Next Previous Contents

9. Intrusion Response System

When we detect someone or some program violate the rules, we must respone to the action. In the current LIDS, we can log the information via klog with the feature of anti-flood loging. We also have the feature to hang up the console which the misbehavious user on. In the future, we will add more response system to the LIDS, not only in the kernel, but also in user space.

9.1 Allow logging in a security way

Most of the code and ideas is from solar desinger's Linux OpenWall project. Thanks solar.

With the traditional logging in the kernel, we use the printk(KERN_XXX) every time we need to print a message to the console. But it is every easily used by other misbehivious to make a DoS attack to the kernel. He can make the kernel running the printk very frequence and then make the filesystem out of free space. With the current security logging facility, we can just use the security_alert() in the kernel, let the function do the other anti-DoS job.

You can have a look at the source at include/linux/kernel.h.

9.2 hangup the console.

This feature use with the security_log to make the user who violate the rules defined in LIDS quickly being hangup. He have to relogin the system to continus. But what he have done have log into the system log file or also send to the adminstration by the mail tools developing by Boidi.

9.3 Notify the Administrator by mail and pager.

This feature is developed by Boidi now. With the tools, we can easy know what is wrong with the system, we can response to the intrusion every quickly.

It has been released in lids-0.9pre1, it create a kernel thread to do the communicate things. For details, look at the kernel source for LIDS.

Next Previous Contents