7.1. Basic System Setup

The following is a sample configuration for basic system setup.
# Protect System Binaries
#
# -A adds an ACL entry, -o names the protected object and -j the access
# allowed.  No -s subject is given, so the rule applies to every process.
# The subject-specific rules further down name programs under /sbin and
# /bin (login, su, bash, init, halt, hwclock, update); keeping these
# directories read-only is what stops those subjects from being replaced.
#
/sbin/lidsconf -A -o /sbin                               -j READONLY
/sbin/lidsconf -A -o /bin                                -j READONLY

# Protect all of /usr and /usr/local
# (This assumes /usr/local is on a separate file system.)
# NOTE(review): the second rule is presumably needed because a rule on
# /usr does not carry across a mount point -- confirm for your LIDS
# version.  If so, any other file system mounted below /usr needs its
# own rule as well.
#
/sbin/lidsconf -A -o /usr                                -j READONLY
/sbin/lidsconf -A -o /usr/local                          -j READONLY

# Protect the System Libraries
# (/usr/lib is already covered by the /usr rule above, since /usr/lib
# generally isn't on a separate file system from /usr.)
# Programs load shared code from here at run time, so a writable /lib
# would undermine the READONLY rules on the binaries themselves.
#
/sbin/lidsconf -A -o /lib                                -j READONLY

# Protect /opt
# Same read-only treatment as /usr; no subject is given, so the rule
# applies to every process.
#
/sbin/lidsconf -A -o /opt				-j READONLY

# Protect System Configuration files
#
# /etc and /usr/local/etc become read-only for every process.  A file
# under them that must change at run time needs its own subject rule
# (see /etc/adjtime under "Startup").
# /etc/shadow and /etc/lilo.conf get DENY, which blocks access to them
# altogether rather than only writes.  /etc/shadow is then re-opened,
# read-only, to named programs under "Enable system authentication".
# NOTE(review): lilo.conf is presumably denied because it can hold a
# boot password -- confirm.
#
/sbin/lidsconf -A -o /etc                                -j READONLY
/sbin/lidsconf -A -o /usr/local/etc                      -j READONLY
/sbin/lidsconf -A -o /etc/shadow                         -j DENY
/sbin/lidsconf -A -o /etc/lilo.conf                      -j DENY

# Enable system authentication
#
# /etc/shadow is DENY by default (see the configuration-file rules
# above).  Only the three programs named with -s here may read it, and
# none may write it.  Any other program that verifies passwords on this
# host needs a rule of its own; keep that list short, because every
# subject added can read the password hashes.
# NOTE(review): no subject is granted WRITE on /etc/shadow, so password
# changes presumably have to be made while LIDS protection is switched
# off -- confirm.
#
/sbin/lidsconf -A -s /bin/login -o /etc/shadow           -j READONLY
/sbin/lidsconf -A -s /usr/bin/vlock -o /etc/shadow       -j READONLY
/sbin/lidsconf -A -s /bin/su -o /etc/shadow              -j READONLY
# su has to change user and group identity, hence the two capability
# grants below.  They are tied to the path /bin/su, which the READONLY
# rule on /bin keeps from being replaced.
/sbin/lidsconf -A -s /bin/su \
                  -o CAP_SETUID                          -j GRANT
/sbin/lidsconf -A -s /bin/su \
                  -o CAP_SETGID                          -j GRANT

# Protect the boot partition
# No subject is given, so no process may modify anything under /boot
# while this rule is in force.
#
/sbin/lidsconf -A -o /boot                               -j READONLY

# Protect root's home dir, but allow bash history
#
# The exception is tied to the subject /bin/bash, not to a user, and it
# is WRITE rather than the APPEND used for /var/log below, so the file
# can be rewritten or truncated as well as extended.  Any bash process
# able to open the file can therefore alter it; do not treat
# .bash_history as an audit record.
#
/sbin/lidsconf -A -o /root                               -j READONLY
/sbin/lidsconf -A -s /bin/bash -o /root/.bash_history    -j WRITE

