  LIDS FAQ
  Steve Bremer, steve AT clublinux DOT org
  v.17, January 28th, 2002
  KURASHIKI Satoru (oukaATfxDOTsakuraDOTneDOTjp)
  v.17J, Mar 8th, 2002

  ́ALinux NmVXe (LIDS)  FAQ łB
  ______________________________________________________________________

  ڎ

  1. LIDS 
     1.1 LIDS Ƃ͉łH
     1.2 Ȃ LIDS ĝłH
     1.3 LIDS ͂ǂœ肷邱Ƃł܂H
     1.4 ǂ̃o[W Linux J[lT|[gĂ܂H
     1.5 LIDS ̃[OXg͂܂H
     1.6 A[JCu͂ǂȂĂ܂H
     1.7 쌠ƒӏ
     1.8 tB[hobN
     1.9 NWbg
     1.10 |
     1.11 ύX

  2. LIDS ̃CXg[
     2.1 LIDS J[lpb`͂ǂēĂ̂łH
     2.2 LIDS ̊Ǘ[eBeB (lidsadm  lidsconf) CXg[@́H
     2.3 ́H
     2.4 lidsadm RpC悤ƂAgcc  lidstext.h ȂAƂ܂B̖͂ǂĉ΂́H
     2.5 LIDS ̃o[W 0.9.14, 0.9.15, 1.0.6, 1.0.7 ɃAbvO[hƁAċNɃVXepjbN܂BǂĒ΁H
     2.6 Debian [Uւ̃cc
     2.7 LIDS ̃pb` RedHat ̃J[l 2.x.x-x ɂĂ悤ƂAG[ɂȂ܂B́H

  3. lidsadm  lidsconf
     3.1 lidsadm Ƃ͉łH
     3.2 lidsconf Ƃ͉łH
     3.3 lidsadm ŎgIvV͉܂H
     3.4 lidsconf ŎgIvV͉܂H

  4. LIDS ̊Ǘ
     4.1 LIDS ̃pX[hݒ肷ɂ͂ǂ΂łH
     4.2 xݒ肳ꂽ LIDS pX[hύXɂ͂ǂ΂悢łH
     4.3 LIDS t[ZbVƂ͉H ǂč΂́H
     4.4 LIDS t[ZbVǁALIDS ܂LɂȂĂ݂I ܂́H
     4.5 LIDS ɐݒt@C[hɂ͂ǂ΂́H
     4.6 āIII ̃VXeSɎgȂȂĂ܂܂I ǂ΂ł傤H
     4.7 VXeoCiύX/ړ܂Bt@CύX/ړƂ LIDS ɋɂ͂ǂ̂łH
     4.8 ႠAċN LIDS Sɖɂ@́H
     4.9 "J[l𕕈󂷂"Ƃ͂ǂƂłH
     4.10 LIDS VXȅԂɂ͂ǂ΂́H
     4.11 LIDS ̃|[gXLmݒ肷ɂ͂ǂ΂łH
     4.12 LIDS  ACL ɂ subject ƃIuWFNgƂ͂ȂłH
     4.13 /etc/lids/lids.cap CĐݒt@C[hȊOɃVXěL/ɂ邱Ƃ͂ł܂H
     4.14 LIDS  ACL Đݒ肵̂ɁAύXfĂȂ悤Ɍ܂B̂ł傤H
     4.15 lidsconf -L  ACL \ĂȂ̂łH
     4.16 R\[ɕ񍐂邽 LIDS ᔽǂɂČ点Ȃ́H
     4.17 LIDS ǵALD_PRELOAD ϐɒӂłH
     4.18 NA"read password file error" ƂbZ[W\܂B̖𒼂ɂ͂ǂ΂悢ł傤H
     4.19 LIDS L𒲂ׂɂ͂ǂ΂́H

  5. LIDS ̐ݒ
     5.1 t@Cǂ݂Ƃpɂĕی삷@́H
     5.2 OK, ႠfBNgǂ݂Ƃpɂɂ͂ǂ΁H
     5.3 Nt@C/fBNgBƂ͂ł܂H
     5.4 ǋLłȂ悤ɃOt@Cی삷@́H
     5.5 /etc/shadow t@Cǂނ̂ɁAȂ΁AǂĎ̓VXeɔF؂́H
     5.6 /etc ǂ݂Ƃpŕی삵Amount ͂ǂ /etc/mtab ֏݂̂ł傤H
     5.7 LIDS AN modules.dep t@Cɏ߂ȂAƕ܂B̂łH
     5.8 OǋLpŕی삵ĂƁAlogrotated ͂ǂăO[e[ĝł傤H
     5.9 ȂAPɃO[e[V[eBeBɃOt@ĈfBNgւ̏݋^@ŁA[e[g悤ɂĂ͂Ȃ̂łH
     5.10 LIDS LȎAVbg_E܂Ńt@CVXeA}Ego܂Bǂ΂悢ł傤H
     5.11 Ȃ|[ggT[rX root ŊJnłȂ̂łH
     5.12 Ȃ|[ggT[rX LFS JnłȂ̂łH
     5.13 𖳌/Lɂ@́H
     5.14 LIDS LɂȂĂ X Window System 삵Ȃ̂͂ȂłH
     5.15  ACL SĂɑ΂āȂ͈ŜǂĎ̐ݒcĂ΂悢̂ł傤H
     5.16 LIDS LƁA/etc/lids fBNg܂BǂƂłH
     5.17 NƃVbg_E̎ LIDS Ȃ悤ɁAinit  /etc/initrunlvl ւ̏݃ANZXɂ͂ǂ΂łH
     5.18 vZX́AevZX炻̃t@C ACL pł܂H
     5.19 āI LIDS ̂Ƃł́AvO xyz 삵Ȃ悤łBǂ̃t@C/ɃANZXKv̂AǂČ߂̂ł傤H
     5.20 /etc/shadow t@CXVK؂ȃp[~bV passwd ɗ^ɂ͂ǂ΂łH
     5.21 LIDS LɂȂĂƁAssh  scp 삵Ȃ͉̂̂łH
     5.22 OpenSSH NɊJn܂BLIDS  bash Bt@CɃANZX悤ƂĂAƃ|[goĂ܂B͂ǂΒ܂H
     5.23 BvZXĂ邽߁AVbg_EɃt@CVXêA}Egł܂Bǂ΂ kill ł܂H
     5.24 {IȐݒ肩n߂ȂłBǉ̕ی񋟂ĂāAɃVXe̋@\̂قƂǂʏʂɂĂĂ邨߂̃ZbgAbv͂܂H
     5.25 ƂɂăANZX𐧌邱Ƃ͂ł܂H
     5.26 vOoChł|[g𐧌ɂ͂ǂ΂́H
     5.27 /etc/mtab  /proc/mounts ւ̃V{bNNɂĂA[UNI[^͋@\܂H
     5.28 LIDS ی삵Ăt@CҏWƁALIDS ɕی삳ȂȂ悤łBȂłH

  6. ZLeBx̐ݒ
     6.1 lbg[NzɃZLeBx𑗂ɂ́Aǂ̃J[lݒIvVKvłH
     6.2 LIDS ̌x𑗂郁[T[o e-mail AhX̏́AǂŎw肷΂̂łH
     6.3 LIDS A qmail SMTP T[oɂ͌xzMĂȂ悤łB͒܂H

  7. ݒ̃Tv
     7.1 {IȃVXẽZbgAbv
     7.2 Apache
     7.3 qmail
     7.4 dnscache & tinydns (djbdns)
     7.5 Courier-imap
     7.6 MySQL
     7.7 OpenSSH
     7.8 OpenLDAP (slapd)
     7.9 Port Sentry
     7.10 Samba
     7.11 Linux HA heartbeat
     7.12 Bind 9.x
     7.13 Sendmail
     7.14 apcupsd
     7.15 pump
     7.16 snort
     7.17 getty
     7.18 login
     7.19 su
     7.20 exim
     7.21 qpopper
     7.22 proftp

  8. LIDS eNjJ
     8.1 LIDS  ext2 ȊÕt@CVXeł삵܂H
     8.2 LIDS  SMP ̃VXeœ삵܂H
     8.3 LIDS  Solar Designer  Openwall pb`Ƌ܂H
     8.4 LIDS ͔Ceȃn[hEFAœ삵܂H
     8.5 LIDS ̃o[W 0.x  1.x Ƃ̈Ⴂ͉łH

  ______________________________________________________________________

  1.  LIDS 

  1.1.  LIDS Ƃ͉łH

  LIDS ́AXie Huagang  Philippe Biondi ɂďꂽALinux J[l
  ւ̋łBf Linux J[lɂ͂ȂA̃ZLeB@
  \܂B́A| ϔCANZX (MAC)A|[gXL
  mAt@Cی (root ی삵܂)AvZXیȂǂłB

  1.2.  Ȃ LIDS ĝłH

  ݂ Linux ̋@\́A *nix ɗRA̖
  ܂B炭ABɂčő̖́Aroot AJEg "S\ł
  邱" łBvZX⃆[U root ĂāÃvZX
  [UVXeSɔj󂵂悤ƂANɂ~߂܂B
  ̂郆[U/N҂ɂ root ANZX́AXZȊǗ҂ɁA
  SJ炵˂܂BLIDS ́A root AJEggl
  VXeɑ΂卬ЂȂ悤Ȏdg݂łANZX
  Xg (ACL) Ă܂B ACL ɂALIDS ̓vZX
  ݂̂Ȃ炸t@Cی삷邱Ƃł̂łB

  1.3.  LIDS ͂ǂœ肷邱Ƃł܂H

  www.lids.org

  1.4.  ǂ̃o[W Linux J[lT|[gĂ܂H

  ݁ALIDS ͐V 2.4 J[l̑ɁAŐV 2.2.x J[lT|[
  gĂ܂B LIDS ̊J 2.4 J[lgčsĂ܂Bł
  AV@\͐ɂŎ܂BƂ͂A[Ũj[Y
  āA2.2 J[lɃobN|[g@\܂BZLeB
  C͑S 2.2 J[lɃobN|[g܂B

  1.5.  LIDS ̃[OXg͂܂H

  ܂Bł lids-users@lists.sourceforge.net  e-mail ΁A
  [OXgւ̓eɂȂ܂BA[OXgփ|Xg
  ꂽbZ[W󂯂Ƃ肽Ȃ΁Ao^Kv܂Bo^
  ́Ahttp://lists.sourceforge.net/lists/listinfo/lids-user ֍sAtH
  [𖄂߂ĂBƁAmFv͂܂̂ŁAɕԐMĂ
  B̃y[WAo^ƃ[OXgIvV̕ύX
  ܂B

  1.6.  A[JCu͂ǂȂĂ܂H

  [OXg̃A[JCu
  http://www.geocrawler.com/lists/3/SourceForge/9348/0/ ɂ܂BÂ
  A[JCu http://groups.yahoo.com/group/lids ɒuĂ܂B

  1.7.  쌠ƒӏ

  ́̕Acopyright(c) 2000, 2001 Steve Bremer  ŁAFREE Ȃ̂
  BGNU General Public License ̂ƂɍĔzz邱Ƃł܂B

  ̕ɂ́ASteve ̒m̌ɂāAmłBƂ͂l
  ԂłA̎XɂČoOȂǂ͂蓾܂B

  ǂȌlO[vA邢͑̎̂A̕ɂg
  ɂ邠Ȃ̃Rs[^ւ̔Q≽̑̐ӔC𕉂Ƃ͂
  ܂BȂ킿 |

       ҂ёSeíA̕ɂɊĂȂꂽs
       ɂȂQɂӔC𕉂܂B

  1.8.  tB[hobN

  ̕ɑ΂ĎARgAĂCȂACy steve
  AT clublinux DOT org ŎɃR^NgƂĂBǂ̂ł
  ̂łAłtB[hobN͊}܂I

  1.9.  NWbg

  ʂ̎ӈӂ |

  o  Xie Huagang - eNjJGfB^łALIDS ̍

     o  ``LIDS version''ɂĂ̎

     o  ``Subject/object''ɂĂ̎

  o  Philippe Biondi - LIDS ̍

  o  Andy Harrelson - @/Ԃ̊ďC

  o  Rob Willis - ``OpenSSH'', ``OpenLDAP'',  ``Port Sentry'' ̐
     

  o  Fred Mobach - Ђ߂ƒ

  o  David Ranch - ́Asgml ̃ev[gɁAނ̑f炵 Linux IP
     Masquerade HOWTO g܂B

  o  Austin Gonyou -

     o  FAQ ւ̗LvȃtB[hobN

     o  ``lidsadm ̃RpC̖'' ւ̐VC

     o  /etc/passwd t@C i m[hXVɂĂ ``x''

  o  Pavel Epifanov - ``lidsadm ̃RpC̖'' ւ̊ȒPȏC

  o   Justus Pendleton  - ``Samba'' ̐ݒTv

  o   Nenad Micic

     o  ``BvZX kill XNvg'' ̗

     o  Vbg_EɉBvZX kill ނ ``C vO''

     o  ``LD_PRELOAD x''

  o   Bill Phillips  - PDF o[WɂA̎Qƃ~X̎wE

  o   Szymon Juraszczyk

     o  ``LD_PRELOAD x''

  o  Lorn Kay

     o  Linux HA p ``n[gr[g̐ݒ''

     o  ``Sendmail'' ̐ݒ

  o  Bill McKenzie - ``Portsentry ̐ݒ''ɑ΂ǉ

  o  Sander Klein

     o  LIDS ``L''̃`FbNɊւ鎿

     o  ``Apcupsd'' ̐ݒ

     o  ``Pump'' ̐ݒ

     o  ``Snort'' ̐ݒ

     o  ``getty'' ̐ݒ

     o  ``login'' ̐ݒ

     o  ``su'' ̐ݒ

  o  David Spreen - ``Ԍ̌x''``crontab ւ̃ANZX''

  o  Thomas Linden - ``BIND 9.x ̐ݒ''

  o  Mathias Gygax - ``exim''  ``qpopper''  ``proftp'' ̃Tv
     

       Linux  Linus Torvalds ̓o^Wł

  1.10.  |

  ͂킩Ă|Ƃ݂̏̃XgłB

  o  Japanese -- http://www.linux.or.jp/JF/JFdocs/LIDS-FAQ.html

  1.11.  ύX

   FAQ ̍ŐVł http://www.clublinux.org/lids/ ɂ܂BoO
  ̑OɍŐVł`FbNĂB

  o  January 28th, 2002.  Version .17

     Changed "READ" to "READONLY".

  o  January 12th, 2002.  Version .16

     o  Various updates for the changes made in version 1.1.0.

     o  Minor corrections.

     o  Added sample configurations for ``exim'', ``qpopper'', and
        ``proftp''.

     o  Updated ``console logging'' question.

     o  Updated ``LD_PRELOAD'' warning.

     o  Updated ``file ACL inheritance'' question.

     o  Added ``file editing'' question.

  o  November 12th, 2001.  Version .15

     o  Added many new configurations
        (Sendmail,apcupsd,pump,snort,getty,login,su). Thanks to Sander
        Klein and Lorn Kay.

     o  Added ``Red Hat Kernel'' patch question.

     o  Added ``User quota'' question.

  o  August 26th, 2001.  Version .14

     o  Added ``LIDS enabled/disabled'' question.

     o  Improved ``basic configuration'' question.

     o  Added a notice for ``Debian'' users.

     o  Added ``time restriction'' question.

     o  Updated ``log rotation'' question to use ``new time restriction
        feature''.

     o  Updated ``non-Intel hardware'' question.

     o  Added ``translations'' section.

     o  Added ``port restriction'' question.

     o  Added ``BIND 9.x configuration''.

  o  May 20th, 2001.  Version .13

     o  Added ``heartbeat configuration'' for HA Linux.

     o  Added ``read password error'' question.

     o  Added ``basic configuration'' question.

     o  Minor additions to ``portsentry configuration''.

     o  Enhanced (yet again) ``passwd update'' question.

     o  Other minor corrections.

  o  April 1st, 2001.  Version .12

     o  Updated FAQ for new versions of LIDS (1.0.6+ and 0.9.14+).

     o  Added ``warning'' about LD_PRELOAD environment variable.

     o  Updated ``hardware'' question.

  o  March 10th, 2001.  Version .11

     o  Fixed several reference errors in the PDF version (there are
        still a few document conversion problems that need looked at).

     o  Clarified the ``Basic System Setup'' configuration.

     o  Updated the mailing list ``information''

     o  Updated ``passwd'' and ``log rotation'' questions.

  o  March 1st, 2001.  Version .10

     o  Added ``Samba'' configuration example.

     o  Added ``example'' on how to kill hidden processes at shutdown.

     o  Added ``ssh keygen question''.

     o  Enhanced ``passwd update'' question.

  o  February 10th, 2001.  Version .09

     o  Added ``ssh/scp'' question.

     o  Updated ``mailing list'' information.

     o  ``LIDS SMP status'' update.

  o  January 27th, 2001.  Version .08

     o  Modified ``Apache'' configuration so the server root is
        protected as DENY.

     o  Modified ``mysql'' and ``courier-imap'' so their default
        directories are protected as DENY.

     o  Modified ``ssh'' config to work with password authentication.

     o  Added question regarding ``ACL reconfiguration''.

  o  January 25th, 2001.  Version .07

     Added a much simpler fix to the ``lidsadm compile problem''.
     Clarified the ``sealing the kernel'' question (hopefully).  Minor
     corrections.

  o  January 24th, 2001.  Version .06

     o  Removed ACL example from ``/etc/mtab mount'' question because
        /etc/mtab is recreated at system boot and each time a file
        system is unmounted.

     o  Added alternative fix to the ``lidsadm compile problem''.

     o  Minor corrections.

  o  January 22nd, 2001.  Version .05

     Minor additions to Basic System Setup sample configuration.  Added
     section on configuring e-mail alerts.
  o  January 19th, 2001.  Version .04

     Minor correction to ``lidsadm compile problem'' question.

  o  January 17th, 2001.  Version .03

     Added information about the new file ACL inheritance "-i" option in
     LIDS-0.9.12.  Also updated the configuration examples to use the
     "-i" option when required.  Other minor updates including
     information about lidsadm compile problems, enabling/disabling
     capabilities, and how to setup ACLs for a new program.

  o  January 15th, 2001.  Version .02

     Minor corrections.

  o  January 15th, 2001.  Version .01

     Initial release.

  2.  LIDS ̃CXg[

  2.1.  LIDS J[lpb`͂ǂēĂ̂łH

  Xie  instructions  LIDS _E[hāAJ[lɃpb`
  @肱ł܂BƂ͂AKvȎ菇ɂĊȒPɂĂ
  Ƃɂ܂B̗ł́AJ[l\[X /usr/src/linux ɃCXg
  [ĂƑz肵Ă܂B

  o  ŏɁALIDS ̃pb` www.lids.org/download.html _E[h
     Kv܂BJ[lɍo[W肷悤ɒ
     ĂB

  o  ɁAtarball WJ܂ |

     $ tar zxvf lids-<lids ̃o[W>-<J[l̃o[W>.tar.gz

  o  ̃J[l\[X lids ̃pb`Kp܂ |

     $ cd /usr/src/linux
     $ patch -p1 < /path/to/lids/patch/lids-<lids ̃o[W>-<J[l̃o[W>.patch

  o  ꂩAJ[l̐ݒ܂BLinux J[l̍ăRpCɂ
     f炵񌹂ƂẮALinux Kernel HOW-TO. QƂĂ
     B

     LIDS pɁA̃J[lݒIvV܂BLIDS 
     邽߂ɂ́Aȉ̃IvVLɂȂĂ邱ƂmFĂ
      |

       [*]   Prompt for development and/or incomplete code/drivers
       [*]   Sysctl Support

  2.2.  LIDS ̊Ǘ[eBeB (lidsadm  lidsconf) CXg[
  @́H

  o  LIDS 1.1.0+

     (ӁF LIDS AbvO[hĂȂAŏ /etc/lids fB
     NgSăobNAbvĂ)

     LIDS ̃\[XfBNgŁA͂܂ |

     $ ./configure
     $ make
     $ su -
     # make install

   lidsadm  lidsconf  /sbin fBNgɃCXg[
  BɁA/etc/lids fBNgAftHg̐ݒt@C
  ɒu܂Bݒt@ĆAVXe̓K؂ i m[hy
  уfoCXōXV܂B܂A̎_ LIDS ̃pX[h
  悤ɋ߂܂B

  lidsadm ̎QƃIvV (-V) LɂȂȂA--disable-view
  w肵 configure sĂB

  o  LIDS 1.1.0 O

     1.1.0 Õo[Wɂ́Alidsconf [eBeB܂
     BLIDS VXêݒƊǗ lidsadm ɂĂȂĂ
     ܂B

     lidsadm [eBeB̃\[X LIDS ̃\[XfBNg
     Âł |

     lidsadm-<lids ̃o[W>

  (ӁFlidsadm AbvO[h悤ƂĂȂA܂ /etc/lids
  fBNĝ̂obNAbvȂ΂Ȃ܂I)

  lidsadm RpCăCXg[ɂ́AP |

  $ make
  $ su -
  # make install

  ƁAlidsadm ̃\[XfBNgł邾łB lidsadm 
  /sbin fBNgɃCXg[܂B܂A/etc/lids fBNg
  쐬AftHg̐ݒt@CɃRs[܂B

  lidsadm  view IvVgȂA

  $ make

  
  $ make VIEW=1

  ƒuĂB

  2.3.  ́H

  ċN LIDS ŋꂽJ[lɂOɁA܂ LIDS  ACL 
  肹˂΂Ȃ܂BȂ΁AċNƃVXeĝɂȂ
  ȂȂ܂BLIDS  ACL ݒ肷@ɂĂ ``ق''B

  2.4.  lidsadm RpC悤ƂAgcc  lidstext.h ȂA
  ܂B̖͂ǂĉ΂́H

  ́A/usr/include/linux  /usr/src/linux/include/linux ւ̃V{
  bNNł͂ȂVXeɂĔ܂BSȃG[bZ[W
  ͂ł |

   lidsadm.c:30: linux/lidsext.h: No such file or directory
   make: *** [lidsadm.o] Error 1

  ̖ɂ́Alidsadm ̃\[XfBNgɂ Makefile 
  ҏWāACFLAGS IvV -I/usr/src/linux/include Ă
  B

  ̎_ŁAʂ lidsadm RpCł͂łB

  2.5.  LIDS ̃o[W 0.9.14, 0.9.15, 1.0.6, 1.0.7  AbvO[
  h ƁAċNɃVXepjbN܂BǂĒ΁H

  /etc/lids/lids.conf t@C̏Ã[XŕύXĂ
  Blidsadm ̐Vo[WgāAt@Cč쐬Kv
  B

  2.6.  Debian [Uւ̃cc

  David Spreen  LIDS  Debian pbP[Wێ炵Ă܂BpbP[W
  ŗL LIDS ̐ݒ netzwurm@debian.org ĂɃ[ƊԂł
  BDebian ŗL̏C܂܂Ă邽߁ADebian [U LIDS 
  Debian pbP[Wg悤ɂނ͊߂Ă܂B

  2.7.  LIDS ̃pb` RedHat ̃J[l 2.x.x-x ɂĂ悤ƂAG
  [ɂȂ܂B́H

  LIDS  Linus J "ʂ" J[lgĊJĂ
  BRedHat  DebianASuse ܂ޑ̃fBXgr[Vł́AJ
  [lJX^}CYĂ܂B͈Ƃł͂܂񂪁A
  ̃J[l Linus ̂̂Ɠł͂ȂAƂƂ͒mĂĂ
  B(Debian [U ``'' ӂĂB)

  3.  lidsadm  lidsconf

  3.1.  lidsadm Ƃ͉łH

  lidsadm  LIDS ̊Ǘ[eBeBŁAgăVXe LIDS 
  Ǘ܂Bɂ́ALIDS L/ɂAJ[l𕕈󂵂
  ALIDS ̏󋵂肷邱Ƃ܂܂܂B

  3.2.  lidsconf Ƃ͉łH

  lidsconf  LIDS ̃ANZX䃊Xg (ACL) ݒ肷̂Ɏg܂B
  ALIDS ̃pX[hZbĝɂg܂B

  ӁFLIDS 1.1.0 Õo[Wł́A lidsconf sĂd
  S lidsadm Ȃ܂B

  3.3.  lidsadm ŎgIvV͉܂H

  p\ȃIvVꗗɂ́A͂Ă |

  # lidsadm -h

  ɂāAȉ̏o͂ԂĂ܂ |

  lidsadm version 1.1.1pre2-2.4.16 for LIDS project
         Huagang Xie<xie@gnuchina.org>
         Philippe Biondi <pbi@cartel-info.fr>

  Usage: lidsadm -[S|I] -- [+|-][LIDS_FLAG] [...]
         lidsadm -V
         lidsadm -h

  Commands:
         -S  To submit a password to switch some protections
         -I  To switch some protections without submitting password (sealing time)
         -V  To view current LIDS state (caps/flags)
         -v  To show the version
         -h  To list this help

  Available capabilities:
             CAP_CHOWN chown(2)/chgrp(2)
      CAP_DAC_OVERRIDE DAC access
   CAP_DAC_READ_SEARCH DAC read
            CAP_FOWNER owner ID not equal user ID
            CAP_FSETID effective user ID not equal owner ID
              CAP_KILL real/effective ID not equal process ID
            CAP_SETGID set*gid(2)
            CAP_SETUID set*uid(2)
           CAP_SETPCAP transfer capability
   CAP_LINUX_IMMUTABLE immutable and append file attributes
  CAP_NET_BIND_SERVICE binding to ports below 1024
     CAP_NET_BROADCAST broadcasting/listening to multicast
         CAP_NET_ADMIN interface/firewall/routing changes
           CAP_NET_RAW raw sockets
          CAP_IPC_LOCK locking of shared memory segments
         CAP_IPC_OWNER IPC ownership checks
        CAP_SYS_MODULE insertion and removal of kernel modules
         CAP_SYS_RAWIO ioperm(2)/iopl(2) access
        CAP_SYS_CHROOT chroot(2)
        CAP_SYS_PTRACE ptrace(2)
         CAP_SYS_PACCT configuration of process accounting
         CAP_SYS_ADMIN tons of admin stuff
          CAP_SYS_BOOT reboot(2)
          CAP_SYS_NICE nice(2)
      CAP_SYS_RESOURCE setting resource limits
          CAP_SYS_TIME setting system time
    CAP_SYS_TTY_CONFIG tty configuration
             CAP_MKNOD mknod operation
             CAP_LEASE taking leases on files
            CAP_HIDDEN Hidden process
         CAP_INIT_KILL Kill init children

  Available flags:
           LIDS_GLOBAL de-/activate LIDS entirely
           RELOAD_CONF reload config. file and inode/dev of protected programs
                  LIDS de-/activate LIDS locally (the shell & childs)

  3.4.  lidsconf ŎgIvV͉܂H

  płIvVꗗɂ́A͂Ă |

  # lidsconf -h

  ɂāAȉ̏o͂ԂĂ܂ |

  lidsconf version 1.1.1pre2-2.4.16 for the LIDS project
         Huagang Xie<xie@gnuchina.org>
         Philippe Biondi <philippe.biondi@webmotion.net>

  Usage: lidsconf -A [-s subject] -o object [-d] [-t from-to] [-i level] -j ACTION
         lidsconf -D [-s file] [-o file]
         lidsconf -Z
         lidsconf -U
         lidsconf -L [-e]
         lidsconf -P
         lidsconf -v
         lidsconf -h

  Commands:
         -A,--add To add an entry
         -D,--delete      To delete an entry
         -Z,--zero        To delete all entries
         -U,--update      To update dev/inode numbers
         -L,--list        To list all entries
         -P,--passwd      To encrypt a password with RipeMD-160
         -v,--version     To show the version
         -h,--help        To list this help

  subject: -s,--subject subj
         can be any program, must be a file
  object: -o,--object [obj]
         can be a file, directory or special device (e.g. MEM, HD, NET, IO,
                                                          HIDDEN, KILL)
  ACTION: -j,--jump
         DENY     deny access
         READONLY read only
         APPEND   append only
         WRITE    writable
         GRANT    grant capability to subject
         IGNORE   ignore any permissions set on this object
  OPTION:
        -d,--domain       The object is an EXEC Domain
        -i,--inheritance Inheritance level
        -t,--time Time dependency
        -e,--extended     Extended list

  Available capabilities:
             CAP_CHOWN chown(2)/chgrp(2)
      CAP_DAC_OVERRIDE DAC access
   CAP_DAC_READ_SEARCH DAC read
            CAP_FOWNER owner ID not equal user ID
            CAP_FSETID effective user ID not equal owner ID
              CAP_KILL real/effective ID not equal process ID
            CAP_SETGID set*gid(2)
            CAP_SETUID set*uid(2)
           CAP_SETPCAP transfer capability
   CAP_LINUX_IMMUTABLE immutable and append file attributes
  CAP_NET_BIND_SERVICE binding to ports below 1024
     CAP_NET_BROADCAST broadcasting/listening to multicast
         CAP_NET_ADMIN interface/firewall/routing changes
           CAP_NET_RAW raw sockets
          CAP_IPC_LOCK locking of shared memory segments
         CAP_IPC_OWNER IPC ownership checks
        CAP_SYS_MODULE insertion and removal of kernel modules
         CAP_SYS_RAWIO ioperm(2)/iopl(2) access
        CAP_SYS_CHROOT chroot(2)
        CAP_SYS_PTRACE ptrace(2)
         CAP_SYS_PACCT configuration of process accounting
         CAP_SYS_ADMIN tons of admin stuff
          CAP_SYS_BOOT reboot(2)
          CAP_SYS_NICE nice(2)
      CAP_SYS_RESOURCE setting resource limits
          CAP_SYS_TIME setting system time
    CAP_SYS_TTY_CONFIG tty configuration
             CAP_MKNOD mknod operation
             CAP_LEASE taking leases on files
            CAP_HIDDEN Hidden process
         CAP_INIT_KILL Kill init children

  4.  LIDS ̊Ǘ

  4.1.  LIDS ̃pX[hݒ肷ɂ͂ǂ΂łH

  ċN LIDS ŊgJ[lɂOɁAR}hvvgł
  悤ɓ͂܂ |

  # lidsadm -P

  ƁALIDS ̃pX[h߂܂ |

  MAKE
  enter password:
  Verifying enter password:

  ŁA/etc/lids/lids.pw t@C RipeMD-160 ňÍꂽpX[
  h܂܂B

  4.2.  xݒ肳ꂽ LIDS pX[hύXɂ͂ǂ΂悢ł
  H

  ŏɁA``LIDS t[ZbV'' 쐬ȂĂ͂Ȃ܂Bꂩ
  A``ŏ''悤 "-P" IvVgăpX[hݒ肵
   (݂̃pX[h͂܂)BLIDS pX[hĐݒ肵
  ŁALIDS  ``ݒt@C̃[h''Kv܂B

  4.3.  LIDS t[ZbVƂ͉H ǂč΂́H

  LIDS t[ZbV (LFS)  LIDS ̐󂯂Ȃ[ZbV
  łB̃IvV邽߁A LIDS ̃J[lōċNɃVXe
  Ǘ邱Ƃł܂B@\ɂ́ALIDS ŊgJ[
  lRpC鎞ɁÃIvVIĂKv܂
  |

    [*] Allow switching LIDS protections

  LFS ɂ́Avvgł̂悤ɓ͂܂ |

  # lidsadm -S -- -LIDS

  ƁALIDS pX[hu˂܂B̒[́A LIDS Ɨ
  Ă܂Bȉ̑܂ł́ALIDS Ɨ܂܂ł |

  o  LIDS ĂїLɂ(lidsadm -S -- +LIDS).

  o  ^[~i烍OAEg

  xɃANeBuɂł LFS  1 łBʂ̒[ɓĂ
  lidsadm -S -- -LIDS ͖ɂȂȂƂ͂ALFS ͂ 1 
  ܂B

  4.4.  LIDS t[ZbVǁALIDS ܂LɂȂĂ݂
  I ܂́H

  ́ALFS z[ōĂʂ̉z[Ɉړă}VǗ
  悤ƂƔ܂B邽߂ɂ́ALIDS LɂĂ݂āA
  ꂩxɂ܂ (vvgopX[h͂
  )B

  # lidsadm -S -- +LIDS
  # lidsadm -S -- -LIDS

  4.5.  LIDS ɐݒt@C[hɂ͂ǂ΂́H

  LIDS ɂ̐ݒt@C[hɂ́ALIDS ŊgJ[l
  ݒ肷鎞ɁÃIvVLɂKv܂B

    [*]  Allow switching LIDS protections
    (3)    Number of attempts to submit password
    (30)     Time to wait after a fail (seconds)
    [ ]    Allow remote users to switch LIDS protections
    [ ]    Allow any program to switch LIDS protections
    [*]    Allow reloading config. file   <----------------------------

  ӁFݒt@C[hł悤ɂɂ́ALIDS ̕ی؂芷
  悤ɂKv܂B

  LFS (邢 LIDS_GLOBAL 𖳌ɂ) ÃR}hs
   LIDS ɐݒt@C[h悤w܂ |

  # lidsadm -S -- +RELOAD_CONF

  ŁAȉ̐ݒt@C[h܂ |

  o   /etc/lids/lids.conf  -  LIDS ACL ̐ݒt@CłB

  o   /etc/lids/lids.cap   -  LIDS ̌t@CłB

  o   /etc/lids/lids.pw    -  LIDS ̃pX[ht@CłB

  o   /etc/lids/lids.net   -  LIDS ̃[ɂxݒ肷t@C
     łB

  4.6.  āIII ̃VXeSɎgȂȂĂ܂܂I 
  ΂ł傤H

  ċN LIDS ŋĂȂJ[lɂ邩ALIDS 𖳌ɂ
  LIDS ŋꂽJ[lNA݂邱Ƃł܂BLIDS 
  ɂċNɂ́Alilo vvg security=0 Ǝw肵܂B
  ΁ALIDS ŋꂽJ[l lids-kernel ƂƁAlilo v
  vgł̂悤ɓ͂̂ł |

  lilo: lids-kernel security=0

  ͊ȒPȕłB̂́ALIDS LɂVXeVbg
  _E邱ƂłBLIDS ̐ݒɂẮA܂Vbg_Eł
  Ȃ܂B

  x: K؂ɐݒ肳ĂȂԂ LIDS LɂȂJ[lċN
  ƁAt@CVXeȂAf[^邩m
  ܂B

  4.7.  VXeoCiύX/ړ܂Bt@CύX/ړ
   LIDS ɋɂ͂ǂ̂łH

  t@C݂ĂfoCXA邢̓t@C im[hԍς
  ɂ͂łA/etc/lids/lids.conf t@CK؂ȏōXVȂ
  ΂Ȃ܂BK^ȂƂɁAXie ͂̂߂̃IvVp
  ĂĂ܂ |

  # lidsadm -U

  ꂩA``ݒt@C[h''Kv܂B

  4.8.  ႠAċN LIDS Sɖɂ@́H

  LFS gȊOɂALIDS S̓Iɒ~邱Ƃ͂ł܂B
  ́AIvV݂ŃJ[lRpCĂꍇ̂݋@\܂B

  # lidsadm -S -- -LIDS_GLOBAL

  LIDS_GLOBAL ɂȂĂƁAVXe "ʏ" Linux VXe
  悤ɉғ܂BLIDS S̓IɍĂїLɂɂ́A΂̂Ƃ
   |

  # lidsadm -S -- +LIDS_GLOBAL

  ӁF LFS LɂĂȂAɂ LFS  e邱
  Ƃ͂܂B

  4.9.  "J[l𕕈󂷂"Ƃ͂ǂƂłH

  NvZX̍ŌɁAJ[l𕕈󂷂Kv܂BɂAV
  Xe /etc/lids/lids.cap t@Cł̃O[oȌZbg
  BAt@C ACL ̓J[l󂳂Ołs܂B
  J[l𕕈󂷂ɂ́Arc.local(SysV X^C init ̏ꍇ) ̍Ō
  ɁAĂ |

  /sbin/lidsadm -I

  "-I" IvV́AJ[l𕕈󂷂鎞̂ݎg܂B󂳂ꂽ
  ́AVXeɕύX邽߂ "-S" IvVgKv܂B

  xFNɃJ[l𕕈󂵂ȂꍇALIDS ŋꂽVXe
  ̉bSɎ󂯂邱Ƃ͂ł܂B

  4.10.  LIDS VXȅԂɂ͂ǂ΂́H

  "-V" IvVg߂ɂ́Alidsadm  make VIEW=1 ``(LQ)''
  ƂăRpCĂKv܂B

  R}hCŁA͂܂ |

  # lidsadm -V

  ƁA2.2.x J[l̏ꍇÂ悤ȏo͂܂ |

  VIEW
                       CAP_CHOWN 0
                CAP_DAC_OVERRIDE 0
             CAP_DAC_READ_SEARCH 0
                      CAP_FOWNER 0
                      CAP_FSETID 0
                        CAP_KILL 0
                      CAP_SETGID 0
                      CAP_SETUID 0
                     CAP_SETPCAP 0
             CAP_LINUX_IMMUTABLE 0
            CAP_NET_BIND_SERVICE 0
               CAP_NET_BROADCAST 0
                   CAP_NET_ADMIN 0
                     CAP_NET_RAW 0
                    CAP_IPC_LOCK 0
                   CAP_IPC_OWNER 0
                  CAP_SYS_MODULE 0
                   CAP_SYS_RAWIO 0
                  CAP_SYS_CHROOT 0
                  CAP_SYS_PTRACE 0
                   CAP_SYS_PACCT 0
                   CAP_SYS_ADMIN 0
                    CAP_SYS_BOOT 1
                    CAP_SYS_NICE 0
                CAP_SYS_RESOURCE 1
                    CAP_SYS_TIME 0
              CAP_SYS_TTY_CONFIG 0
                      CAP_HIDDEN 1
                   CAP_INIT_KILL 0
                     LIDS_GLOBAL 1
                                 0
                     RELOAD_CONF 0
                            LIDS 0

  L̏o͂ǂ݂Ƃ悤ɁÃVXeł LFS LɂȂĂ
  ܂BALIDS ̓O[oɗLɂȂĂ܂B 1 Ă
  ڂ͗LȂ̂ŁA0 Ă͖̂̂̂łBŌ 2 ̌
  āAroot ͒ʏ킱SĂ̌Ă܂BLIDS ̂
  ŁA̓̏󋵂ɂ root  CAP_SYS_BOOT, CAP_SYS_RESOURCE,
  CAP_HIDDEN (FCAP_HIDDEN ͒ʏ Linux J[l񋟂錠ł͂
  ܂) Ƃ݂̂Ă܂B

  4.11.  LIDS ̃|[gXLmݒ肷ɂ͂ǂ΂łH

  Kv܂BLIDS ŊgJ[lݒ肷ƂɃIvVI
  ł΁A|[gXLm͗LɂȂĂ܂B

     [*]  Port Scanner Detector in kernel

  4.12.  LIDS  ACL ɂ subject ƃIuWFNgƂ͂ȂłH

  subject ̓oCiVFXNvgƂALinux VXeŎs
  vÔƂłBIuWFNǵAsubject ANZX悤Ƃ
  ̂łBɂ́At@CAfBNgAƂ̂
  B

  4.13.  /etc/lids/lids.cap CĐݒt@C[hȊOɃV
  XěL/ɂ邱Ƃ͂ł܂H

  ł܂BA̕@ƃVXẽVbg_EɕύXۑ
  ܂B

  Lɂɂ |

  # lidsadm -S -- +CAP_SYS_ADMIN

  𖳌ɂɂ |

  # lidsadm -S -- -CAP_SYS_ADMIN

  4.14.  LIDS  ACL Đݒ肵̂ɁAύXfĂȂ悤Ɍ
  ܂B̂ł傤H

  LIDS Đݒ肷鎞ɂ́AׂƂ 2 ܂ |

  1. ݒt@C``[h''

  2. ύXɂĉe󂯂T[rX(Q)̍ċN

  4.15.  lidsconf -L  ACL \ĂȂ̂łH

  lidsconf -L  LFS ォ炩ALIDS_GLOBAL ɂȂĂ鎞Ɏg
  ΂Ȃ܂Bǂ̏ԂłȂȂÃG[bZ[W
  ƂɂȂ܂ |

  lidsconf: can not open conf file
  reason:: Permission denied
  LIST

  4.16.  R\[ɕ񍐂邽 LIDS ᔽǂɂČ点
  Ȃ́H

  ł܂Bsyslog ̏XNvgCāAklogd  "-c" IvV
  ŋN邱Ƃł܂B̃IvV́AR\[ɋL^
  VXebZ[W̃ftHgxݒ肷̂łBw肳ꂽ
  lႢlbZ[WR\[ɕ\܂
  (include/linux/kernel.hQ)B

  Ⴆ |

  klogd -c 4

  klogd Ƀx 4 ȉ̑SbZ[WR\[ɋL^悤Ɏw
  ܂B

  R\[̃OxύXɂ́A/proc/sys/kernel/printk ̒lC
  Ƃ@܂Bڍׂɂ
  ́A/usr/src/linux/Documentation/sysctl/kernel.txt Œ񋟂镶
  QƂĂB

  4.17.  LIDS ǵALD_PRELOAD ϐɒӂłH

  ͂Bsetuid ꂽvOɂāALD_PRELOAD ϐ "`"
  łAvOɂă[h郉CuɉeyڂƂ
  ł܂ (ŋ߂ glibc ̐Ǝ㐫ƂO͂܂)B

  肪̂́Asetuid ĂȂoCiɓʂȌt@C
  ANZX^ƂłBLD_PRELOAD ϐ̓Cu[h
  O "`" ł͂Ȃ߁Aӂ̂NgC̃Cu
  [h邱ƂłɁA̓IWĩvOɗ^ꂽ
  ƓʂȌ/t@CANZXƂɂȂĂ܂܂B

  XN炷߂ɉ\ȃIvV |

  o  ʂȌt@CANZXvO͑SĒʏ unix
     t@Cp[~bVŐ˂΂Ȃ܂BɂAS
     słȂ悤ɂ܂ (e.g. chmod o-rwx /path/to/program )B

  o  ʉƂẮAt@C setuid ŏL root ȊÕ[U
     ɕςƂ̂܂BƁAvO̎sO
     ɁALD_PRELOAD ϐ "`" ƂȂ܂B

  ZLeB̍XVF LIDS 1.1.1preX ȍ~ALD_PRELOAD ϐ
  LIDS ^SẴvOɑ΂āAIɖɂȂ
  ܂B́ALIDS 0.10.3 ɂobN|[gĂ܂B

  4.18.  NA"read password file error" ƂbZ[W\
  ܂B̖𒼂ɂ͂ǂ΂悢ł傤H

  ́Aŏ LIDS NOɁALIDS ̃pX[hݒ肵Yꂽ
  ɔ܂BCɂ́A}VċN (``gpłȂ
  VXe̋N''Q)A``LIDS pX[h''ݒ肵ĂB

  4.19.  LIDS L𒲂ׂɂ͂ǂ΂́H

  lidsadm  'make VIEW=1' ƂăRpCĂ΁A'lidsadm -V' 
  g LIDS LɂȂĂ邩m邱Ƃł܂B'LIDS_GLOBAL 0' 
  \΁ALIDS ͖ɂȂĂ܂B'LIDS 0' ƕ\΁AN
   LIDS t[ZbV gĂ܂B

  lidsadm  VIEW IvVŃRpCĂȂꍇ́ALIDS
  sׂ@݂͂܂B

  1. dmesg  'Linux Intrusion Detection System * for * doesn't start'
     ƂsȂׂ邱Ƃł܂B

  2. /etc/lids fBNg邩ׂ邱Ƃł܂BLIDS LȂ
     ΁Â͖]܂Ȃł傤AftHgł LIDS ͂
     fBNgB܂B

  3. {ȂłȂ͂̉łāALIDS sN
     Ƃł܂BȂ΁ALIDS ͓삵Ă܂B
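  The checks in 4.10 and 4.19 both come down to reading the `lidsadm -V` table. The script below is an added example, not part of the FAQ or of the LIDS tools: it parses that table offline (SAMPLE_VIEW is a constructed, shortened copy of the VIEW output quoted in 4.10) and reports the LIDS state and the capabilities root still holds; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the FAQ: read "lidsadm -V" output and report the
# LIDS state and the capabilities root still holds. SAMPLE_VIEW is a
# constructed, shortened copy of the VIEW output quoted in this FAQ.
SAMPLE_VIEW='VIEW
                       CAP_CHOWN 0
                  CAP_SYS_MODULE 0
                   CAP_SYS_RAWIO 0
                   CAP_SYS_ADMIN 0
                    CAP_SYS_BOOT 1
                CAP_SYS_RESOURCE 1
                      CAP_HIDDEN 1
                   CAP_INIT_KILL 0
                     LIDS_GLOBAL 1
                     RELOAD_CONF 0
                            LIDS 0'

# Print, space separated, every CAP_* whose flag is 1, i.e. the
# capabilities that are still available to root after the kernel is sealed.
lids_enabled_caps() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^CAP_/ && $2 == 1 { printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}

# Classify the system from the two flags at the end of the table:
#   unknown   - no LIDS_GLOBAL line found (not lidsadm -V output?)
#   disabled  - LIDS_GLOBAL 0: LIDS is switched off for the whole system
#   lfs       - LIDS_GLOBAL 1 but LIDS 0: this shell is a LIDS Free Session
#   enforcing - both flags 1: protections apply to this shell as well
lids_state() {
    printf '%s\n' "$1" | awk '
        $1 == "LIDS_GLOBAL" { g = $2 }
        $1 == "LIDS"        { l = $2 }
        END {
            if (g == "")     print "unknown"
            else if (g == 0) print "disabled"
            else if (l == 0) print "lfs"
            else             print "enforcing"
        }'
}

# Exit status 0 when capability $2 is enabled in table $1, 1 otherwise, so
# the check can gate other scripts (e.g. before starting a shutdown sequence).
lids_cap_enabled() {
    case " $(lids_enabled_caps "$1") " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

printf 'state: %s\n' "$(lids_state "$SAMPLE_VIEW")"
printf 'caps left to root: %s\n' "$(lids_enabled_caps "$SAMPLE_VIEW")"
if lids_cap_enabled "$SAMPLE_VIEW" CAP_SYS_MODULE; then
    echo "CAP_SYS_MODULE is still on: kernel modules can be loaded"
fi
```

  On a LIDS host, replace SAMPLE_VIEW with `"$(lidsadm -V)"` (lidsadm built with the view option, as 4.10 requires).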

  5.  LIDS ̐ݒ

  5.1.  t@Cǂ݂Ƃpɂĕی삷@́H

  # lidsconf -A -o /some/file     -j READONLY

  ɂALIDS LɂȂĂ΁A(root ܂) ҂
  /some/file ύX폜肷̂hƂł܂BLFS ɂ
  ȂAK؂ȃt@Cp[~bVAp[eBVǂ݂Ƃ
  p mount Ă̂łȂ΁AR /some/file ύX邱Ƃ
  ł܂B

  5.2.  OK, ႠfBNgǂ݂Ƃpɂɂ͂ǂ΁H

  ƓłAw肷̂ /some/directory łB

  # lidsconf -A -o /some/directory         -j READONLY

  IuWFNgfBNg̏ꍇALIDS ̓fBNĝ̂ƁAċA
  Iɂ̉̓t@CVXeɂ̂ی삵܂B(e.g. LIDS
   ACL ̓t@CVXe̋Ez܂I) ͊oĂׂ
  ɏdvȂƂŁAɂA͂炸VXëꕔی삳Ȃ
  ܂ɂĂƂȂȂ܂B

  ǂ݂ƂpƂĕی삵ĂƎvfBNǵA/etc ł
  B

  # lidsconf -A -o /etc -j READONLY

  5.3.  Nt@C/fBNgBƂ͂ł܂H

  # lidsconf -A -o /some/file_or_directory   -j DENY

  JԂ܂AŁAroot ANZXoȂȂ܂BɁA
  ꂪfBNgł΁ẢɂSẴt@CƃfBNg
  B܂ (At@CVXeɂ΁Ał)B

  5.4.  ǋLłȂ悤ɃOt@Cی삷@́H

  # lidsconf -A -o /some/log/file  -j APPEND

  ɂAɒNt@C̖ɏłA̓e
  ύXłȂ悤ɂȂ܂B

  VXeOǋLpƂĕی삷ȒPȕ@͂ł |

  # lidsconf -A -o /var/log  -j APPEND

  ɂA/var/log ȉɂSẴt@CǋLpƂĕی삳
  ܂BREAD  DENY ƓlɁÃ^[QbgċAIłB

  5.5.  /etc/shadow t@Cǂނ̂ɁAȂ΁AǂĎ
  ̓VXeɔF؂́H

  [UgVXeɔF؂ɂ́A̃vO
  /etc/shadow ւ̓ǂ݂Ƃp̃ANZXKv܂Bǂ݂Ƃ
  ANZX^悤ɍl邩mȂvOƂĂ | login,
  sshd, su, vlock Ȃǂ܂B

  login vO /etc/shadow ǂ߂悤ɂɂ́A ACL g
  ܂ |

  # lidsconf -A -s /bin/login -o /etc/shadow -j READONLY

  ̏ꍇA"-s" IvV subject ł /bin/login w肵Ă
  Bsubject ɑ΂āAIuWFNg (/etc/shadow ւ̓ǂ݂ƂpANZ
  X^Ă邱ƂɂȂ܂B

  5.6.  /etc ǂ݂Ƃpŕی삵Amount ͂ǂ /etc/mtab 
  ݂̂ł傤H

  ł܂B̖Cɂ́A/etc/mtab t@C폜
  āA/proc/mounts ւ̃V{bNNɒu@܂B
  @\邽߂ɂ́ANXNvgCāASĂ mount 
  umount R}h "-n" IvVg悤ɂKv܂B
  ɂAmount  umount  /etc/mtab t@CXVȂȂ܂B

  Ⴆ΁Â |

  mount -av -t nonfs,noproc

  NXNvg̒ɌȂÂ悤ɕύX܂ |

  mount -av -n -t nonfs,noproc

   mount R}h́ANXNvgŜɎU݂Ăł
  BSĂ߂܂邽߂ɁAgrep gĂB@ŁAS
  umount R}h̏CƎvł傤B
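  The grep pass suggested above is easy to get wrong when a script mixes option clusters (`-an`, `-vn`) with plain `-n`. As an added example (not from the FAQ), the script below scans a boot-script text for `mount`/`umount` calls that still lack `-n`; SAMPLE_RC is a constructed fragment and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the FAQ: list the mount/umount invocations in a
# boot script that do not pass -n (or --no-mtab), i.e. the ones that would
# still try to write /etc/mtab. SAMPLE_RC is a constructed fragment.
SAMPLE_RC='#!/bin/sh
# constructed boot script fragment
mount -n -o remount,rw /
mount -av -t nonfs,noproc
if [ -x /sbin/umount ]; then
    umount -a -t nfs
fi
mount -av -n -t nonfs,noproc
swapon -a'

# $1: script text. Prints "LINE: text" for every line in which a bare mount
# or umount token is not followed by an option cluster containing n (-n,
# -an, -vn, ...) or by --no-mtab. Comment lines are skipped. Path-qualified
# calls such as /bin/mount are deliberately not matched: review them by hand.
mount_calls_without_n() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i != "mount" && $i != "umount") continue
                has_n = 0
                for (j = i + 1; j <= NF; j++)
                    if ($j ~ /^-[A-Za-z]*n/ || $j == "--no-mtab") has_n = 1
                if (!has_n) print NR ": " $0
                break
            }
        }'
}

# Only the offending line numbers, space separated, for quick pass/fail use.
mount_lines_without_n() {
    mount_calls_without_n "$1" | cut -d: -f1 | tr '\n' ' ' | sed 's/ $//'
}

mount_calls_without_n "$SAMPLE_RC"
```

  Run it as `mount_calls_without_n "$(cat /etc/rc.d/rc.sysinit)"` (or over each script under /etc/init.d) before rebooting with /etc read-only.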

  5.7.  LIDS AN modules.dep t@Cɏ߂ȂAƕ
  ܂B̂łH

  ́A/lib ǂ݂ݐpŕی삳Ă鎞 (̂́A悢
  Ƃł) ܂B󂯂ƂG[́AɂȂ܂ |

       LIDS: depmod (3 12 inode 16119) pid 13203 user (0/0) on
       tty2: Try to open /lib/modules/2.2.18/modules.dep for writing,flag=578

  ́AN /etc/rc.d/rc.sysinit NXNvgW[̈ˑ
  č\z悤Ƃ邩łBʏA͕Kv܂BƂ
  AW[ǉύX폜肵ȂAW[
  ˑ͕ωȂłBG[͖QłÂȂP
  /etc/rc.d/rc.sysinitXNvgŃW[̈ˑč\zĂs
  (depmod -a Ƃ̂TĂ) RgAEg邱Ƃ
  ܂B

  5.8.  OǋLpŕی삵ĂƁAlogrotated ͂ǂăO
  [e[ĝł傤H

  Ȃ܂BÕ[e[V́ALIDS_GLOBAL ɂȂĂ鎞
  ɁAO[e[V[eBeB蓮ŎsĂȂׂ̂
  BÕ[e[V𐶋N cron ̃Wu͖ɂׂ
  B(ʉɂĂ ``L'' QƂĂ)

  5.9.  ȂAPɃO[e[V[eBeBɃOt@Ĉ
  fBNgւ̏݋^@ŁA[e[g悤
  ɂĂ͂Ȃ̂łH

  Ă\܂񂪁A߂܂BNVXeɐNAႦނ炪
  OύX邱ƂłȂĂAN̊ԂɏW߂ꂽO
  nォp܂ŁA(O[e[V[eBeB蓮Ŏs
  ) [e[gKvȂJԂƂł܂B́AxȃZ
  LeB̂߂Ɏxׂ㉿̈ꕔȂ̂łB

  O[e[V[eBeB /var/log ւ̏݃ANZX
  ʉƂẮAcron f[ /var/log ւ̏݋^A
  p\Ƃ@܂B

  lidsconf -A -s /usr/sbin/crond -i -o /var/log   -j WRITE

  ŁAN蓮ŃO[e[V[eBeBs邱Ƃ͂
  ܂񂪁Acron f[ɂĎsꂽ͓삷悤ɂȂ
  B

  xF cron f[ɐƎ㐫ꍇ́AN˂
  ƁAcron  /var/log ւ̏݌Ă邽߂ɃO|ł
  ܂܂B́A MAC pړI𖳈ׂɂ܂BȂɂ
  AƎ㐫΁AANZX͉I񂳂꓾̂łB
  IvV͎ȐӔĈƂɎg悤ɁI

  XVFV``Ԑ''@\̂߁Acrond  /var/log ɏ݌
  ĂȂA̎ԑтɐ̂߂܂BႦ
  ΁Alogrotated  crond ɂĖ 6:00 AM ɎsȂAcrond
  ̏݌ 1 Ԃɐ܂ |

  /sbin/lidsconf -A -s /usr/sbin/crond -i 2 -o /var/log -t 0600-0601 -j WRITE

  1 \ȒłȂȂAlogrotated sI܂ŁAԂ
  1 Â₵ĂB

  5.10.  LIDS LȎAVbg_E܂Ńt@CVXeA}E
  go܂Bǂ΂悢ł傤H

  ́ACAP_SYS_ADMIN ŜŖɂĂāAt@CVXe
  A}Eg邽߂̓K؂Ȍ shutdown XNvgɗ^ĂȂ
  ꍇɂ܂BႦ΁ARed Hat6.2 ł́A/etc/rc.d/init.d/halt XN
  vgt@CVXẽA}Egs܂B CAP_SYS_ADMIN
  ^Kv܂BāAt@CVXẽA}Eg
  \ɂȂ̂ł |

  # lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_SYS_ADMIN -i 1 -j GRANT

  ^[Qbg "GRANT"  LIDS  subject (̏
  A/etc/rc.d/init.d/halt)  CAP_SYS_ADMIN 悤ɓ`
  B "-i 1" IvV́AACL  "px"  1 ɃZbg܂B

  ɂA/etc/rc.d/init.d/halt XNvgsłNɂAt@
  CVXẽA}Eg\ɂȂ邱ƂɒӂĂB}V
  ɕIɃANZXłȂAVbg_EXNvgɌ^
  AVbg_ȆO LIDS_GLOBAL 𖳌ɂ邾̕
  ܂BƂ͂AdɃVXeVbg_E邱Ƃ
   UPS ĂȂALIDS_GLOBAL 𖳌ɂ킯ɂ͂Ȃ
  傤B

  5.11.  Ȃ|[ggT[rX root ŊJnłȂ̂łH

  |[g (1024 ȉ̂) őT[rX́A|[gɃoCh邽
  ߂ CAP_NET_BIND_SERVICE KvƂ܂B/etc/lids/lids.cap t@
  Cł̌S̓IɖɂĂȂAvOɂ̌
  ˂΂Ȃ܂B

  # lidsconf -A -s /usr/local/bin/apache -o CAP_NET_BIND_SERVICE -j GRANT

  邢́ALIDS_GLOBAL ȂƂɃT[rXJnĂB

  5.12.  Ȃ|[ggT[rX LFS JnłȂ̂łH

  LFS ́AP̒[ZbVɓKp܂Bf[́A[玩
  ؂藣߂ɁAg fork ܂BȂƁA͂͂[
   LFS ɂ͐ڑĂ炸A䂦 LIDS ɕی삳邱ƂɂȂ̂
  B

  5.13.  𖳌/Lɂ@́H

  /etc/lids/lids.cap t@C LIDS ŋꂽ Linux J[lŗp
  S̃XgێĂ܂B "+" ̂̂ALɂȂ
  Ă̂ŁA"-" ɂĂ̂́AȂ̂łB̏Ԃ
  ύXɂ́APɃeLXgt@CҏW "+"  "-" ɕςΌ
  ͖ɂȂ܂AtƗLɂȂ܂Bt@C̕ҏWI
  ALIDS ɐݒt@C ``[h''Kv܂B

  5.14.  LIDS LɂȂĂ X Window System 삵Ȃ̂͂Ȃ
  łH

  gpĂ X T[oɂ CAP_SYS_RAWIO KvłB

  # lidsconf -A -s /path/to/your/X_server -o CAP_SYS_RAWIO -j GRANT

  ĂB

  5.15.   ACL SĂɑ΂āȂ͈ŜǂĎ̐ݒc
  Ă΂悢̂ł傤H

  Ȃ]ޑSĂ ACL VXeɒǉVFXNvg쐬
  ̂߂܂B΁AVXeύXɁA͂炸
  ی삳Ȃ܂܂ɂĂƂ͂܂BXNvǵAÂ ACL 
  Ƃn߂΁A2 dɐݒ肷邱Ƃ܂B

  # lidsconf -Z

  ̃VFXNvgی삷ɂ́Aւ̃ANZX DENY  ACL
  A/etc/lids fBNg֔zuĎI DENY ŕی삳
  悤ɂł܂B

  5.16.  LIDS LƁA/etc/lids fBNg܂Bǂ
  ƂłH

  LIDS ͎I /etc/lids fBNg DENY ŕی삵܂B

  XVFLIDS 1.1.0 ȍ~ł́AftHg /etc/lids  DENY ĕی삷
  Ƃ͂ȂȂ܂BKvȂAgł ACL 쐬Ȃ΂
  ܂B

  5.17.  NƃVbg_E̎ LIDS Ȃ悤ɁAinit 
  /etc/initrunlvl ւ̏݃ANZXɂ͂ǂ΂łH

  sKɂAɂďo邱Ƃ͂܂Binit ͋N̓x
  ɂ̃t@Cč쐬̂ŁA im[hԍω̂łB
  ɂÃt@C LIDS ɂ͈ɂȂ܂B̃G[͖Q
  A/etc/initrunlvl ȂĂVXe͓K؂ɋ@\܂B

  5.18.  vZX́AevZX炻̃t@C ACL pł܂H

  ł܂Bo[W 0.9.12  2.2.18 ܂ł́AꂪftHg̓
  łB݂́AftHgł́Aq͂̐et@C ACL p
  BevZXqvZXփt@C ACL ڍsł悤ɂ
  ́A"-i <px>" IvVgKv܂B

  "px" (ʖ TTL) Ƃ́AACL p鐢㐔肵܂BTTL
   1 w肳΁AACL Ŏw肳ꂽ subject Ƃ̎qSĂ ACL p
  ܂BAq̎q (ʂ̌ ACL  subject ̑) 
  ACL p܂ (Ȃ悤ɂɂ́ATTL  2 ɂKv
  ܂)B

  ӁF ACL ɂAƓp̃[Kp
  B

  ZLeB̍XVF LIDS 1.1.1prex y 0.10.1 ȍ~ł́Aی삳ꂽ
  vÔ݂̐e ACL p邱Ƃł܂Bی삳Ă
  ȂvZX ACL ̌pƁAexploit ̌ƂȂ܂B

  5.19.  āI LIDS ̂Ƃł́AvO xyz 삵Ȃ悤łB
  ǂ̃t@C/ɃANZXKv̂AǂČ߂̂
  傤H

  ŏɂׂƂ́APɃvOsāALIDS ǂȈᔽ
  ʍĂ邩邱ƂłBƂ͂AxĂA\ȏ
  ͓܂BꂪŃAstrace găvOǂ
  āAǂ̃VXeR[sĂ̂邱Ƃł܂B
  ƁAĂ̏ꍇ͂ǂ̌ᔽĂ̂A悢𓾂邱Ƃ
  ܂B

  ӁFŜ CAP_SYS_PTRACE 𖳌ɂĂȂALIDS LȏԂ
  vO̒ǐՂł悤ɁAꎞI strace  CAP_SYS_PTRACE 
  ^Kv܂B

  5.20.  /etc/shadow t@CXVK؂ȃp[~bV passwd 
  ^ɂ͂ǂ΂łH

  cOȂAȒPȉ݂͑܂B́Apasswd [eBeBp
  X[hύX邽т /etc/shadow t@Cč쐬邩łB
  ɂApasswd [eBeB𐬌ɎgxɁAႤ i m[h
  t@Cn܂̂łB

  VXeǗ҂ɂ́AȒPȉ@܂BLFS JnāALFS ̒
   passwd [eBeBĝłBpX[hύXKv̂郆
  [UꍇALDAP g΁A[ŨpX[hύXłN
  CAgF؎i񋟂Ă܂B

  WI unix VXet@CgāAUNIX F؂鎞ɁA[U
  ̃VXepX[hύXł悤ɂI܂BłA
  ߂͂ł܂B/usr/bin/passwd  /etc ւ̏݃ANZX^
  ΁Ał shadow t@C i m[hԍɊւ炸Cł
  悤ɂȂ܂B

  xFN /usr/bin/passwd AꂪgCu/PAM W[
  ̉ꂩɐƎ㐫𔭌΁A̐l͐ݓI /etc fBNgւ̏
  ݃ANZX𓾂邱Ƃł܂BƎ㐫΁AȂ̃ANZ
  XoƂł킯ŁA͂ MAC pړI
  ʂɂ̂łB̃IvV͎Ȃ̍ٗʂŎg悤ɂĂ
  B

  /usr/bin/passwd  /etc ւ̏݃ANZX^邱Ƃɂ̂
  A/etc ̉ɂāA/usr/bin/passwd Cł悤ɂȂ
  t@CƃfBNgSĂی삷 ACL 쐬邱Ƃ߂
  BɂAL̃XN܂ (mɍs΁A
  SɎ菜Ƃł܂)B

  /sbin/lidsconf -A -s /usr/bin/passwd -o /etc                     -j WRITE
  /sbin/lidsconf -A -s /usr/bin/passwd -o /etc/hosts.allow         -j READONLY
  /sbin/lidsconf -A -s /usr/bin/passwd -o /etc/hosts.deny          -j READONLY
  /sbin/lidsconf -A -s /usr/bin/passwd -o /etc/rc0.d               -j READONLY
  /sbin/lidsconf -A -s /usr/bin/passwd -o /etc/rc1.d               -j READONLY
  /sbin/lidsconf -A -s /usr/bin/passwd -o /etc/rc2.d               -j READONLY
  /sbin/lidsconf -A -s /usr/bin/passwd -o /etc/rc3.d               -j READONLY
  /sbin/lidsconf -A -s /usr/bin/passwd -o /etc/rc4.d               -j READONLY
  /sbin/lidsconf -A -s /usr/bin/passwd -o /etc/rc5.d               -j READONLY
  /sbin/lidsconf -A -s /usr/bin/passwd -o /etc/rc6.d               -j READONLY
  /sbin/lidsconf -A -s /usr/bin/passwd -o /etc/init.d              -j READONLY
  /sbin/lidsconf -A -s /usr/bin/passwd -o /etc/cron.d              -j READONLY
  /sbin/lidsconf -A -s /usr/bin/passwd -o /etc/pam.d               -j READONLY
  ..

  ́AǂȂɑz͂痂ƂŊSȃXgł͂܂񂪁A
  ɂ͂Ȃ܂B/etc  passwd ɃANZXȂt@C
  fBNgǉƂ͂łAی삷V ACL 
  ˂΂ȂȂƂAɓĂĂB
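  Maintaining that READONLY list by hand is where entries get forgotten. As an added example (not from the FAQ or the LIDS project), the script below generates the rules from the directory itself: WRITE on /etc for passwd, then READONLY for every top-level entry except those passwd must rewrite. The exclusion list PASSWD_WRITES and the helper names are my assumptions; verify the list for your passwd build (5.19 shows how to use strace for that).

```sh
#!/bin/sh
# Added example, not from the FAQ: generate (but do not run) the lidsconf rules
# that give /usr/bin/passwd WRITE on /etc while locking everything else under
# /etc back to READONLY. The set of entries passwd is allowed to rewrite is an
# assumption for illustration; confirm it for your own passwd build.
PASSWD_WRITES='passwd shadow .pwd.lock'

# Build a small constructed /etc tree in a temporary directory, print its path.
make_demo_etc() {
    d=$(mktemp -d) || exit 1
    for f in passwd shadow .pwd.lock hosts.allow; do : > "$d/$f"; done
    mkdir "$d/pam.d" "$d/rc3.d" "$d/lids"
    printf '%s\n' "$d"
}

# $1: directory tree to scan, $2: path to name in the rules (default /etc).
# Prints one lidsconf command per top-level entry, dot files included.
# Entries listed in PASSWD_WRITES are left out, so the WRITE rule on the
# parent directory is the only rule that applies to them.
emit_passwd_acls() {
    etc_dir=$1
    etc_name=${2:-/etc}
    printf '/sbin/lidsconf -A -s /usr/bin/passwd -o %s -j WRITE\n' "$etc_name"
    for entry in "$etc_dir"/* "$etc_dir"/.[!.]*; do
        [ -e "$entry" ] || continue          # pattern matched nothing
        base=${entry##*/}
        skip=0
        for w in $PASSWD_WRITES; do
            [ "$base" = "$w" ] && skip=1
        done
        [ "$skip" -eq 1 ] && continue
        printf '/sbin/lidsconf -A -s /usr/bin/passwd -o %s/%s -j READONLY\n' \
            "$etc_name" "$base"
    done
}

DEMO_ETC=$(make_demo_etc)
trap 'rm -rf "$DEMO_ETC"' EXIT
emit_passwd_acls "$DEMO_ETC" /etc
```

  Against the real system, run `emit_passwd_acls /etc /etc > passwd-acls.sh`, review the output, and execute it from an LFS before reloading the configuration.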

  A note on updating inodes:

  When you define ACLs for access to /etc/shadow or /etc/passwd, you must
  remember to tell LIDS to ``update inodes'' and then to ``reload'' the
  configuration file. Otherwise you will run into problems.

  For example: suppose /etc/passwd is protected with DENY and /bin/login is
  allowed to read /etc/passwd. If a password is changed and the inodes are
  not updated, the problem shows up the next time someone tries to log in.
  /bin/login can no longer read /etc/passwd, so logging in becomes
  impossible. Or, worse, it may become possible to log in simply by pressing
  the <ENTER> key.

  5.21.  Why don't ssh and scp work when LIDS is enabled?

  By default ssh/scp try to use a privileged port as the source port when
  opening a connection to a remote host, which requires
  CAP_NET_BIND_SERVICE. You can instead allow an unprivileged source port
  (above 1023) by setting this option in ssh_config:

  UsePrivilegedPort No

  Alternatively, you can grant CAP_NET_BIND_SERVICE to ssh (scp calls ssh, so
  scp will work as well):

  lidsconf -A -s /usr/bin/ssh -o CAP_NET_BIND_SERVICE      -j GRANT

  5.22.  OpenSSH fails to start at boot. LIDS reports that bash is trying to
  access the hidden key files. How do I fix this?

  This happens when the host keys are protected as hidden under a DENY
  default policy. The init script shipped with the openssh-server RPM checks
  whether the key files exist in /etc/ssh, and if it cannot see them it runs
  ssh-keygen to generate them. Since the keys really are there, ssh-keygen
  fails and the init script exits.

  To fix this, remove the key-file check from the init script:

  start)
        # Create keys if necessary
        #do_rsa_keygen;  <------------ Comment out these lines
        #do_dsa_keygen;

        echo -n "Starting sshd: "
        if [ ! -f $PID_FILE ] ; then
                sshd
                RETVAL=$?
                if [ "$RETVAL" = "0" ] ; then
                        success "sshd startup"
                        touch /var/lock/subsys/sshd
                else
                        failure "sshd startup"
                fi
        fi
        echo
        ;;

  Note: this means you have to generate the host keys by hand before sshd is
  started for the first time; otherwise startup fails.

  5.23.  Hidden processes keep running, so the file systems can't be
  unmounted at shutdown. How do I kill them?

  Hidden processes can still be killed if you know their process id (pid).
  On most systems, the pids of all processes started at boot are saved
  somewhere under /var (usually /var/run). You can change the shutdown
  scripts to read the pids from those files and send the appropriate
  signals.

  For example, if your system saves pids as /var/run/<process>.pid, you can
  add the following lines to the shutdown script:

  for p in /var/run/*.pid
  do
     kill -15 "$(cat "$p")"
  done
  sleep 5
  sync;sync;sync

  for p in /var/run/*.pid
  do
     kill -9 "$(cat "$p")"
  done
  sleep 5
  sync;sync;sync

  The shutdown script containing these lines needs CAP_KILL and
  CAP_INIT_KILL. The /var/run directory should be hidden from everything
  except the init scripts; that is probably a good idea anyway.

  A more general alternative is simply to send TERM and then KILL to every
  possible process:

  MAX_PROC=65535
  trap : 1 2 15
  I=1;while (( $I < $MAX_PROC ));do
          I=$(($I+1));
          if (( $$ != $I ));then
                  kill -15 $I;
          fi;
  done
  sleep 5
  sync;sync;sync;
  I=1;
  while (( $I < $MAX_PROC ));do
          I=$(($I+1));
          if (( $$ != $I ));then
                  kill -9 $I;
          fi;
  done
  sync;sync;sync

  Nenad Micic has written his own C program for killing hidden processes at
  shutdown.
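  A hardened form of the pid-file loop above, added here as an example; it is
  not taken from the FAQ, from LIDS or from Nenad Micic's program. The FAQ's
  loop trusts whatever a /var/run/*.pid file contains, so a stale, empty or
  corrupted file produces shell errors or signals the wrong process. Each pid
  is validated here before anything is signalled, pid 1 and the running shell
  are never signalled, and a dry-run mode lists what would be done. The
  function names are this example's own.

```shell
#!/bin/sh
# Added example; not part of the LIDS FAQ or of LIDS.  A hardened form of the
# pid-file loop shown above: the FAQ's `kill -15 $(cat $p)` trusts whatever a
# /var/run/*.pid file contains, so a stale, empty or corrupted file produces
# shell errors or signals the wrong process.  Each pid is validated here
# before anything is signalled, and a dry-run mode lists what would be done.
# Function names are this example's own, not LIDS or init-script conventions.

# pid_from_file FILE -> prints the pid when FILE holds one sane number
pid_from_file() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;            # empty or not purely numeric
    esac
    [ "$pid" -gt 1 ] || return 1            # never signal init (pid 1)
    [ "$pid" -ne "$$" ] || return 1         # never signal the running shell
    printf '%s\n' "$pid"
}

# signal_pidfiles DIR SIGNAL [dry]
# Sends SIGNAL to every valid pid recorded in DIR/*.pid.  With "dry" as the
# third argument it only prints "would kill -SIGNAL PID (FILE)" lines.
signal_pidfiles() {
    dir="$1"; sig="$2"; mode="${3:-live}"
    for f in "$dir"/*.pid; do
        [ -f "$f" ] || continue             # unmatched glob or vanished file
        if ! pid=$(pid_from_file "$f"); then
            echo "skip $f: no usable pid" >&2
            continue
        fi
        if [ "$mode" = dry ]; then
            echo "would kill -$sig $pid ($f)"
        else
            kill -"$sig" "$pid" 2>/dev/null || echo "kill -$sig $pid failed" >&2
        fi
    done
    return 0
}

# shutdown_kill_pidfiles DIR: the FAQ's TERM, wait, sync, then KILL sequence
shutdown_kill_pidfiles() {
    signal_pidfiles "$1" TERM
    sleep 5
    sync
    signal_pidfiles "$1" KILL
    sync
}

# Usage from a shutdown script (needs CAP_KILL and CAP_INIT_KILL under LIDS):
#   shutdown_kill_pidfiles /var/run
# Preview first with:  signal_pidfiles /var/run TERM dry
```

  As with the FAQ's version, the script that calls these functions must hold
  CAP_KILL and CAP_INIT_KILL, and /var/run should stay hidden from everything
  but the init scripts.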

  5.24.  I want to start from a basic configuration. Is there a recommended
  setup that adds protection while leaving most of the system's functionality
  working as usual?

  Select the following kernel options:

    ...
    [*]    Security alert when execing unprotected programs before sealing
    [*]      Do not execute unprotected programs before sealing lids
    ...
    [*]    Allow switching LIDS protections
    ...
    [*]      Allow reloading config. file

  A good starting point is to protect the init scripts, the system binaries
  and the libraries (note that the paths vary between distributions):

  /sbin/lidsconf -A -o /etc/rc0.d                  -j READONLY
  /sbin/lidsconf -A -o /etc/rc1.d                  -j READONLY
  /sbin/lidsconf -A -o /etc/rc2.d                  -j READONLY
  /sbin/lidsconf -A -o /etc/rc3.d                  -j READONLY
  /sbin/lidsconf -A -o /etc/rc4.d                  -j READONLY
  /sbin/lidsconf -A -o /etc/rc5.d                  -j READONLY
  /sbin/lidsconf -A -o /etc/rc6.d                  -j READONLY
  /sbin/lidsconf -A -o /etc/init.d                 -j READONLY
  /sbin/lidsconf -A -o /etc/rc                     -j READONLY
  /sbin/lidsconf -A -o /etc/rc.local               -j READONLY
  /sbin/lidsconf -A -o /etc/rc.sysconfig           -j READONLY

  /sbin/lidsconf -A -o /bin                        -j READONLY
  /sbin/lidsconf -A -o /sbin                       -j READONLY
  /sbin/lidsconf -A -o /lib                        -j READONLY

  /sbin/lidsconf -A -o /usr/bin                    -j READONLY
  /sbin/lidsconf -A -o /usr/sbin                   -j READONLY
  /sbin/lidsconf -A -o /usr/lib                    -j READONLY

  If /usr/local is on a separate partition, add the following ACLs as well:

  /sbin/lidsconf -A -o /usr/local/bin              -j READONLY
  /sbin/lidsconf -A -o /usr/local/sbin             -j READONLY
  /sbin/lidsconf -A -o /usr/local/lib              -j READONLY

  In the /etc/lids/lids.cap file, disable CAP_SYS_RAWIO and CAP_SYS_PTRACE.
  If CAP_SYS_RAWIO is not disabled, anyone can bypass the file protections
  above by writing directly to the devices.

  If you run the X Window System, see the section above on running X under
  LIDS.

  5.25.  Can I restrict access by time of day?

  Yes. Starting with LIDS version 0.10.1 for 2.2.19 and version 1.0.10 for
  2.4.5, ACL entries can be restricted by time. For example, to allow logins
  only between 9:00 AM and 6:00 PM (18:00):

  /sbin/lidsconf -A -s /bin/login -o /etc/shadow -t 0900-1800 -j READ

  With this rule, /bin/login can read the /etc/shadow file only during the
  given time window, so login attempts outside that window fail. The "!"
  operator can be used for negation (for example, to make an ACL allow all
  access except during the listed time window).

  If crond is subject to time restrictions, it is strongly recommended that
  you hide all crontabs (including root's) and allow only crond to read them.
  Otherwise someone could look at the crontabs, see what is restricted at
  which times, and learn when jobs are started. Remember to hide the system
  crontabs, not only the users' ones.

  For example, the following should be hidden:

  /var/spool/cron/
  /etc/crontab
  /etc/cron.hourly/
  /etc/cron.daily/
  /etc/cron.weekly/
  /etc/cron.monthly/
  /etc/cron.d/

  Warning: this feature depends on the system clock, so programs that can
  change the system time (for example /sbin/hwclock) must not be granted
  CAP_SYS_RAWIO. Otherwise anyone could change the system time and bypass
  the time restriction.

  5.26.  How do I restrict which ports a program can bind to?

  Versions 0.10.1 for 2.2.19 and 1.0.11 for 2.4.6 can restrict the ports a
  program is allowed to bind to. When you grant a program
  CAP_NET_BIND_SERVICE, give the port (or port range) after the capability
  name, like this:

  /sbin/lidsconf -A -s /bin/httpd -o CAP_NET_BIND_SERVICE 80-80 -j GRANT

  Or, if it also needs to bind port 443 for SSL:

  /sbin/lidsconf -A -s /bin/httpd -o CAP_NET_BIND_SERVICE 80-80,443-443 -j GRANT

  If a program needs a range of ports, try something like this:

  /sbin/lidsconf -A -s /path/to/program -o CAP_NET_BIND_SERVICE 423-867 -j GRANT

  5.27.  I made /etc/mtab a symbolic link to /proc/mounts. Do user quotas
  still work?

  Yes, as long as you start quotaon with the "-a" option.

  5.28.  When I edit a file protected by LIDS, it no longer seems to be
  protected. Why?

  Some editors (vi, for example) copy the file being edited to a temporary
  file. All changes are made to that temporary file, and when you quit the
  editor it overwrites the original with the temporary copy. This gives the
  original file a new inode, so the LIDS ACLs that referred to the old inode
  no longer apply. To fix this, run:

  /sbin/lidsconf -U

  to update the inodes of the files listed in lids.conf.
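  Both this answer and the inode note in 5.20 come down to the same check: has
  the inode of a protected file changed since the ACL was loaded? The script
  below is an added example, not part of the FAQ or of LIDS. It records the
  inode numbers of the files you name and later reports which of them have
  changed or disappeared, so you know when to run /sbin/lidsconf -U and reload
  the configuration. The file locations in the usage comment are assumptions
  taken from the FAQ's own examples.

```shell
#!/bin/sh
# Added example; not part of the LIDS FAQ or of LIDS.  LIDS binds an ACL to
# the inode of the object, so a file rewritten through a temporary copy
# (passwd, most editors) gets a new inode and silently drops out of its ACL
# until `/sbin/lidsconf -U` has been run and the configuration reloaded.
# This script records the inodes of files you care about and later reports
# which ones changed or disappeared.  File locations are assumptions.

# inode_of PATH -> prints the inode number, or nothing if PATH is missing.
# `ls -di` prints the inode first on both GNU and BSD userlands.
inode_of() {
    ls -di "$1" 2>/dev/null | awk '{print $1}'
}

# snapshot_inodes FILE... -> one "INODE PATH" line per existing file
snapshot_inodes() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(inode_of "$f")" "$f"
    done
}

# changed_inodes [SNAPSHOT] -> "CHANGED PATH" / "MISSING PATH" for each entry
# of the snapshot (file argument or stdin) whose inode no longer matches.
changed_inodes() {
    cat "${1:--}" | while read -r old path; do
        cur=$(inode_of "$path")
        if [ -z "$cur" ]; then
            printf 'MISSING %s\n' "$path"
        elif [ "$cur" != "$old" ]; then
            printf 'CHANGED %s\n' "$path"
        fi
    done
}

# Typical use on a LIDS host (assumed paths taken from the FAQ's examples):
#   snapshot_inodes /etc/shadow /etc/passwd /etc/lilo.conf > /root/inodes.snap
#   ... later, e.g. from cron or before sealing ...
#   changed_inodes /root/inodes.snap   # any output: run lidsconf -U, then reload
```

  An in-place write (a shell redirection, for instance) keeps the inode and
  produces no report; a save that writes a temporary file and renames it over
  the original, which is what the editors described above do, is reported as
  CHANGED.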

  6.  Configuring security alerts

  6.1.  Which kernel options are needed to send security alerts over the
  network?

  [*]   Send security alerts through network
  [ ]      Hide klids kernel thread
  (3)      Number of connection tries before giving up
  (30)     Sleep time after a failed connection
  (16)     Message queue size
  [*]      Use generic mailer pseudo-script

  The first option enables security alerts. The second lets you hide the
  process that sends the alerts; until mail notification is actually working,
  it is recommended to leave this option off, because it gets in the way of
  collecting the error messages in the logs. The last option tells LIDS to
  use the generic mailer script it provides to deliver alert messages to your
  mail server. This is the easiest setup, and the recommended one.

  6.2.  Where do I specify the mail server and the e-mail address that LIDS
  should send its alerts to?

  Everything needed to send security alerts must be set in the
  /etc/lids/lids.net file. Each option is explained in the file itself. When
  you specify the e-mail address, make sure there is no whitespace before or
  after it; stray whitespace can break delivery. For example, neither of the
  following two MAIL_TO lines works:

  "MAIL_TO= steve@somedomain.org"
  "MAIL_TO=steve@somedomain.org "

  Note: the double quotes are shown only to make the stray space visible. Do
  not include them in the actual configuration file.

  After changing /etc/lids/lids.net, remember to tell LIDS to ``reload'' the
  configuration file.
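  The whitespace problem above is easy to miss by eye. The following linter is
  an added example, not part of the FAQ or of LIDS: it checks every KEY=VALUE
  line of a lids.net file for leading or trailing whitespace in the value, not
  only MAIL_TO. The sample file it writes is constructed for the demonstration;
  MAIL_TO is the only key the FAQ shows, and the other keys in the sample are
  assumed.

```shell
#!/bin/sh
# Added example; not part of the LIDS FAQ or of LIDS.  A small linter for
# /etc/lids/lids.net that catches the problem described above (whitespace
# before or after the MAIL_TO address) in every KEY=VALUE line of the file.
# Only MAIL_TO appears in the FAQ; the other keys in the sample below are
# assumed for illustration, and the sample file itself is constructed.

# check_lids_net FILE -> prints one diagnostic per bad line;
# exit status 0 when the file is clean, 1 otherwise.
check_lids_net() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) {
                printf "line %d: no \"=\" in \"%s\"\n", NR, $0; bad++; next
            }
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            if (key ~ /[ \t]/) {
                printf "line %d: whitespace in key \"%s\"\n", NR, key; bad++
            }
            if (val ~ /^[ \t]/ || val ~ /[ \t]$/) {
                printf "line %d: %s value has leading/trailing whitespace\n", NR, key; bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# write_sample_lids_net FILE: writes a constructed lids.net with one bad line
write_sample_lids_net() {
    cat > "$1" <<'EOF'
# constructed sample lids.net (keys other than MAIL_TO are assumed)
MAIL_SWITCH=1
MAIL_RELAY=127.0.0.1:25
MAIL_SOURCE=lids.example.org
MAIL_FROM=lids@example.org
MAIL_TO= steve@somedomain.org
MAIL_SUBJECT=LIDS ALert
EOF
}

# Usage:  check_lids_net /etc/lids/lids.net && echo "lids.net looks clean"
```

  Run the check before telling LIDS to reload the configuration; a value with
  an interior space (a mail subject, for instance) is accepted, only leading
  and trailing whitespace is reported.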

  6.3.  LIDS doesn't seem to deliver alerts to a qmail SMTP server. Can this
  be fixed?

  Yes. With LIDS version 0.9.12 and earlier, a patch is needed for LIDS e-mail
  alerts to work with a qmail SMTP server. The patch is here:
  http://www.egroups.com/message/lids/1896.

  7.  Sample configurations

  7.1.  Basic system setup

  The following is a sample configuration for a basic system setup.

  # Protect System Binaries
  #
  /sbin/lidsconf -A -o /sbin                               -j READONLY
  /sbin/lidsconf -A -o /bin                                -j READONLY

  # Protect all of /usr and /usr/local
  # (This assumes /usr/local is on a separate file system).
  #
  /sbin/lidsconf -A -o /usr                                -j READONLY
  /sbin/lidsconf -A -o /usr/local                          -j READONLY

  # Protect the System Libraries
  #(/usr/lib is protected above since /usr/lib generally isn't
  # on a separate file system than /usr)
  #
  /sbin/lidsconf -A -o /lib                                -j READONLY

  # Protect /opt
  #
  /sbin/lidsconf -A -o /opt                               -j READONLY

  # Protect System Configuration files
  #
  /sbin/lidsconf -A -o /etc                                -j READONLY
  /sbin/lidsconf -A -o /usr/local/etc                      -j READONLY
  /sbin/lidsconf -A -o /etc/shadow                         -j DENY
  /sbin/lidsconf -A -o /etc/lilo.conf                      -j DENY

  # Enable system authentication
  #
  /sbin/lidsconf -A -s /bin/login -o /etc/shadow           -j READONLY
  /sbin/lidsconf -A -s /usr/bin/vlock -o /etc/shadow       -j READONLY
  /sbin/lidsconf -A -s /bin/su -o /etc/shadow              -j READONLY
  /sbin/lidsconf -A -s /bin/su \
                   -o CAP_SETUID                          -j GRANT
  /sbin/lidsconf -A -s /bin/su \
                   -o CAP_SETGID                          -j GRANT

  # Protect the boot partition
  #
  /sbin/lidsconf -A -o /boot                               -j READONLY

  # Protect root's home dir, but allow bash history
  #
  /sbin/lidsconf -A -o /root                               -j READONLY
  /sbin/lidsconf -A -s /bin/bash -o /root/.bash_history    -j WRITE

  # Protect system logs
  #
  /sbin/lidsconf -A -o /var/log                            -j APPEND
  /sbin/lidsconf -A -s /bin/login -o /var/log/wtmp         -j WRITE
  /sbin/lidsconf -A -s /bin/login -o /var/log/lastlog      -j WRITE
  /sbin/lidsconf -A -s /sbin/init -o /var/log/wtmp         -j WRITE
  /sbin/lidsconf -A -s /sbin/init -o /var/log/lastlog      -j WRITE
  /sbin/lidsconf -A -s /sbin/halt -o /var/log/wtmp         -j WRITE
  /sbin/lidsconf -A -s /sbin/halt -o /var/log/lastlog      -j WRITE
  /sbin/lidsconf -A -s /etc/rc.d/rc.sysinit \
                   -o /var/log/wtmp -i 1                  -j WRITE
  /sbin/lidsconf -A -s /etc/rc.d/rc.sysinit \
                   -o /var/log/lastlog -i 1               -j WRITE

  # Startup
  #
  /sbin/lidsconf -A -s /sbin/hwclock -o /etc/adjtime       -j WRITE

  # Shutdown
  #
  /sbin/lidsconf -A -s /sbin/init -o CAP_INIT_KILL         -j GRANT
  /sbin/lidsconf -A -s /sbin/init -o CAP_KILL              -j GRANT

  # Give the following init script the proper privileges to kill processes and
  # unmount the file systems.  However, anyone who can execute these scripts
  # by themselves can effectively kill your processes.  It's better than
  # the alternative, however.
  #
  # Any ideas on how to get around this are welcome!
  #
  /sbin/lidsconf -A -s /etc/rc.d/init.d/halt \
                   -o CAP_INIT_KILL -i 1                  -j GRANT
  /sbin/lidsconf -A -s /etc/rc.d/init.d/halt \
                   -o CAP_KILL -i 1                       -j GRANT
  /sbin/lidsconf -A -s /etc/rc.d/init.d/halt \
                   -o CAP_NET_ADMIN -i 1                  -j GRANT
  /sbin/lidsconf -A -s /etc/rc.d/init.d/halt \
                   -o CAP_SYS_ADMIN -i 1                  -j GRANT

  # Other
  #
  /sbin/lidsconf -A -s /sbin/update -o CAP_SYS_ADMIN       -j GRANT

  7.2.  Apache

  This sample configuration assumes Apache is installed in /usr/local/apache,
  with its log directory in /var/log/httpd and its configuration directory in
  /etc/httpd. Adjust the ACL paths to match your own setup. With this
  configuration, Apache must be started before the kernel is sealed, while
  LIDS_GLOBAL is still disabled, so that it can bind to port 80 (and 443).

  /sbin/lidsconf -A -s /usr/local/apache/bin/httpd \
                   -o CAP_SETUID                          -j GRANT
  /sbin/lidsconf -A -s /usr/local/apache/bin/httpd \
                   -o CAP_SETGID                          -j GRANT

  # Config files
  /sbin/lidsconf -A -o /etc/httpd                          -j DENY
  /sbin/lidsconf -A -s /usr/local/apache/bin/httpd \
                   -o /etc/httpd                          -j READONLY

  # Server Root
  /sbin/lidsconf -A -o /usr/local/apache                   -j DENY
  /sbin/lidsconf -A -s /usr/local/apache/bin/httpd \
                   -o /usr/local/apache                   -j READONLY

  # Log Files
  /sbin/lidsconf -A -o /var/log/httpd                      -j DENY
  /sbin/lidsconf -A -s /usr/local/apache/bin/httpd \
                   -o /var/log/httpd                      -j APPEND
  /sbin/lidsconf -A -s /usr/local/apache/bin/httpd \
                   -o /usr/local/apache/logs              -j WRITE

  7.3.  qmail

  These ACLs are based on a qmail setup installed according to Dave Sill's
  Life with qmail. With this configuration, qmail must be started before the
  kernel is sealed, while LIDS_GLOBAL is disabled, so that tcpserver can bind
  to port 25.

  # setup
  /sbin/lidsconf -A -o /var/qmail                          -j READONLY
  /sbin/lidsconf -A -s /usr/local/bin/multilog \
                   -o /var/log/qmail                      -j WRITE
  /sbin/lidsconf -A -s /usr/local/bin/svc \
                   -o /var/qmail/supervise                -j WRITE

  # queue access
  # L[ւ̃ANZX
  #
  /sbin/lidsconf -A -s /var/qmail/bin/qmail-inject \
                   -o /var/qmail/queue                    -j WRITE
  /sbin/lidsconf -A -s /var/qmail/bin/qmail-rspawn \
                   -o /var/qmail/queue                    -j WRITE
  /sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \
                   -o /var/qmail/queue                    -j WRITE
  /sbin/lidsconf -A -s /var/qmail/bin/qmail-queue \
                   -o /var/qmail/queue                    -j WRITE
  /sbin/lidsconf -A -s /var/qmail/bin/qmail-clean \
                   -o /var/qmail/queue                    -j WRITE
  /sbin/lidsconf -A -s /var/qmail/bin/qmail-send \
                   -o /var/qmail/queue                    -j WRITE
  /sbin/lidsconf -A -s /var/qmail/bin/qmail-remote \
                   -o /var/qmail/queue                    -j WRITE

  # Access to local mail boxes
  # [J[{bNXւ̃ANZX
  /sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \
                   -o CAP_SETUID                          -j GRANT
  /sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \
                   -o CAP_SETGID                          -j GRANT
  /sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \
                   -o CAP_DAC_OVERRIDE                    -j GRANT
  /sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \
                   -o CAP_DAC_READ_SEARCH                 -j GRANT

  # Remote delivery
  # [gz
  /sbin/lidsconf -A -s /var/qmail/bin/qmail-rspawn \
                   -o CAP_NET_BIND_SERVICE -i -1          -j GRANT

  # supervise

  /sbin/lidsconf -A -s /usr/local/bin/supervise \
                   -o /var/qmail/supervise/qmail-smtpd/supervise     -j WRITE
  /sbin/lidsconf -A -s /usr/local/bin/supervise \
                   -o /var/qmail/supervise/qmail-smtpd/log/supervise -j WRITE
  /sbin/lidsconf -A -s /usr/local/bin/supervise \
                   -o /var/qmail/supervise/qmail-send/supervise      -j WRITE
  /sbin/lidsconf -A -s /usr/local/bin/supervise \
                   -o /var/qmail/supervise/qmail-send/log/supervise  -j WRITE

  7.4.  dnscache & tinydns (djbdns)

  These ACLs are based on a djbdns setup following parts 1 & 2 of Jeremy
  Rauch's Installing djbdns (DNScache) for Name Service.

  # dnscache
  #
  /sbin/lidsconf -A -o /var/dnscache                        -j READONLY
  /sbin/lidsconf -A -s /usr/local/bin/supervise \
                   -o /var/dnscache/dnscache/supervise     -j WRITE
  /sbin/lidsconf -A -s /usr/local/bin/supervise \
                   -o /var/dnscache/dnscache/log/supervise -j WRITE
  /sbin/lidsconf -A -s /usr/local/bin/multilog \
                   -o /var/dnscache/dnscache/log/main      -j WRITE

  # tinydns
  #
  /bin/echo "tinydns"

  /sbin/lidsconf -A -s /usr/local/bin/supervise \
                   -o /var/dnscache/tinydns/supervise      -j WRITE
  /sbin/lidsconf -A -s /usr/local/bin/supervise \
                   -o /var/dnscache/tinydns/log/supervise  -j WRITE
  /sbin/lidsconf -A -s /usr/local/bin/multilog \
                   -o /var/dnscache/tinydns/log/main       -j WRITE

  7.5.  Courier-imap

  These ACLs assume courier-imap is installed in /usr/local/courier-imap.
  With this configuration, courier-imap must be started before the kernel is
  sealed, while LIDS_GLOBAL is disabled, so that it can bind to port 143.

  /sbin/lidsconf -A -o /usr/local/courier-imap                     -j DENY

  /sbin/lidsconf -A -s /usr/local/courier-imap/sbin/imaplogin \
                   -o /etc/shadow                                 -j READONLY
  /sbin/lidsconf -A -s /usr/local/courier-imap/libexec/authlib/authpam \
                   -o /etc/shadow                                 -j READONLY
  /sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \
                   -o /usr/local/courier-imap                     -j READONLY

  /sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \
                   -o CAP_SETUID -i 3                             -j GRANT
  /sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \
                   -o CAP_SETGID -i 3                             -j GRANT
  /sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \
                   -o CAP_DAC_OVERRIDE -i 3                       -j GRANT
  /sbin/lidsconf -A -s /usr/local/courier-imap/libexec/couriertcpd \
                   -o CAP_DAC_READ_SEARCH -i 3                    -j GRANT

  7.6.  MySQL

  These ACLs assume MySQL is installed in /usr/local/mysql.

  /sbin/lidsconf -A -o /usr/local/mysql/var                -j APPEND

  /sbin/lidsconf -A -o /usr/local/mysql                    -j DENY
  /sbin/lidsconf -A -s /usr/local/mysql/libexec/mysqld \
                   -o /usr/local/mysql                    -j READONLY
  /sbin/lidsconf -A -s /usr/local/mysql/libexec/mysqld \
                   -o /usr/local/mysql/var                -j WRITE

  7.7.  OpenSSH

  This configuration grants sshd CAP_NET_BIND_SERVICE, so it works even when
  sshd is started with LIDS_GLOBAL enabled.

  /sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/shadow       -j READONLY

  /sbin/lidsconf -A -o /etc/ssh/sshd_config                -j DENY
  /sbin/lidsconf -A -o /etc/ssh/ssh_host_key               -j DENY
  /sbin/lidsconf -A -o /etc/ssh/ssh_host_dsa_key           -j DENY

  /sbin/lidsconf -A -s /usr/sbin/sshd \
                   -o /etc/ssh/sshd_config                -j READONLY
  /sbin/lidsconf -A -s /usr/sbin/sshd \
                   -o /etc/ssh/ssh_host_key               -j READONLY
  /sbin/lidsconf -A -s /usr/sbin/sshd \
                   -o /etc/ssh/ssh_host_dsa_key           -j READONLY

  /sbin/lidsconf -A -s /usr/sbin/sshd \
                   -o /var/log/wtmp                       -j WRITE
  /sbin/lidsconf -A -s /usr/sbin/sshd \
                   -o /var/log/lastlog                    -j WRITE

  /sbin/lidsconf -A -s /usr/sbin/sshd \
                   -o CAP_SETUID                          -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/sshd \
                   -o CAP_SETGID                          -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/sshd \
                   -o CAP_FOWNER                          -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/sshd \
                   -o CAP_CHOWN                           -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/sshd \
                   -o CAP_DAC_OVERRIDE                    -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/sshd \
                   -o CAP_NET_BIND_SERVICE                -j GRANT

  7.8.  OpenLDAP (slapd)

  This configuration grants slapd CAP_NET_BIND_SERVICE, so it works even when
  slapd is started with LIDS_GLOBAL enabled.

  /sbin/lidsconf -A -s /usr/local/libexec/slapd \
                   -o /usr/local/ldapdb                   -j WRITE
  /sbin/lidsconf -A -s /usr/local/libexec/slapd \
                   -o CAP_NET_BIND_SERVICE                -j GRANT
  /sbin/lidsconf -A -s /usr/local/libexec/slapd \
                   -o CAP_INIT_KILL                       -j GRANT
  /sbin/lidsconf -A -s /usr/local/libexec/slapd \
                   -o CAP_SYS_MODULE                      -j GRANT

  7.9.  Port Sentry

  This configuration grants portsentry CAP_NET_BIND_SERVICE, so it works even
  when portsentry is started with LIDS_GLOBAL enabled. Depending on what you
  want portsentry to do, not all of these ACLs may be necessary.

  /sbin/lidsconf -A -s /usr/local/psionic/portsentry/portsentry \
                   -o /usr/local/psionic/portsentry               -j WRITE
  /sbin/lidsconf -A -s /usr/local/psionic/portsentry/portsentry \
                   -o /var/log                                    -j WRITE
  /sbin/lidsconf -A -s /usr/local/psionic/portsentry/portsentry \
                   -o CAP_NET_BIND_SERVICE                        -j GRANT

  # For portsentry to be able to update the firewall:
  /sbin/lidsconf -A -s /usr/local/psionic/portsentry/portsentry \
                   -o CAP_NET_RAW -i 1                            -j GRANT

  # For portsentry to be able to update /etc/hosts.allow and/or /etc/hosts.deny:
  /sbin/lidsconf -A -s /usr/local/psionic/portsentry/portsentry \
                   -o /etc/hosts.allow                            -j WRITE
  /sbin/lidsconf -A -s /usr/local/psionic/portsentry/portsentry \
                   -o /etc/hosts.deny                             -j WRITE

  7.10.  Samba

  With this configuration, Samba must be started before the kernel is sealed,
  while LIDS_GLOBAL is disabled, so that it can bind to ports 137 & 139.

  /sbin/lidsconf -A -o /etc/samba -j READONLY
  /sbin/lidsconf -A -o /var/samba -j READONLY
  /sbin/lidsconf -A -s /usr/sbin/smbd -o /var/samba -j WRITE
  /sbin/lidsconf -A -s /usr/sbin/nmbd -o /var/samba -j WRITE

  # smbd needs write access to smbpasswd to chmod it.  i think it
  # also needs access to MACHINE.SID
  /sbin/lidsconf -A -s /usr/sbin/smbd -o /etc/samba -j WRITE
  /sbin/lidsconf -A -s /usr/sbin/smbd -o /etc/shadow -j READONLY

  /sbin/lidsconf -A -s /usr/sbin/smbd -o CAP_SETUID -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/smbd -o CAP_SETGID -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/smbd -o CAP_HIDDEN -j GRANT

  # LIDS complains about smbd trying to chroot to /
  # everything still seems to work without it, though
  # (and isn't chrooting to / kinda pointless anyway?)
  #/sbin/lidsconf -A -s /usr/sbin/smbd -o CAP_SYS_CHROOT -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/nmbd -o CAP_HIDDEN -j GRANT

  7.11.  Linux HA heartbeat

  /sbin/lidsconf -A -o /usr/lib/heartbeat/heartbeat                -j READONLY
  /sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                   -o CAP_NET_BIND_SERVICE -i -1                  -j GRANT
  /sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                   -o CAP_SYS_RAWIO -i -1                         -j GRANT
  /sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                   -o CAP_NET_BROADCAST -i -1                     -j GRANT
  /sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                   -o CAP_NET_ADMIN -i -1                         -j GRANT
  /sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                   -o CAP_NET_RAW -i -1                           -j GRANT
  /sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                   -o CAP_SYS_ADMIN -i -1                         -j GRANT

  # For sending Gratuitous Arps
  /sbin/lidsconf -A -o /usr/lib/heartbeat/send_arp                 -j READONLY
  /sbin/lidsconf -A -s /usr/lib/heartbeat/send_arp \
                   -o CAP_NET_RAW -i -1                           -j GRANT

  # For modifying the routing table when the IP address changes
  /sbin/lidsconf -A -o /sbin/route                                 -j READONLY
  /sbin/lidsconf -A -s /sbin/route -o CAP_NET_ADMIN -i 0           -j GRANT

  #
  # Protect the heartbeat configuration and authentication key.
  #
  /sbin/lidsconf -A -o /etc/ha.d/ha.cf                             -j READONLY

  /sbin/lidsconf -A -o /etc/ha.d/haresources                       -j READONLY
  /sbin/lidsconf -A -o /etc/ha.d/authkeys                          -j DENY

  #
  # Only heartbeat can see the authkey
  #
  /sbin/lidsconf -A -s /usr/lib/heartbeat/heartbeat \
                   -o /etc/ha.d/authkeys                          -j READONLY

  7.12.  Bind 9.x

  /sbin/lidsconf -A -s /usr/sbin/named  -o CAP_NET_BIND_SERVICE 53 -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/named  -o CAP_SETPCAP             -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/named  -o CAP_SYS_CHROOT          -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/named  -o CAP_SYS_RESOURCE        -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/named  -o CAP_SETUID              -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/named  -o CAP_SETGID              -j GRANT

  7.13.  Sendmail

  # Sendmail LIDS rules (using infinite inheritance for the sendmail
  # children and delivery agents to work properly, but a lower inheritance
  # like 2 or 3 would probably work as well.)

  # Lock down /etc/mail if it's not already done elseware

  /sbin/lidsconf -A -o /etc/mail -j READONLY

  /sbin/lidsconf -A -o /usr/sbin/sendmail -j READONLY
  /sbin/lidsconf -A -s /usr/sbin/sendmail -o /etc/shadow -j READONLY -i -1
  /sbin/lidsconf -A -s /usr/sbin/sendmail -o /etc/passwd -j READONLY -i -1
  /sbin/lidsconf -A -s /usr/sbin/sendmail -o /etc/mail   -j READONLY -i -1
  /sbin/lidsconf -A -s /usr/sbin/sendmail -o /etc/mail/aliases   -j WRITE -i -1
  /sbin/lidsconf -A -s /usr/sbin/sendmail -o /etc/mail/aliases.db   -j WRITE -i -1
  /sbin/lidsconf -A -s /usr/sbin/sendmail -o CAP_SETUID -j GRANT -i -1
  /sbin/lidsconf -A -s /usr/sbin/sendmail -o CAP_SETGID -j GRANT -i -1
  /sbin/lidsconf -A -s /usr/sbin/sendmail -o CAP_SYS_ADMIN -j GRANT -i -1
  /sbin/lidsconf -A -s /usr/sbin/sendmail -o CAP_NET_BIND_SERVICE 25-25 -j GRANT -i -1

  # Depending on how you have the log files secured
  # (The maillog will normally get rotated out and this
  # rule will stop working when that happens unless you
  # stop the log rotation.)

  /sbin/lidsconf -A -s /usr/sbin/sendmail -o /var/log/maillog -j APPEND -i -1

  7.14.  apcupsd

  /sbin/lidsconf -A -o /etc/apcupsd                                        -j DENY
  /sbin/lidsconf -A -s /sbin/apcupsd -o /etc/apcupsd                       -j READONLY
  /sbin/lidsconf -A -s /sbin/apcupsd -o CAP_HIDDEN -i -1                   -j GRANT

  7.15.  pump

  /sbin/lidsconf -A -s /sbin/pump -o CAP_NET_BIND_SERVICE 68-68            -j GRANT
  /sbin/lidsconf -A -s /sbin/pump -o CAP_NET_RAW                           -j GRANT
  /sbin/lidsconf -A -s /sbin/pump -o CAP_HIDDEN                            -j GRANT

  7.16.  snort

  /sbin/lidsconf -A -s /usr/sbin/snort -o CAP_DAC_OVERRIDE                 -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/snort -o CAP_NET_RAW                      -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/snort -o CAP_HIDDEN                       -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/snort -o CAP_SETUID                       -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/snort -o CAP_SETGID                       -j GRANT

  7.17.  getty

  /sbin/lidsconf -A -s /sbin/getty -o CAP_DAC_OVERRIDE                     -j GRANT
  /sbin/lidsconf -A -s /sbin/getty -o CAP_HIDDEN                           -j GRANT

  7.18.  login

  /sbin/lidsconf -A -s /bin/login -o /etc/shadow                           -j READONLY
  /sbin/lidsconf -A -s /bin/login -o CAP_SETUID                            -j GRANT
  /sbin/lidsconf -A -s /bin/login -o CAP_SETGID                            -j GRANT
  /sbin/lidsconf -A -s /bin/login -o CAP_CHOWN                             -j GRANT
  /sbin/lidsconf -A -s /bin/login -o CAP_FSETID                            -j GRANT

  7.19.  su

  /sbin/lidsconf -A -s /bin/su -o /etc/shadow                              -j READONLY
  /sbin/lidsconf -A -s /bin/su -o CAP_SETUID                               -j GRANT
  /sbin/lidsconf -A -s /bin/su -o CAP_SETGID                               -j GRANT

  7.20.  exim

  /sbin/lidsconf -A -s /usr/sbin/exim -o CAP_SETGID -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/exim -o CAP_SETUID -j GRANT

  7.21.  qpopper

  /sbin/lidsconf -A -s /usr/sbin/in.qpopper -o /etc/shadow -j READONLY

  7.22.  proftp

  /sbin/lidsconf -A -s /usr/sbin/proftpd  -o CAP_SETGID -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/proftpd  -o CAP_SETUID -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/proftpd  -o CAP_SYS_CHROOT -j GRANT
  /sbin/lidsconf -A -s /usr/sbin/proftpd  -o /etc/shadow -j READONLY

  8.  LIDS technical questions

  8.1.  Does LIDS work with file systems other than ext2?

  Yes. In the words of Philippe Biondi, one of the LIDS developers:

       "LIDS works at the very top of the VFS layer, so it works with any fs
       that Linux supports."

  8.2.  Does LIDS work on SMP systems?

  There have been several reports of problems running LIDS on SMP systems.
  Most of them have been fixed, so it is recommended that you try the latest
  version. Xie and Philippe are working hard on these problems, so please
  report any you find to the LIDS mailing list.

  Update (2/10/01): several users have reported that LIDS-1.0.5 works on SMP
  systems with 2.4.x kernels.

  8.3.  Does LIDS coexist with Solar Designer's Openwall patch?

  Yes. Applying both LIDS and the Openwall patch fails in one hunk (as of
  release 0.9.11 for kernel 2.2.18). I do not believe this error affects the
  security of the system. If the error still bothers you, go to
  http://root-it.be/community/lids and download the combined LIDS + Openwall
  patch. Wim Vandersmissen has kindly merged the patches and fixed the error
  for us, and he also provides other combined patches that include LIDS on
  his site.

  8.4.  Does LIDS work on other hardware?

  I have not heard any confirmed reports of LIDS working on other hardware
  platforms. If you get LIDS running on a different architecture, please let
  everyone know about your efforts.

  Update: Johannes Helje has successfully installed LIDS on a pair of SUN IPX
  machines. He is using a 2.2.18 kernel and Debian.

  Update: Joseph P. Garcia (jpgarcia@execpc.com) has tried to install LIDS on
  a PowerPC-based PowerBook G3, without success so far. The details, quoted
  from his mail, follow:

  I am currently pursuing trying out LIDS on my 30-month old powerpc-based
  Macintosh PowerBook G3. ('oldworld' powermac for those who know what that
  is)  I use the BootX boot loader to boot Linux, loosely based on LinuxPPC
  2000 Q4, using kernel 2.4.7pre3, glibc 2.2.3, and gcc 2.95.4.

  My attempts to use LIDS on my system have yielded little results.  With the
  patch applied and LIDS disabled via config, the kernel works fine.  With
  LIDS enabled in any degree, even just CONFIG_LIDS and security=0, my kernel
  does not boot.  The normal routine is BootX cleans out MacOS, sets up
  hardware (like harddrive spin down), the kernel clears the screen, shows
  simple settings via 'BootX text', and begins booting with output on a
  framebuffer console.  With LIDS enabled, the kernel doesn't even clear the
  screen.  I looked at the code that does this, and to my best understanding,
  it just writes memory.  I can't tell just how far it gets.

  As far as i know, lids should not be active until much later.  So this
  would either be caused by a fundamental code modification LIDS performs
  that I do not understand, or a possible feature that prevents the kernel to
  boot normally on my system.

  I am unaware of any other efforts to run LIDS on powerpc at this time.
  I am willing to lend my time when available to test theories and
  modifications people may have to add support to LIDS for the
  increasingly popular PowerPC architecture.

  As it stands, after writing this,  I think I will try disabling the BootX
  text option and see what happens.  Attached is my kernel config (bz2)
  before this modification.

  Thank you all for your time and consideration.

  8.5.  What is the difference between LIDS versions 0.x and 1.x?

  LIDS 0.x is for Linux kernel 2.2.x, and LIDS 1.x is for Linux kernel 2.4.x.

