Getting Started with the Linux Intrusion Detection System
For MySQL, we need to deny other applications' access to the mysql binary. We also need to restrict access to the mysql/var directory so that it's append=only, and allow read-only access for the mysqld dæmon to the mysql directory:
lidsconf -A -o /usr/local/mysql/var -j APPEND lidsconf -A -o /usr/local/mysql -j DENY lidsconf -A -s /usr/local/mysql/libexec/mysqld -o /usr/local/mysql -j READONLY lidsconf -A -s /usr/local/mysql/libexec/mysqld -o /usr/local/mysql/var -j WRITE
Bind needs a lot of capabilities to run:
lidsconf -A -s /usr/sbin/named -o CAP_NET_BIND_SERVICE 53 -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SETPCAP -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SYS_CHROOT -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SYS_RESOURCE -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SETUID -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SETGID -j GRANT
Login is the program that allows a user to log in to a GNU/Linux system:
lidsconf -A -s /bin/login -o /etc/shadow -j READONLY lidsconf -A -s /bin/login -o CAP_SETUID -j GRANT lidsconf -A -s /bin/login -o CAP_SETGID -j GRANT lidsconf -A -s /bin/login -o CAP_CHOWN -j GRANT lidsconf -A -s /bin/login -o CAP_FSETID -j GRANT
After having specified the previous commands, we need to seal the kernel, so that the system can take full advantage of LIDS. We add this line to rc.local:
Restart the machine to apply all the new access controls. With the previously mentioned access controls, you will not be able to run the X server as it uses raw I/O, but most servers don't run an X server anyway. If you really need it, add the following access control (this command assumes that your X server binary is located in /usr/X11R6/bin/startx):
lidsconf -A -s /usr/X11R6/bin/startx
As we can see, LIDS is a powerful addition to the Linux kernel, which can secure your system completely, even from the root user. LIDS is also very easy to use.
Irfan Habib is a software engineering student at the National University of Science and Technology in Pakistan. He has had great interest in Linux and open-source technology since high school—everything from embedded Linux development to Web services. He has been advocating GNU/Linux in Pakistan for the past two years and has written various articles in local magazines and newspapers on the subject.
- Nmap—Not Just for Evil!
- Resurrecting the Armadillo
- High-Availability Storage with HA-LVM
- March 2015 Issue of Linux Journal: System Administration
- Real-Time Rogue Wireless Access Point Detection with the Raspberry Pi
- DNSMasq, the Pint-Sized Super Dæmon!
- Localhost DNS Cache
- Days Between Dates: the Counting
- The Usability of GNOME
- Linux for Astronomers