lids-faq-1.html

来自「关于LINUX安全内核的源代码」· HTML 代码 · 共 280 行

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
 <TITLE> LIDS FAQ: Introduction to LIDS</TITLE>
 <LINK HREF="LIDS-FAQ-2.html" REL=next>

 <LINK HREF="LIDS-FAQ.html#toc1" REL=contents>
</HEAD>
<BODY>
<A HREF="LIDS-FAQ-2.html">Next</A>
Previous
<A HREF="LIDS-FAQ.html#toc1">Contents</A>
<HR>
<H2><A NAME="s1">1. Introduction to LIDS</A></H2>

<P>
<H2><A NAME="ss1.1">1.1 What is LIDS?</A>
</H2>

<P>LIDS is an enhancement for the Linux kernel written by 
<A HREF="mailto:xie@gnuchina.org">Xie Huagang</A> and 
<A HREF="mailto:philippe.biondi@webmotion.com">Philippe Biondi</A>.  It implements several security features that are not in the Linux kernel natively.  Some of these include: mandatory access controls (MAC), a port scan detector, file protection (even from root), and process protection.  
<P>
<H2><A NAME="ss1.2">1.2 Why use LIDS?</A>
</H2>

<P>The current Linux setup has many problems that are inherent in many versions of *nix.  Probably the single largest problem is the "all powerful" root account.  When a process or user has root privileges, there is little if nothing to prevent that process or user from completely destroying the system.  A malicious user/intruder with root access can cause much heartache for us hard working sysadmins.  LIDS implements access control lists (ACLs) that will help prevent even those with access to the mighty root account from wreaking havoc on a system.  These ACLs allow LIDS to protect files as well as processes.
<P>
<H2><A NAME="ss1.3">1.3 Where can I obtain LIDS?</A>
</H2>

<P>
<A HREF="http://www.lids.org">www.lids.org</A><P>
<H2><A NAME="ss1.4">1.4 Which versions of the Linux kernel are supported?</A>
</H2>

<P>Currently, LIDS supports the latest 2.2.x kernels as well as the new 2.4  kernel.  Xie has expressed interest in making 2.4 the primary kernel for LIDS support.  However, he also has stated he would maintain a stable version of LIDS for the 2.2.x series.
<P>
<H2><A NAME="mailing-list"></A> <A NAME="ss1.5">1.5 Is there a LIDS mailing list?</A>
</H2>

<P>Yes.  You can post to the list at any time by e-mailing <CODE>lids-users@lists.sourceforge.net</CODE>.  However, if you wish to receive messages posted to the mailing list, you must subscribe to it.  To subscribe, go to 
<A HREF=" http://lists.sourceforge.net/lists/listinfo/lids-user">http://lists.sourceforge.net/lists/listinfo/lids-user</A> and fill out the form.  You will then receive a confirmation request that you must reply to.  You can also unsubscribe and change your mailing list options from that page.
<P>
<H2><A NAME="ss1.6">1.6 What about an archive?</A>
</H2>

<P>The mailing list archive is located at 
<A HREF="http://www.geocrawler.com/redir-sf.php3?list=lids-user">http://www.geocrawler.com/lists/3/SourceForge/9348/0/</A>
The old archive can be found at 
<A HREF="http://groups.yahoo.com/group/lids">http://groups.yahoo.com/group/lids</A>.
<P>
<H2><A NAME="ss1.7">1.7 Copyright &amp; Disclaimer</A>
</H2>

<P>This document is <CODE>copyright(c) 2000, 2001 Steve Bremer </CODE> and it is a FREE document. You may redistribute it under the terms of the GNU General Public License.
<P>
<P>The information here in this document is, to the best of Steve's knowledge, correct.  However, being human, there is the chance that mistakes, bugs, etc. might happen from time to time.
<P>No person, group, or other body is responsible for any damage to your computer(s) and any other losses by using the information in this document. i.e.
<P>
<BLOCKQUOTE>
<B>THE AUTHORS AND ALL MAINTAINERS ARE NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THE INFORMATION IN THIS DOCUMENT.</B>
</BLOCKQUOTE>
<P>
<H2><A NAME="ss1.8">1.8 Feedback</A>
</H2>

<P>If you have any questions, comments, suggestions, or corrections for this document, please feel free to contact me at 
<A HREF="mailto:steve@clublinux.org">steve@clublinux.org</A>.  I always welcome feedback whether it's good or bad!
<P>
<H2><A NAME="ss1.9">1.9 Credit</A>
</H2>

