Next: Compile lidsadm
Up: LIDS-Howto
Previous: Contents
  Contents
LIDS stands for Linux Intrusion Detection/Defense System.
This is the how-to for LIDS-0.8.1pre1.
It also applies to LIDS-0.8 and 0.8pre1, 2, 3 and 4, but some features may be missing there.
Only the i386 architecture is supported for now. This is mainly because Kevin Xie and I have no machine other than i386 to test on. If you want LIDS to support your architecture, please let us know and we will try to do something (but you will have to test for us :). If you want to send us machines you don't want anymore, we'll be happy :) ).
The goal is to protect Linux systems against root intrusions by disabling some system calls in the kernel itself, so that the restrictions hold even for uid 0.
As you sometimes need to administer the system, you can disable LIDS protection.
The first part is to protect LIDS itself against a root intruder. This assumes two things:
- The system is safe (no backdoors, ...) until the first time LIDS is switched on.
- You are the only one who has access to the console (from the console one can feed the kernel a command line through lilo, boot a rescue kernel, or boot from a floppy disk, which bypasses LIDS entirely).
Protecting LIDS against a root intruder means:
- Forbid loading kernel modules
- Forbid raw memory access (/dev/mem, /dev/kmem, /dev/kcore)
- Forbid raw disk access (/dev/hdxx, /dev/sdxx)
- Protect every file involved in the boot process (lilo files, kernel image, daemons, rc scripts, modules)
- Forbid raw access to I/O ports (/dev/port, ioperm and iopl syscalls)
Then you can think about intrusion detection.
For this, LIDS provides:
- logging of almost every denied access.
- read-only and append-only flags to protect programs or log files from a root intruder.
- hiding your own intrusion monitors.
For your system protection, LIDS provides:
- locking your routing tables and firewalling rules
- locking mount operations
- protecting daemons from signals
- whatever else you can forbid with the Linux capabilities bounding set
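Most of the protections above correspond to a capability bit that the kernel checks before allowing the operation. The following program is an added illustration of that mapping and of the capability bounding set mechanism; it is not LIDS code or lidsadm. It assumes the 2.2-era interface /proc/sys/kernel/cap-bound (a signed 32-bit integer, -1 by default, where clearing a bit removes that capability from every process) and the capability numbers of <linux/capability.h> of that time. The mapping from protections to capabilities is my assumption based on where the kernel calls capable(): module loading checks CAP_SYS_MODULE, /dev/mem, /dev/kmem, /dev/port, ioperm and iopl check CAP_SYS_RAWIO, clearing immutable/append-only flags checks CAP_LINUX_IMMUTABLE, routing and firewalling changes check CAP_NET_ADMIN, and mount checks CAP_SYS_ADMIN. Raw disk devices and boot files are not covered by a capability and are left to LIDS' own file protection.

```c
/* Added example (not from LIDS): compute and decode the Linux 2.2
 * capability bounding set (/proc/sys/kernel/cap-bound) for the
 * protections described in the LIDS-Howto. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Capability bit numbers from <linux/capability.h> (Linux 2.2/2.4). */
static const char *cap_names[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG",
};
#define NCAPS (sizeof cap_names / sizeof cap_names[0])
enum { CAP_LINUX_IMMUTABLE = 9, CAP_NET_ADMIN = 12, CAP_SYS_MODULE = 16,
       CAP_SYS_RAWIO = 17, CAP_SYS_ADMIN = 21 };

/* Protection named in the howto -> capability the kernel checks for it
 * (assumed mapping, see the text above). */
struct protection { const char *what; unsigned cap; };
static const struct protection lids_protections[] = {
    { "loading kernel modules",                     CAP_SYS_MODULE },
    { "raw memory and I/O port access",             CAP_SYS_RAWIO },
    { "clearing immutable / append-only flags",     CAP_LINUX_IMMUTABLE },
    { "changing routing tables and firewall rules", CAP_NET_ADMIN },
    { "mount operations",                           CAP_SYS_ADMIN },
};
#define NPROT (sizeof lids_protections / sizeof lids_protections[0])

/* Value to write to /proc/sys/kernel/cap-bound: start from the kernel
 * default -1 (all bits set) and clear one bit per forbidden capability. */
int32_t build_bounding_set(void)
{
    uint32_t bset = 0xFFFFFFFFu;
    for (size_t i = 0; i < NPROT; i++)
        bset &= ~(1u << lids_protections[i].cap);
    return (int32_t)bset;
}

/* Parse the decimal text the kernel prints in cap-bound; 0 on success. */
int parse_cap_bound(const char *text, int32_t *out)
{
    char *end;
    long v = strtol(text, &end, 0);
    if (end == text) return -1;
    *out = (int32_t)v;
    return 0;
}

/* List the capabilities missing from a bounding set; returns the count
 * (only the first max names are stored). */
int forbidden_caps(int32_t bset, const char **names, int max)
{
    int n = 0;
    for (unsigned cap = 0; cap < NCAPS; cap++) {
        if (!((uint32_t)bset & (1u << cap))) {
            if (n < max) names[n] = cap_names[cap];
            n++;
        }
    }
    return n;
}

/* On 2.2 kernels a write to cap-bound may only raise bits if the writer
 * holds CAP_SYS_MODULE, so once CAP_SYS_MODULE is cleared the set can
 * only shrink until the next reboot: the state the howto calls sealed. */
int bounding_set_is_sealed(int32_t bset)
{
    return !((uint32_t)bset & (1u << CAP_SYS_MODULE));
}

int main(void)
{
    const char *names[32];
    int32_t bset = build_bounding_set();
    int n = forbidden_caps(bset, names, 32);

    printf("echo %d > /proc/sys/kernel/cap-bound\n", bset);
    for (int i = 0; i < n; i++)
        printf("  forbids %s\n", names[i]);
    printf("sealed against re-enabling: %s\n",
           bounding_set_is_sealed(bset) ? "yes" : "no");
    return 0;
}
```

The important property is the last function: because CAP_SYS_MODULE is among the cleared bits, an intruder who later becomes root can neither load a module nor write a larger value back into cap-bound, which is why the howto lists forbidding modules first. The same check, run against the current contents of /proc/sys/kernel/cap-bound, tells you whether a running 2.2 system is actually sealed or only partially locked down.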
Biondi Philippe
2000-02-24