LIDS ACL DISCOVERY MODE FAQ 	version 0.2	on August 5, 2003
by Huagang XIE (xie [at] www.lids.org).

1. What is LIDS ACL DISCOVERY MODE?

A: In this mode, LIDS does not block anything. It reports every action
   that violates the preset rules and also prints out a _RULE_ that
   would allow that action when LIDS is in normal protection MODE.

2. Does this mode provide protection?

A: NO. In this mode you can still run "#lidsadm -S -- -LIDS" etc., but LIDS is
   acting only as an acl discovery machine; it performs no protection at all.

3. How do I turn on the acl discovery mode?

A. Edit the file /etc/lids/lids.ini and set "ACL DISCOVERY=1"; the acl
   discovery mode is then turned on when LIDS is started. The recommended
   way is to compile LIDS into the kernel rather than as a module, so that
   LIDS is started in the "Learning" mode when the kernel boots.

   When you are already in normal protection mode and want to turn on the
   acl discovery mode, use lidsadm: "#lidsadm -S -- +ACL DISCOVERY"
   turns on the acl discovery mode.

4. How do I turn off the acl discovery mode?

A. To turn off the acl discovery mode by "default", edit
   "/etc/lids/lids.ini" and set "ACL DISCOVERY=0".

   When you are in normal protection mode and want to turn off the
   acl discovery mode, use lidsadm: "#lidsadm -S -- -ACL DISCOVERY"
   turns off the acl discovery mode.

5. How do I know if I am in acl discovery mode?
  
A. When LIDS starts, a message is printed to let you know whether the
   LIDS acl discovery mode is "on" or "off", like the following message:
	
	LIDS_INFO: Learning mode on

6. What should I expect to happen in the acl discovery mode?

A. When a violating action happens, an alert message is printed,
   followed by a "rule" which you can use later. For example:
  
LIDS: login (dev 3:2 inode 177942) pid 548 ppid 1 uid/gid (0/0) on (tty1) : attempt to open lastlog for writing  - logging disabled for 60s
LIDS_ACL_DISCOVERY:[state 1]177942:770:login:7:0:16066:773:lastlog:0-0
	
   The information above shows that login tried to open lastlog for writing,
   and the alert message is followed by a rule.

7. Can I trust the automatically generated acl discovery mode rules?

A. NO, YOU CAN NOT! Since LIDS simply generates a rule for each violating
   action, you need to review all the rules again to make sure that no rule
   opens a security hole. For example,

LIDS_ACL_DISCOVERY:[state 1]177752:770:mv:7:0:16065:773:log:0-0
	
This rule was generated in state 1, which is the "BOOT" state; it says that
"mv" can "write" the "log" directory. Obviously, letting "mv" write the "log"
directory is too risky :-( so you need to tune this kind of rule. Be
especially careful with rules whose "subject" is "bash", "mv", etc.
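
As an added example (not part of this FAQ or of lidstools), the following
Python snippet parses the LIDS_ACL_DISCOVERY lines out of a syslog extract
and lists the rules whose subject is a general-purpose tool, so that they can
be hand-tuned before being accepted. The device decoding (770 = 3:2) follows
the old Linux major*256+minor encoding and is checked against the alert line
in question 6; the meaning of the two unnamed fields and of the trailing
"0-0" is not given in this FAQ, so the code leaves them opaque, and the list
of broad subjects is my own assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two discovery lines quoted in this FAQ plus one extra
# line I made up in the same format (not real kernel output).
SAMPLE_LOG = """\
LIDS: login (dev 3:2 inode 177942) pid 548 ppid 1 uid/gid (0/0) on (tty1) : attempt to open lastlog for writing  - logging disabled for 60s
LIDS_ACL_DISCOVERY:[state 1]177942:770:login:7:0:16066:773:lastlog:0-0
LIDS_ACL_DISCOVERY:[state 1]177752:770:mv:7:0:16065:773:log:0-0
LIDS_ACL_DISCOVERY:[state 2]177943:770:syslogd:7:0:16070:773:messages:0-0
"""
# General-purpose programs (my own list): a rule with one of these as subject
# grants the access to every invocation of the tool, which the FAQ warns about.
BROAD_SUBJECTS = {"bash", "sh", "mv", "cp"}
RULE_RE = re.compile(r"^LIDS_ACL_DISCOVERY:\[state (\d+)\](.+)$")

@dataclass
class Rule:
    state: int
    subject_inode: int
    subject_dev: tuple   # (major, minor), decoded from the kernel's major*256+minor number
    subject: str
    flags: tuple         # the two fields between subject and object; not explained in the FAQ
    object_inode: int
    object_dev: tuple
    obj: str
    trailer: str         # the final "0-0" field; not explained in the FAQ

def decode_dev(n: int) -> tuple:
    """770 -> (3, 2), matching the 'dev 3:2' printed in the LIDS alert line."""
    return n >> 8, n & 0xFF

def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                      # skip alert lines and other syslog noise
        f = m.group(2).split(":")
        if len(f) != 9:
            raise ValueError("unexpected field count: " + line)
        rules.append(Rule(int(m.group(1)), int(f[0]), decode_dev(int(f[1])), f[2],
                          (f[3], f[4]), int(f[5]), decode_dev(int(f[6])), f[7], f[8]))
    return rules

def needs_review(rules: list) -> list:
    """Rules whose subject is a broad tool must be hand-tuned before use."""
    return [r for r in rules if r.subject in BROAD_SUBJECTS]
```

Feeding it the real syslog output instead of SAMPLE_LOG gives the list of
rules to look at first; in the sample, only the "mv" rule is reported.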

 
8. How can I automatically generate the acls into a conf file?

A. LIDS provides a tool in "lidstools/acl discovery" named "lids_acl_discovery.pl".
   After you install the new "lidstools", the acl discovery mode is
   turned on by default. Reboot the system into this new ACL DISCOVERY
   MODE, "seal the kernel" with "lidsadm -I", do all the normal
   operations you would like to do, then enter the shutdown state with
   "lidsadm -S -- +SHUTDOWN" and reboot the system into a NON-LIDS
   kernel. Then just run,

	# perl lids_acl_discovery.pl

   Three acl files will be generated: lids.boot.conf, lids.postboot.conf
   and lids.shutdown.conf. You need to tune these conf files again to
   make sure everything looks fine.

9. Why do the acl discovery mode acls not provide a "full path" for the
   subject and object?

A. In the kernel, a file is referenced by its inode; it is easy to get the
   inode, but it is difficult to get a full path from an inode. If you find
   a good way to do this, let me know.

10. Why is the acl discovery mode needed?

A. Good question. The simple answer: people need it. Hope you like it.

11. Who is behind this idea?

A. Sander Klein raised the idea and I implemented it.

12. Do I have to use it?

A. Not really, but it will help you tune your acls.

