📄 00000017.htm

📁 一份很好的linux入门资料
💻 HTM
📖 第 1 页 / 共 3 页
字号:
上一页 1 23
LIDS&nbsp;can&nbsp;protect&nbsp;the&nbsp;process&nbsp;whose&nbsp;parent&nbsp;is&nbsp;init(pid=1),&nbsp;you&nbsp;must&nbsp;seal&nbsp;the&nbsp;<BR>kernel&nbsp;with&nbsp;a&nbsp;specified&nbsp;option&nbsp;as&nbsp;below.&nbsp;&nbsp;<BR>&nbsp;<BR>&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;lidsadm&nbsp;-I&nbsp;--&nbsp;+INIT_CHILDREN_LOCK&nbsp;<BR>&nbsp;<BR>4.3&nbsp;Protect&nbsp;with&nbsp;capability.&nbsp;<BR>&nbsp;<BR>Capabilities&nbsp;are&nbsp;like&nbsp;privileges&nbsp;you&nbsp;can&nbsp;give&nbsp;a&nbsp;process.&nbsp;A&nbsp;root&nbsp;process&nbsp;has&nbsp;all&nbsp;<BR>the&nbsp;capabilities.&nbsp;But&nbsp;there&nbsp;exists&nbsp;a&nbsp;capabilities&nbsp;bounding&nbsp;set.&nbsp;In&nbsp;a&nbsp;normal&nbsp;<BR>kernel,&nbsp;when&nbsp;you&nbsp;remove&nbsp;a&nbsp;capability&nbsp;from&nbsp;the&nbsp;bounding&nbsp;set,&nbsp;nobody&nbsp;can&nbsp;ever&nbsp;<BR>use&nbsp;it&nbsp;again,&nbsp;until&nbsp;next&nbsp;reboot.&nbsp;(see&nbsp;<A HREF="http://www.netcom.com/">http://www.netcom.com/</A>&nbsp;spoon/lcap&nbsp;for&nbsp;<BR>the&nbsp;normal&nbsp;use).&nbsp;&nbsp;<BR>&nbsp;<BR>LIDS&nbsp;modifies&nbsp;this&nbsp;behavior&nbsp;to&nbsp;enable&nbsp;you&nbsp;to&nbsp;switch&nbsp;theses&nbsp;on&nbsp;and&nbsp;off,&nbsp;<BR>whenever&nbsp;you&nbsp;want.&nbsp;An&nbsp;access&nbsp;to&nbsp;the&nbsp;/proc/sys/kernel/cap_bset&nbsp;is&nbsp;<BR>trapped&nbsp;and&nbsp;raise&nbsp;a&nbsp;security&nbsp;alert.&nbsp;lidsadm&nbsp;performs&nbsp;all&nbsp;the&nbsp;job.&nbsp;&nbsp;<BR>&nbsp;<BR>You&nbsp;can&nbsp;list&nbsp;all&nbsp;capability&nbsp;in&nbsp;LIDS&nbsp;by&nbsp;running&nbsp;lidsadm,&nbsp;and&nbsp;you&nbsp;can&nbsp;see&nbsp;what&nbsp;<BR>the&nbsp;exactly&nbsp;meaning&nbsp;of&nbsp;each&nbsp;capability.&nbsp;&nbsp;<BR>&nbsp;<BR>We&nbsp;here&nbsp;discuss&nbsp;two&nbsp;of&nbsp;them,&nbsp;&nbsp;<BR>&nbsp;<BR>CAP_SYS_RAWIO&nbsp;<BR>&nbsp;<BR>With&nbsp;this&nbsp;capability&nbsp;on,&nbsp;we&nbsp;can&nbsp;allow&nbsp;ioperm/iopl&nbsp;and&nbsp;/dev/port&nbsp;access,&nbsp;allow&nbsp;<BR>/dev/mem&nbsp;and&nbsp;/dev/kmem&nbsp;acess&nbsp;and&nbsp;allow&nbsp;raw&nbsp;block&nbsp;devices&nbsp;(/dev/[sh]d??)&nbsp;<BR>acess&nbsp;&nbsp;<BR>&nbsp;<BR>When&nbsp;we&nbsp;disable&nbsp;this&nbsp;capability,&nbsp;we&nbsp;can&nbsp;make&nbsp;all&nbsp;process&nbsp;on&nbsp;the&nbsp;system&nbsp;has&nbsp;<BR>no&nbsp;any&nbsp;right&nbsp;to&nbsp;the&nbsp;raw&nbsp;device,&nbsp;such&nbsp;as&nbsp;runing&nbsp;lilo.