These notes refer to the Linux Intrusion Detection System

Installation Instructions

If you have no experience in installing a new Kernel please refer to the KernelNotes section.

Kernel 2.6.x

Assumes the lids package is installed in /usr/src/lids-{version}-{kernel-version}, and the kernel source is installed to /usr/src/linux-{kernel-version}. The examples will assume kernel 2.6.0 and lids 2.0.3 for 2.6.0.

  • First ensure you have a working installation of the 2.6.x kernel that you wish to add the LIDS patch to.
  • Patch the source of the 2.6.x kernel with the LIDS patch

    % cd /usr/src/linux-2.6.0
    % patch -p1 < /usr/src/lids-2.0.3-2.6.0/lids-2.0.3-2.6.0.patch

  • Configure the lidstools package

    % cd /usr/src/lids-2.0.3-2.6.0/lidstools-0.5.1
    % ./configure KERNEL_DIR=/usr/src/linux-2.6.0

  • Install the lidstools package

    % make
    % make install

  • Enter your LIDS password (Don't forget this)
  • Configure the 2.6.x kernel (make config|menuconfig|xconfig) and enable LIDS

    % cd /usr/src/linux-2.6.0
    % make menuconfig

    --> Security Options
        [*] Enable Different Security Models
        < > Default Linux Capabilities
        --> Linux Intrusion Detection System
            <M> Linux Intrusion Detection System support (EXPERIMENTAL)

  • As with any kernel upgrade ensure you have a backup kernel that can be loaded in the event of a failure.
  • Build the new kernel

    % make all
    % make modules_install

  • Setup the ACLs for your LIDS installation (/etc/lids)

    % cd /etc/lids

    Check the files: lids.ini, lids.net, lids.*.cap, lids.*.conf

  • Install the new kernel

    Don't forget to update your BootLoader (GRUB, LILO, or other) to be able to load the new kernel.

  • Test the kernel

    % reboot

  • Load the LIDS module

    % modprobe lids

Installation Notes

  • If LIDS is built as a module, it cannot be loaded while the default Linux capabilities security module is already loaded.

Fedora Core 1

After updating the kernel you may encounter problems with certain processes when starting or shutting down your system. These problems relate to mounting and unmounting your partitions and to adjusting the clock. Most of them lie in /etc/rc.d/rc.sysinit.

Here's a sample configuration used to setup your default LIDS values.

Problem - error writing to /var/log/dmesg

rc.sysinit:818: dmesg -s 131072 > /var/log/dmesg

Either comment out the line that updates /var/log/dmesg in rc.sysinit, apply the patch to the dmesg source available here (util-linux-XXX/sys-utils/dmesg.c), or allow bash to modify the file. (I opted for the dmesg patch - GerwinVanDeSteeg).

rc.sysinit: dmesg -s 131072 -f /var/log/dmesg

Problem - writing to /var/log/ksyms*

Just comment this out for now until a fix is found.

Problem - writing to /etc/mtab

The way to do this is to replace the /etc/mtab file with a symbolic link to /proc/mounts.

% rm -rf /etc/mtab
% ln -sf /proc/mounts /etc/mtab

Then go through your initialization scripts (rc.sysinit) and add the "-n" option to every mount and umount command; this tells mount not to update /etc/mtab. You may then also get errors about being unable to mount a filesystem because it is already mounted.

rc.sysinit:570: action $"Mounting local filesystems: " mount -a -t nonfs,smbfs,ncpfs -O no_netdev

replace with

rc.sysinit: action $"Mounting local filesystems: " mount -a -n -t nonfs,smbfs,ncpfs,sysfs,proc,devpts -O no_netdev
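As an added example (not code from the LIDS project or from this page), a small POSIX shell audit script: it lists the mount and umount invocations in an init script that lack -n (or --no-mtab) and would therefore try to write a protected /etc/mtab, and checks that /etc/mtab is the symlink to /proc/mounts. The rc.sysinit excerpt is constructed sample input and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the LIDS project or this page): audit an rc.sysinit-style
# script for mount/umount calls that lack -n (or --no-mtab) and would therefore
# try to write /etc/mtab, and confirm /etc/mtab is the /proc/mounts symlink.

# Print "<line>: <text>" for every mount/umount invocation in $1 without -n.
find_mtab_writers() {
    awk '
    {
        found = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /(^|\/)u?mount$/) { found = i; break }
        if (!found) next
        has_n = 0
        for (j = found + 1; j <= NF; j++)
            if ($j ~ /^-[A-Za-z]*n/ || $j == "--no-mtab") { has_n = 1; break }
        if (!has_n) print NR ": " $0
    }' "$1"
}

# True when $1 is a symbolic link pointing at /proc/mounts.
mtab_ok() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "/proc/mounts" ]
}

# Constructed excerpt in the style of a Fedora Core 1 rc.sysinit (sample input,
# not the real file); prints the path of the temporary file it writes.
write_sample_rc() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
action $"Mounting local filesystems: " mount -a -t nonfs,smbfs,ncpfs -O no_netdev
action $"Mounting local filesystems: " mount -a -n -t nonfs,smbfs,ncpfs,sysfs,proc,devpts -O no_netdev
umount /initrd/dev >/dev/null 2>&1
mount -n -o remount,ro /
dmesg -s 131072 > /var/log/dmesg
EOF
    printf '%s\n' "$f"
}

rc=$(write_sample_rc)
echo "mount/umount calls in the sample that would write /etc/mtab:"
find_mtab_writers "$rc"      # reports lines 1 and 3 of the sample
rm -f "$rc"
if mtab_ok /etc/mtab; then echo "/etc/mtab -> /proc/mounts: ok"
else echo "/etc/mtab is not a symlink to /proc/mounts"; fi
```

Run it against the real file with `find_mtab_writers /etc/rc.d/rc.sysinit` to see which lines still need the -n option.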

Problem - updating /etc/adjtime

See sample configuration

Problem - turning off filesystem quotas on restart, cannot stat() /dev/root

Solution not yet found.

Usage

  • Refer to the documentation or the installation instructions provided with the lidstools source and the lids patch (i.e. RTFM).
