Post on 11-Jan-2016

Linux Intrusion Detection/Defense System (LIDS)

- Sowmya Ponugoti
- Binita Mehta
- Christopher James

Why LIDS

- File system is unprotected
- Processes are unprotected
- System administration is unprotected
- Super user may abuse his rights

Introduction

Linux Intrusion Detection/Defense System (LIDS) is a patch and set of admin tools which enhances the kernel’s security.

When installed, chosen file accesses, system/network administration, any capability use, and raw device, memory and I/O access can be made impossible even for root.

Features

Protection
- Protect important files and directories irrespective of the file system
- Protect important processes
- Prevent raw I/O operations by any unauthorized program

Detection
- Notice any activity on the system that violates the rules.

Features …

Response
- Log a detailed message about the violated action to the system log file, which has itself been protected by LIDS.
- Send the log message to your mailbox.
- Can also shut down the user’s session immediately.

Building a Secure Linux System

1. Download the LIDS patch and the corresponding official Linux kernel

Uncompress the Linux kernel source code tree:

# cd linux_install_path/
# bzip2 -cd linux-2.2.17.tar.bz2 | tar -xvf -

Uncompress the LIDS source code:

# cd lids_install_path
# tar -zxvf lids-0.9.8-2.2.17.tar.gz

Building a Secure Linux System

2. Patch LIDS into the official Linux kernel

# cd linux_install_path/linux
# patch -p1 < /lids_install_path/lids-0.9pre4-2.2.14.patch

3. Configuring the Linux kernel

# make menuconfig (or make xconfig)

Turn this option on:
[*] Prompt for development and/or incomplete code/drivers

Enter the menu "Linux Intrusion Detection System" and turn this option on:
[*] Linux Intrusion Detection System support (EXPERIMENTAL) (NEW)

Building a Secure Linux System

Here are the options we turned on for LIDS:
- Security alert when executing unprotected programs before sealing
- Try not to flood logs
- Allow switching LIDS protections
- Allow reloading the config file
- Send security alerts through network

After this, compile the kernel following the usual steps.

Building a Secure Linux System

4. Install the LIDS admin tool into the Linux system

# cd lids-0.9.8-2.2.17/lidsadm-0.9.8/
# make
# make install

5. Configuring the LIDS system

Protecting files and directories

DENY access to anybody, except that /bin/login may read the file:

# lidsadm -A -o /etc/shadow -j DENY
# lidsadm -A -s /bin/login -o /etc/shadow -j READ

Building a Secure Linux System

Read-only files or directories:

# lidsadm -A -o /sbin/ -j READ

Append-only files:

# lidsadm -A -o /var/log/message -j APPEND

Our configuration:

lidsadm -Z
lidsadm -A -o /usr/sbin -j READ
lidsadm -A -o /usr/bin -j READ
lidsadm -A -o /usr/lib -j READ
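As an added illustration (not code from the slides or from the LIDS project), the following Python models how the lidsadm rules above combine into an effective access level for a given program and path. The model assumes that the rule with the most specific object path wins, that a subject-specific (-s) rule beats an "anybody" rule for the same object, that the levels order as DENY < READ < APPEND < WRITE, and that paths with no rule are unrestricted; these are simplifying assumptions, not a statement of LIDS's internals.

```python
# Toy model of LIDS-style file ACLs, built from the lidsadm rules on these slides.
# Assumed precedence (a simplification, not LIDS's own code): the rule with the
# longest matching object path wins, and for equal paths a subject-specific rule
# beats an "anybody" rule. A path with no rule is assumed unrestricted (WRITE).
from dataclasses import dataclass
from typing import List, Optional

# Access levels, least to most privileged (APPEND implies READ in this model).
LEVEL = {"DENY": 0, "READ": 1, "APPEND": 2, "WRITE": 3}

@dataclass(frozen=True)
class Rule:
    subject: Optional[str]  # program the rule is for (-s); None means anybody
    obj: str                # protected file or directory (-o)
    target: str             # DENY, READ, APPEND or WRITE (-j)

def _covers(obj: str, path: str) -> bool:
    """An object path covers itself and everything beneath it."""
    obj = obj.rstrip("/") or "/"
    return path == obj or path.startswith(obj.rstrip("/") + "/")

def effective_target(rules: List[Rule], program: str, path: str) -> str:
    """Access level `program` gets on `path` under the most specific rule."""
    best, best_key = "WRITE", (-1, -1)
    for r in rules:
        if r.subject not in (None, program) or not _covers(r.obj, path):
            continue
        key = (len(r.obj.rstrip("/")), 1 if r.subject else 0)
        if key > best_key:
            best, best_key = r.target, key
    return best

def allowed(rules: List[Rule], program: str, path: str, mode: str) -> bool:
    """True if `mode` (READ, APPEND or WRITE) is within the effective level."""
    return LEVEL[mode] <= LEVEL[effective_target(rules, program, path)]

# The rules the slides add with lidsadm -A, as (subject, object, target).
SLIDE_RULES = [
    Rule(None, "/etc/shadow", "DENY"),          # nobody may even read it ...
    Rule("/bin/login", "/etc/shadow", "READ"),  # ... except /bin/login
    Rule(None, "/sbin/", "READ"),
    Rule(None, "/var/log/message", "APPEND"),   # log may grow, not be truncated
    Rule(None, "/usr/sbin", "READ"),
    Rule(None, "/usr/bin", "READ"),
    Rule(None, "/usr/lib", "READ"),
]
```

Calling `allowed(SLIDE_RULES, "/bin/cat", "/etc/shadow", "READ")` returns False while the same call for `/bin/login` returns True, which is the split the two /etc/shadow rules above are meant to produce; an append to /var/log/message is allowed, a truncating write is not.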

Building a Secure Linux System

6. Making a password for LIDS

lidsadm -P

7. Reboot into the new kernel!

8. Sealing the kernel and setting capabilities

We removed the following capabilities:

CAP_CHOWN
- Overrides restrictions on changing file and group ownership

CAP_NET_ADMIN
- Disallows interface configuration
- Disallows modification of routing tables …

Building a Secure Linux System

CAP_SYS_ADMIN
- Disallows mount() and umount()
- Disallows examination and configuration of disk quotas …

CAP_SYS_MODULE
- Disallows insertion and removal of kernel modules

CAP_SYS_TIME
- Disallows modification of system time

CAP_SYS_BOOT
- Disallows the reboot() call

For finally sealing the kernel without these capabilities:

lidsadm -I -- -CAP_CHOWN -CAP_NET_ADMIN -CAP_SYS_ADMIN -CAP_SYS_MODULE -CAP_SYS_TIME -CAP_SYS_BOOT

Online Administration

Switching LIDS on and off:

# lidsadm -S -- -LIDS

Changing the configuration: modify lids.cap or lids.conf, then reload it:

# lidsadm -S -- +RELOAD_CONF

References

“Building a Secure System with Lids”, http://www.lids.org/document/build_lids-0.2.html

LIDS-Howto, http://www.lids.org/lids-howto/

LIDS FAQ, http://www.lids.org/lids-faq/LIDS-FAQ.html