&nbsp;&nbsp;<BR>&nbsp;<BR>But&nbsp;some&nbsp;process&nbsp;may&nbsp;want&nbsp;this&nbsp;capability&nbsp;to&nbsp;run,&nbsp;such&nbsp;as&nbsp;XF86_SVGA.&nbsp;In&nbsp;<BR>this&nbsp;case,&nbsp;we&nbsp;can&nbsp;let&nbsp;the&nbsp;program&nbsp;in&nbsp;the&nbsp;exception&nbsp;list&nbsp;when&nbsp;compile&nbsp;the&nbsp;<BR>kernel.&nbsp;&nbsp;<BR>&nbsp;<BR>CAP_NET_ADMIN&nbsp;<BR>&nbsp;<BR>This&nbsp;capability&nbsp;get&nbsp;the&nbsp;following&nbsp;ability,&nbsp;&nbsp;<BR>&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;interface&nbsp;configuration&nbsp;&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;administration&nbsp;of&nbsp;IP&nbsp;firewall,&nbsp;masquerading&nbsp;and&nbsp;accounting&nbsp;&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;setting&nbsp;debug&nbsp;option&nbsp;on&nbsp;sockets&nbsp;&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;modification&nbsp;of&nbsp;routing&nbsp;tables&nbsp;&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;setting&nbsp;arbitrary&nbsp;process&nbsp;/&nbsp;process&nbsp;group&nbsp;ownership&nbsp;on&nbsp;sockets&nbsp;&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;binding&nbsp;to&nbsp;any&nbsp;address&nbsp;for&nbsp;transparent&nbsp;proxying&nbsp;&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;setting&nbsp;TOS&nbsp;(type&nbsp;of&nbsp;service)&nbsp;&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;setting&nbsp;promiscuous&nbsp;mode&nbsp;&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;clearing&nbsp;driver&nbsp;statistics&nbsp;&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;multicasting&nbsp;&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;read/write&nbsp;of&nbsp;device-specific&nbsp;registers&nbsp;<BR>&nbsp;<BR>For&nbsp;the&nbsp;security&nbsp;reason,&nbsp;we&nbsp;should&nbsp;disable&nbsp;this&nbsp;to&nbsp;disallow&nbsp;changing&nbsp;network&nbsp;<BR>configuration.&nbsp;When&nbsp;it&nbsp;disallow,&nbsp;the&nbsp;firewall&nbsp;rules&nbsp;will&nbsp;not&nbsp;allow&nbsp;to&nbsp;change.&nbsp;&nbsp;<BR>&nbsp;<BR>Choose&nbsp;the&nbsp;capability&nbsp;and&nbsp;sealing&nbsp;the&nbsp;kernel&nbsp;&nbsp;<BR>&nbsp;<BR>You&nbsp;should&nbsp;choose&nbsp;what&nbsp;capability&nbsp;you&nbsp;should&nbsp;disallow&nbsp;when&nbsp;sealing&nbsp;the&nbsp;<BR>kernel.&nbsp;Here&nbsp;we&nbsp;give&nbsp;an&nbsp;example.&nbsp;&nbsp;<BR>&nbsp;<BR>You&nbsp;may&nbsp;put&nbsp;it&nbsp;in&nbsp;a&nbsp;rc&nbsp;script&nbsp;(rc.local,&nbsp;/etc/init.d/lids,&nbsp;/etc/rc.d/init.d/lids,&nbsp;etc.)