Linux Intrusion Detection System (LIDS) principles (3)

Source: Internet
Author: User

7. Security Level of LIDS in the kernel

In some cases we need to change the configuration of the protection system. LIDS gives us two ways to do that:

- restart the system and type security=0 at the LILO prompt;
- use lidsadm -S with a password to change the security level while the system is running.

7.1 Two security levels in the kernel

LIDS defines two security levels in the kernel: secure (security) and insecure (none_security). The default is secure. To change it, type security=0 at the LILO prompt when the system boots.

The kernel keeps a global variable, lids_load, that records whether LIDS is enabled. On a normal boot it is raised to 1. If you boot with security=0, lids_load stays at 0, all LIDS protection is switched off, and the system behaves exactly as if LIDS were not compiled in.

/* Variables defined in fs/lids.c */
int lids_reload_conf = 0;
int lids_load = 0;          /* raised to 1 when the kernel boots */
int lids_local_on = 1;
int lids_local_pid = 0;

/* In init/main.c */
#ifdef CONFIG_LIDS
/*
 * lids_setup: read the "security=" option from the kernel command line.
 */
static void __init lids_setup(char *str, int *ints)
{
    if (ints[0] > 0 && ints[1] >= 0)
        __lids_load = ints[1];                      /* ===> */
}
#endif

....

/* Init LIDS when the system boots up */
static void __init do_basic_setup(void)
{
    ......
    /* Mount the root filesystem .. */
    mount_root();
#ifdef CONFIG_LIDS
    /* Init the ids file system */
    lids_load = __lids_load;                        /* ---> */
    lids_local_on = __lids_load;
    lids_flags = lids_load * (LIDS_FLAGS_LIDS_ON | LIDS_FLAGS_LIDS_LOCAL_ON);
    printk("Linux Intrusion Detection System %s\n",  /* ==> */
           lids_load == 1 ? "starts" : "stops");
    init_vfs_security();
#endif
    ......
}

When the system starts you will see "Linux Intrusion Detection System 0.9 starts", which means LIDS protection is enabled. When protection is switched off you will see "Linux Intrusion Detection System 0.9 stops" instead. 0.9 is the current LIDS version number.

7.2 Using lidsadm to change the security level

Sometimes you need to change the security level while the system is running. For that you must enable CONFIG_LIDS_ALLOW_SWITCH and supply the RipeMD-160 hash of a password when configuring the kernel before compilation.

The hash is generated with the lidsadm -P command.

Kernel-side authentication

With the configured password hash, LIDS can authenticate the user and so decide who is allowed to change the kernel's security level.

The -S option of lidsadm is used for this. For example:

# /sbin/lidsadm -S -- -LIDS
SWITCH
Password: xxxxxx
#

After the correct password is entered, LIDS protection is switched off (that is what the -LIDS flag requests).

Let's look at the kernel code to see how this works:

/* In fs/lids.c: lids_proc_locks_sysctl() */
int lids_proc_locks_sysctl(ctl_table *table, int write, struct file *filp,
                           void *buffer, size_t *lenp, int conv, int op)
{
    lids_locks_t locks;
    byte hashcode[RMDsize/8];
    char rmd160sig[170];
    int i;
    .......
    locks.passwd[sizeof(passwd_t) - 1] = 0;     /* we don't take the risk */
    rmd160sig[0] = 0;
#ifdef CONFIG_LIDS_ALLOW_SWITCH
    if ((!lids_first_time) || (locks.passwd[0])) {
        RMD((byte *)locks.passwd, hashcode);
        memset((char *)locks.passwd, 0, sizeof(passwd_t));
        for (i = 0; i < RMDsize/8; i++)
            sprintf(rmd160sig + 2 * i, "%02x", hashcode[i]);
    }
    if (((lids_first_time) && (!locks.passwd[0])) ||
        (!strncmp(rmd160sig, CONFIG_LIDS_RMD160_PASSWD, 160))) {   /* ----------> */
#else
    if ((lids_first_time) && (!locks.passwd[0])) {
#endif
        /* Access granted! */
        number_failed = 0;
        if (lids_process_flags(locks.flags)) {
            cap_bset = locks.cap_bset;
            lids_security_alert("Changed: cap_bset=0x%x lids_flags=0x%x",
                                cap_t(cap_bset), lids_flags);
        }
        lids_first_time = 0;
    }
    ........
}

Once the password check succeeds, lids_process_flags() applies the requested flags, for example marking LIDS as disabled, and from then on you can do what you want on an unprotected system. See lids_process_flags() in fs/lids.c for the details.

Switching LIDS and LIDS_GLOBAL

Disabling LIDS protection can mean one of two things:

1. Global: once protection is disabled, the other consoles and sessions are no longer protected by LIDS either.
2. Local: protection is disabled only for the session that issued the command; in all other consoles the system is still fully protected by LIDS.

Both cases are implemented by lids_process_flags() in fs/lids.c.
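The boot-time flag computation in 7.1 and the password-gated switch in 7.2 can be modelled in user space. The following is an added example, not LIDS or kernel code: the flag names are taken from fs/lids.c, while the function names, the pid-based notion of a session, and the use of FNV-1a as a stand-in for the kernel's RIPEMD-160 hash (so the file builds without a crypto library; never use it as a real password hash) are assumptions made for illustration. The hash is compared in constant time here, whereas the kernel code above uses strncmp().

```c
/* Added example: a user-space model of the LIDS on/off state machine
 * (boot-time security= option, password-protected lidsadm -S switch,
 * local vs. global flags).  Not LIDS code.  Flag names come from
 * fs/lids.c; everything else is an assumption for illustration.
 * FNV-1a stands in for RIPEMD-160 only so this runs without a crypto
 * library.  Do not reuse it as a password hash. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIDS_FLAGS_LIDS_ON        0x01
#define LIDS_FLAGS_LIDS_LOCAL_ON  0x02

/* Global state, mirroring the variables in fs/lids.c */
static int lids_load;            /* 1 unless "security=0" was given at boot */
static int lids_flags;
static int lids_local_pid;       /* session that switched LIDS off locally */
static int lids_first_time = 1;
static int number_failed;

/* Compiled-in hash (CONFIG_LIDS_RMD160_PASSWD in the real kernel) */
static char config_passwd_hash[17];

static void fnv1a_hex(const char *s, char out[17]) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    snprintf(out, 17, "%016llx", (unsigned long long)h);
}

/* Constant-time compare; the kernel code above uses strncmp() instead */
static int ct_eq(const char *a, const char *b, size_t n) {
    unsigned char d = 0;
    for (size_t i = 0; i < n; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}

/* Models "lidsadm -P" + CONFIG_LIDS_RMD160_PASSWD at kernel build time */
void lids_configure_password(const char *pw) { fnv1a_hex(pw, config_passwd_hash); }

/* lids_setup()/do_basic_setup(): "security=<n>" -> lids_load -> lids_flags */
void lids_boot(const char *cmdline) {
    const char *p = strstr(cmdline, "security=");
    lids_load = (p && p[9] == '0') ? 0 : 1;
    lids_flags = lids_load * (LIDS_FLAGS_LIDS_ON | LIDS_FLAGS_LIDS_LOCAL_ON);
    lids_local_pid = 0;
    lids_first_time = 1;
    number_failed = 0;
}

/* The password gate of lids_proc_locks_sysctl().  Returns 1 if granted.
 * The first request after boot with an empty password (lidsadm -I) is
 * accepted without a hash check, exactly as in the kernel code. */
int lids_switch(const char *passwd, int new_flags, int pid) {
    char sig[17];
    int granted;
    memset(sig, 0, sizeof sig);
    /* Kernel: hash only when there is something to check, then wipe the
       plaintext buffer (locks.passwd).  Here the caller owns passwd. */
    if (!lids_first_time || passwd[0])
        fnv1a_hex(passwd, sig);
    granted = (lids_first_time && !passwd[0]) ||
              ct_eq(sig, config_passwd_hash, 16);
    if (!granted) { number_failed++; return 0; }
    number_failed = 0;
    /* lids_process_flags(): clearing LIDS_ON is -LIDS_GLOBAL, clearing
       only LIDS_LOCAL_ON is -LIDS and records the caller's session */
    lids_flags = new_flags;
    lids_local_pid = (new_flags & LIDS_FLAGS_LIDS_LOCAL_ON) ? 0 : pid;
    lids_first_time = 0;
    return 1;
}

/* Is the given process subject to LIDS protection right now? */
int lids_protects(int pid) {
    if (!(lids_flags & LIDS_FLAGS_LIDS_ON)) return 0;            /* global off */
    if (!(lids_flags & LIDS_FLAGS_LIDS_LOCAL_ON) && pid == lids_local_pid)
        return 0;                                                 /* local off */
    return 1;
}

int main(void) {
    lids_configure_password("lids-secret");
    lids_boot("root=/dev/hda1 ro");
    printf("after boot: pid 100 protected=%d\n", lids_protects(100));
    lids_switch("", lids_flags, 1);                       /* lidsadm -I at boot */
    printf("wrong password accepted=%d\n", lids_switch("guess", 0, 100));
    lids_switch("lids-secret", LIDS_FLAGS_LIDS_ON, 100);  /* lidsadm -S -- -LIDS */
    printf("local off: pid 100=%d pid 200=%d\n", lids_protects(100), lids_protects(200));
    return 0;
}
```

lids_boot() corresponds to lids_setup()/do_basic_setup(), lids_switch() to the password gate of lids_proc_locks_sysctl() followed by lids_process_flags(), and lids_protects() answers the question the two flags encode: clearing LIDS_ON switches protection off for everyone, while clearing only LIDS_LOCAL_ON switches it off for the session recorded in lids_local_pid and nobody else.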

8. Kernel network security

LIDS provides the following functions to protect your network.

8.1 Protecting firewall and routing rules

If your host has firewall rules, you can protect them with LIDS. Enable CONFIG_LIDS_ALLOW_CHANGE_ROUTES, and remove CAP_NET_ADMIN from the capability bounding set when sealing the kernel. After that, only the programs you have explicitly marked as allowed to change routes can modify the rules.

Let's look at the code that protects the firewall rules. Every request that changes the firewall goes through the kernel's ip_setsockopt() function:

int ip_setsockopt(struct sock *sk, int level, int optname, char *optval, int optlen)
{
    ........
    switch (optname) {
    .......
    case IP_FW_DELETE_NUM:
    case IP_FW_INSERT:
    case IP_FW_FLUSH:
    case IP_FW_ZERO:
    case IP_FW_CHECK:
    case IP_FW_CREATECHAIN:
    case IP_FW_DELETECHAIN:
    case IP_FW_POLICY:
#ifdef CONFIG_LIDS_ALLOW_CHANGE_ROUTES
        if (!(capable(CAP_NET_ADMIN) || (current->flags & PF_CHROUTES))) {
#else
        if (!capable(CAP_NET_ADMIN)) {
#endif
#ifdef CONFIG_LIDS
            lids_security_alert("CAP_NET_ADMIN violation: try to change IP firewall rules with option %d", optname);
#endif
            return -EACCES;
        }
    ........

From the code above: to change the firewall rules a process must either hold CAP_NET_ADMIN or be marked routing_changeable (the PF_CHROUTES flag). Once CAP_NET_ADMIN has been removed from the bounding set at seal time, only the marked programs can change the rules.

8.2 Preventing sniffing

This is implemented with the same routing_changeable mechanism as above. Look at the code in net/core/dev.c:

int dev_ioctl(unsigned int cmd, void *arg)
{
    ........
    switch (cmd) {
    ........
    case SIOCSIFMETRIC:
    case SIOCSIFMTU:
    case SIOCSIFMAP:
    case SIOCSIFHWADDR:
    case SIOCSIFSLAVE:
    case SIOCADDMULTI:
    case SIOCDELMULTI:
    case SIOCSIFHWBROADCAST:
    case SIOCSIFTXQLEN:
    case SIOCSIFNAME:
#ifdef CONFIG_LIDS_ALLOW_CHANGE_ROUTES
        if (!(capable(CAP_NET_ADMIN) || (current->flags & PF_CHROUTES))) {
#else
        if (!capable(CAP_NET_ADMIN)) {
#endif
#ifdef CONFIG_LIDS
            lids_security_alert("CAP_NET_ADMIN violation: ioctl SIOC#%i", cmd);
#endif
            return -EPERM;
    .........

So to change an interface's state for sniffing you need CAP_NET_ADMIN. Keep CAP_NET_ADMIN available before the kernel is sealed, so that the interfaces can be configured at boot, and remove it from the bounding set when the kernel is sealed.
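As an added example (not LIDS or kernel code), here is the CAP_NET_ADMIN/PF_CHROUTES guard from 8.1 and 8.2 together with the capability bounding set that sealing shrinks, modelled in user space. The struct task fields, spawn() and lids_seal() are assumptions; the CAP_NET_ADMIN bit number and the SIOCSIFHWADDR value are the real Linux ones, the PF_CHROUTES value is made up.

```c
/* Added example: user-space model of the capable(CAP_NET_ADMIN) ||
 * PF_CHROUTES guard and of the bounding set (cap_bset) that "sealing"
 * the kernel shrinks.  Not LIDS or kernel code; struct task, spawn()
 * and lids_seal() are assumptions made for illustration. */
#include <errno.h>
#include <stdio.h>

#define CAP_NET_ADMIN   12            /* bit number from include/linux/capability.h */
#define CAP_TO_MASK(c)  (1u << (c))
#define PF_CHROUTES     0x00000400u   /* the "routing_changeable" mark; value assumed */
#define SIOCSIFHWADDR   0x8924        /* one of the ioctls guarded in dev_ioctl() */

/* The fields the guard looks at (constructed; the real task_struct has more) */
struct task {
    const char  *comm;
    unsigned int cap_effective;
    unsigned int flags;
};

/* Capability bounding set: everything until the kernel is sealed */
static unsigned int cap_bset = 0xffffffffu;

/* lidsadm -I -- -CAP_NET_ADMIN: drop the capability from the bounding set */
void lids_seal(void) { cap_bset &= ~CAP_TO_MASK(CAP_NET_ADMIN); }

/* A new privileged process receives every capability still in the
 * bounding set.  Processes already running keep whatever they had. */
struct task spawn(const char *comm, unsigned int flags) {
    struct task t = { comm, 0xffffffffu & cap_bset, flags };
    return t;
}

static int capable(const struct task *t, int cap) {
    return (t->cap_effective & CAP_TO_MASK(cap)) != 0;
}

/* The guard in ip_setsockopt() for the IP_FW_* options */
int fw_rule_change(const struct task *t) {
    if (!(capable(t, CAP_NET_ADMIN) || (t->flags & PF_CHROUTES))) {
        printf("LIDS: CAP_NET_ADMIN violation: %s tried to change IP firewall rules\n", t->comm);
        return -EACCES;
    }
    return 0;
}

/* The guard in dev_ioctl() for the SIOCSIF* family */
int dev_config_ioctl(const struct task *t, unsigned int cmd) {
    if (!(capable(t, CAP_NET_ADMIN) || (t->flags & PF_CHROUTES))) {
        printf("LIDS: CAP_NET_ADMIN violation: %s ioctl SIOC#%u\n", t->comm, cmd);
        return -EPERM;
    }
    return 0;
}

int main(void) {
    struct task boot_fw = spawn("ipchains", 0);       /* loads rules before sealing */
    printf("before seal, ipchains: %d\n", fw_rule_change(&boot_fw));
    lids_seal();
    struct task shell  = spawn("bash", 0);            /* root shell after sealing */
    struct task marked = spawn("ipchains", PF_CHROUTES);
    printf("after seal: bash fw=%d bash ioctl=%d marked ipchains fw=%d\n",
           fw_rule_change(&shell), dev_config_ioctl(&shell, SIOCSIFHWADDR),
           fw_rule_change(&marked));
    return 0;
}
```

The model makes one caveat visible: the bounding set is applied when a process acquires its capabilities, so a process that was already running before the seal keeps CAP_NET_ADMIN. That is why the text above says to do the CAP_NET_ADMIN work (loading rules, configuring interfaces) before sealing and to drop the capability at seal time.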

8.3 Kernel port-scan detection

Why detect port scans in the kernel?

Because a half-open (SYN) scan never completes a connection, it can only be seen by examining the individual packets. A user-space detector would therefore have to run as a sniffer, which is exactly the kind of program LIDS restricts (see 8.2). Doing the detection inside the kernel avoids running a sniffer at all.

The basic idea of a port scan is to probe a range of ports in a short time and record which ones answer as open; that is how a scanner learns which ports a remote machine has open. In the kernel we find the following code.
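The kernel excerpt below is cut off on this page, so as an added example (not LIDS code) here is the detection rule just described, run in user space over constructed traffic: a source that sends SYNs to more than MAX_PORTS distinct closed ports within WINDOW seconds is reported once per window. The threshold, the window, the per-source table and the pkt fields are assumptions.

```c
/* Added example: kernel-style port-scan detection in user space.  Not LIDS
 * code.  scan_check() stands where tcp_v4_rcv() reaches no_tcp_socket, i.e.
 * a segment arrived for a port nobody listens on.  Threshold, window, the
 * per-source table and struct pkt are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PORTS 10     /* more distinct closed ports than this per window = scan (assumed) */
#define WINDOW    5L     /* window length in seconds (assumed) */
#define MAX_SRC   16

/* What the kernel has in hand at no_tcp_socket: source, destination port,
   whether the segment is a SYN, arrival time in seconds. */
struct pkt { uint32_t saddr; uint16_t dport; int syn; long t; };

struct src_state {
    uint32_t saddr;
    long     win_start;
    int      nports;
    uint16_t ports[MAX_PORTS + 1];
    int      reported;
};

static struct src_state table[MAX_SRC];
static int nsrc;

void scan_reset(void) { nsrc = 0; }

static struct src_state *lookup(uint32_t saddr, long t) {
    for (int i = 0; i < nsrc; i++)
        if (table[i].saddr == saddr) return &table[i];
    if (nsrc == MAX_SRC) return NULL;   /* table full: fail open (a kernel would evict) */
    struct src_state *s = &table[nsrc++];
    memset(s, 0, sizeof *s);
    s->saddr = saddr;
    s->win_start = t;
    return s;
}

/* Returns 1 when this segment pushes its source over the threshold. */
int scan_check(const struct pkt *p) {
    if (!p->syn) return 0;                      /* only SYN probes to closed ports count */
    struct src_state *s = lookup(p->saddr, p->t);
    if (!s) return 0;
    if (p->t - s->win_start > WINDOW) {         /* start a new window */
        s->win_start = p->t; s->nports = 0; s->reported = 0;
    }
    for (int i = 0; i < s->nports; i++)
        if (s->ports[i] == p->dport) return 0;  /* retries of one port count once */
    if (s->nports < MAX_PORTS + 1) s->ports[s->nports++] = p->dport;
    if (s->nports > MAX_PORTS && !s->reported) {
        s->reported = 1;
        printf("LIDS: port scan from %u.%u.%u.%u (%d closed ports in %ld s)\n",
               (unsigned)(s->saddr >> 24), (unsigned)((s->saddr >> 16) & 0xff),
               (unsigned)((s->saddr >> 8) & 0xff), (unsigned)(s->saddr & 0xff),
               s->nports, p->t - s->win_start);
        return 1;
    }
    return 0;
}

#define IP(a,b,c,d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

/* Constructed traffic: a fast scanner, a legitimate client, a slow scanner.
   Returns the number of alerts raised. */
int run_sample(void) {
    struct pkt pkts[64];
    int n = 0, alerts = 0;
    for (int port = 21; port <= 32; port++)                   /* 12 ports within 2 s */
        pkts[n++] = (struct pkt){ IP(10,0,0,9), (uint16_t)port, 1, 1000 + port / 10 };
    pkts[n++] = (struct pkt){ IP(10,0,0,9), 22, 1, 1003 };    /* retry of port 22 */
    pkts[n++] = (struct pkt){ IP(10,0,0,5), 80, 1, 1000 };    /* ordinary client */
    pkts[n++] = (struct pkt){ IP(10,0,0,5), 443, 1, 1001 };
    pkts[n++] = (struct pkt){ IP(10,0,0,5), 8080, 0, 1002 };  /* RST, not a probe */
    for (int k = 0; k < 12; k++)                              /* one port every 6 s */
        pkts[n++] = (struct pkt){ IP(10,0,0,7), (uint16_t)(100 + k), 1, 2000 + 6L * k };
    for (int i = 0; i < n; i++) alerts += scan_check(&pkts[i]);
    return alerts;
}

int main(void) {
    printf("alerts raised: %d\n", run_sample());
    return 0;
}
```

The slow scanner in the sample shows the limit of a fixed window: one probe every six seconds never accumulates more than one port per window, so a detector with these parameters misses it; lowering WINDOW or raising it trades that miss rate against false alerts from ordinary clients.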

Port scan detection in the kernel

Let's look at TCP port scanning first.

/* In net/ipv4/tcp_ipv4.c */
int tcp_v4_rcv(struct sk_buff *skb, unsigned short len)
{
    ........
    __skb_queue_tail(&sk->back_log, skb);
    return 0;

no_tcp_socket:
#ifd
