_SWITCH=y
    CONFIG_LIDS_MODE_SWITCH_CONSOLE=y
    CONFIG_LIDS_MODE_SWITCH_SERIAL=y
    CONFIG_LIDS_MODE_SWITCH_PTY=y
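A quick way to verify the requirement sets above (the Ext2/3 xattr options and acl mount option of 3.2.1, the SECURITY/CRYPTO options of 3.3 and the LIDS options of 3.4) before building is to check the .config and /etc/fstab mechanically rather than by eye. The script below is an added example written for this page; it is not part of LIDS or the lidstools. It assumes a POSIX shell with grep, tail, wc and mktemp, uses the 2.6.14 option names quoted on this page (ext3 entries only, for brevity), and runs against constructed sample files so that it works offline; point it at your real .config and fstab instead.

```shell
#!/bin/sh
# Added example (not part of the LIDS documentation): check a kernel .config
# and an /etc/fstab against the requirements in sections 3.2.1, 3.3 and 3.4.
# Assumptions: POSIX sh with grep, tail, wc and mktemp; option names are those
# of a 2.6.14 kernel as quoted on this page (ext3 entries only, for brevity).

# "OPTION=y": must be built in.  "OPTION=n": must be absent or "# OPTION is not set".
LIDS_REQUIREMENTS="
CONFIG_EXT3_FS=y CONFIG_EXT3_FS_XATTR=y CONFIG_EXT3_FS_POSIX_ACL=y CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXPERIMENTAL=y CONFIG_SYSCTL=y CONFIG_SECURITY=y
CONFIG_SECURITY_CAPABILITIES=n CONFIG_SECURITY_SECLVL=n CONFIG_SECURITY_ROOTPLUG=n CONFIG_SECURITY_SELINUX=n
CONFIG_CRYPTO=y CONFIG_CRYPTO_SHA256=y
CONFIG_LIDS=y CONFIG_LIDS_ALLOW_SWITCH=y
"

# config_value FILE OPTION -> y, m, n (absent or "is not set") or the literal value
config_value() {
    line=$(grep -E "^(# )?$2[= ]" "$1" | tail -n 1)
    case $line in
        ""|"# $2 is not set") echo n ;;
        "$2="*)               echo "${line#*=}" ;;
        *)                    echo '?' ;;
    esac
}

# check_config FILE -> one line per violation; exit status 0 only when clean
check_config() {
    bad=0
    for req in $LIDS_REQUIREMENTS; do
        opt=${req%=*}; want=${req#*=}
        have=$(config_value "$1" "$opt")
        if [ "$have" != "$want" ]; then
            echo "$opt: want $want, have $have"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# count_violations FILE -> number of requirement violations
count_violations() {
    check_config "$1" | wc -l | tr -d ' '
}

# fstab_without_acl FSTAB -> mount point of every ext2/ext3 entry lacking "acl"
fstab_without_acl() {
    while read -r dev mnt type opts rest; do
        case $dev in ''|'#'*) continue ;; esac
        case $type in ext2|ext3) ;; *) continue ;; esac
        case ",$opts," in *,acl,*) ;; *) echo "$mnt" ;; esac
    done < "$1"
}

# Constructed sample inputs (not taken from any real machine): a distribution
# style config with the capability LSM and SELinux still on and no LIDS options.
SAMPLE_CONFIG=$(mktemp); SAMPLE_FSTAB=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG" "$SAMPLE_FSTAB"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_EXPERIMENTAL=y
CONFIG_SYSCTL=y
CONFIG_EXT3_FS=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_SECLVL is not set
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_SELINUX=y
CONFIG_CRYPTO=y
# CONFIG_CRYPTO_SHA256 is not set
EOF
cat > "$SAMPLE_FSTAB" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/hda10  /      ext3  defaults,acl,errors=remount-ro  0  1
/dev/hda12  /var   ext3  defaults                        0  2
/dev/hda3   none   swap  sw                              0  0
EOF

check_config "$SAMPLE_CONFIG" || echo "kernel config is NOT ready for LIDS"
for m in $(fstab_without_acl "$SAMPLE_FSTAB"); do echo "$m: ext3 mounted without the acl option"; done
```

On a real machine run check_config against the patched tree's .config (or /proc/config.gz decompressed, if the running kernel has it) and fstab_without_acl against /etc/fstab; the first reports the five violations in the sample (capabilities LSM and SELinux still on, SHA256 and the two LIDS options missing), the second reports /var.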

3.5. Installation Recipe

If you are not familiar with the Linux kernel-building procedure, read the HOWTO.

Most (all?) LIDS-related documentation assumes a modular kernel; a LIDS-patched kernel may just as well be monolithic.

3.5.1. Patch a Vanilla Kernel Source

Download a "vanilla" kernel source from www.kernel.org and patch it with the corresponding LIDS patch:

  1. Unpack linux-x.y.z.tar.gz into <DIR>/linux-x.y.z, where DIR is usually /usr/local/src/.

  2. Unpack lids-p.q.r-x.y.z.tar.gz into <DIR>lids-p.q.r-x.y.z — make sure you are using kernel and patch sources which correspond, i.e., that x, y and z match.

  3. cd into the kernel source directory and patch with patch -p1 < <DIR>/lids-p.q.r-x.y.z. Run it first with --dry-run (patch -p1 --dry-run < <DIR>/lids-p.q.r-x.y.z) to confirm that every hunk applies before the tree is touched.
Ensure there are no errors (no FAILED hunks and no *.rej files left behind); you should see something like:
    patching file security/lids/include/linux/lidsif.h
    patching file security/lids/include/linux/lidsext.h
    patching file security/lids/include/linux/lids.h
    patching file security/lids/include/linux/lids_sysctl.h
    patching file security/lids/lids_lsm.c
    patching file security/lids/lids_acl.c
    patching file security/lids/lids_cap.c
    patching file security/lids/lids_init.c
    patching file security/lids/lids_logs.c
    patching file security/lids/lids_sysctl.c
    patching file security/lids/Kconfig
    patching file security/lids/Makefile
    patching file security/lids/Makefile.in
    patching file security/Makefile
    patching file security/Kconfig
    patching file Makefile
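The two checks in the steps above, that x, y and z of the patch match the kernel and that patch reported no errors, are easy to skip by hand, and a patch made for a different kernel can fail on some hunks and leave a half-patched tree. The script below is an added example, not part of the LIDS distribution; it assumes the linux-x.y.z and lids-p.q.r-x.y.z naming used on this page and GNU patch for the --dry-run step. The version strings at the bottom are constructed for the demonstration, nothing is downloaded or patched.

```shell
#!/bin/sh
# Added example (not part of the LIDS documentation): refuse to patch a kernel
# tree with a LIDS patch made for a different kernel, and apply with a dry run
# first so that a failed hunk never leaves a half-patched tree.
# Assumptions: names follow the linux-x.y.z and lids-p.q.r-x.y.z convention
# used on this page; GNU patch (for --dry-run) is installed for apply_lids_patch.

# strip_suffix NAME -> NAME without a trailing archive or patch suffix
strip_suffix() {
    v=$1
    for s in .tar.gz .tar.bz2 .patch.gz .patch .diff; do v=${v%$s}; done
    echo "$v"
}

# kernel_version NAME -> x.y.z from linux-x.y.z[.tar.gz]
kernel_version() {
    v=$(strip_suffix "$1")
    echo "${v#linux-}"
}

# lids_kernel_version NAME -> the kernel part x.y.z from lids-p.q.r-x.y.z[.tar.gz]
lids_kernel_version() {
    v=$(strip_suffix "$1")
    v=${v#lids-}     # p.q.r-x.y.z
    echo "${v#*-}"   # x.y.z
}

# versions_match KERNEL_NAME LIDS_NAME -> true when x, y and z agree
versions_match() {
    [ "$(kernel_version "$1")" = "$(lids_kernel_version "$2")" ]
}

# apply_lids_patch KERNEL_DIR PATCH_FILE: version check, dry run, apply, look for rejects
apply_lids_patch() {
    dir=$1
    patchfile=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")   # absolute path survives the cd
    if ! versions_match "$(basename "$dir")" "$(basename "$patchfile")"; then
        echo "refusing: $(basename "$dir") vs $(basename "$patchfile") (kernel versions differ)" >&2
        return 1
    fi
    if ! (cd "$dir" && patch -p1 --dry-run -s < "$patchfile"); then
        echo "dry run failed; tree left untouched" >&2
        return 1
    fi
    (cd "$dir" && patch -p1 < "$patchfile") || return 1
    rejects=$(find "$dir" -name '*.rej' | wc -l | tr -d ' ')
    if [ "$rejects" -ne 0 ]; then
        echo "$rejects rejected hunk file(s) under $dir; do not build this tree" >&2
        return 1
    fi
}

# Constructed names for the demonstration; nothing is downloaded or patched here.
versions_match linux-2.6.14.tar.gz lids-2.2.2-2.6.14.tar.gz && echo "linux-2.6.14 + lids-2.2.2-2.6.14: versions match"
versions_match linux-2.6.14 lids-2.2.2-2.6.13 || echo "linux-2.6.14 + lids-2.2.2-2.6.13: mismatch, would refuse"
```

For a real tree the call is apply_lids_patch <DIR>/linux-x.y.z <DIR>/lids-p.q.r-x.y.z (with the patch file unpacked first if it was gzipped); it exits non-zero, and leaves the tree alone, on a version mismatch or a failed dry run, and refuses to let a tree with *.rej files pass as patched.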

3.5.2. Configure the Patched Source

Next, configure the kernel:

  1. make config|menuconfig|xconfig

  2. Configure filesystem extended attributes as described above; unless the filesystem requirements above are met, LIDS will not work properly. Question: Do we need acl-mounted filesystems at LIDS Tools installation time, or only when running a LIDS kernel?

    1. Configure EXPERIMENTAL, SYSCTL and SHA256 into the kernel, as described above.
    2. Configure the SECURITY options in to the kernel as described above.
    3. Configure the LIDS options in to the kernel as described above.

Now build your kernel (and your modules, if any) and install it, but do not reboot into the new kernel yet.

3.5.3. Build the Tools

The final installation step is to build the LIDS Tools. Download and unpack into <DIR>/lidstools-u.v.w, then:

  1. cd into <DIR>/lidstools-u.v.w
  2. ./configure KERNEL_DIR=<DIR>/linux-x.y.z
  3. make
  4. make install
N.B. The configure script currently (as of lidstools v2.2.7) installs lidsadm and lidsconf in /sbin, ignoring any --prefix option. Question: check this!

3.5.3.1. LIDS Password

As part of make install you will be asked for a LIDS password. It is needed to change your LIDS configuration, to start a LIDS-free session, and to switch LIDS off entirely (or back on). Do not forget it! Since whoever knows this password can switch LIDS off, choose it with at least the care you give the root password.

3.5.4. Configure GRUB

The last step before booting your newly-installed LIDS-enabled kernel is to configure your bootloader. It is a good idea to have a couple of choices; here are the GRUB entries (for kernels which do not require an initrd, e.g., monolithic kernels):

    title           Vanilla 2.6.14-lids (lids=0)
    root            (hd0,8)
    kernel          /vmlinuz-2.6.14-lids lids=0 root=/dev/hda10 
    title           Vanilla 2.6.14-lids
    root            (hd0,8)
    kernel          /vmlinuz-2.6.14-lids root=/dev/hda10 
Notice that the first entry contains the kernel option lids=0: this turns LIDS off completely, and is your way back in if your configuration gets so messed up you cannot do anything, or you forget your LIDS password. The flip side is that anyone who can edit the kernel command line at the boot prompt can disable LIDS the same way, so protect the GRUB menu with a password and restrict physical and console access to the machine.





About this document:

Produced from the SGML: /home/mc/public_html/_unix_security/_reml_grp/unix_sec_kernel_lids.reml
On: 19/5/2006 at 11:53:2
Options: reml2 -i noindex -l long -o html -p multiple