
3. lidsadm and lidsconf

3.1 What is lidsadm?

lidsadm is the LIDS administration utility; it is used to manage LIDS on the system. This includes enabling and disabling LIDS, sealing the kernel, and viewing the current LIDS state.

3.2 What is lidsconf?

lidsconf is used to configure the LIDS access control lists (ACLs). It is also used to set the LIDS password.

Note: In versions before LIDS 1.1.0, lidsadm also performed all of the work that lidsconf does now.

3.3 What options does lidsadm accept?

To list the available options, type:

# lidsadm -h

This returns the following output:


lidsadm version 1.1.1pre2-2.4.16 for LIDS project
       Huagang Xie<xie@gnuchina.org>
       Philippe Biondi <pbi@cartel-info.fr>

Usage: lidsadm -[S|I] -- [+|-][LIDS_FLAG] [...]
       lidsadm -V
       lidsadm -h

Commands:
       -S  To submit a password to switch some protections
       -I  To switch some protections without submitting password (sealing time)
       -V  To view current LIDS state (caps/flags)
       -v  To show the version
       -h  To list this help

Available capabilities:
           CAP_CHOWN chown(2)/chgrp(2)
    CAP_DAC_OVERRIDE DAC access
 CAP_DAC_READ_SEARCH DAC read
          CAP_FOWNER owner ID not equal user ID
          CAP_FSETID effective user ID not equal owner ID
            CAP_KILL real/effective ID not equal process ID
          CAP_SETGID set*gid(2)
          CAP_SETUID set*uid(2)
         CAP_SETPCAP transfer capability
 CAP_LINUX_IMMUTABLE immutable and append file attributes
CAP_NET_BIND_SERVICE binding to ports below 1024
   CAP_NET_BROADCAST broadcasting/listening to multicast
       CAP_NET_ADMIN interface/firewall/routing changes
         CAP_NET_RAW raw sockets
        CAP_IPC_LOCK locking of shared memory segments
       CAP_IPC_OWNER IPC ownership checks
      CAP_SYS_MODULE insertion and removal of kernel modules
       CAP_SYS_RAWIO ioperm(2)/iopl(2) access
      CAP_SYS_CHROOT chroot(2)
      CAP_SYS_PTRACE ptrace(2)
       CAP_SYS_PACCT configuration of process accounting
       CAP_SYS_ADMIN tons of admin stuff
        CAP_SYS_BOOT reboot(2)
        CAP_SYS_NICE nice(2)
    CAP_SYS_RESOURCE setting resource limits
        CAP_SYS_TIME setting system time
  CAP_SYS_TTY_CONFIG tty configuration
           CAP_MKNOD mknod operation
           CAP_LEASE taking leases on files
          CAP_HIDDEN Hidden process
       CAP_INIT_KILL Kill init children

Available flags:
         LIDS_GLOBAL de-/activate LIDS entirely
         RELOAD_CONF reload config. file and inode/dev of protected programs
                LIDS de-/activate LIDS locally (the shell & childs)

3.4 What options does lidsconf accept?

To list the available options, type:

# lidsconf -h

This returns the following output:

lidsconf version 1.1.1pre2-2.4.16 for the LIDS project
       Huagang Xie<xie@gnuchina.org>
       Philippe Biondi <philippe.biondi@webmotion.net>

Usage: lidsconf -A [-s subject] -o object [-d] [-t from-to] [-i level] -j ACTION
       lidsconf -D [-s file] [-o file]
       lidsconf -Z
       lidsconf -U
       lidsconf -L [-e]
       lidsconf -P
       lidsconf -v
       lidsconf -h

Commands:
       -A,--add To add an entry
       -D,--delete      To delete an entry
       -Z,--zero        To delete all entries
       -U,--update      To update dev/inode numbers
       -L,--list        To list all entries
       -P,--passwd      To encrypt a password with RipeMD-160
       -v,--version     To show the version
       -h,--help        To list this help

subject: -s,--subject subj
       can be any program, must be a file
object: -o,--object [obj]
       can be a file, directory or special device (e.g. MEM, HD, NET, IO,
                                                        HIDDEN, KILL)
ACTION: -j,--jump
       DENY     deny access
       READONLY read only
       APPEND   append only
       WRITE    writable
       GRANT    grant capability to subject
       IGNORE   ignore any permissions set on this object
OPTION:
      -d,--domain       The object is an EXEC Domain
      -i,--inheritance Inheritance level
      -t,--time Time dependency
      -e,--extended     Extended list
 
Available capabilities:
           CAP_CHOWN chown(2)/chgrp(2)
    CAP_DAC_OVERRIDE DAC access
 CAP_DAC_READ_SEARCH DAC read
          CAP_FOWNER owner ID not equal user ID
          CAP_FSETID effective user ID not equal owner ID
            CAP_KILL real/effective ID not equal process ID
          CAP_SETGID set*gid(2)
          CAP_SETUID set*uid(2)
         CAP_SETPCAP transfer capability
 CAP_LINUX_IMMUTABLE immutable and append file attributes
CAP_NET_BIND_SERVICE binding to ports below 1024
   CAP_NET_BROADCAST broadcasting/listening to multicast
       CAP_NET_ADMIN interface/firewall/routing changes
         CAP_NET_RAW raw sockets
        CAP_IPC_LOCK locking of shared memory segments
       CAP_IPC_OWNER IPC ownership checks
      CAP_SYS_MODULE insertion and removal of kernel modules
       CAP_SYS_RAWIO ioperm(2)/iopl(2) access
      CAP_SYS_CHROOT chroot(2)
      CAP_SYS_PTRACE ptrace(2)
       CAP_SYS_PACCT configuration of process accounting
       CAP_SYS_ADMIN tons of admin stuff
        CAP_SYS_BOOT reboot(2)
        CAP_SYS_NICE nice(2)
    CAP_SYS_RESOURCE setting resource limits
        CAP_SYS_TIME setting system time
  CAP_SYS_TTY_CONFIG tty configuration
           CAP_MKNOD mknod operation
           CAP_LEASE taking leases on files
          CAP_HIDDEN Hidden process
       CAP_INIT_KILL Kill init children
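As an added example that is not part of the FAQ or the LIDS project, the following POSIX shell script uses the lidsconf and lidsadm syntax shown above to build a minimal ACL set and then seal the kernel. The file paths, the program names and the LIDS_APPLY switch are constructed for this example; by default the script only prints the commands so the policy can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Build a small LIDS ACL set with lidsconf, then seal the kernel with lidsadm.
# Commands are printed, not executed, unless LIDS_APPLY=1 is set (our own
# dry-run switch, not a LIDS feature). All paths below are sample values.

# Run a command, or just print it in the default dry-run mode.
run() {
    if [ "${LIDS_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# lids_rule ACTION OBJECT [SUBJECT]
# Checks ACTION against the keywords listed by "lidsconf -h" and emits
# "lidsconf -A [-s SUBJECT] -o OBJECT -j ACTION".
lids_rule() {
    action=$1; obj=$2; subj=$3
    case $action in
        DENY|READONLY|APPEND|WRITE|GRANT|IGNORE) ;;
        *) echo "lids_rule: unknown ACTION '$action'" >&2; return 1 ;;
    esac
    # A capability grant needs a CAP_* object and a program (subject) to
    # receive it; this is the script's own sanity check before lidsconf runs.
    if [ "$action" = GRANT ]; then
        case $obj in CAP_*) ;; *) echo "lids_rule: GRANT needs a CAP_* object" >&2; return 1 ;; esac
        [ -n "$subj" ] || { echo "lids_rule: GRANT needs a subject (-s)" >&2; return 1; }
    fi
    if [ -n "$subj" ]; then
        run lidsconf -A -s "$subj" -o "$obj" -j "$action"
    else
        run lidsconf -A -o "$obj" -j "$action"
    fi
}

# A minimal policy: system binaries and /etc read-only, logs append-only,
# /etc/shadow hidden from everything except login, one capability grant.
example_policy() {
    run lidsconf -Z                                   # start from an empty ACL
    lids_rule READONLY /sbin
    lids_rule READONLY /etc
    lids_rule APPEND   /var/log                       # log files may only grow
    lids_rule DENY     /etc/shadow                    # no program may touch it...
    lids_rule READONLY /etc/shadow /bin/login         # ...except login, read-only
    lids_rule GRANT    CAP_NET_BIND_SERVICE /usr/sbin/httpd
    run lidsconf -U                                   # refresh dev/inode numbers
    # Seal the kernel: withdraw module loading and raw I/O from every program.
    run lidsadm -I -- -CAP_SYS_MODULE -CAP_SYS_RAWIO
}

example_policy
```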

