The following is a sample configuration for basic system setup.
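# Sample LIDS ACL set for a basic system. Each command adds one rule with
# "lidsconf -A": -o names the protected object (a path or a capability),
# -s names the program (subject) the rule applies to, and -j sets the access
# level or GRANT. A rule without -s applies to every program.
#
# The listing is restored to one command per line; in collapsed form the
# leading '#' turned every rule into a comment, and a stray trailing '|'
# was left over from the page layout.

#
# Protect System Binaries
#
/sbin/lidsconf -A -o /sbin -j READONLY
/sbin/lidsconf -A -o /bin -j READONLY

#
# Protect all of /usr and /usr/local
# (This assumes /usr/local is on a separate file system).
#
/sbin/lidsconf -A -o /usr -j READONLY
/sbin/lidsconf -A -o /usr/local -j READONLY

#
# Protect the System Libraries
# (/usr/lib is protected above since /usr/lib generally isn't
# on a separate file system than /usr)
#
/sbin/lidsconf -A -o /lib -j READONLY

#
# Protect /opt
#
/sbin/lidsconf -A -o /opt -j READONLY

#
# Protect System Configuration files
#
# /etc/shadow and /etc/lilo.conf are denied to every program by default;
# the per-program rules in the next section re-open /etc/shadow read-only.
#
/sbin/lidsconf -A -o /etc -j READONLY
/sbin/lidsconf -A -o /usr/local/etc -j READONLY
/sbin/lidsconf -A -o /etc/shadow -j DENY
/sbin/lidsconf -A -o /etc/lilo.conf -j DENY

#
# Enable system authentication
#
# Only login, vlock and su may read /etc/shadow. Any other program that
# verifies passwords on this host needs its own READONLY rule; none is
# defined here, so authentication through it would fail.
# su also gets CAP_SETUID and CAP_SETGID so it can change user and group.
#
/sbin/lidsconf -A -s /bin/login -o /etc/shadow -j READONLY
/sbin/lidsconf -A -s /usr/bin/vlock -o /etc/shadow -j READONLY
/sbin/lidsconf -A -s /bin/su -o /etc/shadow -j READONLY
/sbin/lidsconf -A -s /bin/su \
  -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /bin/su \
  -o CAP_SETGID -j GRANT

#
# Protect the boot partition
#
/sbin/lidsconf -A -o /boot -j READONLY

#
# Protect root's home dir, but allow bash history
#
# NOTE(review): the history file is WRITE, not APPEND, so any /bin/bash
# process that passes the normal file permissions can rewrite or truncate
# it. Do not rely on it as an audit trail.
#
/sbin/lidsconf -A -o /root -j READONLY
/sbin/lidsconf -A -s /bin/bash -o /root/.bash_history -j WRITE

#
# Protect system logs
#
# Everything under /var/log is append-only. wtmp and lastlog are opened
# WRITE for the programs listed below.
# NOTE(review): no rule covers log rotation or truncation; whatever rotates
# logs on this host will presumably be blocked until it gets its own rule.
# Confirm against the host's rotation setup.
#
/sbin/lidsconf -A -o /var/log -j APPEND
/sbin/lidsconf -A -s /bin/login -o /var/log/wtmp -j WRITE
/sbin/lidsconf -A -s /bin/login -o /var/log/lastlog -j WRITE
/sbin/lidsconf -A -s /sbin/init -o /var/log/wtmp -j WRITE
/sbin/lidsconf -A -s /sbin/init -o /var/log/lastlog -j WRITE
/sbin/lidsconf -A -s /sbin/halt -o /var/log/wtmp -j WRITE
/sbin/lidsconf -A -s /sbin/halt -o /var/log/lastlog -j WRITE
# -i 1 sets an inheritance level of 1, presumably so that the commands
# rc.sysinit launches receive the same access.
/sbin/lidsconf -A -s /etc/rc.d/rc.sysinit \
  -o /var/log/wtmp -i 1 -j WRITE
/sbin/lidsconf -A -s /etc/rc.d/rc.sysinit \
  -o /var/log/lastlog -i 1 -j WRITE

#
# Startup
#
# /etc is READONLY above, so hwclock needs an explicit WRITE on /etc/adjtime.
#
/sbin/lidsconf -A -s /sbin/hwclock -o /etc/adjtime -j WRITE

#
# Shutdown
#
/sbin/lidsconf -A -s /sbin/init -o CAP_INIT_KILL -j GRANT
/sbin/lidsconf -A -s /sbin/init -o CAP_KILL -j GRANT

#
# Give the following init script the proper privileges to kill processes and
# unmount the file systems. However, anyone who can execute these scripts
# by themselves can effectively kill your processes. It's better than
# the alternative, however.
#
# Any ideas on how to get around this are welcome!
#
# NOTE(review): the grants are tied to the script path and, with -i 1, are
# passed on one level. The /etc READONLY rule above keeps the script itself
# from being modified; also keep its file permissions restricted to root.
# CAP_NET_ADMIN and CAP_SYS_ADMIN are broad, so treat this script as
# security-critical.
#
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt \
  -o CAP_INIT_KILL -i 1 -j GRANT
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt \
  -o CAP_KILL -i 1 -j GRANT
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt \
  -o CAP_NET_ADMIN -i 1 -j GRANT
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt \
  -o CAP_SYS_ADMIN -i 1 -j GRANT

#
# Other
#
# NOTE(review): CAP_SYS_ADMIN is a very broad capability; keep this rule
# only if /sbin/update is actually present and used on the system.
#
/sbin/lidsconf -A -s /sbin/update -o CAP_SYS_ADMIN -j GRANT

# After loading, list the resulting rules with "lidsconf -L" and check them
# against the intent above before relying on the protection.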