5.24. Is it possible to limit access based on time of day?

Yes. There is a new feature in LIDS version 0.10.1 for 2.2.19 and version 1.0.10 for 2.4.5 that allows a time restriction to be placed on ACLs. For example, to only allow logins between the hours of 9:00 AM and 6:00 PM (18:00):

/sbin/lidsconf -A -s /bin/login -o /etc/shadow -t 0900-1800 -j READONLY

Now, /bin/login can only read the /etc/shadow file during the specified time period and any login attempts outside of that time period will fail. You can also use the "!" operator for negation (e.g. The ACL permits access all the time except for the time period listed).

If you grant privileges to crond based on time restrictions, it is highly recommended that you hide your crontabs from everyone (including root), and only allow crond to read them. Otherwise, someone could figure out what time of day they should try and exploit something by looking at your crontabs. Remember to protect the system crontabs as well as the user crontabs.

For example, the following should be hidden:

/var/spool/cron/ /etc/crontab /etc/cron.hourly/ /etc/cron.daily/ /etc/cron.weekly/ /etc/cron.monthly/ /etc/cron.d/

WARNING: Because this new feature relies on the system time, you should not grant CAP_SYS_RAWIO to any program that can change the system time (e.g. /sbin/hwclock. This would allow someone to bypass the time restriction by changing the system time.