LIDS intrusion detection and defense system installation and research

xiaoxiao, 2021-03-06

My test environment is RedHat 7.2 with kernel-2.4.7-10. First download the packages from:

Http://www.mirrors.wiretapped.net/security/neetwork-intrusion-detection/lids/download/

There you can find the LIDS package for the corresponding kernel. My kernel is 2.4.7, but the package in that directory, lids-1.0.12-2.4.20.tar.gz, corresponds to kernel 2.4.20, so the kernel source must also be 2.4.20.

1. Download the LIDS package

http://www.mirrors.wiretapped.net/security/neetwork-intrusion-detection/lids/download/v2.4/2.4.7/lids-1.0.12-2.4.20.tar.gz

2. Download lidstools (the latest lidstools)

http://www.mirrors.wiretapped.net/security/neetwork-intrusion-detection/lids/download/lidstools/lidstools-0.5.6.tar.gz

(This latest version is meant for newer LIDS packages, so it is not used here; the lidstools bundled inside the LIDS package is used instead.)

3. Download the kernel source code

http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.20.tar.gz

Put all the files into /usr/src and unpack them:

    cd /usr/src
    tar zxf linux-2.4.20.tar.gz
    tar zxf lids-1.0.12-2.4.20.tar.gz

Of course I am only testing here. Once the kernel has been patched with LIDS it will be protected:

    cd linux-2.4.20
    patch -p1 < ../lids-1.1.2-2.4.20/lids-1.1.2-2.4.20.patch
    make menuconfig

In menuconfig select:

    Code maturity level options --->
        [*] Prompt for development and/or incomplete code/drivers

    [*] Linux Intrusion Detection System support (EXPERIMENTAL)
    --- LIDS features
    (1024) Maximum protected objects to manage (NEW)
    (1024) Maximum ACL subjects to manage (NEW)
    (1024) Maximum ACL objects to manage (NEW)
    [ ]   Hang up console when raising a security alert (NEW)
    [*]   Security alert when execing unprotected programs before sealing LIDS (NEW)
    [ ]     Do not execute unprotected programs before sealing LIDS (NEW)
    [*]   Attempt not to flood logs
    (60)    Authorised time between two identic logs (seconds) (NEW)
    [*]   Allow switching LIDS protections
    [ ]     Restrict mode switching to specified terminals (NEW)
    (3)     Number of attempts to submit password (NEW)
    (3)     Time to wait after a fail (seconds) (NEW)
    [ ]     Allow any program to switch LIDS protections (NEW)
    [*]     Allow reloading config. file
    [*]   Port Scanner Detector in kernel
    [ ]   Send security alerts through network (NEW)
    [ ]   LIDS Debug (NEW)

If you test under VMware, first check your SCSI controller type; it must be selected in the kernel. Mine is a BusLogic BT-958, but yours may be another device.

Haha, exit and save, then:

    make dep
    make clean
    make bzImage
    make modules
    make modules_install
    cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.20-lids

Edit /boot/grub/menu.lst and add at the end:

    title Red Hat Linux (2.4.20-lids)
        root (hd0,0)
        kernel /vmlinuz-2.4.20-lids ro root=/dev/sda2

Then build lidstools:

    cd ../lids-1.1.2-2.4.20
    tar zxf lidstools-0.4.3.tar.gz
    cd lidstools
    ./configure KERNEL_DIR=../../linux-2.4.20
    make
    make install

make install prompts you for the LIDS password:

    Enter new password: 123456
    Reenter new password: 123456

After configuring, restart the system, and don't forget to boot the LIDS-patched kernel. Add the following command at the end of /etc/rc.local so the kernel is sealed at boot:

    /sbin/lidsadm -I

Then restart. If you want to boot with LIDS switched off, you can do so from the LILO prompt. Run /sbin/lidsadm -S -- -LIDS to switch to the state where LIDS does not protect, then run your configuration scripts, run /sbin/lidsadm -S -- +RELOAD_CONF to update the LIDS configuration, and finally lidsadm -S -- +LIDS to switch back to the LIDS-protected state. After the reboot LIDS is basically up and running.

There is still stuff below that I don't fully understand; it is partly taken from others. It has been changed, though, because of the many mistakes and old-version problems. Whatever I forgot, I forgot; if there are problems, let's study them together. Haha, I'm not good at writing a technical article, please criticize. Time is short, please excuse me. It is not in actual use, only in the research phase, but I feel it is very easy, and I hope everyone will study it.

Testing: use commands such as ps ax | grep http to test LIDS protection of files, directories and processes, and test the detection and response functions of LIDS by scanning with a scanner. The best way is to imitate what a hacker does after a successful intrusion, such as installing a rootkit.
By default lidstools installs the default configuration files into /etc/lids/. You must reconfigure them according to your needs.

lids.conf: stores the LIDS ACL information, i.e. the ACLs that define the access type of each object.
lids.cap: contains all capabilities of the system; edit this file to configure them.
lids.net: configures the warning mails sent to the administrator's mailbox; you can define the SMTP server, port, message and so on. It is only used when the kernel was configured with [*] Send security alerts through network.
lids.pw: stores the password generated by the 'lidsconf -P' command. When the kernel is configured with [*] Allow switching LIDS protections, this file must exist.

1. Configure the files and directories that LIDS protects

First decide which files you want to protect. In general, protect the system binaries and the system configuration files, for example /bin, /sbin/, /usr/, /etc/, /var/log/. Second, decide how each file is to be protected. LIDS provides four protection types.

a. DENY: nobody may access files and directories marked DENY; nobody can see them and nobody can modify them. Very sensitive files, for example /etc/shadow, should be marked DENY.

    Usage: lidsconf -A -o file_to_protect -j DENY
    # lidsconf -A -o /etc/shadow -j DENY

After rebooting or reloading the configuration file you will see:

    # ls /etc/shadow
    ls: /etc/shadow: No such file or directory

Next, some programs still need access to these files; for example, when logging in to the system, /bin/login must read passwords from the DENY-marked /etc/shadow:

    Usage: lidsconf -A -s subject_program -o object_file -j READONLY|WRITE|APPEND
    # lidsconf -A -s /bin/login -o /etc/shadow -j READONLY

After rebooting or reloading the configuration file you can log in to the system, but you still cannot see /etc/shadow. This is an example of mandatory access control.

b. READONLY: no user can change files marked read-only. /etc/passwd and /bin/passwd, for example, generally belong to this class.

    Usage: lidsconf -A -o file_to_protect -j READONLY
    Examples:
    1. Protect the whole /sbin/ directory as read-only:
    # /sbin/lidsconf -A -o /sbin/ -j READONLY
    2. Protect the /etc/passwd file as read-only:
    # /sbin/lidsconf -A -o /etc/passwd -j READONLY

c. APPEND: files that can only be appended to. The system log files, for example /var/log/messages and /var/log/secure, should generally be defined this way. These files can only be opened in append mode, and users cannot modify their existing contents.

    # /sbin/lidsconf -U

Then generate the RIPEMD-160 hashed password:

    # /sbin/lidsconf -P

When the kernel boots, it reads these configuration files into the kernel to initialize the LIDS system.

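The DENY/READONLY/APPEND/WRITE rules and the subject-program rules above can be reasoned about offline with a small model. This is an added example, not code from the article or from lidstools: it parses rules in the lidsconf command-line form the text uses and assumes a simplified matching order (the most specific object path wins, and at equal specificity a rule naming a subject program beats a global rule); an object with no rule is treated as unrestricted by LIDS.

```python
"""Model of the LIDS file ACL semantics described in the text.

Added example, not the article's or lidstools' code.  The matching
order is an assumption, not the kernel's actual algorithm.
"""
import shlex
from collections import namedtuple

Rule = namedtuple("Rule", "subject object action")

# Protection levels: each level permits the accesses of the levels below it.
LEVEL = {"DENY": 0, "READONLY": 1, "APPEND": 2, "WRITE": 3}
# Minimum level an access needs; "stat" is what ls needs to see the file.
NEEDED = {"stat": 1, "read": 1, "append": 2, "write": 3}


def rule_from_lidsconf(cmdline):
    """Parse 'lidsconf -A [-s subject] -o object -j ACTION' into a Rule."""
    argv = shlex.split(cmdline)
    subject = obj = action = None
    i = 0
    while i < len(argv):
        if argv[i] == "-s":
            subject, i = argv[i + 1], i + 2
        elif argv[i] == "-o":
            obj, i = argv[i + 1], i + 2
        elif argv[i] == "-j":
            action, i = argv[i + 1].upper(), i + 2
        else:
            i += 1
    if obj is None or action not in LEVEL:
        raise ValueError("not a file ACL rule: %r" % cmdline)
    return Rule(subject, obj.rstrip("/") or "/", action)


def covers(rule_path, path):
    """True when `path` is `rule_path` itself or lies beneath it."""
    return path == rule_path or rule_path == "/" or path.startswith(rule_path + "/")


def decide(rules, program, path, access):
    """Return True if `program` may perform `access` on `path` under `rules`."""
    best_key, best_rule = None, None
    for r in rules:
        if not covers(r.object, path):
            continue
        if r.subject is not None and r.subject != program:
            continue
        # longer object path = more specific; subject rule beats global rule
        key = (len(r.object), r.subject is not None)
        if best_key is None or key > best_key:
            best_key, best_rule = key, r
    if best_rule is None:
        return True          # no LIDS rule: ordinary Unix permissions apply
    return LEVEL[best_rule.action] >= NEEDED[access]


# The ruleset from the text, constructed here from the article's commands.
POLICY = [rule_from_lidsconf(c) for c in (
    "lidsconf -A -o /etc -j READONLY",
    "lidsconf -A -o /sbin -j READONLY",
    "lidsconf -A -o /etc/shadow -j DENY",
    "lidsconf -A -s /bin/login -o /etc/shadow -j READONLY",
    "lidsconf -A -o /var/log -j APPEND",
    "lidsconf -A -o /home/httpd -j DENY",
    "lidsconf -A -s /usr/sbin/httpd -o /home/httpd -j READONLY",
)]

if __name__ == "__main__":
    checks = [
        ("/bin/bash", "/etc/shadow", "stat"),            # root shell cannot see it
        ("/bin/login", "/etc/shadow", "read"),           # login may read it
        ("/usr/sbin/httpd", "/home/httpd/index.html", "write"),  # httpd is read-only
        ("/bin/bash", "/var/log/messages", "append"),
        ("/bin/bash", "/var/log/messages", "write"),
    ]
    for prog, path, acc in checks:
        verdict = "allowed" if decide(POLICY, prog, path, acc) else "denied"
        print("%-16s %-6s %-28s -> %s" % (prog, acc, path, verdict))
```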
2. Configure the processes LIDS protects

a. Unkillable processes: LIDS can protect processes whose parent is init (pid 1) from being killed. Configure this in /etc/lids/lids.cap with the following line:

    -29:CAP_INIT_KILL

b. Hidden processes: these processes cannot be seen with the ps command or in /proc.

    Example: lidsconf -A -s /usr/sbin/httpd -o CAP_HIDDEN -j GRANT

3. Protect capabilities

The capabilities here are the privileges you grant. A root process has all capabilities, subject to the capability bounding set. In a normal kernel, once a capability is removed from the bounding set it cannot be enabled again unless the system is rebooted. LIDS changes this so that the user can switch any of these capabilities, and any access to /proc/sys/kernel/cap_bset is caught and raises a security alert. The system's capability set is stored in /etc/lids/lids.cap; edit it to meet your needs.
For example, CAP_SYS_RAWIO: if enabled, it allows access to /dev/port, /dev/mem, /dev/kmem and the raw block devices (/dev/[sh]d??). If we disable this capability, no process running on the system can access the raw block devices, so for example lilo cannot run. However, some programs need this privilege when they run, such as XF86_SVGA.

Another example is CAP_NET_ADMIN, which gives the following abilities: interface configuration, IP firewall, masquerading and accounting administration, setting socket debug options, modifying the routing table, setting the ownership of sockets to any process or process group, binding addresses for transparent proxying, setting the type of service, setting promiscuous mode, multicast, reading and writing device-specific registers, and so on. For security reasons we should disable this capability and not allow changes to the network settings, which also forbids changes to the firewall rules.

The lids.cap file is configured by putting "+" in front of a capability name to enable it, or "-" to disable it. Descriptions of the individual capabilities:

CAP_CHOWN: in a system with _POSIX_CHOWN_RESTRICTED defined, overrides the restriction on changing file ownership and group ownership.
CAP_DAC_OVERRIDE: overrides all DAC access, including ACL execute access if _POSIX_ACL is defined; DAC access covered by CAP_LINUX_IMMUTABLE is excluded.
CAP_DAC_READ_SEARCH: overrides all DAC restrictions regarding read and search on files and directories, including ACL restrictions if _POSIX_ACL is defined; DAC access covered by CAP_LINUX_IMMUTABLE is excluded.
CAP_FOWNER: overrides all restrictions on allowed operations on files where the file owner ID must be equal to the user ID, except where CAP_FSETID applies. It does not override MAC and DAC restrictions.
CAP_FSETID: overrides the restrictions that the effective user ID must match the file owner ID when setting the S_ISUID and S_ISGID bits on that file, that the effective group ID (or a supplementary group ID) must match the file owner ID when setting the S_ISGID bit, and that the S_ISUID and S_ISGID bits are cleared on a successful chown.
CAP_FS_MASK: used to decide between suser() and fsuser().
CAP_KILL: overrides the restriction that the real or effective user ID of a process sending a signal must match the real or effective user ID of the process receiving it.
CAP_SETGID: allows setgid() manipulation; allows setgroups(); allows forged gids on socket credentials passing.
CAP_SETUID: allows set*uid() manipulation; allows forged pids on socket credentials passing.
CAP_SETPCAP: transfer any capability in your permitted set to any pid, or remove any capability in your permitted set from any pid.
CAP_LINUX_IMMUTABLE: allows modification of the S_IMMUTABLE and S_APPEND file attributes.
CAP_NET_BIND_SERVICE: allows binding TCP/UDP sockets to ports below 1024.
CAP_NET_BROADCAST: allows broadcasting and listening to multicast.
CAP_NET_ADMIN: allows interface configuration; administration of IP firewall, masquerading and accounting; setting debug options on sockets; modifying the routing table; setting arbitrary process/process group ownership on sockets; binding to any address for transparent proxying; setting TOS (type of service); setting promiscuous mode; clearing driver statistics; multicasting; reading and writing device-specific registers.
CAP_NET_RAW: allows use of RAW sockets and PACKET sockets.
CAP_IPC_LOCK: allows locking of shared memory segments; allows mlock and mlockall.
CAP_IPC_OWNER: overrides IPC ownership checks.
CAP_SYS_MODULE: insert and remove kernel modules.
CAP_SYS_RAWIO: allows ioperm/iopl and /dev/port access; allows /dev/mem and /dev/kmem access; allows raw block device access (/dev/[sh]d??).
CAP_SYS_CHROOT: allows use of chroot().
CAP_SYS_PTRACE: allows ptrace() of any process.
CAP_SYS_PACCT: allows configuration of process accounting.
CAP_SYS_ADMIN: allows configuration of the secure attention key; administration of the random device; device administration (mknod); examination and configuration of disk quotas; configuring the kernel's syslog; setting the domain name; setting the host name; calling bdflush(); mount() and umount(), setting up a new smb connection; some autofs root ioctls; nfsservctl; VM86_REQUEST_IRQ; reading/writing PCI configuration on alpha; irix_prctl on mips; flushing all cache on m68k; removing semaphores; used instead of CAP_CHOWN to "chown" IPC message queues, semaphores and shared memory; locking/unlocking shared memory segments; turning swap on and off; forged pids on socket credentials passing; setting readahead and flushing buffers on block devices; setting geometry in the floppy driver; turning DMA on and off in the xd driver; administration of md devices; tuning the ide driver; access to the nvram device; administration of apm_bios, serial and bttv (TV) devices; manufacturer commands in the isdn CAPI driver; DDI debug ioctl on the sbpcd driver; sending raw qic-117 commands; enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands; setting the encryption key on the loopback filesystem.
CAP_SYS_BOOT: allows use of reboot().
CAP_SYS_NICE: allows raising the priority of, and setting the priority on, other processes; allows FIFO and round-robin (realtime) scheduling on its own processes and setting the scheduling algorithm of another process.
CAP_SYS_RESOURCE: override resource limits; set resource limits; override quota limits; override reserved space on ext2 filesystems; allow more than 64 Hz interrupts from the real-time clock; override the maximum number of consoles; override the maximum number of keymaps.
CAP_SYS_TIME: allows manipulation of the system clock; allows irix_stime; allows setting the real-time clock.
CAP_SYS_TTY_CONFIG: allows configuration of tty devices; allows vhangup() of a tty.

Capabilities can also be granted to specific programs: a program tagged with a capability gets that capability even though it has been removed from the system's capability set.

For example, you remove CAP_SYS_RAWIO in lids.cap, but the X server needs this capability when it starts. So you can set:

    # lidsconf -A -s /usr/X11R6/bin/XF86_SVGA -o CAP_SYS_RAWIO -j GRANT

This lets XF86_SVGA have CAP_SYS_RAWIO while no other program can get it.

So choose the capabilities you need to remove. You must remove CAP_SYS_MODULE, CAP_SYS_RAWIO and CAP_SYS_ADMIN to protect the system from low-level attacks. It is best to also disable CAP_NET_ADMIN, CAP_SYS_PTRACE, CAP_LINUX_IMMUTABLE, CAP_KILL, CAP_SYS_RESOURCE, CAP_SYS_TIME and CAP_SYS_TTY_CONFIG. Through these capability settings LIDS improves network security, for example anti-sniffing, forbidding binding to ports below 1024, and forbidding changes to the firewall and routing rules.

4. Port scan detection in the kernel

LIDS provides a scan detector in the kernel that detects who is scanning your system. It can detect half-open scans, SYN stealth scans, stealth FIN, Xmas and NULL scans; popular scanners such as nmap and SATAN can be detected. It still works when raw sockets do not, because it does not use any socket; in that situation sniffer-based user-space detectors cannot work. If you want to use this function, select it when compiling the kernel.

5. Intrusion response

When LIDS detects activity that violates the defined rules, it can respond as follows:

a. Log the relevant information. When someone violates the rules, lids_security_log records the relevant information, and the logging has anti-logging-flood capability, which you can set when compiling the kernel.

b. Send the information through a mail server. LIDS can send the log to your mailbox; you define the IP of the mail server and the source address in /etc/lids/lids.net
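To check a lids.cap against the advice above (CAP_SYS_MODULE, CAP_SYS_RAWIO and CAP_SYS_ADMIN off; the second group preferably off), here is an added example, not part of the article or of lidstools. The sample file inside it is constructed; it follows the +NUM:CAP_NAME / -NUM:CAP_NAME format the text describes, using 29 for CAP_INIT_KILL as the text gives it.

```python
"""Audit a LIDS lids.cap file against the capability advice in the text.

Added example, not code from the article or from lidstools.  Assumed
format, as the text describes it: one capability per line,
"+NUM:CAP_NAME" keeps the capability in the bounding set,
"-NUM:CAP_NAME" drops it; "#" starts a comment.
"""
import re

# Text: these must be removed to keep the kernel itself out of reach.
MUST_DISABLE = {"CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_ADMIN"}
# Text: "it is best to also disable" these.
SHOULD_DISABLE = {"CAP_NET_ADMIN", "CAP_SYS_PTRACE", "CAP_LINUX_IMMUTABLE",
                  "CAP_KILL", "CAP_SYS_RESOURCE", "CAP_SYS_TIME",
                  "CAP_SYS_TTY_CONFIG"}

LINE_RE = re.compile(r"^([+-])(\d+):(CAP_[A-Z_]+)$")


def parse_lids_cap(text):
    """Return {cap_name: (number, enabled)}; reject malformed or duplicate lines."""
    caps = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("lids.cap line %d: cannot parse %r" % (lineno, raw))
        sign, number, name = m.groups()
        if name in caps:
            raise ValueError("lids.cap line %d: %s listed twice" % (lineno, name))
        caps[name] = (int(number), sign == "+")
    return caps


def bounding_set(caps):
    """Bitmask of the enabled capabilities, i.e. the resulting bounding set."""
    mask = 0
    for number, enabled in caps.values():
        if enabled:
            mask |= 1 << number
    return mask


def audit(caps):
    """Return (must_fix, should_fix): capabilities from each list still enabled."""
    enabled = {name for name, (_, on) in caps.items() if on}
    return sorted(enabled & MUST_DISABLE), sorted(enabled & SHOULD_DISABLE)


# Constructed sample, not the lids.cap shipped with lidstools.
SAMPLE_LIDS_CAP = """\
# lids.cap: +N:CAP enables, -N:CAP disables
+0:CAP_CHOWN
+5:CAP_KILL
+7:CAP_SETUID
+10:CAP_NET_BIND_SERVICE
+12:CAP_NET_ADMIN
-16:CAP_SYS_MODULE
+17:CAP_SYS_RAWIO   # still on; the text grants it per program (XF86_SVGA) instead
-21:CAP_SYS_ADMIN
-29:CAP_INIT_KILL
"""

if __name__ == "__main__":
    caps = parse_lids_cap(SAMPLE_LIDS_CAP)
    print("bounding set = 0x%x" % bounding_set(caps))
    must, should = audit(caps)
    for name in must:
        print("MUST disable: %s" % name)
    for name in should:
        print("should disable: %s" % name)
```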

as follows:

    MAIL_SWITCH=1
    # MAIL_RELAY=hex IP:port
    # IP of the machine that will be directly connected by LIDS
    # for relaying its mails. Port is usually 25, but who knows...
    MAIL_RELAY=192.168.100.171:25
    # MAIL_SOURCE=source machine
    # name of the source machine, used for the ehlo identification
    # Note that a bad name here could make the mail relay refuse your
    # mails.
    MAIL_SOURCE=lids.xfocus.net

Notes:

* Files updated at boot time. Some files must be written when the system starts but are protected by LIDS. These are generally under /var, but there are some exceptions:
  - modules.dep: apart from when modules are added or removed it does not need to change at boot, so its update at boot can be disabled.
  - mtab: mount with the -n option, or create a link from /etc/mtab to /proc/mounts at boot. If the /etc directory is protected, booting may fail because mtab is not writable; either add the -n option to mount in the startup scripts, or protect only a few important directories and files under /etc individually.

* Shutdown or reboot. The lids.conf configuration may prevent the halt script from unmounting the file systems, so the file systems are checked when the system restarts. Therefore lids.conf must configure halt:

    /sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_INIT_KILL -i 1 -j GRANT
    /sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_KILL -i 1 -j GRANT
    /sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_NET_ADMIN -i 1 -j GRANT
    /sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_SYS_ADMIN -i 1 -j GRANT

* Hidden processes. Because a hidden process cannot be seen, it cannot be stopped at shutdown; the file systems are then not unmounted correctly, the disk is checked at the next boot, and booting takes a long time. So after hiding a process, modify its stop script.

For example, after hiding the httpd process, modify /etc/rc.d/init.d/httpd so that stop() kills the hidden process by its pid file (killproc cannot find a hidden process):

    ...
    stop() {
        echo -n "Shutting down http: "
        kill -15 `cat /var/run/httpd.pid`
        RETVAL=$?
        sleep 5
        #killproc httpd
        echo
        [ $RETVAL = 0 ] && rm -f /var/lock/subsys/httpd /var/run/httpd.pid
    }
    ...

LIDS test:

1. Functional test. Configuration script:

    #!/bin/sh
    # flush old rules
    /sbin/lidsconf -Z
    # protect /etc/lids
    /sbin/lidsconf -A -o /etc/lids -j DENY
    # protect system binaries
    /sbin/lidsconf -A -o /sbin -j READONLY
    /sbin/lidsconf -A -o /bin -j READONLY
    # protect all of /usr and /usr/local
    /sbin/lidsconf -A -o /usr -j READONLY
    /sbin/lidsconf -A -o /usr/local -j READONLY
    # protect the system libraries
    /sbin/lidsconf -A -o /lib -j READONLY
    # protect system configuration files
    /sbin/lidsconf -A -o /etc/rc.d -j READONLY
    /sbin/lidsconf -A -o /etc/rc0.d -j READONLY
    /sbin/lidsconf -A -o /etc/rc1.d -j READONLY
    /sbin/lidsconf -A -o /etc/rc2.d -j READONLY
    /sbin/lidsconf -A -o /etc/rc3.d -j READONLY
    /sbin/lidsconf -A -o /etc/rc4.d -j READONLY
    /sbin/lidsconf -A -o /etc/rc5.d -j READONLY
    /sbin/lidsconf -A -o /etc/rc6.d -j READONLY
    /sbin/lidsconf -A -o /etc/init.d -j READONLY
    /sbin/lidsconf -A -o /etc/rc.local -j READONLY
    /sbin/lidsconf -A -o /etc/rc.sysinit -j READONLY
    /sbin/lidsconf -A -o /etc/sysconfig -j READONLY
    /sbin/lidsconf -A -o /etc/hosts -j READONLY
    /sbin/lidsconf -A -o /etc/hosts.allow -j READONLY
    /sbin/lidsconf -A -o /etc/hosts.deny -j READONLY
    /sbin/lidsconf -A -o /etc/passwd -j READONLY
    /sbin/lidsconf -A -o /etc/shadow -j DENY
    /sbin/lidsconf -A -o /etc/lilo.conf -j DENY
    # enable system authentication
    /sbin/lidsconf -A -s /bin/login -o /etc/shadow -j READONLY
    /sbin/lidsconf -A -s /bin/su -o /etc/shadow -j READONLY
    /sbin/lidsconf -A -s /bin/su -o CAP_SETUID -j GRANT
    /sbin/lidsconf -A -s /bin/su -o CAP_SETGID -j GRANT
    /sbin/lidsconf -A -s /bin/login -o CAP_SETUID -j GRANT
    /sbin/lidsconf -A -s /bin/login -o CAP_SETGID -j GRANT
    /sbin/lidsconf -A -s /bin/login -o CAP_CHOWN -j GRANT
    /sbin/lidsconf -A -s /bin/login -o CAP_FSETID -j GRANT
    # protect the boot partition
    /sbin/lidsconf -A -o /boot -j READONLY
    # protect root's home dir, but allow bash history
    /sbin/lidsconf -A -o /root -j READONLY
    /sbin/lidsconf -A -s /bin/bash -o /root/.bash_history -j WRITE
    # protect system logs
    /sbin/lidsconf -A -o /var/log -j APPEND
    /sbin/lidsconf -A -o /var/log/dmesg -j WRITE
    /sbin/lidsconf -A -s /bin/login -o /var/log/wtmp -j WRITE
    /sbin/lidsconf -A -s /bin/login -o /var/log/lastlog -j WRITE
    /sbin/lidsconf -A -s /sbin/init -o /var/log/wtmp -j WRITE
    /sbin/lidsconf -A -s /sbin/init -o /var/log/lastlog -j WRITE
    /sbin/lidsconf -A -s /sbin/halt -o /var/log/wtmp -j WRITE
    /sbin/lidsconf -A -s /sbin/halt -o /var/log/lastlog -j WRITE
    /sbin/lidsconf -A -s /etc/rc.d/rc.sysinit -o /var/log/wtmp -i 1 -j WRITE
    /sbin/lidsconf -A -s /etc/rc.d/rc.sysinit -o /var/log/lastlog -i 1 -j WRITE
    # shutdown
    /sbin/lidsconf -A -s /sbin/init -o CAP_INIT_KILL -j GRANT
    /sbin/lidsconf -A -s /sbin/init -o CAP_KILL -j GRANT
    # Give the following init script the proper privileges to kill processes and
    # unmount the file systems. However, anyone who can execute these scripts
    # by themselves can effectively kill your processes. It's better than
    # the alternative, however.
    /sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_INIT_KILL -i 1 -j GRANT
    /sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_KILL -i 1 -j GRANT
    /sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_NET_ADMIN -i 1 -j GRANT
    /sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_SYS_ADMIN -i 1 -j GRANT
    /sbin/lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_SYS_RAWIO -i 1 -j GRANT
    # other
    /sbin/lidsconf -A -s /sbin/update -o CAP_SYS_ADMIN -j GRANT
    /sbin/lidsconf -A -s /sbin/consolepe -o CAP_SYS_ADMIN -j GRANT
    # protect and hide httpd
    /sbin/lidsconf -A -o /etc/httpd -j DENY
    /sbin/lidsconf

Please credit the original source when reposting: https://www.9cbs.com/read-80146.html