<P>Special thanks go to:
<UL>
<LI> <B>Xie Huagang</B> - Technical editor and LIDS author.
<UL>
<LI> 
<A HREF="LIDS-FAQ-8.html#LIDS-version-question">LIDS version</A> question.</LI>
<LI> 
<A HREF="LIDS-FAQ-4.html#Subject-Object-question">Subject/object</A> question.</LI>
</UL>
</LI>
<LI> <B>Philippe Biondi</B> - LIDS author.</LI>
<LI> <B>Andy Harrelson</B> - Grammar/spelling editor.</LI>
<LI> <B>Rob Willis</B> - 
<A HREF="LIDS-FAQ-7.html#openssh-config">OpenSSH</A>, 
<A HREF="LIDS-FAQ-7.html#openldap-config">OpenLDAP</A>, and 
<A HREF="LIDS-FAQ-7.html#portsentry-config">Port Sentry</A> configuration examples.</LI>
<LI> <B>Fred Mobach</B> - Inspiration and corrections.</LI>
<LI> <B>David Ranch</B> - I used his excellent 
<A HREF="http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html">Linux IP Masquerade HOWTO</A> as an sgml template.  His disclaimer also proved useful.</LI>
<LI> <B>Austin Gonyou</B> -
<UL>
<LI> Valuable feedback on FAQ.</LI>
<LI> Alternative fix to the 
<A HREF="LIDS-FAQ-2.html#lidsadm-compile-problem-1">lidsadm compile problem</A>.</LI>
<LI> 
<A HREF="LIDS-FAQ-5.html#passwd-file-warning">Warning</A> about updating the inode of the <CODE>/etc/passwd</CODE> file.</LI>
</UL>
</LI>
<LI> <B>Pavel Epifanov</B> - For a simple fix to the 
<A HREF="LIDS-FAQ-2.html#lidsadm-compile-problem-1">lidsadm compile problem</A>.</LI>
<LI> <B> Justus Pendleton </B> - 
<A HREF="LIDS-FAQ-7.html#samba-config">Samba</A> configuration example.</LI>
<LI> <B> Nenad Micic </B>
<UL>
<LI> For the 
<A HREF="LIDS-FAQ-5.html#kill-hidden-processes-script">hidden process kill script</A> example.</LI>
<LI> His 
<A HREF="LIDS-FAQ-5.html#kill-hidden-processes-C-program">C program</A> to kill hidden processes at shutdown.</LI>
<LI> 
<A HREF="LIDS-FAQ-4.html#LD_PRELOAD-warning">LD_PRELOAD warning.</A></LI>
</UL>
</LI>
<LI> <B> Bill Phillips </B> - For pointing out many reference errors in the PDF version.</LI>
<LI> <B> Szymon Juraszczyk </B>
<UL>
<LI> 
<A HREF="LIDS-FAQ-4.html#LD_PRELOAD-warning">LD_PRELOAD warning.</A></LI>
</UL>
</LI>
<LI> <B>Lorn Kay</B> - 
<A HREF="LIDS-FAQ-7.html#heartbeat-config">Heartbeat configuration</A> for Linux HA.</LI>
<LI> <B>Bill McKenzie</B> - Additions to 
<A HREF="LIDS-FAQ-7.html#portsentry-config">Portsentry configuration</A>.
</LI>
</UL>
<P>
<BLOCKQUOTE>
<B> Linux is a trademark of Linus Torvalds </B>
</BLOCKQUOTE>
<P>
<H2><A NAME="ss1.10">1.10 To Do</A>
</H2>

<P>
<UL>
<LI> Exec domain feature (-d).</LI>
<LI> Kernel configuration options.</LI>
<LI> LIDS Debug.</LI>
</UL>
<P>
<H2><A NAME="ss1.11">1.11 Change Log</A>
</H2>

