Next: Capability Names and Descriptions Up: The Linux Intrusion Detection Previous: An Example: Protecting a   Contents   Index


Kernel Capabilities

When a process is created it is given a set of capabilities from the kernel. These capabilities tell the process what it can and can not do. LIDS gives you the ability to alter these capabilities in the kernel. You can set the capabilities to apply to all processes or only specific processes. We saw how to apply capabilities to only specific processes previously in the Adding an Entry section and in the above example.

The default capability set that LIDS uses is defined in the /etc/lids/lids.cap file. This file contains a list of the capabilities by name, each preceded by a number and a + or - symbol. A + enables the capability that follows it and a - disables it. Before each capability is a description of what the capability does. We suggest you keep the default capabilities. You can also find a list of all the capabilities and their definitions at the end of this section, or by simply typing lidsadm or lidsadm -h. Issuing:

lidsadm -I
sets all the capabilities listed in the /etc/lids/lids.cap file. By default, in EnGarde Linux, this command is entered into the /etc/rc.local file so that the kernel is sealed during boot-up. When LIDS is disabled the capabilities return to their original settings, and when you enable the kernel again they return to their previous (sealed) state.
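As an added illustration, not part of the EnGarde documentation or the LIDS project: a small Python audit script that parses a lids.cap-style file and reports which capabilities it leaves enabled. It assumes the entry layout +NUMBER:CAP_NAME (the page only says a number and a + or - precede each name); the sample file contents and the must-be-disabled list are constructed for the example and are not a recommended policy.

```python
import re
from typing import Dict, Iterable, List, NamedTuple

# Assumed line layout (the page only says a number and a + or - precede each
# name): "+0:CAP_CHOWN" enables, "-16:CAP_SYS_MODULE" disables.
CAP_LINE = re.compile(r"^\s*([+-])\s*(\d+)\s*:\s*(CAP_[A-Z0-9_]+)\s*$")


class CapEntry(NamedTuple):
    number: int
    enabled: bool


def parse_lids_cap(text: str) -> Dict[str, CapEntry]:
    """Parse the body of a lids.cap file into {capability name: CapEntry}.

    Comment lines ("#...") and blank lines are skipped. A line that is neither a
    comment nor a capability entry raises ValueError with its line number: a
    silently ignored typo would leave a capability in an unexpected state after
    the kernel is sealed. Duplicate names are rejected for the same reason.
    """
    caps: Dict[str, CapEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CAP_LINE.match(line)
        if m is None:
            raise ValueError(f"lids.cap line {lineno}: cannot parse {raw!r}")
        sign, number, name = m.groups()
        if name in caps:
            raise ValueError(f"lids.cap line {lineno}: duplicate entry for {name}")
        caps[name] = CapEntry(number=int(number), enabled=(sign == "+"))
    return caps


def disabled_caps(caps: Dict[str, CapEntry]) -> List[str]:
    """Names of the capabilities the file switches off (the '-' entries), sorted."""
    return sorted(name for name, entry in caps.items() if not entry.enabled)


def still_enabled(caps: Dict[str, CapEntry], must_be_disabled: Iterable[str]) -> List[str]:
    """Subset of must_be_disabled that the file does not confirm as disabled.

    A capability missing from the file is reported too: lidsadm -I only acts on
    the listed entries, so an omitted name cannot be assumed to be off.
    """
    return sorted(n for n in must_be_disabled if n not in caps or caps[n].enabled)


# Constructed sample in the lids.cap style; a real file carries a description
# comment above every entry and lists every capability the kernel knows.
SAMPLE_LIDS_CAP = """\
# CAP_CHOWN: override chown/chgrp restrictions
+0:CAP_CHOWN
# CAP_SETUID: allow setuid/setgid manipulation
+7:CAP_SETUID
# CAP_SYS_MODULE: insert and remove kernel modules
-16:CAP_SYS_MODULE
# CAP_SYS_RAWIO: raw I/O access (ioperm/iopl, /dev/mem)
-17:CAP_SYS_RAWIO
# CAP_SYS_ADMIN: catch-all administrative operations
+21:CAP_SYS_ADMIN
"""

# Illustrative audit list for the demo, not a recommendation from the page.
DEMO_MUST_BE_DISABLED = ["CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_ADMIN", "CAP_NET_RAW"]


if __name__ == "__main__":
    caps = parse_lids_cap(SAMPLE_LIDS_CAP)
    print("disabled by file:", disabled_caps(caps))
    print("not confirmed disabled:", still_enabled(caps, DEMO_MUST_BE_DISABLED))
```

Run it against the real file with parse_lids_cap(open("/etc/lids/lids.cap").read()) before issuing lidsadm -I; an entry that fails to parse is worth fixing first, since the sealed kernel will carry whatever the file actually says.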

Earlier we set capabilities on a binary. What we were actually doing was granting a capability to the process that the binary creates:

lidsadm -A -s /path/to/binary -t -o CAP_NAME
All processes, however, are protected from being killed by anyone but the owner of the process. This protection, too, can be lifted for a given binary with the command above.



docs@guardiandigital.com 2002-12-16