Next Previous Contents

3. Build a secure Linux system

With the LIDS features, let's go and see how to build a secure system with LIDS step by step.

3.1 Download LIDS patch and coresponsive official Linux kernel

You can download lids patch and admin tool from LIDS Home and LIDS Ftp Home and other mirrors of LIDS around the world, check LIDS Mirror for the nearby mirror site.

The patch name will be lids-x.xx-y.y.y.tar.gz, x.xx represents the lids version and the y.y.y represents the Linux kernel version. For example, lids-0.9.9-2.2.17.tar.gz represent lids version 0.9.9 and the coresponsive kernel version is 2.2.17.

You should download the coresponsive kernel version. For example, if you download the lids-0.9.9-2.2.17.tar.gz, you should download the Linux kernel 2.2.17 source code. You can download the kernel source from Kernel FTP Site or other mirror sites.

And then, you need to uncompress the kernel source and LIDS tar-ball.For example, you have get lids-0.9.9-2.2.17.tar.gz from and linux-2.2.17.tar.bz2 from

1. uncompress the Linux kernel source code tree.
# cd linux_install_path/ 
# bzip2 -cd linux-2.2.17.tar.bz2 | tar -xvf - 

2. uncompress the lids source code and install the lidsadm tool.
# cd lids_install_path
# tar -zxvf lids-0.9.8-2.2.17.tar.gz

3.2 Patch LIDS to official linux kernel

3. patch the lids to the Linux kernel source code.

# cd linux_install_path/linux
# patch -p1 </lids_install_path/lids-0.9pre4-2.2.14.patch

/* link the default source path to lids patched version
# rm -rf /usr/src/linux
# ln -s linux_install_patch/linux /usr/src/linux 

3.3 configuring the Linux kernel

4. configure the Linux kernel 
# cd linux
# make menuconfig or make xconfig 

Now, it it time to configure the Linux kernel, turn the following option on,

[*] Prompt for development and/or incomplete code/drivers 
[*] Sysctl support 

After that, you will find that a new item appear in the bottom of the configuration menu  name "Linux Intrusion Detection System". Entering this menu, turn the 

[*] Linux Intrusion Detection System support  (EXPERIMENTAL) (NEW).
After configure the LIDS kernel options. exit the configure interface, and compile the kernel.
# make dep
# make clean
# make bzImage
# make modules
# make modules_install

3.4 Install LIDS and admin tool into the linux system.

4. copy the bzImage to /boot/ and edit the /etc/lilo.conf

# cp arch/i386/boot/bzImage /boot/bzImage-lids-0.9.9-2.2.17

/* build admin tools */
# cd lids-0.9.8-2.2.17/lidsadm-0.9.8/
# make
# make install 

# less /etc/lilo.conf



5 running /sbin/lilo to install the new kernel.

# /sbin/lilo

3.5 configure the LIDS system

Now before reboot, you must configure you lids system to meet you security need. You can define protected files, protected process,etc.

By default, the lidsadm will install the default configuration files in /etc/lids/. You must reconfig it with your need. First of all, you can update the inode/dev value of the default lids.conf by.

# /sbin/lidsadm -U 

In the next chapter, we will show you the details about this topic.

3.6 Reboot the system

After you configure the Linux system, reboot your system. When lilo appear, select the lids enable kernel to load. After then, you will enter the wonderful world of LIDS.

3.7 Sealing the kernel.

After your system boots up, do not forget to seal the kernel with lidsadm, you can put the command in latest line of /etc/rc.local.

# /sbin/lidsadm -I 

You can check the LIDS HOWTO to view the details meaning of each options of lidsadm.

3.8 Online administration

After you seal the kernel, your system is now protected by LIDS. You can do some test on it. If you want to change some configuration, such as modify the capability option, you can change your lids security level online by providing a password.

# /sbin/lidsadm -S -- -LIDS 
After you change you lids configuration value, such as lids.conf, lids.cap. You can also reload the configuration file into the kernel by

# /sbin/lidsadm -S -- +RELOAD_CONF

Next Previous Contents