Home

Getting Started with the Linux Intrusion Detection System

Issue 143

From Issue #143
March 2006

Jan 26, 2006  By Irfan Habib
 in
Sometimes file permissions aren't enough. LIDS gives you kernel-level access control that goes beyond filesystem settings.
MySQL

For MySQL, we need to deny other applications' access to the mysql binary. We also need to restrict access to the mysql/var directory so that it's append=only, and allow read-only access for the mysqld dæmon to the mysql directory: 

lidsconf -A -o /usr/local/mysql/var -j APPEND

lidsconf -A -o /usr/local/mysql -j DENY

lidsconf -A -s /usr/local/mysql/libexec/mysqld -o /usr/local/mysql -j READONLY

lidsconf -A -s /usr/local/mysql/libexec/mysqld -o /usr/local/mysql/var -j WRITE

Bind

Bind needs a lot of capabilities to run: 

lidsconf -A -s /usr/sbin/named -o CAP_NET_BIND_SERVICE 53 -j GRANT


lidsconf -A -s /usr/sbin/named -o CAP_SETPCAP -j GRANT

lidsconf -A -s /usr/sbin/named -o CAP_SYS_CHROOT -j GRANT

lidsconf -A -s /usr/sbin/named -o CAP_SYS_RESOURCE -j GRANT

lidsconf -A -s /usr/sbin/named -o CAP_SETUID -j GRANT

lidsconf -A -s /usr/sbin/named -o CAP_SETGID -j GRANT

Login

Login is the program that allows a user to log in to a GNU/Linux system: 

lidsconf -A -s /bin/login -o /etc/shadow -j READONLY

lidsconf -A -s /bin/login -o CAP_SETUID -j GRANT

lidsconf -A -s /bin/login -o CAP_SETGID -j GRANT

lidsconf -A -s /bin/login -o CAP_CHOWN -j GRANT

lidsconf -A -s /bin/login -o CAP_FSETID -j GRANT

After having specified the previous commands, we need to seal the kernel, so that the system can take full advantage of LIDS. We add this line to rc.local: 

lidsadm -I

Restart the machine to apply all the new access controls. With the previously mentioned access controls, you will not be able to run the X server as it uses raw I/O, but most servers don't run an X server anyway. If you really need it, add the following access control (this command assumes that your X server binary is located in /usr/X11R6/bin/startx): 

lidsconf -A -s /usr/X11R6/bin/startx

As we can see, LIDS is a powerful addition to the Linux kernel, which can secure your system completely, even from the root user. LIDS is also very easy to use.

Irfan Habib is a software engineering student at the National University of Science and Technology in Pakistan. He has had great interest in Linux and open-source technology since high school—everything from embedded Linux development to Web services. He has been advocating GNU/Linux in Pakistan for the past two years and has written various articles in local magazines and newspapers on the subject.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Access controls for Jboss server.

Anonymous's picture
Submitted by Anonymous (not verified) on Tue, 08/11/2009 - 06:02.

Hi Irfan,

Your post had been very useful. Thanks first.

I was given the task of binding port 443 to JBoss server.

i have granted the NET_BIND capability on 443 port to Jboss/bin/run.sh subject. But the problem persists with exception as Permission denied :443

Can u pls help wid this.

More Information on LIDS please

Matt's picture
Submitted by Matt (not verified) on Sun, 11/12/2006 - 19:57.

Hello Irfan.

I liked your article on LIDS, but am a bit confused by the phrase:

"It is recommended that the LIDS patch be applied only to the original kernel source, not to the distribution-specific source".

I use Suse Linux 10. Does your statement mean I must somehow 'retrofit' a vanilla kernel into my distribution? This would be something well beyond my capabilities and I presume Novell wouldn't like it much either.

Where can I find LIDS?

Webcast
More Resources
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.

Learn More

Sponsored by AMD

White Paper
More Resources
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState