Article Title: Getting familiar with the Linux kernel security intrusion detection system
LIDS (Linux Intrusion Detection System) is a Linux kernel patch together with the system administration tool lidsadm. It enhances the Linux kernel by implementing a reference monitor and a Mandatory Access Control (MAC) security model inside the kernel. This article describes the functions of LIDS and how to use it to build a secure Linux system.
Why LIDS?
As Linux becomes more and more popular on the Internet, more and more security vulnerabilities are found in the application software on GNU/Linux systems. Many attacks exploit the carelessness of programmers, such as buffer overflows and format-string attacks. When system security is compromised by such programs and the attacker obtains root privileges, the entire system falls under the intruder's control.
Because the code is open, we can obtain the source code of most Linux applications and modify it according to our needs, so bugs are easily found and quickly fixed. However, when a vulnerability is disclosed and the system administrator neglects to patch it, an intrusion can easily follow. Worse, once an attacker obtains a root shell on an ordinary GNU/Linux system, he can do whatever he wants. This is the problem LIDS sets out to solve.
First, let's look at the problems with the existing GNU/Linux system.
File system not protected
Many files in the system are important, such as /bin/login. After an intruder breaks into the system, he can upload a modified login program to replace /bin/login, and then log on to the system without any login name or password. This is often called a Trojan horse.
Processes not protected
Processes running on the system provide certain system functions. For example, httpd is a web server that serves web requests from remote clients. On a web server, it is important to protect this process from being terminated illegally. However, once the intruder has root privileges, nothing can stop him.
System administration not protected
Many system administration operations, such as loading and unloading modules, setting routes and changing firewall rules, can be performed freely by any process whose user ID is 0. The system therefore becomes insecure as soon as an intruder obtains root privileges.
The superuser (root) may abuse its privileges
Root can do whatever it wants; as root, it can even modify the existing permissions.
To sum up, the access control model of the existing Linux system is not enough to build a secure Linux system. We must add a new model to the system to solve these problems. This is what LIDS does.
LIDS features
The Linux Intrusion Detection System is a Linux kernel patch and system administrator tool that enhances kernel security. It implements a reference monitor and a Mandatory Access Control (MAC) model in the kernel. When it is active, access to selected files, every system and network administration operation, raw device access, memory access and I/O can be disabled, even for root. It uses and extends system capabilities, applies access control settings across the whole system, and adds security features for the network and file system to the kernel, thereby enhancing security. Security protection can be adjusted online, sensitive processes can be hidden, and security alerts can be received over the network.
In short, LIDS provides protection, detection and response functions through a security model in the Linux kernel.
Protection
LIDS provides the following protection:
It protects important files and directories of any type on the hard disk so that nobody, including root, can change them. It can protect important processes from being terminated and prevent raw I/O operations by unauthorized programs. It protects hard disks, including the MBR. It protects sensitive files in the system and prevents unauthorized users (including root) and unauthorized programs from accessing them.
Detection
When someone scans your host, LIDS can detect it and report to the system administrator. LIDS can also detect any illegal process on the system.
Response
When someone violates the rules, LIDS records the details of the illegal operation in system log files that are themselves protected by LIDS. LIDS can also send the log information to your mailbox, and it can immediately terminate the offending user's session.
Establish a Secure Linux System
Having seen the LIDS features, let's look at how to build a secure system with LIDS step by step.