LIDS (Linux Intrusion Detection System) is a Linux kernel patch together with an administration tool (lidsadm) that hardens the Linux kernel. It implements a security model in the kernel: a reference monitor and Mandatory Access Control (MAC). This article presents the features of LIDS and how to use it to build a secure Linux system.
As Linux becomes more popular on the Internet, more and more security vulnerabilities are being discovered in the applications of existing GNU/Linux systems. Many programs suffer from programmer carelessness, such as buffer overflows and format string bugs. When such a program is compromised and the attacker gains root privileges, the whole system falls under the intruder's control.
Because the source is open, we can obtain the source code of almost any Linux application and modify it as we need, so bugs can be found easily and fixed quickly. But when a vulnerability has been disclosed and the system administrator neglects to apply the patch, the system is easily broken into; worse, the attacker can obtain a root shell and then do as he pleases with an ordinary GNU/Linux system. This is the problem LIDS sets out to solve.
First, let us look at the problems of the existing GNU/Linux system.
The file system is not protected
Many important files, such as /bin/login, are not protected. Once an attacker has broken in, he can upload a modified login program to replace /bin/login, after which he can log in without any user name or password. This is usually called a Trojan horse.
Processes are not protected
Processes running on the system provide its functions and services; for example, httpd is the web server that serves remote clients. For a web server, it is very important that the process cannot be terminated illegitimately. But once the intruder has obtained root privileges, there is nothing we can do about it.
System administration is not protected
Many administrative operations, such as loading and unloading modules, routing settings and firewall rules, can be changed at will by any process whose user ID is 0. So once an intruder obtains root privileges, the system becomes very unsafe.
The superuser (root) can abuse root's authority
Root can do whatever he wants; as root he can even modify the existing permissions.
In summary, the access control model of the existing Linux system is not enough to build a secure Linux system. We must add a new model to the system to solve these problems. This is what LIDS does.
Linux Intrusion Detection System is a Linux kernel patch and an administration tool that strengthens the security of the kernel. It implements a reference monitor and Mandatory Access Control (MAC) in the kernel. When it is active, access to selected files, every system and network administration operation, any use of capabilities, and access to raw devices, memory and I/O ports can be prohibited, even for root. It uses and extends the capability system, sets a bound on capabilities for the whole system, and adds network and file system security features in the kernel, thereby enhancing security. You can adjust the protection online, hide sensitive processes, receive security alerts over the network, and so on.
In short, LIDS provides protection, detection and response, which is what a security model in the Linux kernel can achieve.
LIDS provides the following:
Protection: important files and directories of any type on disk can be protected so that nobody, root included, can change them. Important processes can be protected from being terminated, and illegitimate programs can be prevented from performing raw I/O operations. The hard disk itself, including the MBR, can be protected. You can protect sensitive system files from access by unauthorized persons (including root) and by unauthorized programs.
Detection: when someone scans your host, LIDS can detect it and report to the system administrator. LIDS can also detect any process on the system that violates the rules.
Response: when someone violates a rule, LIDS records the details of the illegal operation in the system log file, which is itself protected by LIDS. LIDS can also send the log information to your mailbox, and it can immediately close the session of the offending user.
Building a secure Linux system
Having seen the features of LIDS, let us look step by step at how to build a secure system with it.
Download the LIDS patch and the matching official Linux kernel
Obtain the LIDS patch and the administration tool from the LIDS home page, the LIDS FTP site or a recent LIDS mirror.
The patch is named lids-x.xx-y.y.yy.tar.gz, where x.xx is the LIDS version and y.y.yy is the Linux kernel version it applies to. For example, lids-0.9.9-2.2.17.tar.gz is LIDS version 0.9.9 for kernel 2.2.17.
You must download the matching kernel version. For example, if you downloaded lids-0.9.9-2.2.17.tar.gz, you should download the source code of Linux kernel 2.2.17. You can get the kernel source from the kernel FTP site or another mirror.
Then unpack the kernel source and the LIDS tarball. For example, having obtained lids-0.9.9-2.2.17.tar.gz from www.lids.org and linux-2.2.17.tar.bz2 from ftp.us.kernel.org:
1. Unpack the Linux kernel source tree:
    # cd linux_install_path/
    # bzip2 -cd linux-2.2.17.tar.bz2 | tar -xvf -
2. Unpack the LIDS source code, which contains the kernel patch and the lidsadm tool:
    # cd lids_install_path
    # tar -zxvf lids-0.9.9-2.2.17.tar.gz
Apply the LIDS patch to the official Linux kernel source, then point the default source path at the patched tree (lids_patch_file is the .patch file from the unpacked LIDS tarball):
    # cd linux_install_path/linux
    # patch -p1 < lids_patch_file
    # rm -rf /usr/src/linux
    # ln -s linux_install_path/linux /usr/src/linux
Check first that /usr/src/linux is a symbolic link, or a tree you no longer need: rm -rf removes a real source directory just as readily.
Configure the Linux kernel (for example with make menuconfig) and make sure the following options are enabled:
    Prompt for development and/or incomplete code/drivers
    Sysctl support
After that, a new item named "Linux Intrusion Detection System" appears at the bottom of the configuration menu. Enter this menu and turn on "Linux Intrusion Detection System support (EXPERIMENTAL) (NEW)".
After configuring LIDS in the kernel, exit the configuration and compile the kernel:
    # make dep
    # make clean
    # make bzImage
    # make modules
    # make modules_install
Install the LIDS kernel and the administration tool on the system: copy bzImage to /boot/, build and install lidsadm, and edit /etc/lilo.conf.
    # cp arch/i386/boot/bzImage /boot/bzImage-lids-0.9.9-2.2.17
Build the admin tool:
    # cd lids_install_path/lids-0.9.9-2.2.17/lidsadm-0.9.9/
    # make
    # make install
    # less /etc/lilo.conf
    boot=/dev/hda
    map=/boot/map
    install=/boot/boot.b
    prompt
    timeout=50
    default=linux
    image=/boot/vmlinuz-2.2.16-3
        label=linux
        read-only
        root=/dev/hda2
    image=/boot/bzImage-lids-0.9.9-2.2.17
        label=dev
        read-only
        root=/dev/hda2
Keep the entry for the old kernel (here label=linux, which is still the default) so that you can boot back into an unprotected kernel if a LIDS rule locks you out.
Run /sbin/lilo to install the new kernel:
    # /sbin/lilo
LIDS system configuration
Before rebooting, you must configure LIDS to meet your security needs: define the protected files, the protected processes and so on.
By default, lidsadm installs a default configuration in /etc/lids/. You must adapt it to your own needs. First, update the inode/dev values in the default lids.conf:
    # /sbin/lidsadm -U
LIDS identifies a protected object by its inode and device number rather than by its path name, so this step must be repeated whenever a protected file is recreated (for example when a package upgrade replaces it); otherwise the rule no longer matches the file on disk.
Reboot the system
After configuring, restart the Linux system. When the lilo prompt appears, select the LIDS-enabled kernel. Then you enter the wonderful world of LIDS.
After the system starts, do not forget to seal the kernel with lidsadm. Add the following command at the end of /etc/rc.local:
    # /sbin/lidsadm -I
Once the kernel is sealed, your system is under the protection of LIDS. You can run some tests to verify this. If you want to change some configuration, for example to modify permissions, you can switch the LIDS security level online by entering the LIDS password:
    # /sbin/lidsadm -S -- -LIDS
After changing LIDS configuration files such as lids.conf or lids.cap, reload the configuration into the kernel with:
    # /sbin/lidsadm -S -- +RELOAD_CONF
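The inode/dev keying behind lidsadm -U is the detail most often forgotten in practice, so here is an added example, my own script and not code from LIDS or from this article, that records the device:inode pair of a list of files and later reports which of them were recreated, which is exactly the situation in which the lids.conf entry must be refreshed with lidsadm -U and reloaded with lidsadm -S -- +RELOAD_CONF. It assumes GNU coreutils stat(1); the function names and the throwaway directory used in the demonstration are my own.

```sh
#!/bin/sh
# Added example, not code from LIDS or from this article.
# LIDS keys each rule to the device:inode pair recorded in lids.conf.
# This script records that pair for a list of files and later reports
# entries that no longer match, i.e. files that were recreated and
# whose rule must be refreshed with "lidsadm -U" and reloaded with
# "lidsadm -S -- +RELOAD_CONF". Assumes GNU coreutils stat(1).

# lids_snapshot PATH...: print "dev:inode path" for each path.
lids_snapshot() {
    for p in "$@"; do
        printf '%s %s\n' "$(stat -c '%d:%i' "$p")" "$p"
    done
}

# lids_check SNAPSHOT: compare a saved snapshot with the live file system.
# Prints one CHANGED line per mismatch; returns 0 if all match, 1 otherwise.
lids_check() {
    rc=0
    while read -r id path; do
        now=$(stat -c '%d:%i' "$path" 2>/dev/null || echo missing)
        if [ "$now" != "$id" ]; then
            echo "CHANGED $path (was $id, now $now)"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Demonstration on a throwaway directory standing in for /bin/login.
lids_demo() {
    work=$(mktemp -d)
    printf 'original login\n' > "$work/login"
    lids_snapshot "$work/login" > "$work/snap"

    # Editing the file in place keeps its inode: the LIDS rule still
    # refers to the file that is on disk.
    printf 'in-place change\n' >> "$work/login"
    if lids_check "$work/snap" >/dev/null; then
        echo "in-place edit: inode unchanged, rule still matches"
    fi

    # Uploading a new file and moving it over the old one (the Trojan
    # horse scenario) allocates a new inode: the rule no longer matches.
    printf 'trojan login\n' > "$work/login.new"
    mv "$work/login.new" "$work/login"
    lids_check "$work/snap" || echo "rename-replace: run lidsadm -U, then reload"

    rm -rf "$work"
}

lids_demo
```

On a real system you would snapshot the files named in lids.conf, for instance lids_snapshot /bin/login /sbin/lidsadm /etc/lids/lids.conf > /etc/lids/inode.snap (the snapshot path is just an example; it should itself be a LIDS-protected file), and run lids_check from cron or before every reload. A CHANGED line means lids.conf still refers to the old inode and lidsadm -U is needed before lidsadm -S -- +RELOAD_CONF; a "now missing" line means a protected file has disappeared altogether and deserves an immediate look.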