build_lids.html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
 <TITLE>BUILD A SECURITY SYSTEM WITH LIDS</TITLE>


</HEAD>
<BODY>
<H1>BUILD A SECURITY SYSTEM WITH LIDS</H1>

<H2>Xie Huagang (<CODE>xhg@ncic.ac.cn</CODE>, <CODE>http://www.lids.org</CODE>)</H2>Tue Apr 18 00:02:12 CST 2000.
<P><HR>
<EM>LIDS (Linux Intrusion Detection System) is a Linux kernel patch that enhances the security of the Linux kernel. In this article we describe what LIDS can do and how to use it to build a secure Linux system.</EM>
<HR>
<H2><font size="4"><a href="#s1">1. Why LIDS</a><br>
  <a href="#s2">2. Features about LIDS</a><br>
  <a href="#s3">3. Build a secure Linux system with LIDS</a><br>
  <a href="#s4">4. Configure LIDS</a><br>
  <a href="#s5">5. Thanks</a></font></H2>
<H2><a href="lids-chinese.txt"><font size="4">Readers who would rather not read the English can start with this Chinese summary...</font></a> 
  <br>
</H2>
<hr>
<H2><A NAME="s1">1. Why LIDS. </A></H2>

<P>
<P>With the increasing popularity of Linux on the Internet, more and more security holes
are found in current GNU/Linux systems. You may have read on the Internet that bugs have been found in Linux which allow the system to be compromised easily by a hacker.
<P>Since Linux is a product of the open source community, security holes can be
found easily and can also be patched quickly. But once a hole is disclosed to
the public and the administrator is too lazy to patch it, it becomes very easy to break
into the system, and worse, the hacker can obtain a root shell. On a current GNU/Linux system, root can do whatever he wants.
Now you may ask: what is the problem, and what can we do about it?
<P>
<P>What is wrong with the current GNU/Linux system?
<P>
<UL>
<LI> The superuser (root) may abuse its rights.

As root, a user can do whatever he wants. Although capabilities exist in the
current system, root can easily change them.
</LI>
<LI> Many system files can be changed easily.

There are many important files in the system, such as /bin/login.
If a hacker gets in, he can upload a modified login program to replace
/bin/login, so that he can log in again without any login name or password.
Yet these files do not need to change frequently, unless you want
to upgrade the system.
</LI>
<LI> Modules can easily be used to subvert the kernel.

Modules are a good design for the Linux kernel: they make the
kernel more modular and more flexible.
But once a module has been inserted into the kernel,
it becomes part of the kernel and can do whatever the original
kernel can do.

Therefore some unfriendly code could
be written as a module and inserted into the kernel; such code can even
redirect system calls and act like a virus.
<P>
</LI>
<LI> Processes are unprotected.

Certain processes, such as the web server daemon, which are critical to
the system, are not under strict protection. Therefore they are
vulnerable to attack by hackers.
</LI>
</UL>
<P>Given the insecurities described above, how can we build a secure system? We must have a secure kernel and then build our secure system on top of it.
This is what LIDS does.
<P>
<H2><A NAME="s2">2. Features about LIDS.</A></H2>

<P>
<P>The Linux Intrusion Detection System is <CODE>a patch which enhances the
kernel's security</CODE>. When it is in effect, access to chosen files, every
system/network administration operation, any capability use, and raw
device, memory and I/O access can be made impossible even for root. It
uses and extends the system capabilities bounding set to control the
whole system and adds some network and filesystem security features in the
kernel to enhance security. You can fine-tune the security
protections online, hide sensitive processes, receive security alerts
through the network, and more.
<P>In short, LIDS provides <CODE>Protection, Detection and Response</CODE> to intrusions in the Linux kernel.
<P>
<P>
<UL>
<LI> Protection.

LIDS can protect important files on your hard disk no matter what filesystem
type they reside on; nobody, including root, can change these files.

LIDS can also protect important processes from being killed.

LIDS can prevent raw I/O operations from an unauthorized program. It can also
protect your hard disk, including MBR protection, etc.
</LI>
<LI> Detection.

When someone scans your host, LIDS can detect it and inform the administrator.
LIDS can also notice any activity on the system which violates the rules.
</LI>
<LI> Response.

When someone violates the rules, LIDS can log a detailed message about the
violating action to the system log file, which is itself protected by LIDS.
LIDS can also send the log message to your mailbox. In this case, LIDS can also shut down the user's session at once.

<P>
</LI>
</UL>
<P>
<H2><A NAME="s3">3. Build a secure Linux system with LIDS</A></H2>

<P>Having seen the LIDS features, let's see how to build a secure system with LIDS step by step.
<P>
<H2>3.1 Download the LIDS patch and the corresponding official Linux kernel</H2>

<P>
<P>You can download the LIDS patch from the
<A HREF="http://www.lids.org">LIDS Home</A>, the
<A HREF="ftp://ftp.lids.org">LIDS Ftp Home</A>, or any other LIDS mirror around the world; check
<A HREF="http://www.lids.org/mirrors/">LIDS Mirror</A> for the nearest mirror site.
<P>The patch name will be lids-x.xx-y.y.y.tar.gz, where x.xx represents the LIDS version and y.y.y represents the Linux kernel version.
<P>You should download the corresponding kernel version. For example, if you download lids-0.9pre4-2.2.14.tar.gz, you should download the Linux kernel 2.2.14 source code. You can download the kernel source from the
<A HREF="ftp://ftp.linux.org">Kernel FTP Site</A> or any other mirror of it.
<P>
<BLOCKQUOTE><CODE>
<HR>
<PRE>

1. uncompress the linux kernel source code tree.
# cd linux_install_path 
# bzip2 -cd linux-2.2.14.tar.bz2 | tar -xvf - 

2. uncompress the lids source code.
# cd lids_install_path
# tar -zxvf lids-0.9pre4-2.2.14.tar.gz
</PRE>
<HR>
</CODE></BLOCKQUOTE>
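<P>Before applying the patch, it is worth checking that the LIDS tarball and the unpacked kernel tree really are for the same kernel version, since the patch is specific to the version encoded in its name and a mismatched patch will fail or apply only partially. The following POSIX shell script is an added example, not part of the original article or the LIDS project; it assumes the lids-x.xx-y.y.y naming scheme described above and the VERSION/PATCHLEVEL/SUBLEVEL lines of the kernel's top-level Makefile.

```shell
#!/bin/sh
# Added example (not from the LIDS article or project): verify that a LIDS
# patch tarball targets the kernel tree it is about to be applied to.
# Assumes the naming scheme lids-x.xx-y.y.y.tar.gz (y.y.y = kernel version)
# and the VERSION/PATCHLEVEL/SUBLEVEL lines of the kernel's Makefile.

# Kernel version (y.y.y) encoded in a LIDS tarball or .patch file name:
# whatever follows the last dash once the prefix and suffix are stripped.
lids_kernel_version() {
    name=$(basename "$1")
    name=${name#lids-}
    name=${name%.tar.gz}
    name=${name%.patch}
    echo "${name##*-}"
}

# Kernel version from a kernel tarball name (linux-y.y.y.tar.bz2 or .tar.gz).
kernel_tarball_version() {
    name=$(basename "$1")
    name=${name#linux-}
    name=${name%.tar.bz2}
    name=${name%.tar.gz}
    echo "$name"
}

# Kernel version from an unpacked source tree's top-level Makefile; this is
# the authoritative value, since a tarball may have been renamed.
kernel_makefile_version() {
    mk="$1/Makefile"
    v=$(sed -n 's/^VERSION[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$mk")
    p=$(sed -n 's/^PATCHLEVEL[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$mk")
    s=$(sed -n 's/^SUBLEVEL[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$mk")
    echo "$v.$p.$s"
}

# Exit status 0 when the LIDS tarball targets the given kernel source tree.
lids_matches_tree() {
    [ "$(lids_kernel_version "$1")" = "$(kernel_makefile_version "$2")" ]
}

# Usage: check_lids.sh lids-0.9pre4-2.2.14.tar.gz /path/to/linux
if [ $# -eq 2 ]; then
    if lids_matches_tree "$1" "$2"; then
        echo "ok: $1 targets kernel $(kernel_makefile_version "$2"); safe to patch"
    else
        echo "mismatch: $1 is for kernel $(lids_kernel_version "$1") but" \
             "$2 is $(kernel_makefile_version "$2"); do not patch" >&2
        exit 1
    fi
fi
```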
<H2>3.2 Patch LIDS to official linux kernel</H2>

<P>
<P>After downloading the kernel source and LIDS and uncompressing both, apply the patch and build the kernel.
For example, if you downloaded lids-0.9pre4-2.2.14.tar.gz and linux-2.2.14.tar.bz2, then:
<P>
<BLOCKQUOTE><CODE>
<HR>
<PRE>

3. patch the lids to the linux kernel source code.

# cd linux_install_path
# patch -p0 &lt;/lids_install_path/lids-0.9pre4-2.2.14.patch
# cd linux
# make dep clean
# make bzImage
# make modules
# make modules_install

4. copy the bzImage to /boot/ and edit /etc/lilo.conf

5. run /sbin/lilo to install the new kernel.

# /sbin/lilo
</PRE>
<HR>
</CODE></BLOCKQUOTE>
<P>
<H2>3.3 Configure the linux kernel </H2>

<P>Now it is time to configure the Linux kernel. Turn the following options on:
<BLOCKQUOTE><CODE>
<PRE>

[*] Prompt for development and/or incomplete code/drivers 
[*] Sysctl support 
</PRE>
</CODE></BLOCKQUOTE>

<BLOCKQUOTE><CODE>
<HR>
<PRE>

4. configure the linux kernel
# cd linux
# make menuconfig or make xconfig 
</PRE>
<HR>
</CODE></BLOCKQUOTE>
<P>
<H2>3.4 Initialize the LIDS system</H2>

<P>Now, before rebooting, you must configure your LIDS system to meet your security needs. You can define protected files, protected processes, etc. In the next chapter, we will show you the details of this topic.
<P>
<H2>3.5 Reboot the system</H2>

<P>
<P>After you have configured your system, reboot it. When LILO appears,
select the LIDS-enabled kernel to load. After that, you enter the wonderful
world of LIDS.
<P>
<H2>3.6 Sealing the kernel.</H2>

<P>
<P>After your system boots up, do not forget to seal the kernel with lidsadm; you can put the command on the last line of /etc/rc.local.
<P>
<BLOCKQUOTE><CODE>
