Linux Intrusion Detection/Defense System (LIDS) - Sowmya Ponugoti - Binita Mehta - Christopher James

Why LIDS File System is unprotected Processes are unprotected System administration is unprotected Super user may abuse his rights.

Introduction Linux Intrusion Detection/Defense System (LIDS) is a patch and set of admin tools which enhances the kernel’s security. When installed, chosen file access, system/network administration, any capability use, raw device, mem and I/O access can be made impossible even for root.

Features Protection  Protect important files and directories irrespective of the file system  Protect important processes  Prevent raw i/o operations by any unauthorized program Detection  Notice any activity on the system that violates the rules.

Features … Response  Log a detail message about the violated action to the system log file which has been protected by LIDS.  Send the log message to your mailbox.  Can also shutdown the user’s session immediately.

Building a Secure Linux System 1. Download LIDS patch and corresponding official Linux kernel  uncompress the Linux kernel source code tree. # cd linux_install_path/ # bzip2 -cd linux tar.bz2 | tar -xvf -  uncompress the lids source code # cd lids_install_path # tar -zxvf lids tar.gz

Building a Secure Linux System 2. Patch LIDS to official Linux kernel # cd linux_install_path/linux # patch -p1 </lids_install_path/lids-0.9pre patch 3. Configuring the Linux Kernel # make menuconfig or make xconfig Turn this option on [*] Prompt for development and/or incomplete code/drivers Entering the menu- "Linux Intrusion Detection System“ turn this option on [*] Linux Intrusion Detection System support (EXPERIMENTAL) (NEW).

Building a Secure Linux System Here are the options we turned on for LIDS  Security alert when executing unprotected programs before sealing  Try not to flood logs  Allow switching LIDS protections  Allow reloading the config file  Send security alerts through network After this compile the kernel following the usual steps

Building a Secure Linux System 4.Install LIDS admin tool into the Linux system # cd lids /lidsadm-0.9.8/ # make # make install 5. Configuring the LIDS System  Protecting Files and Directories DENY access to any body. # lidsadm -A -o /etc/shadow -j DENY # lidsadm -A -s /bin/login -o /etc/shadow -j READ

Building a Secure Linux System Read Only Files or Directories. # lidsadm -A -o /sbin/ -j READ Append Only Files. # lidsadm -A -o /var/log/message -j APPEND Our Configuration : lidsadm -Z lidsadm -A -o /usr/sbin -j READ lidsadm -A -o /usr/bin -j READ lidsadm -A -o /usr/lib -j READ

Building a Secure Linux System 6. Making a Password for LIDS lidsadm -P 7. Reboot into the New Kernel ! 8. Sealing the Kernel and Setting Capabilities We removed the following capabilities  CAP_CHOWN Overrides changing file and group ownership  CAP_NET_ADMIN Disallows Interface Configuration Disallows modification of routing tables..

Building a Secure Linux System  CAP_SYS_ADMIN Disallows mount() and umount() Disallows examination and configuration of disk quotas …  CAP_SYS_MODULE Disallows insertion and removal of kernel modules  CAP_SYS_TIME Disallows modification of System Time  CAP_SYS_BOOT Disallows reboot() command For Finally Sealing the Kernel without these capabilities : lidsadm –I -- -CAP_CHOWN –CAP_NET_ADMIN – CAP_SYS_ADMIN –CAP_SYS_MODULE –CAP_SYS_TIME – CAP_SYS_BOOT

Online Administration Switching LIDS On and Off # lidsadm -S -- -LIDS Changing the Configuration  Modify lids.cap or lids.conf  lidsadm -S -- +RELOAD_CONF

References “Building a Secure System with Lids” LIDS-Howto LIDS FAQ