Next: Deleting an Entry
Up: Using LIDS
Previous: Using the lidsadm Utility
  Contents
  Index
Adding an Entry
Using this option allows you to add a new item to the LIDS config.
You have the options to add a single file with an attribute, give
a file permission to override another file's permissions, and change
the capabilities of a file.
    lidsadm -A [-s subject] -o object [-t] -j TARGET
To protect a file, give the filename and path with the -o
flag, followed by the attribute (READ, WRITE, IGNORE, DENY, or APPEND)
after the -j flag. If your object is a capability setting,
you need to use the -t flag to tell lidsadm it's a special
option. -s is used to point the object to a subject. In the
case of capabilities, you are pointing a capability to the subject,
that is, giving the subject the capability. The same idea applies to
file protections: if you deny access to a file but want a particular
program to use it, you point the denied file (the object, -o) at the
program that should get access (the subject, -s), then tell lidsadm
what kind of access to give it with -j. Here's an example
of protecting a file:
    lidsadm -A -o /path/to/protected_file -j DENY
Now to give a binary full access to the file that was denied to everyone
else:
    lidsadm -A -s /path/to/binary \
        -o /path/to/protected_file -j WRITE
We also want to give the binary the capability to chown, which has
been disabled earlier by LIDS:
    lidsadm -A -s /path/to/binary \
        -t -o CAP_CHOWN -j INHERIT
When changing a file's capabilities we use INHERIT or NO_INHERIT instead
of the READ...APPEND attributes. Using INHERIT gives the file access
to the capability, while NO_INHERIT turns off the file's ability
to use the given capability. In a later section capabilities are explained
in more detail. In the next section an example of a package being
protected is given.
NOTE: Don't forget to run lidsadm -S -- +RELOAD_CONF after changes
have been made so they take effect when you reload LIDS.
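As an added example that is not part of the LIDS documentation, the following shell helper (hypothetical function names lids_rule and lids_protect_example, hypothetical variable LIDS_APPLY) builds the three rules above plus the reload command, refusing a file object given INHERIT/NO_INHERIT or a -t capability object given a file attribute, and prints each command, running it only when LIDS_APPLY=1 is set.

```shell
# Hypothetical helper (not part of LIDS): compose "lidsadm -A" rules as described
# above, reject target/object mixes that do not fit, run only when LIDS_APPLY=1.

# lids_rule [-s subject] [-t] -o object -j TARGET
# Prints the command it builds; returns 1 (and prints nothing) on bad input.
lids_rule() {
    subject="" object="" target="" cap=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -s) subject="$2"; shift 2 ;;
            -o) object="$2";  shift 2 ;;
            -j) target="$2";  shift 2 ;;
            -t) cap=1;        shift   ;;
            *)  echo "lids_rule: unknown argument: $1" >&2; return 1 ;;
        esac
    done
    if [ -z "$object" ] || [ -z "$target" ]; then
        echo "lids_rule: -o object and -j TARGET are required" >&2; return 1
    fi
    if [ "$cap" -eq 1 ]; then
        # Capability objects (-t) are CAP_* names and take INHERIT/NO_INHERIT.
        case "$object" in CAP_*) ;; *)
            echo "lids_rule: -t expects a CAP_* name, got $object" >&2; return 1 ;;
        esac
        case "$target" in INHERIT|NO_INHERIT) ;; *)
            echo "lids_rule: $object needs INHERIT or NO_INHERIT, not $target" >&2; return 1 ;;
        esac
    else
        # File objects take one of the file attributes.
        case "$target" in READ|WRITE|IGNORE|DENY|APPEND) ;; *)
            echo "lids_rule: file $object needs READ/WRITE/IGNORE/DENY/APPEND, not $target" >&2; return 1 ;;
        esac
    fi
    cmd="lidsadm -A"
    [ -n "$subject" ] && cmd="$cmd -s $subject"
    [ "$cap" -eq 1 ] && cmd="$cmd -t"
    cmd="$cmd -o $object -j $target"
    echo "$cmd"
    if [ "${LIDS_APPLY:-0}" = "1" ]; then $cmd; fi
}

# The sequence from this section, followed by the reload the note asks for.
lids_protect_example() {
    lids_rule -o /path/to/protected_file -j DENY &&
    lids_rule -s /path/to/binary -o /path/to/protected_file -j WRITE &&
    lids_rule -s /path/to/binary -t -o CAP_CHOWN -j INHERIT &&
    echo "lidsadm -S -- +RELOAD_CONF" &&
    { [ "${LIDS_APPLY:-0}" != "1" ] || lidsadm -S -- +RELOAD_CONF; }
}
```

Without LIDS_APPLY=1 the functions only print the commands, which is a convenient way to review a rule set before applying it on a LIDS host.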
docs@guardiandigital.com
2002-12-16