Home

Getting Started with the Linux Intrusion Detection System

Issue 143

From Issue #143
March 2006

Jan 26, 2006  By Irfan Habib
 in
Sometimes file permissions aren't enough. LIDS gives you kernel-level access control that goes beyond filesystem settings.
Setting Up a LIDS-Enabled Server

This article assumes that you have installed LIDS and its associated administration tools.

We will set up a system with tight security settings, and the services that will be allowed to run are MySQL, Apache and Bind.

The sample commands below assume that the Apache installation resides in /usr/local/apache, with a log directory of /var/log/httpd, and also assumes your Apache configuration directory is /etc/httpd. MySQL is assumed to be installed in /usr/local/mysql. Obviously, you'll want to change the commands to suit your installation if it differs.

It is beyond the scope of this article to cover everything necessary to secure your system completely. However, these examples of how access control is administered in LIDS should get you started.

Setting Up a System

After you restart LIDS, you can begin adding access controls to various system binaries and libraries. The following sets the /sbin, /bin, /usr/bin and /lib to read-only: 

lidsconf -A -o /sbin -j READONLY

lidsconf -A -o /bin -j READONLY

lidsconf -A -o /usr/bin -j READONLY

lidsconf -A -o /lib -j READONLY

Next, we define some additional access controls for /opt, /etc and /usr/local/etc, which should be read-only, and we deny all access to /etc/shadow and the boot manager file: 

lidsconf -A -o /etc -j READONLY

lidsconf -A -o /usr/local/etc -j READONLY

lidsconf -A -o /etc/shadow -j DENY

lidsconf -A -o /etc/lilo.conf -j DENY

Because we have denied all access to /etc/shadow, the system will not be able to authenticate logins, thus we need to allow login and vlock to have read-only access to the file. Additionally, su also should have read-only access to the /etc/shadow file: 

lidsconf -A -s /bin/login -o /etc/shadow -j READONLY

lidsconf -A -s /usr/bin/vlock -o /etc/shadow -j READONLY

lidsconf -A -s /bin/su -o /etc/shadow -j READONLY

We need to set some other access controls for su, in order for it to work with UIDs and GIDs, and access the /etc/shadow file: 

lidsconf -A -s /bin/su -o CAP_SETUID -j GRANT

lidsconf -A -s /bin/su -o CAP_SETGID -j GRANT

lidsconf -A -s /bin/su -o /etc/shadow -j READONLY

Now, we need to allow init, login and associated applications to have write access to log files: 

lidsconf -A -o /var/log -j APPEND

lidsconf -A -s /bin/login -o /var/log/wtmp -j WRITE

lidsconf -A -s /bin/login -o /var/log/lastlog -j WRITE

lidsconf -A -s /sbin/init -o /var/log/wtmp -j WRITE

lidsconf -A -s /sbin/init -o /var/log/lastlog -j WRITE

lidsconf -A -s /sbin/halt -o /var/log/wtmp -j WRITE

lidsconf -A -s /sbin/halt -o /var/log/lastlog -j WRITE

lidsconf -A -s /etc/rc.d/rc.sysinit -o /var/log/wtmp -i 1 -j WRITE

lidsconf -A -s /etc/rc.d/rc.sysinit -o /var/log/lastlog -i 1 -j WRITE

Now, we set up access control for root's home folder. We allow only the bash history file to be appended: 

f -A -o /root -j READONLY

lidsconf -A -s /bin/bash -o /root/.bash_history -j APPEND

Finally, we allow the init program to kill processes on shutdown: 

lidsconf -A -s /sbin/init -o CAP_INIT_KILL -j GRANT

lidsconf -A -s /sbin/init -o CAP_KILL -j GRANT

Now, we allow fstab and init scripts to mount filesystems, kill processes and unmount filesystems: 

lidsconf -A -s/etc/fstab -o CAP_SYS_ADMIN -j 1 -j GRANT

lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_INIT_KILL -i 1 -j GRANT

lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_KILL -i 1 -j GRANT

lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_NET_ADMIN -i 1 -j GRANT

lidsconf -A -s /etc/rc.d/init.d/halt -o CAP_SYS_ADMIN -i 1 -j GRANT

Setting Access Controls for the Apache Web Server

Apache needs to have setuid and setgid capabilities. We also need to allow Apache to access log files and deny other applications from accessing the httpd binary: 

lidsconf -A -s /usr/local/apache/bin/httpd -o CAP_SETUID -j GRANT

lidsconf -A -s /usr/local/apache/bin/httpd -o CAP_SETGID -j GRANT

lidsconf -A -o /etc/httpd -j DENY

lidsconf -A -s /usr/local/apache/bin/httpd -o /etc/httpd -j READONLY

lidsconf -A -o /usr/local/apache -j DENY

lidsconf -A -s /usr/local/apache/bin/httpd -o /usr/local/apache -j READONLY

lidsconf -A -o /var/log/httpd -j DENY

lidsconf -A -s /usr/local/apache/bin/httpd -o /var/log/httpd -j APPEND

lidsconf -A -s /usr/local/apache/bin/httpd -o /usr/local/apache/logs -j WRITE

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Access controls for Jboss server.

Anonymous's picture
Submitted by Anonymous (not verified) on Tue, 08/11/2009 - 06:02.

Hi Irfan,

Your post had been very useful. Thanks first.

I was given the task of binding port 443 to JBoss server.

i have granted the NET_BIND capability on 443 port to Jboss/bin/run.sh subject. But the problem persists with exception as Permission denied :443

Can u pls help wid this.

More Information on LIDS please

Matt's picture
Submitted by Matt (not verified) on Sun, 11/12/2006 - 19:57.

Hello Irfan.

I liked your article on LIDS, but am a bit confused by the phrase:

"It is recommended that the LIDS patch be applied only to the original kernel source, not to the distribution-specific source".

I use Suse Linux 10. Does your statement mean I must somehow 'retrofit' a vanilla kernel into my distribution? This would be something well beyond my capabilities and I presume Novell wouldn't like it much either.

Where can I find LIDS?

White Paper
More Resources
Fabric-Based Computing Enables Optimized Hyperscale Data Centers

Today’s modular x86 servers are compute-centric, designed as a least common denominator to support a wide range of IT workloads. Those generic, virtualized IT workloads have much different resource optimization requirements than hyperscale and cloud applications. They have resulted in a “one size fits all” enterprise IT architecture that is not optimized for a specific set of IT workloads, and especially not emerging hyperscale workloads, such as web applications, big data, and object storage. In this report, you will learn how shifting the focus from traditional compute-centric IT architectures to an innovative disaggregated fabric-based architecture can optimize and scale your data center.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions