The following is a sample configuration for basic system setup.
# Protect system binaries
#
lidsadm=/sbin/lidsadm
"$lidsadm" -A -o /sbin -j READ
"$lidsadm" -A -o /bin -j READ
# Protect all of /usr and /usr/local
#
"$lidsadm" -A -o /usr -j READ
"$lidsadm" -A -o /usr/local -j READ
# Protect the system libraries (/usr/lib is already covered by the /usr rule)
#
"$lidsadm" -A -o /lib -j READ
# Protect system configuration files. /etc/shadow and the boot loader
# config are hidden outright (DENY); only the subjects listed further
# down get them back.
#
"$lidsadm" -A -o /etc -j READ
"$lidsadm" -A -o /usr/local/etc -j READ
"$lidsadm" -A -o /etc/shadow -j DENY
"$lidsadm" -A -o /etc/lilo.conf -j DENY
# Enable system authentication: only these programs may read /etc/shadow
#
for subject in /bin/login /usr/bin/vlock /bin/su; do
  "$lidsadm" -A -s "$subject" -o /etc/shadow -j READ
done
# su must change uid/gid; NO_INHERIT so the capabilities are not handed
# down to the shell it starts
for cap in CAP_SETUID CAP_SETGID; do
  "$lidsadm" -A -s /bin/su -t -o "$cap" -j NO_INHERIT
done
# Protect the boot partition
#
"$lidsadm" -A -o /boot -j READ
# Protect root's home dir, but let bash keep its history
#
"$lidsadm" -A -o /root -j READ
"$lidsadm" -A -s /bin/bash -o /root/.bash_history -j WRITE
# Protect system logs: append-only for everyone, with wtmp/lastlog fully
# writable only by the login, boot and shutdown paths that maintain them
#
"$lidsadm" -A -o /var/log -j APPEND
for subject in /bin/login /sbin/init /sbin/halt /etc/rc.d/rc.sysinit; do
  for logfile in /var/log/wtmp /var/log/lastlog; do
    "$lidsadm" -A -s "$subject" -o "$logfile" -j WRITE
  done
done
# Startup
#
"$lidsadm" -A -s /sbin/hwclock -o /etc/adjtime -j WRITE
# Shutdown
#
for cap in CAP_INIT_KILL CAP_KILL; do
  "$lidsadm" -A -s /sbin/init -t -o "$cap" -j NO_INHERIT
done
# Give the halt init script the proper privileges to kill processes and
# unmount the file systems. However, anyone who can execute this script
# by themselves can effectively kill your processes. It's better than
# the alternative however.
#
# Any ideas on how to get around this are welcome!
#
for cap in CAP_INIT_KILL CAP_KILL CAP_NET_ADMIN CAP_SYS_ADMIN; do
  "$lidsadm" -A -s /etc/rc.d/init.d/halt -t -o "$cap" -j INHERIT
done
# Other
#
# NOTE(review): CAP_SYS_ADMIN is a very broad capability; confirm that
# /sbin/update still needs it on your kernel before keeping this grant.
"$lidsadm" -A -s /sbin/update -t -o CAP_SYS_ADMIN -j INHERIT
This sample configuration assumes Apache was installed in /usr/local/apache with a log directory of /var/log/httpd and a configuration directory of /etc/httpd. You can adjust the paths in the ACLs to match your own configuration. With this configuration, Apache must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so it can bind to port 80 (and possibly 443).
lidsadm=/sbin/lidsadm
httpd=/usr/local/apache/bin/httpd
# httpd needs to switch to its configured User/Group after start-up;
# NO_INHERIT so the capabilities are not passed on to its children
for cap in CAP_SETUID CAP_SETGID; do
  "$lidsadm" -A -s "$httpd" -t -o "$cap" -j NO_INHERIT
done
# Config files: hidden from everyone, readable by httpd only
"$lidsadm" -A -o /etc/httpd -j DENY
"$lidsadm" -A -s "$httpd" -o /etc/httpd -j READ
# Server root
"$lidsadm" -A -o /usr/local/apache -j READ
"$lidsadm" -A -o /usr/local/apache/bin -j READ
"$lidsadm" -A -s "$httpd" -o /usr/local/apache -j READ
# Log files: hidden from everyone, append-only for httpd. The logs/
# directory under the server root gets full WRITE rather than APPEND,
# presumably for the pid file and scoreboard kept there — confirm
# against your httpd.conf.
"$lidsadm" -A -o /var/log/httpd -j DENY
"$lidsadm" -A -s "$httpd" -o /var/log/httpd -j APPEND
"$lidsadm" -A -s "$httpd" -o /usr/local/apache/logs -j WRITE
These ACLs were written for a qmail setup that was installed according to Dave Sill's Life with qmail. With this configuration, qmail must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so tcpserver can bind to port 25.
# Setup
lidsadm=/sbin/lidsadm
qmail_bin=/var/qmail/bin
"$lidsadm" -A -o /var/qmail -j READ
"$lidsadm" -A -s /usr/local/bin/multilog -o /var/log/qmail -j WRITE
"$lidsadm" -A -s /usr/local/bin/svc -o /var/qmail/supervise -j WRITE
# Queue access: every qmail program that touches the queue gets WRITE
#
for prog in qmail-inject qmail-rspawn qmail-lspawn qmail-queue \
  qmail-clean qmail-send qmail-remote; do
  "$lidsadm" -A -s "$qmail_bin/$prog" -o /var/qmail/queue -j WRITE
done
# Access to local mail boxes: qmail-lspawn switches to the recipient's
# uid/gid and must reach mailboxes it does not own; INHERIT so the
# delivery program it execs keeps the capabilities
for cap in CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH; do
  "$lidsadm" -A -s "$qmail_bin/qmail-lspawn" -t -o "$cap" -j INHERIT
done
# Remote delivery
# NOTE(review): as far as I know qmail-remote only makes outbound SMTP
# connections; confirm a privileged bind is really required before
# keeping this grant.
"$lidsadm" -A -s "$qmail_bin/qmail-rspawn" -t -o CAP_NET_BIND_SERVICE -j INHERIT
# supervise: status/control files for the smtpd and send services and
# their loggers
for dir in qmail-smtpd/supervise qmail-smtpd/log/supervise \
  qmail-send/supervise qmail-send/log/supervise; do
  "$lidsadm" -A -s /usr/local/bin/supervise -o "/var/qmail/supervise/$dir" -j WRITE
done
The following ACLs were written for a djbdns setup based on Jeremy Rauch's Installing djbdns (DNScache) for Name Service parts 1 & 2. With this configuration, dnscache and tinydns must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so they can bind to port 53.
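lidsadm=/sbin/lidsadm
# dnscache
#
"$lidsadm" -A -o /var/dnscache -j READ
for dir in dnscache/supervise dnscache/log/supervise; do
  "$lidsadm" -A -s /usr/local/bin/supervise -o "/var/dnscache/$dir" -j WRITE
done
"$lidsadm" -A -s /usr/local/bin/multilog -o /var/dnscache/dnscache/log/main -j WRITE
# tinydns (same layout as dnscache, under /var/dnscache/tinydns).
# The stray "/bin/echo tinydns" that used to sit here printed a marker on
# every run and no other section does that, so it has been dropped.
#
for dir in tinydns/supervise tinydns/log/supervise; do
  "$lidsadm" -A -s /usr/local/bin/supervise -o "/var/dnscache/$dir" -j WRITE
done
"$lidsadm" -A -s /usr/local/bin/multilog -o /var/dnscache/tinydns/log/main -j WRITE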
The following ACLs assume courier-imap was installed into /usr/local/courier-imap. With this configuration, courier-imap must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so it can bind to port 143.
lidsadm=/sbin/lidsadm
courier=/usr/local/courier-imap
"$lidsadm" -A -o "$courier" -j READ
# Authentication: the login helper and the PAM auth module both need to
# read /etc/shadow (hidden by the base policy)
for subject in "$courier/sbin/imaplogin" "$courier/libexec/authlib/authpam"; do
  "$lidsadm" -A -s "$subject" -o /etc/shadow -j READ
done
# couriertcpd capabilities, presumably so the session it spawns can
# switch to the mailbox owner's uid/gid and reach mailboxes it does not
# own; INHERIT so the children it execs keep them — confirm against
# your courier setup
for cap in CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH; do
  "$lidsadm" -A -s "$courier/libexec/couriertcpd" -t -o "$cap" -j INHERIT
done
The following ACLs assume MySQL was installed into /usr/local/mysql. With this configuration, MySQL must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so it can bind to port 3306.
lidsadm=/sbin/lidsadm
mysql=/usr/local/mysql
# Data directory is append-only for everyone except mysqld (below)
"$lidsadm" -A -o "$mysql/var" -j APPEND
"$lidsadm" -A -o "$mysql" -j READ
"$lidsadm" -A -o "$mysql/libexec" -j READ
# mysqld may read the install tree and fully write its data directory
"$lidsadm" -A -s "$mysql/libexec/mysqld" -o "$mysql" -j READ
"$lidsadm" -A -s "$mysql/libexec/mysqld" -o "$mysql/var" -j WRITE
The following configuration will work after boot and while LIDS_GLOBAL is on because it gives sshd the CAP_NET_BIND_SERVICE capability.
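lidsadm=/sbin/lidsadm
sshd=/usr/local/sbin/sshd
ssh_etc=/usr/local/etc
# Authentication: sshd must read /etc/shadow (hidden by the base policy).
# The subject is the /usr/local/sbin/sshd used by every other rule in
# this section. The original rule named /usr/sbin/sshd instead, which
# would leave this sshd unable to authenticate anyone while granting
# shadow access to whatever binary happens to live at /usr/sbin/sshd.
"$lidsadm" -A -s "$sshd" -o /etc/shadow -j READ
# Config and host keys: hidden from everyone, readable by sshd only
for f in sshd_config ssh_host_key ssh_host_dsa_key; do
  "$lidsadm" -A -o "$ssh_etc/$f" -j DENY
done
for f in sshd_config ssh_host_key ssh_host_dsa_key; do
  "$lidsadm" -A -s "$sshd" -o "$ssh_etc/$f" -j READ
done
# Capabilities: switch to the user's uid/gid and bind the privileged
# port; NO_INHERIT so user sessions started by sshd do not get them
for cap in CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE; do
  "$lidsadm" -A -s "$sshd" -t -o "$cap" -j NO_INHERIT
done
# Login accounting
for logfile in /var/log/wtmp /var/log/lastlog; do
  "$lidsadm" -A -s "$sshd" -o "$logfile" -j WRITE
done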
The following configuration will work after boot and while LIDS_GLOBAL is on because it gives slapd the CAP_NET_BIND_SERVICE capability.
lidsadm=/sbin/lidsadm
slapd=/usr/local/libexec/slapd
# slapd owns its database directory
"$lidsadm" -A -s "$slapd" -o /usr/local/ldapdb -j WRITE
# NOTE(review): CAP_SYS_MODULE lets the holder load kernel modules, which
# can bypass LIDS itself, and CAP_INIT_KILL lets it signal init's
# children; a directory server normally needs neither. Confirm slapd
# genuinely requires them before keeping these two grants.
for cap in CAP_NET_BIND_SERVICE CAP_INIT_KILL CAP_SYS_MODULE; do
  "$lidsadm" -A -s "$slapd" -t -o "$cap" -j INHERIT
done
The following configuration will work after boot and while LIDS_GLOBAL is on because it gives portsentry the CAP_NET_BIND_SERVICE capability.
lidsadm=/sbin/lidsadm
portsentry=/usr/local/psionic/portsentry/portsentry
# portsentry keeps its state files in its own install directory
"$lidsadm" -A -s "$portsentry" -o /usr/local/psionic/portsentry -j WRITE
# NOTE(review): this grants WRITE on all of /var/log, wider than the
# APPEND-only base policy; narrow it to portsentry's own log file once
# that path is known.
"$lidsadm" -A -s "$portsentry" -o /var/log -j WRITE
"$lidsadm" -A -s "$portsentry" -t -o CAP_NET_BIND_SERVICE -j INHERIT