7.7. OpenSSH (3.4p1)

The following configuration lets sshd work when it is started after boot, while LIDS_GLOBAL is on, because it grants sshd the CAP_NET_BIND_SERVICE capability it needs to bind port 22.
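# LIDS ACLs for OpenSSH's sshd.
# Flags as used below: -A adds a rule, -s names the subject (program),
# -o names the object (a path or a capability), -j sets the action.
# Every rule must call /sbin/lidsconf; a misspelled binary name means the
# rule is never loaded and sshd silently lacks that permission.

# sshd may read the password hashes to authenticate users.
# NOTE(review): this presumably overrides a stricter default rule on
# /etc/shadow defined elsewhere in the configuration; confirm it exists.
/sbin/lidsconf -A -s /usr/sbin/sshd -o /etc/shadow      -j READONLY

# Default rules (no -s): the server config and the private host keys are
# denied to every program.
# NOTE(review): if sshd_config names further HostKey files (for example
# /etc/ssh/ssh_host_rsa_key), give each the same DENY + READONLY pair.
/sbin/lidsconf -A -o /etc/ssh/sshd_config               -j DENY
/sbin/lidsconf -A -o /etc/ssh/ssh_host_key              -j DENY
/sbin/lidsconf -A -o /etc/ssh/ssh_host_dsa_key          -j DENY

# Exceptions for sshd only: read access, never write, to the same files.
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o /etc/ssh/sshd_config               -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o /etc/ssh/ssh_host_key              -j READONLY
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o /etc/ssh/ssh_host_dsa_key          -j READONLY

# sshd records logins, so it needs write access to the login accounting files.
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o /var/log/wtmp                      -j WRITE
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o /var/log/lastlog                   -j WRITE

# Capabilities granted to sshd only.
# CAP_SETUID / CAP_SETGID: switch to the uid/gid of the authenticated user.
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o CAP_SETUID                         -j GRANT
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o CAP_SETGID                         -j GRANT
# CAP_FOWNER / CAP_CHOWN: act on files sshd does not own and change file
# ownership.
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o CAP_FOWNER                         -j GRANT
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o CAP_CHOWN                          -j GRANT
# CAP_DAC_OVERRIDE bypasses ordinary file permission checks; it is the
# broadest grant in this list, so keep the file ACLs above tight.
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o CAP_DAC_OVERRIDE                   -j GRANT
# Binding is limited to the port range 22-22, i.e. port 22 only.
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o CAP_NET_BIND_SERVICE 22-22         -j GRANT
# CAP_SYS_CHROOT allows chroot().
# NOTE(review): presumably needed for sshd privilege separation; confirm.
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o CAP_SYS_CHROOT                     -j GRANT
# CAP_SYS_RESOURCE allows overriding resource limits.
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o CAP_SYS_RESOURCE                   -j GRANT
# CAP_SYS_TTY_CONFIG allows tty configuration, including vhangup().
/sbin/lidsconf -A -s /usr/sbin/sshd \
                  -o CAP_SYS_TTY_CONFIG                 -j GRANT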