These notes refer to the Linux Intrusion Detection System (LIDS).
If you have no experience installing a new kernel, please refer to the KernelNotes section first.
Assumes the lids package is installed in /usr/src/lids-{version}-{kernel-version}, and the kernel source is installed to /usr/src/linux-{kernel-version}. The examples will assume kernel 2.6.0 and lids 2.0.3 for 2.6.0.
Patch the source of the 2.6.x kernel with the LIDS patch
% cd /usr/src/linux-2.6.0
% patch -p1 < /usr/src/lids-2.0.3-2.6.0/lids-2.0.3-2.6.0.patch
Configure the lidstools package
% cd /usr/src/lids-2.0.3-2.6.0/lidstools-0.5.1
% ./configure KERNEL_DIR=/usr/src/linux-2.6.0
Install the lidstools package
% make
% make install
Configure the 2.6.x kernel (make config|menuconfig|xconfig) and enable LIDS
% cd /usr/src/linux-2.6.0
% make menuconfig
--> Security Options
    [*] Enable Different Security Models
    < > Default Linux Capabilities
    --> Linux Intrusion Detection System
        <M> Linux Intrusion Detection System support (EXPERIMENTAL)
Build the new kernel
% make all
% make modules_install
Set up the ACLs for your LIDS installation (/etc/lids)
% cd /etc/lids
Check the files: lids.ini, lids.net, lids.*.cap, lids.*.conf
Install the new kernel
Don't forget to update your boot loader (GRUB, LILO, or other) so that it can load the new kernel.
Test the kernel
% reboot
Load the LIDS module
% modprobe lids
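Before starting the procedure above it is worth checking that the source layout the notes assume is actually in place: the wrong kernel tree is the usual reason the LIDS patch fails to apply. The script below is an added example and not part of the LIDS notes or the LIDS project; it derives the expected paths from the version strings as the notes do (lids-{version}-{kernel-version} under /usr/src, defaulting the root to /usr/src) and compares the requested kernel version against VERSION/PATCHLEVEL/SUBLEVEL in the kernel's top-level Makefile.

```shell
#!/bin/sh
# Added example (not from the LIDS notes): pre-flight check for the layout the
# notes assume. Usage: sh lids-preflight.sh <kernel-version> <lids-version> [src-root]
# e.g. sh lids-preflight.sh 2.6.0 2.0.3 /usr/src

# kernel_version_of <kernel-src-dir>
# Prints VERSION.PATCHLEVEL.SUBLEVEL read from the tree's top-level Makefile,
# returns 1 if there is no readable Makefile.
kernel_version_of() {
    mk="$1/Makefile"
    [ -r "$mk" ] || return 1
    v=$(sed -n 's/^VERSION[ =]*//p' "$mk" | head -n1 | tr -d ' \t')
    p=$(sed -n 's/^PATCHLEVEL[ =]*//p' "$mk" | head -n1 | tr -d ' \t')
    s=$(sed -n 's/^SUBLEVEL[ =]*//p' "$mk" | head -n1 | tr -d ' \t')
    [ -n "$v" ] && [ -n "$p" ] && [ -n "$s" ] || return 1
    echo "$v.$p.$s"
}

# lids_preflight <kernel-version> <lids-version> [src-root]
# Returns 0 when the kernel tree, the lids directory and the patch file exist
# and the kernel tree really is the requested version; 1 if something is
# missing, 2 if the tree is a different kernel version.
lids_preflight() {
    kver="$1"; lver="$2"; root="${3:-/usr/src}"
    ksrc="$root/linux-$kver"                       # notes: /usr/src/linux-{kernel-version}
    ldir="$root/lids-$lver-$kver"                  # notes: /usr/src/lids-{version}-{kernel-version}
    lpatch="$ldir/lids-$lver-$kver.patch"          # patch name used in the notes
    rc=0
    for path in "$ksrc" "$ldir" "$lpatch"; do
        [ -e "$path" ] || { echo "missing: $path" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"
    actual=$(kernel_version_of "$ksrc") || { echo "no kernel Makefile in $ksrc" >&2; return 1; }
    if [ "$actual" != "$kver" ]; then
        echo "kernel source in $ksrc is $actual, not $kver; the LIDS patch targets $kver" >&2
        return 2
    fi
    # The lidstools directory carries its own version, so only warn if none is found.
    if ! ls -d "$ldir"/lidstools-* >/dev/null 2>&1; then
        echo "warning: no lidstools-* directory under $ldir" >&2
    fi
    echo "ok: $ksrc is kernel $kver and $lpatch is present"
}

# Run the check only when versions are given on the command line.
if [ $# -ge 2 ]; then
    lids_preflight "$@"
fi
```

Run it with the same version strings you will use in the patch and configure steps; a non-zero exit means stop and fix the layout before running patch.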
After updating the kernel you may encounter problems with certain processes when starting or shutting down your system. These problems are related to mounting and unmounting your partitions and to adjusting the clock. Most of them lie in /etc/rc.d/rc.sysinit.
Here's a sample configuration used to set up your default LIDS values.
rc.sysinit:818: dmesg -s 131072 > /var/log/dmesg
Either comment out the line which updates /var/log/dmesg in rc.sysinit, apply the patch to the dmesg source available here (util-linux-XXX/sys-utils/dmesg.c) or allow bash to modify the file. (I opted for the dmesg patch - GerwinVanDeSteeg).
rc.sysinit: dmesg -s 131072 -f /var/log/dmesg
Just comment this out for now until a fix is found.
For the mount and umount problems, replace the /etc/mtab file with a symbolic link to /proc/mounts.
% rm -rf /etc/mtab
% ln -sf /proc/mounts /etc/mtab
Then go through your initialization scripts (rc.sysinit) and add the "-n" option to every mount and umount command; it tells mount not to update /etc/mtab. You may then also get errors about being unable to mount a filesystem because it is already mounted.
rc.sysinit:570: action $"Mounting local filesystems: " mount -a -t nonfs,smbfs,ncpfs -O no_netdev
replace with
rc.sysinit: action $"Mounting local filesystems: " mount -a -n -t nonfs,smbfs,ncpfs,sysfs,proc,devpts -O no_netdev
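The rc.sysinit edit described above is easy to get wrong by hand (a missed mount, or "-n" added twice). The script below is an added example, not part of the LIDS notes; it rewrites a copy of rc.sysinit so that every "mount -a" and "umount -a" carries "-n", skips lines that already have it, counts what is still unpatched, and checks that /etc/mtab is the symlink to /proc/mounts the notes call for. The sample rc.sysinit lines it works on are constructed from the fragments quoted above; run it on a copy and diff before touching the real file.

```shell
#!/bin/sh
# Added example (not from the LIDS notes): add "-n" to (u)mount -a lines in a
# copy of rc.sysinit and verify the /etc/mtab -> /proc/mounts symlink.

# add_mtab_noupdate <input> <output>
# Copies <input> to <output>, inserting "-n" after "mount -a" and "umount -a".
# Lines already containing " -n " are left alone so the edit is idempotent;
# "umount -a " contains "mount -a ", so one substitution covers both commands.
add_mtab_noupdate() {
    sed -e '/ -n /!s/mount -a /mount -a -n /g' "$1" > "$2"
}

# count_unpatched <file>
# Prints the number of (u)mount -a lines that still lack "-n".
count_unpatched() {
    grep 'mount -a ' "$1" | grep -v ' -n ' | wc -l | tr -d ' '
}

# mtab_is_proc_mounts <mtab-path>
# Returns 0 if the path is a symlink pointing at /proc/mounts.
mtab_is_proc_mounts() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "/proc/mounts" ]
}

# Demo on constructed sample lines (modelled on the rc.sysinit fragments in the notes).
tmp=$(mktemp -d)
cat > "$tmp/rc.sysinit" <<'EOF'
action $"Mounting local filesystems: " mount -a -t nonfs,smbfs,ncpfs -O no_netdev
action $"Unmounting file systems: " umount -a -f
mount -a -n -t proc
mount -n -o remount,ro /
EOF
echo "unpatched before: $(count_unpatched "$tmp/rc.sysinit")"
add_mtab_noupdate "$tmp/rc.sysinit" "$tmp/rc.sysinit.new"
echo "unpatched after:  $(count_unpatched "$tmp/rc.sysinit.new")"
cat "$tmp/rc.sysinit.new"
# Constructed stand-in for /etc/mtab to show the symlink check.
ln -sf /proc/mounts "$tmp/mtab"
mtab_is_proc_mounts "$tmp/mtab" && echo "mtab symlink OK"
rm -rf "$tmp"
```

On a real system point the functions at /etc/rc.d/rc.sysinit and /etc/mtab; anything count_unpatched still reports after the rewrite is a mount invocation written in a form the simple pattern does not match and needs a manual edit.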
See sample configuration
Solution not yet found.