LIDS FAQ
Steve Bremer, steve@clublinux.org
v.13, May 20th, 2001

This is the Linux Intrusion Detection System (LIDS) FAQ.
______________________________________________________________________

Table of Contents

1. Introduction to LIDS
   1.1 What is LIDS?
   1.2 Why use LIDS?
   1.3 Where can I obtain LIDS?
   1.4 Which versions of the Linux kernel are supported?
   1.5 Is there a LIDS mailing list?
   1.6 What about an archive?
   1.7 Copyright & Disclaimer
   1.8 Feedback
   1.9 Credit
   1.10 To Do
   1.11 Change Log

2. Installing LIDS
   2.1 How do I apply the LIDS kernel patch?
   2.2 How do I install the LIDS administration utility lidsadm?
   2.3 What next?
   2.4 When I try to compile lidsadm, gcc reports that lidstext.h doesn't exist. How do I fix this problem?
   2.5 When I

3. lidsadm
   3.1 What is lidsadm?
   3.2 What options are available for lidsadm?
   3.3 Gee, thanks. What are all these options?

4. LIDS Administration
   4.1 How do I set my LIDS password?
   4.2 How do I change my LIDS password once it is set?
   4.3 What is a LIDS free session and how do I create one?
   4.4 I created a LIDS free session, but LIDS still appears to be active! What's wrong?
   4.5 How do I tell LIDS to reload its configuration files?
   4.6 Help!!! My system is totally unusable! What do I do?
   4.7 I've updated/moved a system binary. How do I tell LIDS that the file changed/moved?
   4.8 OK, without rebooting, how do I completely disable LIDS?
   4.9 What does it mean to "seal the kernel"?
   4.10 How do I view the status of my LIDS system?
   4.11 How do I configure the port scan detector in LIDS?
   4.12 What are the subject and object in a LIDS ACL?
   4.13 Can I enable/disable a system capability without modifying /etc/lids/lids.cap and reloading the configuration files?
   4.14 I've reconfigured my LIDS ACLs, but my changes don't seem to take effect. What's wrong?
   4.15 Why won't lidsadm -L list my ACLs?
   4.16 Is there any way to reduce the number of LIDS violations that get reported on the console?
   4.17 Should I be concerned about the LD_PRELOAD environment variable with LIDS?
   4.18 When I boot up, the message "read password file error" appears. How do I fix the problem?

5. Configuring LIDS
   5.1 How do I protect a file as read only?
   5.2 OK, so how do I protect a directory as read only?
   5.3 How can I hide a file/directory from everyone?
   5.4 How can I protect log files so they can only be appended to?
   5.5 If nothing is allowed to read my /etc/shadow file, how can I authenticate myself to the system?
   5.6 If I protect /etc as read only, how will mount be able to write to /etc/mtab?
   5.7 LIDS complains that it can't write to my modules.dep file during startup. What's wrong?
   5.8 If I protect my logs as append only, how will logrotated rotate my logs?
   5.9 Why can't I just give my log rotation utility write access to the directory containing my log files so it can rotate them?
   5.10 When LIDS is active, my file systems won't unmount during shutdown. What do I do?
   5.11 Why can't I start a service that runs on a privileged port as root?
   5.12 Why can't I start a service that runs on a privileged port from an LFS?
   5.13 How do I disable/enable capabilities?
   5.14 Why won't the X Window System work with LIDS enabled?
   5.15 With all of these ACLs, how can I possibly keep track of my configuration?
   5.16 I can't see my /etc/lids directory when LIDS is enabled. What's going on?
   5.17 How can I give init write access to /etc/initrunlvl so LIDS doesn't complain about it during startup and shutdown?
   5.18 Can a process inherit file ACLs from its parent?
   5.19 Help! I can't seem to get program xyz to work under LIDS. How do I determine what files/capabilities it needs access to?
   5.20 How do I give passwd the proper permissions to update the /etc/shadow file?
   5.21 Why doesn't ssh or scp work when LIDS is enabled?
   5.22 OpenSSH won't start at boot time. LIDS reports that
   5.23 Some of my file systems won't unmount at shutdown because I have hidden processes running. How can I kill them?
   5.24 I just want to start with a basic configuration. Can you recommend a setup that will provide additional protection and still leave most of my system functioning as normal?

6. Configuring Security Alerts
   6.1 Which kernel configuration options do I need to select in order to send security alerts through the network?
   6.2 Where do I specify the mail server information and e-mail address to send the LIDS alerts to?
   6.3 LIDS can't seem to deliver alerts to my qmail SMTP server. Is there a fix for this?

7. Sample Configurations
   7.1 Basic System Setup
   7.2 Apache
   7.3 qmail
   7.4 dnscache & tinydns (djbdns)
   7.5 Courier-imap
   7.6 MySQL
   7.7 OpenSSH
   7.8 OpenLDAP (slapd)
   7.9 Port Sentry
   7.10 Samba
   7.11 Linux HA heartbeat

8. LIDS Technical
   8.1 Will LIDS work with a file system other than ext2?
   8.2 Will LIDS run on an SMP system?
   8.3 Will LIDS coexist with Solar Designer's Openwall patch?
   8.4 Will LIDS run on non-Intel hardware?
   8.5 What is the difference between the 0.9.x and 1.0.x versions of LIDS?

______________________________________________________________________

1. Introduction to LIDS

1.1. What is LIDS?

LIDS is an enhancement for the Linux kernel written by Xie Huagang and
Philippe Biondi. It implements several security features that are not
in the Linux kernel natively. Some of these include: mandatory access
controls (MAC), a port scan detector, file protection (even from root),
and process protection.