<P>The latest version of this FAQ can be found at 
<A HREF="http://www.clublinux.org/lids/">http://www.clublinux.org/lids/</A>.  Please check the latest version before reporting any bugs.
<UL>
<LI>  May 20th, 2001.  Version .13
<P>
<UL>
<LI> Added 
<A HREF="LIDS-FAQ-7.html#heartbeat-config">heartbeat configuration</A> for HA Linux.</LI>
<LI> Added 
<A HREF="LIDS-FAQ-4.html#read-password-error">read password error</A> question.</LI>
<LI> Added 
<A HREF="LIDS-FAQ-5.html#basic-configuration">basic configuration</A> question.</LI>
<LI> Minor additions to 
<A HREF="LIDS-FAQ-7.html#portsentry-config">portsentry configuration</A>.</LI>
<LI> Enhanced (yet again) 
<A HREF="LIDS-FAQ-5.html#passwd-update">passwd update</A> question.</LI>
<LI> Other minor corrections.</LI>
</UL>
<P>
</LI>
<LI>  April 1st, 2001.  Version .12
<P>
<UL>
<LI> Updated FAQ for new versions of LIDS (1.0.6+ and 0.9.14+).</LI>
<LI> Added 
<A HREF="LIDS-FAQ-4.html#LD_PRELOAD-warning">warning</A> about LD_PRELOAD environment variable.</LI>
<LI> Updated 
<A HREF="LIDS-FAQ-8.html#non-intel-hardware">hardware</A> question.</LI>
</UL>
<P>
</LI>
<LI>  March 10th, 2001.  Version .11
<P>
<UL>
<LI> Fixed several reference errors in the PDF version (there are still a few document conversion problems that need looked at).</LI>
<LI> Clarified the 
<A HREF="LIDS-FAQ-7.html#basic-system-setup-config">Basic System Setup</A> configuration.</LI>
<LI> Updated the mailing list 
<A HREF="#mailing-list">information</A></LI>
<LI> Updated 
<A HREF="LIDS-FAQ-5.html#passwd-update">passwd</A> and 
<A HREF="LIDS-FAQ-5.html#log-rotation">log rotation</A> questions.</LI>
</UL>
<P>
</LI>
<LI>  March 1st, 2001.  Version .10
<P>
<UL>
<LI> Added 
<A HREF="LIDS-FAQ-7.html#samba-config">Samba</A> configuration example.</LI>
<LI> Added 
<A HREF="LIDS-FAQ-5.html#kill-hidden-processes-script">example</A> on how to kill hidden processes at shutdown.</LI>
<LI> Added 
<A HREF="LIDS-FAQ-5.html#ssh-keygen-question">ssh keygen question</A>.</LI>
<LI> Enhanced 
<A HREF="LIDS-FAQ-5.html#passwd-update">passwd update</A> question.</LI>
</UL>
<P>
</LI>
<LI>  February 10th, 2001.  Version .09
<P>
<UL>
<LI> Added 
<A HREF="LIDS-FAQ-5.html#ssh-scp-question">ssh/scp</A> question.</LI>
<LI> Updated 
<A HREF="#mailing-list">mailing list</A> information.</LI>
<LI> 
<A HREF="LIDS-FAQ-8.html#smp-status">LIDS SMP status</A> update.</LI>
</UL>
<P>
</LI>
<LI>  January 27th, 2001.  Version .08
<P>
<UL>
<LI> Modified 
<A HREF="LIDS-FAQ-7.html#apache-config">Apache</A> configuration so the server root is protected as DENY.</LI>
<LI> Modified 
<A HREF="LIDS-FAQ-7.html#mysql-config">mysql</A> and 
<A HREF="LIDS-FAQ-7.html#courier-imap-config">courier-imap</A> so their default directories are protected as DENY.</LI>
<LI> Modified 
<A HREF="LIDS-FAQ-7.html#openssh-config">ssh</A> config to work with password authentication.</LI>
<LI> Added question regarding 
<A HREF="LIDS-FAQ-4.html#acl-reconfig">ACL reconfiguration</A>.</LI>
</UL>
<P>
</LI>
<LI>  January 25th, 2001.  Version .07
<P>Added a much simpler fix to the 
<A HREF="LIDS-FAQ-2.html#lidsadm-compile-problem-1">lidsadm compile problem</A>.  Clarified the 
<A HREF="LIDS-FAQ-4.html#sealing-the-kernel">sealing the kernel</A> question (hopefully).  Minor corrections.
<P>
</LI>
<LI>  January 24th, 2001.  Version .06
<P>
<UL>
<LI>Removed ACL example from 
<A HREF="LIDS-FAQ-5.html#etc-mtab-1">/etc/mtab mount</A> question because /etc/mtab is recreated at system boot and each time a file system is unmounted.</LI>
<LI> Added alternative fix to the 
<A HREF="LIDS-FAQ-2.html#lidsadm-compile-problem-1">lidsadm compile problem</A>.</LI>
<LI> Minor corrections.</LI>
</UL>
<P>
</LI>
<LI>  January 22nd, 2001.  Version .05
<P>Minor additions to Basic System Setup sample configuration.  Added section on configuring e-mail alerts.
<P>
</LI>
<LI>  January 19th, 2001.  Version .04
<P>Minor correction to 
<A HREF="LIDS-FAQ-2.html#lidsadm-compile-problem-1">lidsadm compile problem</A> question.
<P>
</LI>
<LI>  January 17th, 2001.  Version .03
<P>Added information about the new file ACL inheritance "-i" option in LIDS-0.9.12.  Also updated the configuration examples to use the "-i" option when required.  Other minor updates including information about lidsadm compile problems, enabling/disabling capabilities, and how to setup ACLs for a new program.
<P>
</LI>
<LI>    January 15th, 2001.  Version .02
<P>Minor corrections.
<P>
</LI>
<LI>    January 15th, 2001.  Version .01
<P>Initial release.
</LI>
</UL>
<P>
<P>
<HR>
<A HREF="LIDS-FAQ-2.html">Next</A>
Previous
<A HREF="LIDS-FAQ.html#toc1">Contents</A>
</BODY>
</HTML>