Getting Started with the Linux Intrusion Detection System
For MySQL, we need to deny other applications' access to the mysql binary. We also need to restrict access to the mysql/var directory so that it's append=only, and allow read-only access for the mysqld dæmon to the mysql directory:
lidsconf -A -o /usr/local/mysql/var -j APPEND lidsconf -A -o /usr/local/mysql -j DENY lidsconf -A -s /usr/local/mysql/libexec/mysqld -o /usr/local/mysql -j READONLY lidsconf -A -s /usr/local/mysql/libexec/mysqld -o /usr/local/mysql/var -j WRITE
Bind needs a lot of capabilities to run:
lidsconf -A -s /usr/sbin/named -o CAP_NET_BIND_SERVICE 53 -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SETPCAP -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SYS_CHROOT -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SYS_RESOURCE -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SETUID -j GRANT lidsconf -A -s /usr/sbin/named -o CAP_SETGID -j GRANT
Login is the program that allows a user to log in to a GNU/Linux system:
lidsconf -A -s /bin/login -o /etc/shadow -j READONLY lidsconf -A -s /bin/login -o CAP_SETUID -j GRANT lidsconf -A -s /bin/login -o CAP_SETGID -j GRANT lidsconf -A -s /bin/login -o CAP_CHOWN -j GRANT lidsconf -A -s /bin/login -o CAP_FSETID -j GRANT
After having specified the previous commands, we need to seal the kernel, so that the system can take full advantage of LIDS. We add this line to rc.local:
Restart the machine to apply all the new access controls. With the previously mentioned access controls, you will not be able to run the X server as it uses raw I/O, but most servers don't run an X server anyway. If you really need it, add the following access control (this command assumes that your X server binary is located in /usr/X11R6/bin/startx):
lidsconf -A -s /usr/X11R6/bin/startx
As we can see, LIDS is a powerful addition to the Linux kernel, which can secure your system completely, even from the root user. LIDS is also very easy to use.
Irfan Habib is a software engineering student at the National University of Science and Technology in Pakistan. He has had great interest in Linux and open-source technology since high school—everything from embedded Linux development to Web services. He has been advocating GNU/Linux in Pakistan for the past two years and has written various articles in local magazines and newspapers on the subject.
- October 2014 Issue of Linux Journal: Embedded
- Encrypt Your Dog (Mutt and GPG)
- Give new life to old phones and tablets with these tips!
- Download "Build a Private Cloud for Less Than $10,000!"
- Practical Tiny Core in the Fire Service
- Tech Tip: Really Simple HTTP Server with Python
- DevOps for Dummies
- Cooking with Linux - Serious Cool, Sysadmin Style!
- Returning Values from Bash Functions
- New Products
Free DevOps eBooks, Videos, and more!
Regardless of where you are in your DevOps process, Linux Journal can help!
We offer here the DEFINITIVE DevOps for Dummies, a mobile Application Development Primer, and advice & help from the expert sources like:
- Linux Journal