1.2. Why use LIDS?

The current Linux setup has many problems that are inherent in many
versions of *nix. Probably the single largest problem is the "all
powerful" root account. When a process or user has root privileges,
there is little if anything to prevent that process or user from
completely destroying the system. A malicious user/intruder with root
access can cause much heartache for us hard-working sysadmins.

LIDS implements access control lists (ACLs) that will help prevent even
those with access to the mighty root account from wreaking havoc on a
system. These ACLs allow LIDS to protect files as well as processes.
Because they are enforced inside the kernel, they apply to root just as
they do to any other user, and they can only be changed by someone who
knows the LIDS password (see the LIDS free session questions in section
4).

1.3. Where can I obtain LIDS?

www.lids.org

1.4. Which versions of the Linux kernel are supported?

Currently, LIDS supports the latest 2.2.x kernels as well as the new
2.4 kernel. Xie has expressed interest in making 2.4 the primary kernel
for LIDS support. However, he has also stated that he would maintain a
stable version of LIDS for the 2.2.x series.

1.5. Is there a LIDS mailing list?

Yes. You can post to the list at any time by e-mailing
lids-users@lists.sourceforge.net. However, if you wish to receive
messages posted to the mailing list, you must subscribe to it. To
subscribe, go to http://lists.sourceforge.net/lists/listinfo/lids-user
and fill out the form. You will then receive a confirmation request
that you must reply to. You can also unsubscribe and change your
mailing list options from that page.

1.6. What about an archive?

The mailing list archive is located at
http://www.geocrawler.com/lists/3/SourceForge/9348/0/

The old archive can be found at http://groups.yahoo.com/group/lids.

1.7. Copyright & Disclaimer

This document is copyright(c) 2000, 2001 Steve Bremer and it is a FREE
document. You may redistribute it under the terms of the GNU General
Public License.

The information in this document is, to the best of Steve's knowledge,
correct. However, being human, there is the chance that mistakes, bugs,
etc. might happen from time to time.

No person, group, or other body is responsible for any damage to your
computer(s) and any other losses by using the information in this
document. i.e. THE AUTHORS AND ALL MAINTAINERS ARE NOT RESPONSIBLE FOR
ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THE INFORMATION IN
THIS DOCUMENT.

1.8. Feedback

If you have any questions, comments, suggestions, or corrections for
this document, please feel free to contact me at steve@clublinux.org.
I always welcome feedback whether it's good or bad!

1.9. Credit

Special thanks go to:

o Xie Huagang - Technical editor and LIDS author.
   o ``LIDS version'' question.
   o ``Subject/object'' question.

o Philippe Biondi - LIDS author.

o Andy Harrelson - Grammar/spelling editor.

o Rob Willis - ``OpenSSH'', ``OpenLDAP'', and ``Port Sentry''
  configuration examples.

o Fred Mobach - Inspiration and corrections.

o David Ranch - I used his excellent Linux IP Masquerade HOWTO as an
  sgml template. His disclaimer also proved useful.

o Austin Gonyou -
   o Valuable feedback on FAQ.
   o Alternative fix to the ``lidsadm compile problem''.
   o ``Warning'' about updating the inode of the /etc/passwd file.

o Pavel Epifanov - For a simple fix to the ``lidsadm compile problem''.

o Justus Pendleton - ``Samba'' configuration example.

o Nenad Micic
   o For the ``hidden process kill script'' example.
   o His ``C program'' to kill hidden processes at shutdown.
   o ``LD_PRELOAD warning.''

o Bill Phillips - For pointing out many reference errors in the PDF
  version.

o Szymon Juraszczyk
   o ``LD_PRELOAD warning.''

o Lorn Kay - ``Heartbeat configuration'' for Linux HA.

o Bill McKenzie - Additions to ``Portsentry configuration''.

Linux is a trademark of Linus Torvalds

1.10. To Do

o Exec domain feature (-d).

o Kernel configuration options.

o LIDS Debug.

1.11. Change Log

The latest version of this FAQ can be found at
http://www.clublinux.org/lids/. Please check the latest version before
reporting any bugs.

o May 20th, 2001. Version .13
   o Added ``heartbeat configuration'' for HA Linux.
   o Added ``read password error'' question.
   o Added ``basic configuration'' question.
   o Minor additions to ``portsentry configuration''.
   o Enhanced (yet again) ``passwd update'' question.
   o Other minor corrections.

o April 1st, 2001. Version .12
   o Updated FAQ for new versions of LIDS (1.0.6+ and 0.9.14+).
   o Added ``warning'' about LD_PRELOAD environment variable.
   o Updated ``hardware'' question.

o March 10th, 2001. Version .11
   o Fixed several reference errors in the PDF version (there are still
     a few document conversion problems that need to be looked at).
   o Clarified the ``Basic System Setup'' configuration.
   o Updated the mailing list ``information''.
   o Updated ``passwd'' and ``log rotation'' questions.

o March 1st, 2001. Version .10
   o Added ``Samba'' configuration example.
   o Added ``example'' on how to kill hidden processes at shutdown.
   o Added ``ssh keygen question''.
   o Enhanced ``passwd update'' question.

o February 10th, 2001. Version .09
   o Added ``ssh/scp'' question.
   o Updated ``mailing list'' information.
   o ``LIDS SMP status'' update.

o January 27th, 2001. Version .08
   o Modified ``Apache'' configuration so the server root is protected
     as DENY.
   o Modified ``mysql'' and ``courier-imap'' so their default
     directories are protected as DENY.
   o Modified ``ssh'' config to work with password authentication.
   o Added question regarding ``ACL reconfiguration''.

o January 25th, 2001. Version .07