Familiar with Linux kernel Security Intrusion Detection System

LIDS (Linux Intrusion Detection System) is a Linux kernel patch and system management employee lidsadm. It enhances the Linux kernel. It implements a security mode in the kernel-reference mode and the Mandatory Access Control command in the kernel enters the Control mode. This article describes the functions of LIDS and how to use it to build a Secure Linux system.

Why LIDS?

As Linux on the Internet is becoming more and more popular, more and more security vulnerabilities are found in the application software on the GNU/LINUX system. Many programs exploit the carelessness of programmers, such as cache overflow and formatting code attacks. When the system security is compromised by programs and hackers obtain the ROOT permission, the entire system will be controlled by intruders.

Because of the openness of the code, we can get a lot of the original code of the Linux application, and modify it according to our needs. Therefore, bugs can be easily found and quickly fixed. However, when a vulnerability is revealed, the system administrator is negligent in patching the vulnerability, which can easily cause intrusion. What's worse, hackers can obtain the root shell. Using the existing GNU/Linux system, he does whatever he wants. This is what LIDS wants to solve.

First, let's look at the problems existing in the GNU/Linux system.

File System not protected

Many important files in the system, such as/bin/login. After a hacker intrude into the system, he can upload the modified login file to replace/bin/login, then he can log on to the system without any login name or password. This is often called Trojan house.

The process is not protected

Processes running on the system serve certain system functions. For example, HTTPD is a web server to meet the web requirements of remote clients. As a web server system, it is important to protect its processes from being terminated illegally. However, when the intruder has the ROOT permission, we cannot do anything.

System Management unprotected

Many system management systems, such as module loading/uninstallation, route setting, and firewall rules, can be easily modified if the user ID is 0. Therefore, it becomes insecure when intruders obtain the ROOT permission.

Super User (root) as ROOT may abuse Permissions

He can do whatever he wants. as ROOT, he can even modify the existing permissions.

To sum up, we found that entering the control mode in the existing Linux system is not enough to establish a Secure Linux system. We must add a new mode in the system to solve these problems. This is what LIDS has to do.

LIDS features

Linux intrusion detection system is a Linux kernel patch and System Administrator tool that enhances kernel security. It implements the reference listening mode and Mandatory Access Control command in the kernel to enter the Control mode. When it works, select the file to enter, and manage each system/network. Any access permission, raw device, mem, and I/O will be disabled, even for ROOT. It uses and extends system functions, binds control settings on the entire system, and adds security features of the network and file system to the kernel, thus enhancing security. You can adjust security protection online, hide sensitive processes, and receive security warnings through the network.

In short, LIDS provides protection, reconnaissance, and response functions, from the security mode in the LINUX kernel.

Protection

LIDS provides the following protection:

Protect any types of important files and directories on the hard disk, which cannot be changed by anyone, including ROOT. It can protect important processes from being terminated and prevent raw io operations of illegal programs. Protects hard disks, including MBR protection. Protects sensitive files in the system and prevents unauthorized users (including ROOT) and unauthorized programs from accessing.

Reconnaissance

When someone scans your host, LIDS can detect and report to the system administrator. LIDS can also detect any illegal process on the system.

Response

When someone violates the rules, LIDS records invalid operation details to the System log Files protected by LIDS. LIDS can also upload log information to your mailbox. LIDS can also immediately close conversations with users.

Establish a Secure Linux System

After reading the LIDS features, let's take a look at how to build a secure system with LIDS step by step. [Next]

Download the LIDS patch and related official Linux Kernel

You can obtain LIDS patches and system management tools from LIDS Home, LIDS Ftp Home, or recent LIDS Mirror.

The patch name is lids-x.xx-y.y.y.tar.gz, x. xx represents the lids version, y. y. y represents the Linux kernel version. For example, the lids-0.9.9-2.2.17.tar.gz represents the lids version 0.9.9 and the related kernel version is 2.2.17 ..

You must download the relevant kernel version. For example, if you download lids-0.9.9-2.2.17.tar.gz, you should download the original code of Linux kernel 2.2.17. The Kernel source code can be obtained from the Kernel FTP Site or other images.

Decompress the original kernel code and LIDS tar. for example, after the slave: 1. uncompress the Linux kernel source code tree. # cd linux_install_path/# bzip2-cd linux-2.2.17.tar.bz2 tar-xvf-2. uncompress the lids source code and install the lidsadm tool. # cd lids_install_path # tar-zxvf lids-0.9.8-2.2.17.tar.gz

Install the LIDS patch on the Linux kernel, linux kernel source code is patched with LIDS # cd linux_install_path/linux # patch-p1/* link the default source path to lids patched version # rm-rf/usr/src/linux # ln-s linux_install_patch /linux/usr/src/linux

To configure the Linux kernel, follow these steps: Prompt for development and/or incomplete code/driversSysctl supportAfter that, you will find that a new item appear in the bottom of the configuration menu name "Linux Intrusion Detection System ". entering this menu, turn the Linux Intrusion Detection System support (EXPERIMENTAL) (NEW ).

After the LIDS kernel is configured, exit the configuration interface and compile the kernel. # Make dep # make clean # make bzImage # make modules # make modules_install

Install LIDS and system management tools on Linux, copy bzImage to/boot/, and edit/etc/lilo. conf. # Cp arch/i386/boot/bzImage/boot/bzImage-lids-0.9.9-2.2.17/* build admin tools */# cd lids-0.9.8-2.2.17/lidsadm-0.9.8/# make install # less/etc/ lilo. confboot =/dev/hdamap =/boot/mapinstall =/boot. bprompttimeout = 50 default = linuximage =/boot/vmlinuz-2.2.16-3label = linuxread-onlyroot =/dev/hda2image =/boot/bzImage-lids-0.9.9-2.2.17label = devread-onlyroot =/dev/hda2

Run/sbin/lilo to install the new kernel: #/sbin/lilo

Configure the LIDS System

Before restarting, you must configure the lids system to meet your security needs. You can define protected files, protected processes, and so on.

By default, lidsadm installs the default configuration file to/etc/lids /. You must reconfigure it as needed. First, update the inode/dev value of the default lids. conf file. #/Sbin/lidsadm-U

Restart the system

After the Linux system is configured, restart. When lilo appears, select to load the lids enable kernel. Then you will enter the wonderful LIDS world.

Encapsulate the kernel

After the system is started, do not forget to use lidsadm to encapsulate the kernel. Add the following command at the end of/etc/rc. local: #/sbin/lidsadm-I

Online Management

After the kernel is encapsulated, your system is protected by LIDS. You can perform some tests to verify the security level. If you want to change some configurations, such as modifying permissions, you can enter a password to change the security level of lids online. #/Sbin/lidsadm-S ---LIDS

After changing the lids configuration attributes, such as lids. conf and lids. cap, you can run the following command to re-load the configuration file in the kernel: #/sbin/lidsadm-S -- + RELOAD_CONF

Configure the LIDS System

LIDS configuration directory -- "/etc/lids /"

1. Network security framework of Linux kernel 2.4.x
2. Consider system security from the perspective of Linux kernel Vulnerabilities
3. There are 10 high-risk vulnerabilities in the Red Hat Linux Kernel