&nbsp;<BR>depending&nbsp;upon&nbsp;your&nbsp;distribution&nbsp;and&nbsp;the&nbsp;way&nbsp;you&nbsp;administrate&nbsp;your&nbsp;system.&nbsp;<BR>The&nbsp;command&nbsp;is,&nbsp;for&nbsp;example&nbsp;:&nbsp;&nbsp;<BR>&nbsp;<BR>&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;lidsadm&nbsp;-I&nbsp;--&nbsp;-CAP_SYS_MODULE&nbsp;-CAP_SYS_RAWIO&nbsp;-CAP_SYS_ADMIN&nbsp;\&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-CAP_SYS_PTRACE&nbsp;-CAP_NET_ADMIN&nbsp;\&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;+LOCK_INIT_CHILDREN&nbsp;<BR>&nbsp;<BR>4.4&nbsp;Network&nbsp;Security.&nbsp;<BR>&nbsp;<BR>LIDS&nbsp;provide&nbsp;some&nbsp;network&nbsp;security&nbsp;enhancement.&nbsp;&nbsp;<BR>&nbsp;<BR>network&nbsp;security&nbsp;with&nbsp;capability&nbsp;<BR>&nbsp;<BR>With&nbsp;the&nbsp;capability,&nbsp;we&nbsp;can&nbsp;enhance&nbsp;the&nbsp;network&nbsp;security.&nbsp;such&nbsp;as&nbsp;anti&nbsp;<BR>snifferring,&nbsp;can&nbsp;not&nbsp;bind&nbsp;to&nbsp;the&nbsp;port&nbsp;lower&nbsp;than&nbsp;1024,&nbsp;can&nbsp;not&nbsp;change&nbsp;the&nbsp;<BR>firewall&nbsp;and&nbsp;routing&nbsp;rules.&nbsp;&nbsp;<BR>&nbsp;<BR>so,&nbsp;what&nbsp;I&nbsp;suggest&nbsp;is&nbsp;to&nbsp;view&nbsp;each&nbsp;capability&nbsp;meaning&nbsp;carefully.&nbsp;&nbsp;<BR>&nbsp;<BR>Scanner&nbsp;detector&nbsp;in&nbsp;kernel&nbsp;<BR>&nbsp;<BR>LIDS&nbsp;provide&nbsp;a&nbsp;scanner&nbsp;detector&nbsp;in&nbsp;kernel&nbsp;in&nbsp;order&nbsp;to&nbsp;detect&nbsp;who&nbsp;had&nbsp;scan&nbsp;<BR>your&nbsp;system.&nbsp;The&nbsp;scanner&nbsp;can&nbsp;detect&nbsp;half-open&nbsp;scan,&nbsp;normal&nbsp;scan&nbsp;etc.&nbsp;using&nbsp;<BR>tools&nbsp;like&nbsp;nmap,satan&nbsp;can&nbsp;be&nbsp;detected&nbsp;by&nbsp;the&nbsp;detector.&nbsp;&nbsp;<BR>&nbsp;<BR>It&nbsp;is&nbsp;useful&nbsp;when&nbsp;raw&nbsp;socket&nbsp;is&nbsp;disable.&nbsp;In&nbsp;this&nbsp;case,&nbsp;some&nbsp;user&nbsp;space&nbsp;<BR>detector&nbsp;based&nbsp;on&nbsp;snifferring&nbsp;will&nbsp;not&nbsp;work.&nbsp;And&nbsp;the&nbsp;detector&nbsp;does&nbsp;not&nbsp;use&nbsp;<BR>any&nbsp;socket,&nbsp;it&nbsp;will&nbsp;be&nbsp;more&nbsp;secure&nbsp;than&nbsp;a&nbsp;user&nbsp;space&nbsp;detector.&nbsp;&nbsp;<BR>&nbsp;<BR>If&nbsp;you&nbsp;want&nbsp;this&nbsp;feature,&nbsp;you&nbsp;should&nbsp;select&nbsp;it&nbsp;on&nbsp;when&nbsp;compile&nbsp;the&nbsp;kernel.&nbsp;&nbsp;<BR>&nbsp;<BR>4.5&nbsp;Intrusion&nbsp;Responsive&nbsp;system.&nbsp;&nbsp;<BR>&nbsp;<BR>When&nbsp;LIDS&nbsp;detect&nbsp;some&nbsp;thing&nbsp;violate&nbsp;the&nbsp;rules&nbsp;defined,&nbsp;it&nbsp;can&nbsp;response&nbsp;to&nbsp;<BR>the&nbsp;action&nbsp;by&nbsp;following&nbsp;method.