# Protect system logs
#
# APPEND lets every process add to the files under /var/log but not
# alter what is already there.  wtmp and lastlog are the exceptions:
# login, init, halt and rc.sysinit each get WRITE on both files.
# NOTE(review): nothing here covers rotating or compressing logs; a
# rotation tool would presumably need a rule of its own -- confirm
# before relying on this set in production.
#
/sbin/lidsconf -A -o /var/log                            -j APPEND
/sbin/lidsconf -A -s /bin/login -o /var/log/wtmp         -j WRITE
/sbin/lidsconf -A -s /bin/login -o /var/log/lastlog      -j WRITE
/sbin/lidsconf -A -s /sbin/init -o /var/log/wtmp         -j WRITE
/sbin/lidsconf -A -s /sbin/init -o /var/log/lastlog      -j WRITE
/sbin/lidsconf -A -s /sbin/halt -o /var/log/wtmp         -j WRITE
/sbin/lidsconf -A -s /sbin/halt -o /var/log/lastlog      -j WRITE
# rc.sysinit is a script rather than a single binary, so these two rules
# add -i 1.
# NOTE(review): -i is taken to be the inheritance level, with 1 passing
# the permission on to the commands the script starts directly --
# confirm in the lidsconf documentation.
/sbin/lidsconf -A -s /etc/rc.d/rc.sysinit \
                  -o /var/log/wtmp -i 1                  -j WRITE
/sbin/lidsconf -A -s /etc/rc.d/rc.sysinit \
                  -o /var/log/lastlog -i 1               -j WRITE

# Startup
#
# /etc is READONLY for every process (see the configuration-file rules
# above), so hwclock needs this explicit exception to update
# /etc/adjtime.  The exception covers that one file for that one
# subject only.
#
/sbin/lidsconf -A -s /sbin/hwclock -o /etc/adjtime       -j WRITE


# Shutdown
#
# init is granted the capabilities it needs to signal the remaining
# processes at shutdown.  No -i is given on these two rules.
# NOTE(review): CAP_INIT_KILL is understood to be the LIDS capability
# for killing processes started by init -- confirm.
#
/sbin/lidsconf -A -s /sbin/init -o CAP_INIT_KILL         -j GRANT
/sbin/lidsconf -A -s /sbin/init -o CAP_KILL              -j GRANT

# Give the following init script the proper privileges to kill processes and
# unmount the file systems.  However, anyone who can execute this script
# by itself can effectively kill your processes.  It's better than
# the alternative, however.
#
# Any ideas on how to get around this are welcome!
#
# Review note: CAP_SYS_ADMIN and CAP_NET_ADMIN are broad capabilities,
# and all four grants carry -i 1, so they are not limited to the script
# itself.  The script sits under /etc, which is READONLY above, so it
# cannot be edited while the rules are in force; in addition keep it
# executable by root only and treat every command it calls as part of
# the trusted set.
# NOTE(review): -i 1 is taken to mean that commands started directly by
# the script inherit the grant -- confirm.
#
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt \
                  -o CAP_INIT_KILL -i 1                  -j GRANT
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt \
                  -o CAP_KILL -i 1                       -j GRANT
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt \
                  -o CAP_NET_ADMIN -i 1                  -j GRANT
/sbin/lidsconf -A -s /etc/rc.d/init.d/halt \
                  -o CAP_SYS_ADMIN -i 1                  -j GRANT

# Other
#
# CAP_SYS_ADMIN is a broad capability, and this grants it to one binary
# by path.
# NOTE(review): /sbin/update is presumably the buffer-flush daemon; if
# this host does not run it, leave the rule out rather than carry an
# unused grant -- confirm.
#
/sbin/lidsconf -A -s /sbin/update -o CAP_SYS_ADMIN       -j GRANT