Part VI ✦ Tuning for Performance and Scalability

9. If you want LIDS to disconnect the console when a user violates a security rule, select the Hang up console when raising a security alert option.

10. LIDS is enabled during the boot process, so it is likely that you will run other programs before it. If you wish to issue a security alert when a program is executed before LIDS protection is enabled, select the Security alert when execing unprotected programs before sealing LIDS option. When you select this option, you also get the chance to disable execution of unprotected programs altogether by using the Do not execute unprotected programs before sealing LIDS option. I do not recommend that you disallow unprotected programs completely during boot unless you are absolutely certain that everything (that is, all the utilities, daemons, and so on) that you want to run during boot is protected and will not stop the normal boot process.

11. Enable the Try not to flood logs (NEW) option and leave the default 60-second delay between logging of two identical entries to conserve the sanity and the size of the log file.

12. (Optional) Select the Allow switching LIDS protections option if you want to allow switching of LIDS protection. If you do, you can customize this further by setting the values for Number of attempts to submit password, Time to wait after a fail (seconds), Allow remote users to switch LIDS protections, Allow any program to switch LIDS protections, and Allow reloading config. file. My preferences are shown below.

[*] Allow switching LIDS protections (NEW)
(3)   Number of attempts to submit password (NEW)
(3)   Time to wait after a fail (seconds) (NEW)
[*]   Allow remote users to switch LIDS protections (NEW)
[ ]   Allow any program to switch LIDS protections (NEW)
[*]   Allow reloading config. file (NEW)

13. You definitely want to select the Port Scanner Detector in kernel option, so that you can detect port scans by potential intruders, and the Send security alerts through network option. Leave the default values for the second option as is.

14. Save your kernel configuration and run the following commands to compile the new kernel and its modules (if any):

make depend
make bzImage
make modules
make modules_install

m4821-2 ch23.F 2/22/02 10:32 AM Page 690

Chapter 23 ✦ Creating a High-Availability Network

If you are not compiling a newer version of the kernel than what is running on the system, you should back up the /lib/modules/current-version directory, where current-version is the current kernel version. For example, if you are compiling version 2.4.1 and you already have 2.4.1 running, run the cp -r /lib/modules/2.4.1 /lib/modules/2.4.1.bak command to back up the current modules. In case of a problem with the new kernel, you can delete the broken kernel's modules and rename this directory to its original name.

15. Now copy the newly created /usr/src/linux/arch/i386/boot/bzImage kernel image to /boot/vmlinuz-lids-1.0.5-2.4.1 by using the following command:

cp /usr/src/linux/arch/i386/boot/bzImage /boot/vmlinuz-lids-1.0.5-2.4.1

16. Add the following to the /etc/lilo.conf file:

image=/boot/vmlinuz-lids-1.0.5-2.4.1
label=lids
read-only
root=/dev/hda1

If /dev/hda1 is not the root device, make sure you change it as appropriate.

17. Run /sbin/lilo to reconfigure lilo.

The kernel part of the configuration is complete, and LIDS configuration can now be done.

Compiling, installing, and configuring LIDS

To compile and install the LIDS administrative program lidsadm, follow these steps:

1. Assuming you have installed the LIDS source in the /usr/local/src directory, change to /usr/local/src/lids-1.0.5-2.4.1/lidsadm-1.0.5.

2. Run the make; make install commands to install the lidsadm program in /sbin and to create the necessary configuration files (lids.cap, lids.conf, lids.net, lids.pw) in /etc/lids.

3. Run the /sbin/lidsadm -P command and enter a password for the LIDS system. This password is stored in the /etc/lids/lids.pw file in RipeMD-160 encrypted format.

4. Run the /sbin/lidsadm -U command to update the inode/dev numbers.

5. Configure the /etc/lids/lids.net file. Following is a simplified version of the default /etc/lids/lids.net file:

MAIL_SWITCH= 1
MAIL_RELAY=127.0.0.1:25
MAIL_SOURCE=lids.sinocluster.com
MAIL_FROM= LIDS_ALERT@lids.sinocluster.com
MAIL_TO= root@localhost
MAIL_SUBJECT= LIDS Alert

• The MAIL_SWITCH option can be 1 or 0, where 1 turns on the e-mail alert function and 0 turns it off. Leave the default as is.

• The MAIL_RELAY option should be set to the IP address of the mail server that LIDS should use to send the alert message. If you run the mail server on the same machine that you are configuring LIDS for, leave the default as is. The port number, 25, is the default SMTP port and should be left alone unless you are running your mail server on a different port.

• The MAIL_SOURCE option should be set to the host name of the machine being configured. Change the default to the appropriate host name of your system.

• The MAIL_FROM option should be set to an address that tells you from which system the alert is coming. The default should be changed to reflect the host name of your system. You do not need to create a real mail account for the from address to be useful.

• The MAIL_TO option should be set to the e-mail address of the administrator of the system being configured. Because the root address, root@localhost, is the default administrative account, you can leave it as is.

• The MAIL_SUBJECT option is obvious and should be changed as needed.

6. To see what is protected by default, run the /sbin/lidsadm -L command, which should show output similar to the following:

LIST
Subject                   ACCESS TYPE   Object
Any File                  READ          /sbin
Any File                  READ          /bin
Any File                  READ          /boot
Any File                  READ          /lib
Any File                  READ          /usr
Any File                  DENY          /etc/shadow
/bin/login                READ          /etc/shadow
/bin/su                   READ          /etc/shadow
Any File                  APPEND        /var/log
Any File                  WRITE         /var/log/wtmp
/sbin/fsck.ext2           WRITE         /etc/mtab
Any File                  WRITE         /etc/mtab
Any File                  WRITE         /etc
/usr/sbin/sendmail        WRITE         /var/log/sendmail.st
/bin/login                WRITE         /var/log/lastlog
/bin/cat                  READ          /home/xhg
Any File                  DENY          /home/httpd
/usr/sbin/httpd           READ          /home/httpd
Any File                  DENY          /etc/httpd/conf
/usr/sbin/httpd           READ          /etc/httpd/conf
/usr/sbin/sendmail        WRITE         /var/log/sendmail.st
/usr/X11R6/bin/XF86_SVGA  NO_INHERIT    RAWIO
/usr/sbin/in.ftpd         READ          /etc/shadow
/usr/sbin/httpd           NO_INHERIT    HIDDEN

Because you are not likely to have /home/xhg (the home directory of the author of LIDS), you can remove the configuration for it by using the /sbin/lidsadm -D -s /bin/cat -o /home/xhg command. You can leave everything else as is, because you can change the rest later as needed.

7. Add the following line to the /etc/rc.d/rc.local file to seal the kernel at the end of the boot cycle:

/sbin/lidsadm -I

8. Reboot the system and choose the LIDS-enabled kernel by entering lids at the lilo prompt. When the system boots up and runs the /sbin/lidsadm -I command from the /etc/rc.d/rc.local script, it seals the kernel and the system is protected by LIDS.

Administering LIDS

Except for the /etc/lids/lids.net file, you must use the /sbin/lidsadm program to modify the LIDS configuration files /etc/lids/lids.conf, /etc/lids/lids.pw, and /etc/lids/lids.cap. The /etc/lids/lids.conf file stores the Access Control List (ACL) information. The /etc/lids/lids.cap file contains all the capability rules for the system. You can configure which capability you want to enable or disable on the system by editing this file with the /sbin/lidsadm command: put + in front of the capability name to enable the capability or - to disable it. The /etc/lids/lids.net file configures the mail setup needed for sending alert e-mails. You can use a regular editor such as vi, emacs, or pico to edit this file.

If you need to stop LIDS to perform system administration tasks, use the /sbin/lidsadm -S -LIDS or /sbin/lidsadm -S -LIDS_GLOBAL command. You will also need to provide the LIDS password to switch off LIDS. After you make any changes in a LIDS configuration file with the lidsadm command, reload the updated configuration into the kernel by running the /sbin/lidsadm -S +RELOAD_CONF command.

To add a new ACL to the /etc/lids/lids.conf file, use the /sbin/lidsadm command as follows:

/sbin/lidsadm -A [-s subject] [-t | -d | -i] -o object -j TARGET

The options in the command above are explained in the following list:

✦ The -A option tells the /sbin/lidsadm program to add a new ACL.

✦ The -s subject option specifies the subject of the ACL. A subject can be any program, such as /bin/cat. When you do not specify a subject, the ACL applies to everything.

✦ The -t, -d, and -i options are not typically needed.

✦ The -o object option specifies the name of the object, which can be a file, a directory, or a capability. Each ACL requires a named object.

✦ The -j TARGET option specifies the target of the ACL. When the new ACL has a file or directory as the object, the target can be READ, WRITE, APPEND, DENY, or IGNORE. If the object is a Linux capability, the target can only be INHERIT or NO_INHERIT, which defines whether the object's children can have the same capability or not.
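The -A syntax above applied to a whole policy at once, as an added example that is not from the book or the LIDS project: a pair of shell functions renders a constructed policy table into /sbin/lidsadm -A commands and rejects any target that does not fit the object type (READ, WRITE, APPEND, DENY or IGNORE for paths; INHERIT or NO_INHERIT for capabilities). It assumes capability objects are spelled with their CAP_ names from Table 23-5, which the chapter does not state explicitly (the lidsadm -L listing abbreviates them), and it only prints the commands so you can review them before running them.

```shell
#!/bin/sh
# Added example (not from the book): turn a small declarative policy into the
# /sbin/lidsadm -A commands described above, checking each rule's target
# against the object type before anything is run. Capability objects are
# assumed to be named by their CAP_ name (Table 23-5); that naming is an
# assumption, since the lidsadm -L listing abbreviates them.
#
# Policy line format (constructed for this example): SUBJECT OBJECT TARGET
# A SUBJECT of "*" means "no -s option": the ACL applies to every program.

# lids_acl_cmd SUBJECT OBJECT TARGET
# Prints one lidsadm command, or prints an error on stderr and returns 1.
lids_acl_cmd() {
    subject=$1 object=$2 target=$3
    case $object in
        CAP_*)               # capability object: only inheritance targets apply
            case $target in
                INHERIT|NO_INHERIT) ;;
                *) echo "bad target '$target' for capability $object" >&2; return 1 ;;
            esac ;;
        /*)                  # file or directory object
            case $target in
                READ|WRITE|APPEND|DENY|IGNORE) ;;
                *) echo "bad target '$target' for path $object" >&2; return 1 ;;
            esac ;;
        *)  echo "object must be an absolute path or a CAP_ name: '$object'" >&2; return 1 ;;
    esac
    if [ "$subject" = "*" ]; then
        printf '/sbin/lidsadm -A -o %s -j %s\n' "$object" "$target"
    else
        printf '/sbin/lidsadm -A -s %s -o %s -j %s\n' "$subject" "$object" "$target"
    fi
}

# lids_policy_render < POLICY
# Prints the command list for every rule; stops at the first invalid rule.
lids_policy_render() {
    while read -r subject object target; do
        case $subject in ''|'#'*) continue ;; esac   # skip blank lines and comments
        lids_acl_cmd "$subject" "$object" "$target" || return 1
    done
}

# Constructed sample policy: the chapter's /etc/shadow and /home/httpd rules
# plus a capability rule for the X server shown in the lidsadm -L listing.
SAMPLE_POLICY='# subject object target
* /etc/shadow DENY
/bin/login /etc/shadow READ
* /home/httpd DENY
/usr/local/apache/bin/httpd /home/httpd READ
* /var/log APPEND
/usr/X11R6/bin/XF86_SVGA CAP_SYS_RAWIO NO_INHERIT'

# Dry run: review the generated commands before piping them into sh, then
# reload the configuration with /sbin/lidsadm -S +RELOAD_CONF as described above.
printf '%s\n' "$SAMPLE_POLICY" | lids_policy_render
```

Because a rule with a wrong target stops the render, a typo in a large policy surfaces before any ACL reaches lids.conf rather than after the kernel has been resealed.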
Protecting files and directories

You can use lidsadm to protect important files and directories. You can make a file or directory read-only, control write access, control append-mode file access, and deny access. LIDS provides the following types of protection for a file or directory:

✦ READ — makes the file or directory read-only

✦ WRITE — allows modifications of the file or directory

✦ IGNORE — ignores all other protection set for the file or directory

✦ APPEND — allows adding to the file

✦ DENY — all access to the file or directory is denied

Making files or directories read-only

To make a file called /path/filename read-only, run:

/sbin/lidsadm -A -o /path/filename -j READ

To make a directory called /mypath read-only, run:

/sbin/lidsadm -A -o /mypath -j READ

Notice that because you do not specify a subject in either of the above commands, the ACL applies to all programs, so no program can write to the above-mentioned file or directory. If you specify a subject, the command applies only to that program's access to the named file or directory.

Denying access to a file or directory

To deny access to a file called /etc/shadow, run:

/sbin/lidsadm -A -o /etc/shadow -j DENY

After the above command is run and the LIDS configuration is reloaded, you can run commands such as ls -l /etc/shadow and cat /etc/shadow to see whether you can access the file. None of these programs will see the file, because you implicitly specified the subject to be all the programs in the system. However, if you need to allow a program such as /bin/login to access the /etc/shadow file, you can give it read access by creating a new ACL such as:

/sbin/lidsadm -A -s /bin/login -o /etc/shadow -j READ

Allowing append-only access

Typically, programs only need append-only access to critical system logs such as /var/log/messages or /var/log/secure. You can enable append-only mode for these two files with the following commands:

/sbin/lidsadm -A -o /var/log/messages -j APPEND
/sbin/lidsadm -A -o /var/log/secure -j APPEND

Allowing write-only access

To allow a program called /usr/local/apache/bin/httpd to write to a protected directory called /home/httpd, run the following commands:

/sbin/lidsadm -A -o /home/httpd -j DENY
/sbin/lidsadm -A -s /usr/local/apache/bin/httpd -o /home/httpd -j READ

Deleting an ACL

To delete all the ACL rules, run the /sbin/lidsadm -Z command. To delete an individual ACL rule, simply specify the subject (if any) and/or the object of the ACL. For example, if you run the /sbin/lidsadm -D -o /bin command, all the ACL rules with /bin as the object are deleted. However, if you run the /sbin/lidsadm -D -s /bin/login -o /bin command, only the ACL that specifies /bin/login as the subject and /bin as the object is deleted. Specifying the -Z or the -D option without any argument deletes all your ACL rules.

A good file and directory protection scheme

In this section I show you a good protection scheme that you can use with LIDS. This scheme makes the /boot directory (or partition) read-only, which means that the kernel cannot be modified by intruders; it also makes the system library directory /lib, the root user's home directory /root, the system configuration directory /etc, the system daemon binary directories /sbin and /usr/sbin, and the standard binary directories /usr/bin and /bin read-only. It allows only append operations for files in the /var/log directory, which ensures that log files are not destroyed by any intruders. This configuration is shown below:

# Make the /boot directory or partition read-only
/sbin/lidsadm -A -o /boot -j READ
# Make the system library directory read-only
# This protects the lib/modules as well
/sbin/lidsadm -A -o /lib -j READ
# Make the root user's home directory read-only
/sbin/lidsadm -A -o /root -j READ
# Make the system configuration directory read-only
/sbin/lidsadm -A -o /etc -j READ
# Make the daemon binary directory read-only
/sbin/lidsadm -A -o /sbin -j READ
# Make the other daemon binary directory read-only
/sbin/lidsadm -A -o /usr/sbin -j READ
# Make the general binary directory read-only
/sbin/lidsadm -A -o /bin -j READ
# Make the other general binary directory read-only
/sbin/lidsadm -A -o /usr/bin -j READ
# Make the general library directory read-only
/sbin/lidsadm -A -o /usr/lib -j READ
# Make the system log directory append-only
/sbin/lidsadm -A -o /var/log -j APPEND
# Make the X Windows binary directory read-only
/sbin/lidsadm -A -o /usr/X11R6/bin -j READ

In addition to protecting your files and directories by using the above technique, LIDS can use the Linux Capabilities to limit the capabilities of a running program (that is, a process). In a traditional Linux system, the root user (that is, the user with UID and GID set to 0) has all the "Capabilities", or the ability to perform any task by running any process. LIDS uses Linux Capabilities to break down all the power of root (or of processes run by the root user) into pieces so that you can fine-tune what a specific process can or cannot do. To find out more about what Linux Capabilities are available, see the /usr/include/linux/capability.h header file. Table 23-5 lists all the Linux Capabilities and their status (turned on or off) in the default LIDS Capabilities configuration file, /etc/lids/lids.cap.

Table 23-5 List of Linux Capabilities

ID  Capability Name       Meaning                                                                Status in /etc/lids/lids.cap
0   CAP_CHOWN             Allow/disallow the changing of file ownership                          Allow
1   CAP_DAC_OVERRIDE      Allow/disallow override of all DAC access restrictions                 Allow
2   CAP_DAC_READ_SEARCH   Allow/disallow override of all DAC restrictions regarding read and search   Allow
3   CAP_FOWNER            Allow/disallow the following restrictions: that the effective user ID shall match the file owner ID when setting the S_ISUID and S_ISGID bits on a file; that the effective group ID shall match the file owner ID when setting such a bit on a file   Allow
4   CAP_FSETID            Allow/disallow access when the effective user ID does not equal the owner ID   Allow
5   CAP_KILL              Allow/disallow sending of signals to processes belonging to others     Allow
6   CAP_SETGID            Allow/disallow changing of the GID                                     Allow
7   CAP_SETUID            Allow/disallow changing of the UID                                     Allow
8   CAP_SETPCAP           Allow/disallow the transferring and removal of the current set to any PID   Allow
9   CAP_LINUX_IMMUTABLE   Allow/disallow the modification of immutable and append-only files     Disallow
10  CAP_NET_BIND_SERVICE  Allow/disallow binding to ports below 1024                             Disallow
11  CAP_NET_BROADCAST     Allow/disallow broadcasting/listening to multicast                     Allow
12  CAP_NET_ADMIN         Allow/disallow network administration: perform interface configuration, administer IP firewalls, set up masquerading, set up IP accounting, set up the debug option on sockets, modify routing tables, set up arbitrary process/process group ownership on sockets, bind any address for transparent proxying, set up Type Of Service (TOS), set up promiscuous mode, etc.   Disallow
13  CAP_NET_RAW           Allow/disallow use of raw sockets                                      Disallow
14  CAP_IPC_LOCK          Allow/disallow locking of shared memory segments                       Allow
15  CAP_IPC_OWNER         Allow/disallow IPC ownership checks                                    Allow
16  CAP_SYS_MODULE        Allow/disallow insertion and removal of kernel modules                 Disallow
17  CAP_SYS_RAWIO         Allow ioperm(2)/iopl(2) access                                         Disallow
18  CAP_SYS_CHROOT        Allow/disallow the chroot(2) system call                               Disallow
19  CAP_SYS_PTRACE        Allow/disallow ptrace                                                  Allow
20  CAP_SYS_PACCT         Allow/disallow configuration of process accounting                     Allow
21  CAP_SYS_ADMIN         Allow/disallow various system administration tasks                     Allow
22  CAP_SYS_BOOT          Allow/disallow reboot                                                  Allow
23  CAP_SYS_NICE          Allow/disallow changing of process priority using the nice command     Allow
24  CAP_SYS_RESOURCE      Allow/disallow setting of system resource limits                       Allow
25  CAP_SYS_TIME          Allow/disallow setting of the system time                              Allow
26  CAP_SYS_TTY_CONFIG    Allow/disallow pseudo-terminal (TTY) configuration                     Allow
27  CAP_MKNOD             Allow/disallow the privileged aspects of the mknod() system call       Allow
28  CAP_LEASE             Allow/disallow taking of leases on files                               Allow
29  CAP_HIDDEN            Allow/disallow hiding of a process from the rest of the system         Allow
30  CAP_INIT_KILL         Allow/disallow programs the capability of killing children of the init process (PID = 1)   Allow

The default settings for the above Linux Capabilities are stored in the /etc/lids/lids.cap file, as shown in Listing 23-8.

Listing 23-8: /etc/lids/lids.cap

+0:CAP_CHOWN
+1:CAP_DAC_OVERRIDE
+2:CAP_DAC_READ_SEARCH
+3:CAP_FOWNER
+4:CAP_FSETID
+5:CAP_KILL
+6:CAP_SETGID
+7:CAP_SETUID
+8:CAP_SETPCAP
-9:CAP_LINUX_IMMUTABLE
-10:CAP_NET_BIND_SERVICE
+11:CAP_NET_BROADCAST
-12:CAP_NET_ADMIN
-13:CAP_NET_RAW
+14:CAP_IPC_LOCK
+15:CAP_IPC_OWNER
-16:CAP_SYS_MODULE
-17:CAP_SYS_RAWIO
-18:CAP_SYS_CHROOT
+19:CAP_SYS_PTRACE
+20:CAP_SYS_PACCT
-21:CAP_SYS_ADMIN
+22:CAP_SYS_BOOT
+23:CAP_SYS_NICE
+24:CAP_SYS_RESOURCE
+25:CAP_SYS_TIME
+26:CAP_SYS_TTY_CONFIG
+27:CAP_MKNOD
+28:CAP_LEASE
+29:CAP_HIDDEN
+30:CAP_INIT_KILL
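Checking a lids.cap file against what you intended, as an added example that is not from the book or the LIDS project: the shell functions below read a file in the +N:CAP_NAME / -N:CAP_NAME format of Listing 23-8 and report which of a chosen set of capabilities are still enabled for root processes. The sample file is a constructed excerpt of that listing rather than a full default file, and the list of capabilities to review (those that let a root process load kernel code, use raw I/O, trace other processes, or hand capabilities to other PIDs) is my own selection, not anything the chapter prescribes.

```shell
#!/bin/sh
# Added example (not from the book): audit a capability file in the
# +N:CAP_NAME / -N:CAP_NAME format of Listing 23-8 and report which of the
# capabilities you care about are still enabled (+) for root processes.

# lids_cap_state CAP_NAME < lids.cap
# Prints "on" when the matching line starts with +, "off" when it starts
# with -, and "missing" when the capability does not appear in the file.
lids_cap_state() {
    awk -F: -v cap="$1" '
        $2 == cap { state = (substr($1, 1, 1) == "+") ? "on" : "off"; print state; found = 1; exit }
        END { if (!found) print "missing" }
    '
}

# lids_cap_audit FILE CAP_NAME...
# Prints one line per capability that is not "off"; returns 1 if any was
# found (a "missing" capability is reported too, since it is not disabled).
lids_cap_audit() {
    file=$1; shift
    rc=0
    for cap in "$@"; do
        state=$(lids_cap_state "$cap" < "$file")
        if [ "$state" != "off" ]; then
            echo "$cap is $state in $file"
            rc=1
        fi
    done
    return $rc
}

# Constructed excerpt in the Listing 23-8 format (not the full default file).
SAMPLE_CAP=${TMPDIR:-/tmp}/lids.cap.example.$$
cat > "$SAMPLE_CAP" <<'EOF'
+0:CAP_CHOWN
+8:CAP_SETPCAP
-9:CAP_LINUX_IMMUTABLE
-16:CAP_SYS_MODULE
-17:CAP_SYS_RAWIO
-18:CAP_SYS_CHROOT
+19:CAP_SYS_PTRACE
+21:CAP_SYS_ADMIN
EOF

# My selection of capabilities worth reviewing on a hardened host: the ones
# that let a root process load kernel code, reach raw I/O, trace other
# processes, or hand capabilities to arbitrary PIDs. Table 23-5 shows the
# last three of these as Allow by default.
REVIEW_CAPS="CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_PTRACE CAP_SETPCAP CAP_SYS_ADMIN"

# Word splitting of REVIEW_CAPS is intended here.
lids_cap_audit "$SAMPLE_CAP" $REVIEW_CAPS || echo "review the capabilities listed above before sealing"
```

Run the audit against /etc/lids/lids.cap after every edit and before /sbin/lidsadm -S +RELOAD_CONF; a non-zero return tells you that at least one of the capabilities you meant to disable is still enabled or is absent from the file.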