LIDS (Linux Intrusion Detection System) is a Linux kernel patch and system management employee lidsadm. it enhances the Linux kernel. It implements a security mode in the kernel-reference mode and MandatoryAccessControl (command entry control) mode in the kernel. This article describes the functions of LIDS and how to use it to create
LIDS (Linux Intrusion Detection System) is a Linux kernel patch and system management employee lidsadm. it enhances the Linux kernel. It implements a security mode in the kernel-reference mode and Mandatory Access Control (command entry Control) mode in the kernel. This article describes the functions of LIDS and how to use it to build a secure Linux system.
Why LIDS?
As Linux on the Internet is becoming more and more popular, more and more security vulnerabilities are found in the application software on the GNU/LINUX system. Many programs exploit the carelessness of programmers, such as cache overflow and formatting code attacks. When the system security is compromised by programs and hackers obtain the ROOT permission, the entire system will be controlled by intruders.
Because of the openness of the code, we can get a lot of the original code of the Linux application, and modify it according to our needs. Therefore, bugs can be easily found and quickly fixed. However, when a vulnerability is revealed, the system administrator is negligent in patching the vulnerability, which can easily cause intrusion. What's worse, hackers can obtain the root shell. Using the existing GNU/Linux system, he does whatever he wants. This is what LIDS wants to solve.
First, let's look at the problems existing in the GNU/Linux system.
File system not protected
Many important files in the system, such as/bin/login. after a hacker intrude into the system, he can upload the modified login file to replace/bin/login, then he can log on to the system without any login name or password. This is often called Trojan house.
The process is not protected
Processes running on the system serve certain system functions. for example, HTTPD is a web server to meet the web requirements of remote clients. As a web server system, it is important to protect its processes from being terminated illegally. However, when the intruder has the ROOT permission, we cannot do anything.
System Management unprotected
Many system management systems, such as module loading/uninstallation, route setting, and firewall rules, can be easily modified if the user ID is 0. Therefore, it becomes insecure when intruders obtain the ROOT permission.
Super User (root) as ROOT may abuse permissions
He can do whatever he wants. as ROOT, he can even modify the existing permissions.
To sum up, we found that entering the control mode in the existing Linux system is not enough to establish a secure Linux system. We must add a new mode in the system to solve these problems. This is what LIDS has to do.
LIDS features
Linux Intrusion Detection System is a Linux kernel patch and system administrator tool that enhances kernel security. It implements the reference listening mode and Mandatory Access Control (command entry Control) mode in the kernel. When it works, select the file to enter, and manage each system/network. any access permission, raw device, mem, and I/O will be disabled, even for ROOT. It uses and extends system functions, binds control settings on the entire system, and adds security features of the network and file system to the kernel, thus enhancing security. You can adjust security protection online, hide sensitive processes, and receive security warnings through the network.
In short, LIDS provides protection, reconnaissance, and response functions, from the security mode in the LINUX kernel.
Protection
LIDS provides the following protection:
Protect any types of important files and directories on the hard disk, which cannot be changed by anyone, including ROOT. It can protect important processes from being terminated and prevent raw io operations of illegal programs. Protects hard disks, including MBR protection. Protects sensitive files in the system and prevents unauthorized users (including ROOT) and unauthorized programs from accessing.
Reconnaissance
When someone scans your host, LIDS can detect and report to the system administrator. LIDS can also detect any illegal process on the system.
Response
When someone violates the rules, LIDS records invalid operation details to the system log files protected by LIDS. LIDS can also upload log information to your mailbox. LIDS can also immediately close conversations with users.
Establish a secure Linux system
After reading the LIDS features, let's take a look at how to build a secure system with LIDS step by step.
Download the LIDS patch and related official Linux kernel
You can obtain LIDS patches and system management tools from LIDS Home, LIDS Ftp Home, or recent LIDS Mirror.
The patch name is lids-x.xx-y.y.y.tar.gz, x. xx represents the lids version, y. y. y represents the Linux kernel version. for example, the lids-0.9.9-2.2.17.tar.gz represents the lids version 0.9.9 and the related kernel version is 2.2.17 ..
You must download the relevant kernel version. For example, if you download lids-0.9.9-2.2.17.tar.gz, you should download the original code of Linux kernel 2.2.17. The Kernel source code can be obtained from the Kernel FTP Site or other images.
Decompress the kernel source code and LIDS tar. for example, after the kernel:
1. uncompress the Linux kernel source code tree.
# Cd linux_install_path/
# Bzip2-cd linux-2.2.17.tar.bz2 | tar-xvf-
2. uncompress the lids source code and install the lidsadm tool.
# Cd lids_install_path
# Tar-zxvf lids-0.9.8-2.2.17.tar.gz
Apply the LIDS patch on the official Linux kernel, and apply the LIDS patch to the original Linux kernel code.
# Cd linux_install_path/linux
# Patch-p1
/* Link the default source path to lids patched version
# Rm-rf/usr/src/linux
# Ln-s linux_install_patch/linux/usr/src/linux
To configure the Linux kernel, follow these steps:
Prompt for development and/or incomplete code/drivers
Sysctl support
After that, you will find that a new item appear in the bottom of the configuration menu
Name "Linux Intrusion Detection System". Entering this menu, turn the Linux Intrusion
Detection System support (EXPERIMENTAL) (NEW ).
After the LIDS kernel is configured, exit the configuration interface and compile the kernel.
# Make dep
# Make clean
# Make bzImage
# Make modules
# Make modules_install
Install LIDS and system management tools on Linux, copy bzImage to/boot/, and edit/etc/lilo. conf.
# Cp arch/i386/boot/bzImage/boot/bzImage-lids-0.9.9-2.2.17
/* Build admin tools */
# Cd lids-0.9.8-2.2.17/lidsadm-0.9.8/
# Make
# Make install
# Less/etc/lilo. conf
Boot =/dev/hda
Map =/boot/map
Install =/boot. B
Prompt
Timeout = 50
Default = linux
Image =/boot/vmlinuz-2.2.16-3
Label = linux
Read-only
Root =/dev/hda2
Image =/boot/bzImage-lids-0.9.9-2.2.17
Label = dev
Read-only
Root =/dev/hda2
Run/sbin/lilo to install the new kernel:
#/Sbin/lilo
Configure the LIDS system
Before restarting, you must configure the lids system to meet your security needs. you can define protected files, protected processes, and so on.
By default, lidsadm installs the default configuration file to/etc/lids /. You must reconfigure it as needed. First, update the inode/dev value of the default lids. conf file.
#/Sbin/lidsadm-U
Restart the system
After the Linux system is configured, restart. When lilo appears, select to load the lids enable kernel. Then you will enter the wonderful LIDS world.
Encapsulate the kernel
After the system is started, do not forget to use lidsadm to encapsulate the kernel. add the following command at the end of/etc/rc. local:
#/Sbin/lidsadm-I
Online Management
After the kernel is encapsulated, your system is protected by LIDS. You can perform some tests to verify the security level. if you want to change some configurations, such as modifying permissions, you can enter a password to change the security level of lids online.
#/Sbin/lidsadm-S ---LIDS
After changing the lids configuration attributes, such as lids. conf and lids. cap, you can re-load the configuration file in the kernel using the following command:
#/Sbin/lidsadm-S -- + RELOAD_CONF
Configure the LIDS system
LIDS configuration directory -- "/etc/lids /"