&nbsp;&nbsp;<BR>&nbsp;<BR>Logging&nbsp;the&nbsp;message&nbsp;<BR>&nbsp;<BR>When&nbsp;someone&nbsp;violate&nbsp;rules,&nbsp;lids_security_log&nbsp;will&nbsp;log&nbsp;a&nbsp;message&nbsp;the&nbsp;klogd,&nbsp;<BR>the&nbsp;logging&nbsp;also&nbsp;have&nbsp;the&nbsp;ability&nbsp;to&nbsp;anti_logging_flood.&nbsp;You&nbsp;can&nbsp;set&nbsp;it&nbsp;when&nbsp;<BR>compile&nbsp;the&nbsp;kernel.&nbsp;&nbsp;<BR>&nbsp;<BR>Logging&nbsp;the&nbsp;message&nbsp;via&nbsp;mail&nbsp;server&nbsp;<BR>&nbsp;<BR>Now,&nbsp;LIDS&nbsp;has&nbsp;a&nbsp;new&nbsp;feature&nbsp;to&nbsp;mail&nbsp;the&nbsp;message&nbsp;to&nbsp;your&nbsp;mail&nbsp;account.&nbsp;you&nbsp;<BR>can&nbsp;define&nbsp;the&nbsp;mail&nbsp;server&nbsp;IP,&nbsp;the&nbsp;out-coming&nbsp;mail&nbsp;address,etc,&nbsp;when&nbsp;compile&nbsp;<BR>the&nbsp;kernel.&nbsp;&nbsp;<BR>&nbsp;<BR>Shutdown&nbsp;the&nbsp;console&nbsp;&nbsp;<BR>&nbsp;<BR>When&nbsp;user&nbsp;violate&nbsp;the&nbsp;rules,&nbsp;the&nbsp;console&nbsp;will&nbsp;shutdown&nbsp;the&nbsp;user's&nbsp;console.&nbsp;&nbsp;<BR>&nbsp;<BR>5.&nbsp;Thanks.&nbsp;<BR>&nbsp;<BR>First&nbsp;of&nbsp;all,&nbsp;I&nbsp;want&nbsp;thank&nbsp;my&nbsp;friend,&nbsp;Kate&nbsp;lee&nbsp;,&nbsp;who&nbsp;always&nbsp;encourage&nbsp;me&nbsp;to&nbsp;<BR>write&nbsp;document&nbsp;of&nbsp;that,&nbsp;this&nbsp;document&nbsp;is&nbsp;dedicated&nbsp;to&nbsp;her.&nbsp;&nbsp;<BR>&nbsp;<BR>I&nbsp;also&nbsp;want&nbsp;to&nbsp;thank&nbsp;Philippe&nbsp;Biond&nbsp;and&nbsp;Christophe&nbsp;Long&nbsp;who&nbsp;give&nbsp;many&nbsp;help&nbsp;<BR>to&nbsp;the&nbsp;project.&nbsp;Without&nbsp;them,&nbsp;the&nbsp;project&nbsp;can&nbsp;not&nbsp;develop&nbsp;so&nbsp;well.&nbsp;&nbsp;<BR>&nbsp;<BR>Many&nbsp;thanks&nbsp;must&nbsp;go&nbsp;to&nbsp;all&nbsp;the&nbsp;LIDS&nbsp;users,&nbsp;without&nbsp;their&nbsp;contribution&nbsp;and&nbsp;<BR>discussion,&nbsp;LIDS&nbsp;can&nbsp;not&nbsp;has&nbsp;so&nbsp;many&nbsp;great&nbsp;ideas.&nbsp;&nbsp;<BR>&nbsp;<BR>&nbsp;<BR>--&nbsp;<BR>Happy&nbsp;Hacking&nbsp;&nbsp;<BR>&nbsp;<BR>Linux&nbsp;Intrusion&nbsp;Detection&nbsp;System&nbsp;&nbsp;&nbsp;<A HREF="http://www.lids.org/">http://www.lids.org/</A>&nbsp;<BR>&nbsp;<BR>※&nbsp;来源:·BBS&nbsp;水木清华站&nbsp;smth.org·[FROM:&nbsp;159.226.40.137]&nbsp;<BR><CENTER><H1>BBS水木清华站∶精华区</H1></CENTER></BODY></HTML>
上一页 1 23
💿 文件大小 9792 K
👤 上传用户 cenxudong4
📂 所属分类 Linux/Unix编程
🏷️ 相关标签

#linux
⌨️ 快捷键说明

复制代码 Ctrl + C
搜索代码 Ctrl + F
全屏模式 F11
切换主题 Ctrl + Shift + D
显示快捷键 ?
增大字号 Ctrl + =
减小字号 Ctrl + -