Linux Intrusion Detection System FAQ
Prev	Chapter 5. Configuring LIDS	Next

5.10. When LIDS is active, my file systems won't unmount during shutdown. What do I do?

This happens when you have disabled the CAP_SYS_ADMIN capability globally and have not given the proper authority to unmount your file systems to your shutdown script(s). For example, on Red Hat 6.2, the /etc/rc.d/init.d/halt script unmounts your file systems. You must give it the CAP_SYS_ADMIN capability so it can unmount your file systems:
bash# lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_SYS_ADMIN -i 1 -j GRANT
The target "GRANT" tells LIDS to grant the subject (/etc/rc.d/init.d/halt in this case) the CAP_SYS_ADMIN capability. The "-i 1" option sets the "inheritance level" of the ACL to 1.

Beware that this also allows anyone who can execute your /etc/rc.d/init.d/halt script to unmount your file systems. If you have physical access to your box, you may just want to turn off LIDS_GLOBAL before shutting down your system rather than grant capabilities to your shutdown scripts. However, if you have a UPS that can shutdown your system in case of power failure, you may not be around to disable LIDS_GLOBAL.

Prev	Home	Next
Why can't I just give my log rotation utility write access to the directory containing my log files so it can rotate them?	Up	Why can't I start a service that runs on a privileged port as root?