Getting Started with the Linux Intrusion Detection System
For MySQL, we need to deny other applications' access to the mysql binary. We also need to restrict access to the mysql/var directory so that it's append=only, and allow read-only access for the mysqld dæmon to the mysql directory:
lidsconf -A -o /usr/local/mysql/var -j APPEND lidsconf -A -o /usr/local/mysql -j DENY lidsconf -A -s /usr/local/mysql/libexec/mysqld -o /usr/local/mysql -j READONLY lidsconf -A -s /usr/local/mysql/libexec/mysqld -o /usr/local/mysql/var -j WRITE
Bind needs a lot of capabilities to run:
lidsconf -A -s /usr/sbin/named -o CAP_NET_BIND_SERVICE 53 -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SETPCAP -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SYS_CHROOT -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SYS_RESOURCE -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SETUID -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SETGID -j GRANT
Login is the program that allows a user to log in to a GNU/Linux system:
lidsconf -A -s /bin/login -o /etc/shadow -j READONLY lidsconf -A -s /bin/login -o CAP_SETUID -j GRANT lidsconf -A -s /bin/login -o CAP_SETGID -j GRANT lidsconf -A -s /bin/login -o CAP_CHOWN -j GRANT lidsconf -A -s /bin/login -o CAP_FSETID -j GRANT
After having specified the previous commands, we need to seal the kernel, so that the system can take full advantage of LIDS. We add this line to rc.local:
Restart the machine to apply all the new access controls. With the previously mentioned access controls, you will not be able to run the X server as it uses raw I/O, but most servers don't run an X server anyway. If you really need it, add the following access control (this command assumes that your X server binary is located in /usr/X11R6/bin/startx):
lidsconf -A -s /usr/X11R6/bin/startx
As we can see, LIDS is a powerful addition to the Linux kernel, which can secure your system completely, even from the root user. LIDS is also very easy to use.
Irfan Habib is a software engineering student at the National University of Science and Technology in Pakistan. He has had great interest in Linux and open-source technology since high school—everything from embedded Linux development to Web services. He has been advocating GNU/Linux in Pakistan for the past two years and has written various articles in local magazines and newspapers on the subject.
Webinar: 8 Signs You’re Beyond Cron
11am CDT, April 29th
Join Linux Journal and Pat Cameron, Director of Automation Technology at HelpSystems, as they discuss the eight primary advantages of moving beyond cron job scheduling. In this webinar, you’ll learn about integrating cron with an enterprise scheduler.Join us!
- Tips for Optimizing Linux Memory Usage
- Picking Out the Nouns
- "No Reboot" Kernel Patching - And Why You Should Care
- DevOps: Better Than the Sum of Its Parts
- Return of the Mac
- Android Candy: Intercoms
- Drupageddon: SQL Injection, Database Abstraction and Hundreds of Thousands of Web Sites
- Non-Linux FOSS: .NET?
- Consent That Goes Both Ways