Getting Started with the Linux Intrusion Detection System
For MySQL, we need to deny other applications' access to the mysql binary. We also need to restrict access to the mysql/var directory so that it's append=only, and allow read-only access for the mysqld dæmon to the mysql directory:
lidsconf -A -o /usr/local/mysql/var -j APPEND lidsconf -A -o /usr/local/mysql -j DENY lidsconf -A -s /usr/local/mysql/libexec/mysqld -o /usr/local/mysql -j READONLY lidsconf -A -s /usr/local/mysql/libexec/mysqld -o /usr/local/mysql/var -j WRITE
Bind needs a lot of capabilities to run:
lidsconf -A -s /usr/sbin/named -o CAP_NET_BIND_SERVICE 53 -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SETPCAP -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SYS_CHROOT -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SYS_RESOURCE -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SETUID -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SETGID -j GRANT
Login is the program that allows a user to log in to a GNU/Linux system:
lidsconf -A -s /bin/login -o /etc/shadow -j READONLY lidsconf -A -s /bin/login -o CAP_SETUID -j GRANT lidsconf -A -s /bin/login -o CAP_SETGID -j GRANT lidsconf -A -s /bin/login -o CAP_CHOWN -j GRANT lidsconf -A -s /bin/login -o CAP_FSETID -j GRANT
After having specified the previous commands, we need to seal the kernel, so that the system can take full advantage of LIDS. We add this line to rc.local:
Restart the machine to apply all the new access controls. With the previously mentioned access controls, you will not be able to run the X server as it uses raw I/O, but most servers don't run an X server anyway. If you really need it, add the following access control (this command assumes that your X server binary is located in /usr/X11R6/bin/startx):
lidsconf -A -s /usr/X11R6/bin/startx
As we can see, LIDS is a powerful addition to the Linux kernel, which can secure your system completely, even from the root user. LIDS is also very easy to use.
Irfan Habib is a software engineering student at the National University of Science and Technology in Pakistan. He has had great interest in Linux and open-source technology since high school—everything from embedded Linux development to Web services. He has been advocating GNU/Linux in Pakistan for the past two years and has written various articles in local magazines and newspapers on the subject.
Webinar: 8 Signs You’re Beyond Cron
On Demand NOW
Join Linux Journal and Pat Cameron, Director of Automation Technology at HelpSystems, as they discuss the eight primary advantages of moving beyond cron job scheduling. In this webinar, you’ll learn about integrating cron with an enterprise scheduler.View Now!
|My Humble Little Game Collection||May 28, 2015|
|New Linux Based OS Brings Internet of Things Closer to Reality||May 27, 2015|
|Non-Linux FOSS: All the Bitcoin, None of the Bloat||May 26, 2015|
|Dr Hjkl on the Command Line||May 21, 2015|
|Initializing and Managing Services in Linux: Past, Present and Future||May 20, 2015|
|Goodbye, Pi. Hello, C.H.I.P.||May 18, 2015|
- New Linux Based OS Brings Internet of Things Closer to Reality
- My Humble Little Game Collection
- Dr Hjkl on the Command Line
- Non-Linux FOSS: All the Bitcoin, None of the Bloat
- Initializing and Managing Services in Linux: Past, Present and Future
- Using Hiera with Puppet
- Gartner Dubs DivvyCloud Cool Cloud Management Vendor
- Goodbye, Pi. Hello, C.H.I.P.
- It's Easier to Ask Forgiveness...
- Infinite BusyBox with systemd