lids-faq.sgml

关于LINUX安全内核的源代码

<!doctype linuxdoc system>

<article>

<title> LIDS FAQ
<author>Steve Bremer, <tt><htmlurl url="mailto:steve@clublinux.org" name="steve@clublinux.org"></tt>
<date>v.13, May 20th, 2001
<abstract>
This is the Linux Intrusion Detection System (LIDS) FAQ.
</abstract>

<toc>

<!-- Section 1 -->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->

<sect> Introduction to LIDS
<p>
<sect1> What is LIDS?
<p>
LIDS is an enhancement for the Linux kernel written by <htmlurl url="mailto:xie@gnuchina.org" name="Xie Huagang"> and <htmlurl url="mailto:philippe.biondi@webmotion.com" name="Philippe Biondi">.  It implements several security features that are not in the Linux kernel natively.  Some of these include: mandatory access controls (MAC), a port scan detector, file protection (even from root), and process protection.  

<sect1> Why use LIDS?
<p>
The current Linux setup has many problems that are inherent in many versions of *nix.  Probably the single largest problem is the "all powerful" root account.  When a process or user has root privileges, there is little if nothing to prevent that process or user from completely destroying the system.  A malicious user/intruder with root access can cause much heartache for us hard working sysadmins.  LIDS implements access control lists (ACLs) that will help prevent even those with access to the mighty root account from wreaking havoc on a system.  These ACLs allow LIDS to protect files as well as processes.

<sect1> Where can I obtain LIDS?
<p>
<htmlurl url="http://www.lids.org" name="www.lids.org">

<sect1> Which versions of the Linux kernel are supported?
<p>
Currently, LIDS supports the latest 2.2.x kernels as well as the new 2.4  kernel.  Xie has expressed interest in making 2.4 the primary kernel for LIDS support.  However, he also has stated he would maintain a stable version of LIDS for the 2.2.x series.

<sect1> Is there a LIDS mailing list?
<label id="mailing-list">
<p>
Yes.  You can post to the list at any time by e-mailing <tt>lids-users@lists.sourceforge.net</tt>.  However, if you wish to receive messages posted to the mailing list, you must subscribe to it.  To subscribe, go to <htmlurl url=" http://lists.sourceforge.net/lists/listinfo/lids-user" name="http://lists.sourceforge.net/lists/listinfo/lids-user"> and fill out the form.  You will then receive a confirmation request that you must reply to.  You can also unsubscribe and change your mailing list options from that page.

<sect1> What about an archive?
<p>
The mailing list archive is located at <htmlurl url="http://www.geocrawler.com/redir-sf.php3?list=lids-user" name="http://www.geocrawler.com/lists/3/SourceForge/9348/0/">
The old archive can be found at <htmlurl url="http://groups.yahoo.com/group/lids" name="http://groups.yahoo.com/group/lids">.

<sect1> Copyright &amp Disclaimer
<p>
This document is <tt>copyright(c) 2000, 2001 Steve Bremer </tt> and it is a FREE document. You may redistribute it under the terms of the GNU General Public License.

<p>
The information here in this document is, to the best of Steve's knowledge, correct.  However, being human, there is the chance that mistakes, bugs, etc. might happen from time to time.
<p>
No person, group, or other body is responsible for any damage to your computer(s) and any other losses by using the information in this document. i.e.
<p>
<quote>
<bf>THE AUTHORS AND ALL MAINTAINERS ARE NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THE INFORMATION IN THIS DOCUMENT.</bf>
</quote>

<sect1> Feedback
<p>
If you have any questions, comments, suggestions, or corrections for this document, please feel free to contact me at <htmlurl url="mailto:steve@clublinux.org" name="steve@clublinux.org">.  I always welcome feedback whether it's good or bad!

<sect1> Credit
<p>
Special thanks go to:
<itemize>
<item> <bf>Xie Huagang</bf> - Technical editor and LIDS author.
   <itemize>
   <item> <ref id="LIDS-version-question" name="LIDS version"> question.
   <item> <ref id="Subject-Object-question" name="Subject/object"> question.
   </itemize>
<item> <bf>Philippe Biondi</bf> - LIDS author.
<item> <bf>Andy Harrelson</bf> - Grammar/spelling editor.
<item> <bf>Rob Willis</bf> - <ref id="openssh-config" name="OpenSSH">, <ref id="openldap-config" name="OpenLDAP">, and <ref id="portsentry-config" name="Port Sentry"> configuration examples.
<item> <bf>Fred Mobach</bf> - Inspiration and corrections.
<item> <bf>David Ranch</bf> - I used his excellent <htmlurl url="http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html" name="Linux IP Masquerade HOWTO"> as an sgml template.  His disclaimer also proved useful.
<item> <bf>Austin Gonyou</bf> -
   <itemize>
   <item> Valuable feedback on FAQ.
   <item> Alternative fix to the <ref id="lidsadm-compile-problem-1" name="lidsadm compile problem">.
   <item> <ref id="passwd-file-warning" name="Warning"> about updating the inode of the <tt>/etc/passwd</tt> file.
   </itemize>
<item> <bf>Pavel Epifanov</bf> - For a simple fix to the <ref id="lidsadm-compile-problem-1" name="lidsadm compile problem">.
<item> <bf> Justus Pendleton </bf> - <ref id="samba-config" name="Samba"> configuration example.
<item> <bf> Nenad Micic </bf>
   <itemize>
   <item> For the <ref id="kill-hidden-processes-script" name="hidden process kill script"> example.
   <item> His <ref id="kill-hidden-processes-C-program" name="C program"> to kill hidden processes at shutdown.
   <item> <ref id="LD_PRELOAD-warning" name="LD_PRELOAD warning.">
   </itemize>
<item> <bf> Bill Phillips </bf> - For pointing out many reference errors in the PDF version.
<item> <bf> Szymon Juraszczyk </bf>
   <itemize>
   <item> <ref id="LD_PRELOAD-warning" name="LD_PRELOAD warning.">
   </itemize>
<item> <bf>Lorn Kay</bf> - <ref id="heartbeat-config" name="Heartbeat configuration"> for Linux HA.
<item> <bf>Bill McKenzie</bf> - Additions to <ref id="portsentry-config" name="Portsentry configuration">.

</itemize>
<p>
<quote><bf> Linux is a trademark of Linus Torvalds </bf></quote>

<sect1> To Do
<p>
<itemize>
<item> Exec domain feature (-d).
<item> Kernel configuration options.
<item> LIDS Debug.
</itemize>

<sect1> Change Log
<p>
The latest version of this FAQ can be found at <htmlurl url="http://www.clublinux.org/lids/" name="http://www.clublinux.org/lids/">.  Please check the latest version before reporting any bugs.
<itemize>

<item>  May 20th, 2001.  Version .13
<p>
   <itemize>
   <item> Added <ref id="heartbeat-config" name="heartbeat configuration"> for HA Linux.
   <item> Added <ref id="read-password-error" name="read password error"> question.
   <item> Added <ref id="basic-configuration" name="basic configuration"> question.
   <item> Minor additions to <ref id="portsentry-config" name="portsentry configuration">.
   <item> Enhanced (yet again) <ref id="passwd-update" name="passwd update"> question.
   <item> Other minor corrections.
   </itemize>

<item>  April 1st, 2001.  Version .12
<p>
   <itemize>
   <item> Updated FAQ for new versions of LIDS (1.0.6+ and 0.9.14+).
   <item> Added <ref id="LD_PRELOAD-warning" name="warning"> about LD_PRELOAD environment variable.
   <item> Updated <ref id="non-intel-hardware" name="hardware"> question.
   </itemize>

<item>  March 10th, 2001.  Version .11
<p>
   <itemize>
   <item> Fixed several reference errors in the PDF version (there are still a few document conversion problems that need looked at).
   <item> Clarified the <ref id="basic-system-setup-config" name="Basic System Setup"> configuration.
   <item> Updated the mailing list <ref id="mailing-list" name="information">
   <item> Updated <ref id="passwd-update" name="passwd"> and <ref id="log-rotation" name="log rotation"> questions.
   </itemize>

<item>  March 1st, 2001.  Version .10
<p>
   <itemize>
   <item> Added <ref id="samba-config" name="Samba"> configuration example.
   <item> Added <ref id="kill-hidden-processes-script" name="example"> on how to kill hidden processes at shutdown.
   <item> Added <ref id="ssh-keygen-question" name="ssh keygen question">.
   <item> Enhanced <ref id="passwd-update" name="passwd update"> question.
   </itemize>

<item>  February 10th, 2001.  Version .09
<p>
   <itemize>
   <item> Added <ref id="ssh-scp-question" name="ssh/scp"> question.
   <item> Updated <ref id="mailing-list" name="mailing list"> information.
   <item> <ref id="smp-status" name="LIDS SMP status"> update.
   </itemize>

<item>  January 27th, 2001.  Version .08
<p>
   <itemize>
   <item> Modified <ref id="apache-config" name="Apache"> configuration so the server root is protected as DENY.
   <item> Modified <ref id="mysql-config" name="mysql"> and <ref id="courier-imap-config" name="courier-imap"> so their default directories are protected as DENY.
   <item> Modified <ref id="openssh-config" name="ssh"> config to work with password authentication.
   <item> Added question regarding <ref id="acl-reconfig" name="ACL reconfiguration">.
   </itemize>

<item>  January 25th, 2001.  Version .07
<p>
Added a much simpler fix to the <ref id="lidsadm-compile-problem-1" name="lidsadm compile problem">.  Clarified the <ref id="sealing-the-kernel" name="sealing the kernel"> question (hopefully).  Minor corrections.

<item>  January 24th, 2001.  Version .06
<p>
  <itemize>
  <item>Removed ACL example from <ref id="etc-mtab-1" name="/etc/mtab mount"> question because /etc/mtab is recreated at system boot and each time a file system is unmounted.
  <item> Added alternative fix to the <ref id="lidsadm-compile-problem-1" name="lidsadm compile problem">.
  <item> Minor corrections.
  </itemize>

<item>  January 22nd, 2001.  Version .05
<p>
Minor additions to Basic System Setup sample configuration.  Added section on configuring e-mail alerts.

<item>  January 19th, 2001.  Version .04
<p>
Minor correction to <ref id="lidsadm-compile-problem-1" name="lidsadm compile problem"> question.

<item>  January 17th, 2001.  Version .03
<p>
Added information about the new file ACL inheritance "-i" option in LIDS-0.9.12.  Also updated the configuration examples to use the "-i" option when required.  Other minor updates including information about lidsadm compile problems, enabling/disabling capabilities, and how to setup ACLs for a new program.

<item>	January 15th, 2001.  Version .02
<p>
Minor corrections.

<item>	January 15th, 2001.  Version .01
<p>
Initial release.
</itemize>

<!-- Section 2 -->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->

<sect> Installing LIDS
<sect1> How do I apply the LIDS kernel patch?
<p>
Xie has included <htmlurl url="http://www.lids.org/install.html" name="instructions"> on how to patch the kernel in the LIDS download.  However, I will briefly cover  the necessary steps.  This example assumes your kernel sources are installed in /usr/src/linux.

<p>
<itemize>
<item> First you need to download the LIDS patch from <htmlurl url="http://www.lids.org/download.html" name="www.lids.org/download.html">.
Make sure you get the version that matches your kernel.
<item> Then, expand the tarball:
<verb> 
$ tar zxvf lids-<lids_version>-<kernel_version>.tar.gz 
</verb>
<item> Apply the lids patch to the existing kernel sources:
<p>
<verb>
$ cd /usr/src/linux
$ patch -p1 < /path/to/lids/patch/lids-<lids_version>-<kernel_version>.patch
</verb>
<item> Then configure your kernel.  For an excellent source of information on recompiling your Linux kernel, see the <bf><htmlurl url="http://www.linuxdoc.org/HOWTO/Kernel-HOWTO.html" name="Linux Kernel HOW-TO."></bf>
<p>
There are several kernel configuration options for LIDS.  In order for LIDS to work, you must make sure the following options are enabled:
<verb>
  [*]   Prompt for development and/or incomplete code/drivers
  [*]   Sysctl Support 
</verb>
 
</itemize>

<sect1> How do I install the LIDS administration utility lidsadm?
<p>
The source for the lidsadm utility is located in the directory containing your LIDS source and is called:
<verb>
lidsadm-<lids_version>
</verb>
<p>
(<bf>NOTE:</bf> If you are upgrading lidsadm, you should backup everything in the /etc/lids directory first!)
<p>

<label id="lidsadm-compile">
To compile and install lidsadm, simply:
<verb>
$ make
$ su -
# make install
</verb>
<p>
from the lidsadm source directory. This will install lidsadm in the /sbin directory.  It will also create an /etc/lids directory and place a few default configuration files in it for you.

If you wish to use the view option with lidsadm, replace the 
<verb>
$ make
</verb>
<p>
with  
<verb>
$ make VIEW=1
</verb>

<sect1> What next?
<p>
Before you reboot into your LIDS enhanced kernel, you should configure your LIDS ACLs first.  Otherwise your system may be unusable when you reboot.  Configuring LIDS ACLs is covered <ref id="Configuring-LIDS" name="later">.  

<sect1> When I try to compile lidsadm, gcc reports that lidstext.h doesn't exist.  How do I fix this problem?
<label id="lidsadm-compile-problem-1">
<p>
This happens on systems where <tt>/usr/include/linux</tt> is not a symbolic link to <tt>/usr/src/linux/include/linux</tt>.  The complete error message is:
<verb>