Before you reboot into your LIDS enhanced kernel, enter the following at the command prompt:
# lidsadm -P
You will then be prompted for a LIDS password:
MAKE PASSWD enter password: Verifying enter password:
This will write your RipeMD-160 encrypted password to the /etc/lids/lids.pw file.
You must first create a LIDS free session. Then set your password using the "-P" option just like you did the first time (you will not be prompted for your current password). After resetting your LIDS password, you must tell LIDS to reload it's configuration files.
A LIDS free session (LFS) is a terminal session that is not restricted by LIDS. This option is available so you can administer your system without having to reboot into a non-LIDS kernel. In order for this to work, you must have selected this option when you compiled your LIDS enhanced kernel:
[*] Allow switching LIDS protectionsTo create an LFS, enter the following at the prompt:
# lidsadm -S -- -LIDS
You will then be prompted for your LIDS password. This terminal is now LIDS free. It will remain LIDS free until you:
(lidsadm -S -- +LIDS).You can only have one LFS active at any one time. Even though lidsadm -S -- -LIDS will not fail if entered on another terminal, you can have only one LFS.
This can happen if you create a LFS on a virtual console and then switch to another virtual console and try to administer your machine. To clear it up, try enabling LIDS and then disabling it again (entering passwords when prompted):
# lidsadm -S -- +LIDS # lidsadm -S -- -LIDS
In order for LIDS to be able to reload it's configuration files, you must enable this option when you configure your LIDS enhanced kernel:
[*] Allow switching LIDS protections (3) Number of attempts to submit password (30) Time to wait after a fail (seconds) [ ] Allow remote users to switch LIDS protections [ ] Allow any program to switch LIDS protections [*] Allow reloading config. file <--------------------NOTE: You must allow switching LIDS protections in order to enable reloading of configuration files.
The following instructs LIDS to reload it's configuration files:
# lidsadm -S -- +RELOAD_CONF
This will reload the following configuration files:
/etc/lids/lids.conf - LIDS ACL configuration file. /etc/lids/lids.cap - LIDS capabilities file. /etc/lids/lids.pw - LIDS password file. /etc/lids/lids.net - LIDS mail alert configuration file.
You can reboot into a non-LIDS enhanced kernel, or boot into your LIDS enhanced kernel with LIDS disabled to try and patch things up. To boot with LIDS disabled, specify security=0 at the lilo prompt. For example, if your LIDS enhanced kernel is called lids-kernel you would enter the following at the lilo prompt:
lilo: lids-kernel security=0
That's the easy part. The difficult part is getting your LIDS enabled system to shutdown. You may not be able to shutdown successfully depending on your LIDS configuration.
WARNING: Rebooting your LIDS enabled system when it is not properly configured can cause file system corruption and/or loss of data!!
Whenever the device that a file resides on, or a file's inode number changes, you must update your /etc/lids/lids.conf file with the proper information. Fortunately, Xie has provided us with an option just for this occasion:
# lidsadm -U
You must then reload the configuration files.
Besides using a LFS, LIDS can be turned off globally. This will only work if you compiled the option into your kernel.
# lidsadm -S -- -LIDS_GLOBAL
When LIDS_GLOBAL is disabled, your system will operate like a "normal" Linux system. To re-enable LIDS globally, perform the opposite:
#lidsadm -S -- +LIDS_GLOBAL
NOTE: This will not affect your LFS if you currently have one enabled.
At the end of the bootup process, you should seal the kernel. This effectively enables all of LIDS features in order to protect your system. To seal the kernel, put the following at the end of your rc.local (assuming SysV style init):
/sbin/lidsadm -I
WARNING: If you do not seal you kernel at boot time, you will not receive the full benefits of a LIDS enhanced system.
In order to use the "-V" option, you must have compiled lidsadm with make VIEW=1
(see above).
At the command line, enter:
# lidsadm -V
This will produce output similar to the following on a 2.2.x kernel:
VIEW
CAP_CHOWN 0
CAP_DAC_OVERRIDE 0
CAP_DAC_READ_SEARCH 0
CAP_FOWNER 0
CAP_FSETID 0
CAP_KILL 0
CAP_SETGID 0
CAP_SETUID 0
CAP_SETPCAP 0
CAP_LINUX_IMMUTABLE 0
CAP_NET_BIND_SERVICE 0
CAP_NET_BROADCAST 0
CAP_NET_ADMIN 0
CAP_NET_RAW 0
CAP_IPC_LOCK 0
CAP_IPC_OWNER 0
CAP_SYS_MODULE 0
CAP_SYS_RAWIO 0
CAP_SYS_CHROOT 0
CAP_SYS_PTRACE 0
CAP_SYS_PACCT 0
CAP_SYS_ADMIN 0
CAP_SYS_BOOT 1
CAP_SYS_NICE 0
CAP_SYS_RESOURCE 1
CAP_SYS_TIME 0
CAP_SYS_TTY_CONFIG 0
CAP_HIDDEN 1
CAP_INIT_KILL 0
LIDS_GLOBAL 1
0
RELOAD_CONF 0
LIDS 0
As you can see from the output above, this system has a LFS active. However, LIDS is enabled globally. The items with a "1" next to them are enabled, and those items with a "0" next to them are disabled. Except for the last two capabilities, root normally has all of the above capabilities. Thanks to LIDS, root only has capabilities CAP_SYS_BOOT, CAP_SYS_RESOURCE, and CAP_HIDDEN in this particular case (NOTE: CAP_HIDDEN isn't a capability provided by the standard Linux kernel).
You don't. As long as you selected the option when you configured your LIDS enhanced kernel, the port scan detector is enabled.
[*] Port Scanner Detector in kernel
The subject is a program that can run on a Linux system, such as a binary or shell script. The object is what the subject wants to access. This includes files, directories, capabilities, etc.