
7. LIDS Security Level in kernel.

At some point we need to change the protected system. How can we do this? LIDS provides two ways.

7.1 Two levels in the kernel.

LIDS defines two levels in the kernel: security and non-security. By default, security is on. If you want to change it, enter "security=0" at the boot prompt when you reboot the system.

There is a global variable in the kernel named lids_load which indicates whether the LIDS security system is on or not. It defaults to "1" (on). If you enter "security=0" when the LILO prompt appears, lids_load will be set to "0" and all security protection by LIDS will be bypassed; the system then behaves as if it had no LIDS protection at all.

/* variables defined in fs/lids.c */
int lids_reload_conf=0;
int lids_load=0;        /* raised to 1 when the kernel boots with LIDS on */
int lids_local_on=1;
int lids_local_pid=0;

/* in init/main.c */
/* lids_setup: read the "security=" value passed on the kernel command line */
static void __init lids_setup(char *str, int *ints)
{
        if (ints[0] > 0 && ints[1] >= 0)
====>           _lids_load= ints[1];
}

/* init LIDS when the system boots up */
static void __init do_basic_setup(void)
{
        /* Mount the root filesystem.. */
        ...
        /* init the ids file system */
--->    lids_load=_lids_load;
        lids_flags=lids_load * (LIDS_FLAGS_LIDS_ON | LIDS_FLAGS_LIDS_LOCAL_ON);
===>    printk("Linux Intrusion Detection System %s \n",lids_load==1?"starts":"stops");
        ...
}

When the system boots, you will see "Linux Intrusion Detection System 0.9 starts" when LIDS protection is switched on, or "Linux Intrusion Detection System 0.9 stops" when security is off. "0.9" is the current LIDS version.

7.2 Change security level online with lidsadm.

At times you may also want to change the security level online. To do this you must turn CONFIG_LIDS_ALLOW_SWITCH on and also fill in the "RipeMD-160 encrypted password" field (the RIPEMD-160 hash of your password) when configuring the kernel, before compiling it.

The password hash can be obtained by running the command "lidsadm -P".

Authentication with the kernel.

With the provided password hash, LIDS can authenticate the user who is allowed to switch the kernel security level on and off.

The switch is also performed by lidsadm, with the parameter "-S", for example:

# /sbin/lidsadm -S -- -LIDS

After entering the correct password, you can switch LIDS security off.

Let's look at the kernel code to see how this is done:

/* in fs/lids.c, lids_proc_locks_sysctl() */
int lids_proc_locks_sysctl(ctl_table *table, int write, struct file *filp,
                           void *buffer, size_t *lenp, int conv, int op)
{
        lids_locks_t locks;
        byte   hashcode[RMDsize/8];
        char rmd160sig[170];
        int i;
        ...
                locks.passwd[sizeof(passwd_t)-1]=0; /* We don't take the risk */

                if ((!lids_first_time) || (locks.passwd[0])) {
                        /* hash the entered password and wipe the plaintext */
                        RMD((byte *)locks.passwd,hashcode);
                        memset((char *)locks.passwd,'\0',sizeof(passwd_t));
                        /* hex-encode the digest for comparison with the config string */
                        for (i=0; i<RMDsize/8; i++)
                                sprintf(rmd160sig+2*i,"%02x", hashcode[i]);
                }
                if ( ((lids_first_time) && (!locks.passwd[0])) ||
   ---------->         (!strncmp(rmd160sig,CONFIG_LIDS_RMD160_PASSWD,160)) ) {
                        if ((lids_first_time) && (!locks.passwd[0])) {
                                ...
                        }
                        /* access granted ! */
                        if (lids_process_flags(locks.flags)) {
                                lids_security_alert("Changed: cap_bset=0x%x lids_flags=0x%x",cap_t(cap_bset),lids_flags);
                        }
                        ...
                }
        ...
}

After the password check succeeds, lids_process_flags() changes the current LIDS flags so that LIDS is off, and then you can do what you want to do. See lids_process_flags() in fs/lids.c for the details.

Switching with LIDS and LIDS_GLOBAL

If you switch LIDS protection off, you have two choices. First, switch it off globally: the system is then also unprotected by LIDS on every other console. Second, switch it off only locally: on the other consoles the whole system remains protected by LIDS. The second choice improves security.

The detailed implementation is in lids_process_flags() in fs/lids.c.
