Linux Intrusion Detection/Defense System (LIDS)
Sowmya Ponugoti, Binita Mehta, Christopher James
Why LIDS
- File system is unprotected
- Processes are unprotected
- System administration is unprotected
- Super user may abuse his rights
Introduction
Linux Intrusion Detection/Defense System (LIDS) is a patch and set of admin tools which enhances the kernel’s security.
When installed, chosen file access, system/network administration, any capability use, raw device, memory and I/O access can be made impossible even for root.
Features
Protection
- Protect important files and directories irrespective of the file system
- Protect important processes
- Prevent raw I/O operations by any unauthorized program
Detection
- Notice any activity on the system that violates the rules
Features (continued)
Response
- Log a detailed message about the violated action to the system log file, which is itself protected by LIDS
- Send the log message to your mailbox
- Can also shut down the user's session immediately
Building a Secure Linux System
1. Download the LIDS patch and the corresponding official Linux kernel
Uncompress the Linux kernel source code tree:
# cd linux_install_path/
# bzip2 -cd linux-2.2.17.tar.bz2 | tar -xvf -
Uncompress the LIDS source code:
# cd lids_install_path
# tar -zxvf lids-0.9.8-2.2.17.tar.gz
2. Patch LIDS into the official Linux kernel
# cd linux_install_path/linux
# patch -p1 < /lids_install_path/lids-0.9pre4-2.2.14.patch
3. Configuring the Linux kernel
# make menuconfig   (or: # make xconfig)
Turn this option on:
[*] Prompt for development and/or incomplete code/drivers
Enter the menu "Linux Intrusion Detection System" and turn this option on:
[*] Linux Intrusion Detection System support (EXPERIMENTAL) (NEW)
Here are the options we turned on for LIDS:
- Security alert when executing unprotected programs before sealing
- Try not to flood logs
- Allow switching LIDS protections
- Allow reloading the config file
- Send security alerts through network
After this, compile the kernel following the usual steps.
4. Install the LIDS admin tool into the Linux system
# cd lids-0.9.8-2.2.17/lidsadm-0.9.8/
# make
# make install
5. Configuring the LIDS system: protecting files and directories
Deny access to anybody, then grant /bin/login read access as the only exception:
# lidsadm -A -o /etc/shadow -j DENY
# lidsadm -A -s /bin/login -o /etc/shadow -j READ
Read-only files or directories:
# lidsadm -A -o /sbin/ -j READ
Append-only files:
# lidsadm -A -o /var/log/message -j APPEND
Our configuration:
lidsadm -Z
lidsadm -A -o /usr/sbin -j READ
lidsadm -A -o /usr/bin -j READ
lidsadm -A -o /usr/lib -j READ
6. Making a password for LIDS
lidsadm -P
7. Reboot into the new kernel!
8. Sealing the kernel and setting capabilities
We removed the following capabilities:
CAP_CHOWN: overrides changing file and group ownership
CAP_NET_ADMIN: disallows interface configuration; disallows modification of routing tables ...
CAP_SYS_ADMIN: disallows mount() and umount(); disallows examination and configuration of disk quotas ...
CAP_SYS_MODULE: disallows insertion and removal of kernel modules
CAP_SYS_TIME: disallows modification of system time
CAP_SYS_BOOT: disallows reboot() command
Finally, seal the kernel without these capabilities:
lidsadm -I -- -CAP_CHOWN -CAP_NET_ADMIN -CAP_SYS_ADMIN -CAP_SYS_MODULE -CAP_SYS_TIME -CAP_SYS_BOOT
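As an added example (not part of the slides), here is a small POSIX shell check a defender can run after sealing to confirm that the six capabilities removed above are really gone. LIDS 0.9 on kernel 2.2 kept its own capability bounding set, so this reads the CapBnd mask that later kernels expose in /proc/<pid>/status instead; the bit numbers are the standard ones from linux/capability.h, and the function names and constructed masks are my own.

```sh
#!/bin/sh
# Added example: check a Linux capability bounding-set mask for the six
# capabilities the LIDS sealing command removes. Bit numbers are the
# standard values from linux/capability.h (CAP_CHOWN=0, CAP_NET_ADMIN=12,
# CAP_SYS_MODULE=16, CAP_SYS_ADMIN=21, CAP_SYS_BOOT=22, CAP_SYS_TIME=25).
LIDS_DROPPED_CAPS="CAP_CHOWN:0 CAP_NET_ADMIN:12 CAP_SYS_MODULE:16 CAP_SYS_ADMIN:21 CAP_SYS_BOOT:22 CAP_SYS_TIME:25"

# cap_in_mask HEXMASK BIT -> succeeds when bit BIT is set in the hex mask
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# caps_remaining HEXMASK -> prints the names from LIDS_DROPPED_CAPS that are
# still present in the mask (empty output means all six were removed)
caps_remaining() {
    _mask=$1
    _out=""
    for _entry in $LIDS_DROPPED_CAPS; do
        _name=${_entry%%:*}
        _bit=${_entry##*:}
        if cap_in_mask "$_mask" "$_bit"; then
            _out="$_out $_name"
        fi
    done
    printf '%s\n' "${_out# }"
}

# current_capbnd -> CapBnd of this process (empty if /proc is unavailable)
current_capbnd() {
    awk '/^CapBnd:/ { print $2 }' /proc/self/status 2>/dev/null
}

# Stand-alone use: report against the live process when /proc exists.
_live=$(current_capbnd)
if [ -n "$_live" ]; then
    _left=$(caps_remaining "$_live")
    if [ -n "$_left" ]; then
        echo "WARNING: still in bounding set: $_left"
    else
        echo "OK: none of the six capabilities remain in CapBnd $_live"
    fi
fi
```

The constructed mask 0000003ffd9eeffe is the full 38-bit set with exactly those six bits cleared, which is what a correctly sealed system should report.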
Online Administration
Switching LIDS on and off:
# lidsadm -S -- -LIDS
Changing the configuration: modify lids.cap or lids.conf, then
# lidsadm -S -- +RELOAD_CONF