Next: Using LIDS
Up: The Linux Intrusion Detection
Previous: The Linux Intrusion Detection
  Contents
  Index
Introduction to LIDS
Because Linux develops quickly and its source is open, its programs are
constantly examined for security vulnerabilities. In the window between
the public disclosure of a vulnerability and the moment the system can
be updated, LIDS provides an extra layer of protection.
Since Linux is a product of the open source community, security holes
may be found more easily, but they can also be patched just as quickly
and easily. The danger comes when a hole is disclosed to the public and
the administrator is unable to patch it promptly: an attacker can use it
to compromise the system. On a typical Linux system, a cracker who gains
superuser access has absolute control. With the added protection of LIDS,
this and many other potential problems can be reduced.
LIDS provides the ability to control access to files, processes,
binaries, memory, raw devices, drives and so on. One of the main features
of LIDS is protection from the superuser, known on a Linux system
as the root user.
- [NOTE:]LIDS requires advanced administration
skills to manage properly and therefore should not be modified by
inexperienced users. Managing EnGarde Secure Linux through the WebTool
does not require users to perform any LIDS administration.
The root user has control over every single aspect of the system.
Root can mount and unmount drives, delete and create files, remove
users, access the database, edit the Web page, shut down the system,
etc. The security hazard is obvious: if someone managed to gain root
access, the entire system would be under the cracker's control. Here
are a number of security enhancements LIDS provides to protect the
system from this threat.
- Every single file can be protected, with its own read-only, write,
or append-only rule that even the root user must obey. For example, if
you set your log files to append-only, no one can go in and delete the
traces they leave on the system. You can set the login binary to
read-only so that it cannot be replaced. Even if there were a way to
overwrite the file, LIDS would know it is not the same file, because it
identifies protected files by their inode numbers, not by their file
names.
- Files can also be completely hidden from view and made accessible
only to specific programs. For example, if you want to protect your Apache
SSL server key from everyone including root, you can hide the file so
that to every user, including root, it does not exist, while at the same
time allowing Apache full access to the file so it can read the
information it needs.
- LIDS can also protect processes from being killed by the root user.
This can be used to keep your database server, your Web server,
your mail server, etc. from being taken off-line by an intruder.
- You have full control over the Linux kernel ``capabilities''.
Capabilities control what a process can and cannot do, and restricting
them gives you finer control over your system. By setting the
capabilities to your needs you can prevent all users, root included,
from rebooting the system, mounting and unmounting disks, changing
network settings, creating device nodes under /dev, changing file
ownership, loading and unloading kernel modules, and much more.
- Root can turn LIDS off, either locally for just the current session
or globally. This can be configured so that it is only possible locally
and/or remotely. Switching LIDS off also requires a password, which is
stored as a RIPEMD-160 hash rather than in the clear.
- A built-in port scan detector in the kernel lets you detect port
scans without putting the network interface into promiscuous mode.
- All attempts to violate a LIDS rule are logged, and when a user
tries to break one of the rules an e-mail is immediately sent to a
predefined address. (A cell phone or a pager can also be configured to
receive the alert, so you know as soon as someone makes an attempt on
your system.)
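The following script is an added example, not part of this page or of the EnGarde or LIDS distributions. It expresses the scenarios above (append-only logs, a read-only login binary, an SSL key hidden from everyone but Apache, a Web server that root cannot kill, and capabilities removed from every process) as rules in the syntax of the LIDS 1.1 `lidsconf`/`lidsadm` tools. The Apache binary and key paths, the `/etc/lids` location, the `CAP_PROTECTED` name used for process protection and the `LIDS_DRY_RUN` variable are assumptions; check them against the `lids.cap` shipped with your kernel. By default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: LIDS 1.1-style ruleset for the cases described in the text.
# Not EnGarde/LIDS project code. Paths below are assumed, not taken from EnGarde.
set -u

: "${LIDS_DRY_RUN:=1}"       # 1 = print commands instead of executing them (assumed knob)
: "${LIDS_ETC:=/etc/lids}"   # assumed location of lids.cap / lids.pw
HTTPD=/usr/sbin/httpd                          # assumed Apache binary
SSL_KEY=/etc/httpd/conf/ssl.key/server.key     # assumed server key

run() {
    if [ "$LIDS_DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# File ACLs. The object-wide DENY/READONLY/APPEND rule comes first; a rule with
# a subject (-s) then relaxes it for that one program. The subject itself should
# be READONLY, otherwise an attacker could replace the trusted binary.
lids_file_rules() {
    run lidsconf -Z                                      # start from an empty ruleset
    run lidsconf -A -o /var/log -j APPEND                # logs: append-only, even for root
    run lidsconf -A -o /bin/login -j READONLY            # login binary cannot be replaced
    run lidsconf -A -o "$HTTPD" -j READONLY              # trust anchor for the grants below
    run lidsconf -A -o "$SSL_KEY" -j DENY                # key invisible to everyone...
    run lidsconf -A -s "$HTTPD" -o "$SSL_KEY" -j READONLY   # ...except Apache
    run lidsconf -A -s "$HTTPD" -o CAP_NET_BIND_SERVICE -j GRANT  # may bind ports 80/443
    run lidsconf -A -s "$HTTPD" -o CAP_PROTECTED -j GRANT   # root cannot kill it (name assumed)
}

# lids.cap holds one line per capability: "+<n>:NAME" keeps it, "-<n>:NAME"
# removes it from every process once the kernel is sealed. Flip the named
# entries from + to - without touching the rest. Matching on ":NAME$" keeps
# CAP_SYS_ADMIN from also matching a longer name with the same prefix.
disable_caps() {   # $1 = lids.cap path, remaining args = capability names
    file=$1; shift
    for cap in "$@"; do
        sed "s/^+\([0-9]*\):$cap\$/-\1:$cap/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    done
}

# Rules are keyed by inode, so after any change (or after a package upgrade
# replaced a protected binary) re-resolve inodes, then ask the sealed kernel
# to reload. lidsadm prompts for the password set with "lidsconf -P".
lids_reload() {
    run lidsconf -U
    run lidsadm -S -- +RELOAD_CONF
}

# Drop LIDS for this shell session only; -LIDS_GLOBAL would switch it off everywhere.
lids_off_local() { run lidsadm -S -- -LIDS; }

lids_file_rules
if [ "$LIDS_DRY_RUN" = 1 ]; then
    echo "# would disable CAP_SYS_MODULE CAP_SYS_BOOT CAP_NET_ADMIN CAP_MKNOD in $LIDS_ETC/lids.cap"
else
    # modules, reboot, network settings and /dev control, as listed in the text
    disable_caps "$LIDS_ETC/lids.cap" CAP_SYS_MODULE CAP_SYS_BOOT CAP_NET_ADMIN CAP_MKNOD
fi
lids_reload
```

Run it as is to review the commands; run it with `LIDS_DRY_RUN=0` as root to apply them. CAP_SYS_ADMIN is deliberately left alone: it covers mounting, but also so much else that removing it system-wide tends to break legitimate daemons, which is exactly the misconfiguration risk the next paragraph warns about.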
A minor drawback of this increased security is that, if configured
incorrectly, it can hinder certain programs by denying them access to
files they need. It also makes the system harder to administer from the
console, but the included GD WebTool includes enhancements that
integrate well with LIDS.
docs@guardiandigital.com
2002-12-16