Linux security and LIDS

LIDS (Linux Intrusion Detection System) is a Linux kernel patch together with a system administration tool, lidsadm. It implements a reference monitor and Mandatory Access Control (MAC) inside the kernel. This article describes the features of LIDS and how to use it to build a secure Linux system.
  
1. Why LIDS?
  
As Linux on the Internet becomes more and more popular, more and more security vulnerabilities are found in the application software on GNU/Linux systems. Many attacks exploit the carelessness of programmers, such as buffer overflows and format string attacks. When system security is compromised through such a program and the attacker obtains root privileges, the entire system is controlled by the intruder.
  
Because of the openness of the code, we can obtain the source code of most Linux applications and modify it according to our needs. Therefore, bugs can be found easily and fixed quickly. However, when a vulnerability is disclosed and the system administrator is negligent in patching it, an intrusion can easily follow. Worse, the attacker can obtain a root shell, and on a stock GNU/Linux system he can then do whatever he wants. This is the problem LIDS sets out to solve.
  
First, let's look at the problems existing in the GNU/Linux system.
  
File system not protected
  
Many important files in the system, such as /bin/login, are not protected. An intruder can upload a modified login binary that replaces /bin/login and then log on to the system without any login name or password. This is commonly called a Trojan horse.
  
Processes not protected
  
Processes running on the system serve certain system functions. For example, httpd is a web server that answers the web requests of remote clients. On a web server system it is important to protect that process from being terminated illegally. However, once the intruder has root privileges, nothing stops him.
  
System administration not protected
  
Many system administration operations, such as module loading/unloading, route settings and firewall rules, can be freely changed by any process running with user ID 0. Therefore the system becomes insecure as soon as an intruder obtains root privileges.
  
The super user (root) may abuse its permissions
  
Root can do whatever he wants. As root, he can even modify the existing permission settings.
  
To sum up, the access control model in the existing Linux system is not enough to build a secure Linux system. We must add a new model to the system to solve these problems. This is what LIDS does.
  
2. LIDS features
  
Linux Intrusion Detection System is a Linux kernel patch and a system administrator tool that enhances kernel security. It implements a reference monitor and Mandatory Access Control (MAC) in the kernel. When it is active, access to selected files, to system and network administration operations, to raw devices, to memory and to I/O ports can be denied, even for root. It uses and extends the kernel's capability mechanism, binds capability settings for the entire system, and adds network and file system security features to the kernel, thus enhancing security. You can adjust the security protection online, hide sensitive processes, and receive security alerts over the network.
  
In short, LIDS provides protection, detection and response functions as a security model inside the Linux kernel.
  
2.1 Protection
  
LIDS provides the following protection:
  
It protects important files and directories of any type on the hard disk so that they cannot be changed by anyone, including root. It protects important processes from being terminated and prevents illegal programs from performing raw I/O. It protects the hard disk, including the MBR. It protects sensitive files in the system and prevents unauthorized users (including root) and unauthorized programs from accessing them.
  
2.2 Detection
  
When someone scans your host, LIDS can detect it and report it to the system administrator. LIDS can also detect processes in the system that violate the rules.
  
2.3 Response
  
When someone violates the rules, LIDS records the details of the invalid operation in the system log files, which are themselves protected by LIDS. LIDS can also send the log information to your mailbox, and it can immediately close the user's session.
  
3. Establish a Secure Linux System
  
After reading the LIDS features, let's take a look at how to build a secure system with LIDS step by step.
  
3.1 Download the LIDS patch and the matching official Linux kernel
  
You can obtain LIDS patches and system management tools from LIDS Home, LIDS Ftp Home, or recent LIDS Mirror.
  
  
The patch name is lids-x.xx-y.y.y.tar.gz, where x.xx is the LIDS version and y.y.y is the Linux kernel version. For example, lids-0.9.9-2.2.17.tar.gz is LIDS version 0.9.9 for kernel version 2.2.17.
  
You must download the matching kernel version. For example, if you download lids-0.9.9-2.2.17.tar.gz, you should download the source code of Linux kernel 2.2.17. The kernel source code can be obtained from the kernel FTP site or from other mirrors.
  
Then decompress the kernel source code and the LIDS tarball. For example, having obtained lids-0.9.9-2.2.17.tar.gz from www.lids.org and linux-2.2.17.tar.bz2 from ftp.us.kernel.org:
  
-----------------------------------------------------------
  
1. Uncompress the Linux kernel source code tree.
# cd linux_install_path/
# bzip2 -cd linux-2.2.17.tar.bz2 | tar -xvf -
  
2. Uncompress the LIDS source code and install the lidsadm tool.
# cd lids_install_path
# tar -zxvf lids-0.9.8-2.2.17.tar.gz
  
-----------------------------------------------------------
  
3.2 install the LIDS patch on the Linux Kernel
  
Patch the Linux kernel source code with LIDS:
  
-----------------------------------------------------------
  
# cd linux_install_path/linux
# patch -p1 < /path/to/lids-patch-file   (placeholder: the .patch file shipped inside the LIDS tarball)
  
/* Link the default source path to the LIDS-patched version */
# rm -rf /usr/src/linux
# ln -s linux_install_path/linux /usr/src/linux
  
3.3 configure Linux Kernel
  
-----------------------------------------------------------
  
Configure the Linux kernel
# cd linux
# make menuconfig   (or: make xconfig)
  
-----------------------------------------------------------
  
To configure the Linux kernel, enable the following options:
  
[*] Prompt for development and/or incomplete code/drivers
[*] Sysctl support
  
After that, a new item named "Linux Intrusion Detection System" appears at the bottom of the configuration menu. Enter this menu and turn on
  
[*] Linux Intrusion Detection System support (EXPERIMENTAL) (NEW)
  
After the LIDS kernel is configured, exit the configuration interface and compile the kernel.
  
# make dep
# make clean
# make bzImage
# make modules
# make modules_install
  
3.4 install LIDS and system management tools on Linux
  
Copy bzImage to /boot/ and edit /etc/lilo.conf.
  
-----------------------------------------------------------
  
# cp arch/i386/boot/bzImage /boot/bzImage-lids-0.9.9-2.2.17
  
/* Build the admin tools */
# cd lids-0.9.8-2.2.17/lidsadm-0.9.8/
# make
# make install
  
# less /etc/lilo.conf
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
default=linux
  
image=/boot/vmlinuz-2.2.16-3
label=linux
read-only
root=/dev/hda2
  
image=/boot/bzImage-lids-0.9.9-2.2.17
label=dev
read-only
root=/dev/hda2
  
-----------------------------------------------------------
  
Run /sbin/lilo to install the new kernel:
  
# /sbin/lilo
  
3.5 configure the LIDS System
  
Before restarting, you must configure the lids system to meet your security needs. You can define protected files, protected processes, and so on.
  
By default, lidsadm installs a default configuration in /etc/lids/. You must adapt this configuration to your own needs. First, update the inode/dev values in the default lids.conf file:
  
# /sbin/lidsadm -U
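Why the inode/dev refresh matters: lids.conf records inode/dev values for the protected files, so a protected binary that is replaced (by a package upgrade, or by the Trojaned /bin/login described in section 1) no longer matches its recorded numbers until the values are updated. The Python below is an added illustration for this article, not LIDS or lidsadm code; its (path, inode, dev) record format is constructed for the example and is not the real lids.conf syntax.

```python
"""Constructed example: detect protected-file records whose inode/dev no
longer match the file on disk. Not LIDS or lidsadm code; the record format
is made up for illustration and is not the real lids.conf syntax."""
import os
import tempfile


def record_entry(path):
    """Snapshot a file as (path, inode, dev), as a rule bound to the
    file's inode/dev rather than to its path would store it."""
    st = os.stat(path)
    return (path, st.st_ino, st.st_dev)


def find_stale(entries):
    """Return (path, reason) for every record whose file is missing or
    whose inode/dev differ from the recorded values. A rule bound to the
    old inode would no longer cover the file now sitting at that path."""
    stale = []
    for path, ino, dev in entries:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            stale.append((path, "missing"))
            continue
        if (st.st_ino, st.st_dev) != (ino, dev):
            stale.append((path, "inode/dev changed"))
    return stale


def demo():
    """Snapshot a constructed 'login' file, then replace it the way a
    package upgrade or a Trojaned binary would (write a new file, rename
    it over the old one) and show that the snapshot has gone stale."""
    with tempfile.TemporaryDirectory() as d:
        login = os.path.join(d, "login")
        with open(login, "w") as f:
            f.write("original login binary (constructed)\n")
        entries = [record_entry(login)]
        before = find_stale(entries)      # [] while the file is untouched
        # Writing the replacement beside the original guarantees a new inode,
        # because both files exist at the same time before the rename.
        replacement = login + ".new"
        with open(replacement, "w") as f:
            f.write("replacement login binary (constructed)\n")
        os.rename(replacement, login)
        after = find_stale(entries)       # [(login, "inode/dev changed")]
        return before, after
```

Running demo() shows the record is valid before the replacement and stale after it, which is exactly the situation lidsadm -U is meant to repair before the kernel is sealed.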
  
3.6 restart the system
  
After the Linux system is configured, restart. When the LILO prompt appears, select the LIDS-enabled kernel. Then you will enter the wonderful LIDS world.
  
3.7 Seal the kernel
  
Do not forget to seal the kernel with lidsadm after the system has started. Add the following command at the end of /etc/rc.local:
  
# /sbin/lidsadm -I
  
3.8 online management
  
After the kernel is sealed, your system is protected by LIDS. You can perform some tests to verify the security level. If you want to change some configuration, such as modifying permissions, you can enter the LIDS password to change the security level of LIDS online:
  
# /sbin/lidsadm -S -- -LIDS
  
After changing the LIDS configuration files, such as lids.conf and lids.cap, you can reload the configuration into the kernel with the following command:
  
# /sbin/lidsadm -S -- +RELOAD_CONF
  
4. Configure the LIDS System
  
4.1 LIDS configuration directory -- "/etc/lids/"
  
After lidsadm is installed, the LIDS configuration directory is created under /etc/lids/. When the kernel boots, the configuration information is read into the kernel.