Jason's Home Page - Linux HOWTOs

lids - Linux Intrusion and Detection System ChangeLog

Web site:

http://www.lids.org/

HOWTO

LIDS 1.1.1r2 + Linux 2.4.19
===========================
# Both patches used below were found on the LIDS User mailing list.
#
# The lids-1.1.1r2xlids-1.1.1r2-icz patch is from Radek Bohunsky
# and fixes a few bugs in LIDS 1.1.1r2
# It's available from http://www.roedie.nl/downloads/lids/lids-2.4/jk/
#
# The 1.1.1r2-2.4.18 -> 2.4.19 patch is from Shane Wegner
# and is available from:
# http://www.cm.nu/~shane/lids-1.1.1r2-2.4.19.patch.gz

cd
wget \
ftp://ftp.kernel.org/pub/linux/kernel/v2.4/linux-2.4.19.tar.bz2 \
http://www.lids.org/download/lids-1.1.1r2-2.4.18.tar.gz \
ftp://englanders.cc/pub/linux/misc/notmine/lids-1.1.1r2-2.4.19.patch.gz \
ftp://englanders.cc/pub/linux/misc/notmine/lids-1.1.1r2xlids-1.1.1r2-icz.patch

cd /usr/src
tar xjvf ~/linux-2.4.19.tar.bz2
chown -R root.root linux-2.4.19
ln -sf linux-2.4.19 linux

cd /usr/local/src
tar xzvf ~/lids-1.1.1r2-2.4.18.tar.gz
cd lids-1.1.1r2-2.4.18
chown -R root.root .

cd /usr/src/linux
zcat ~/lids-1.1.1r2-2.4.19.patch.gz | patch -p1
patch -p1 < ~/lids-1.1.1r2xlids-1.1.1r2-icz.patch

# configure the kernel: make menuconfig, make xconfig, whatever
make dep ; make clean
make bzImage
make modules
make modules_install
make install

# remember that if you get screwed, you can boot the kernel
# with lids turned off by putting 'Linux lids=0' at the LILO prompt

cd /usr/local/src/lids-1.1.1r2-2.4.18
# Open up configure, find where it checks to make sure the kernel is 2.4.18,
# change that to 2.4.19
./configure
make VIEW=1
make install

cd /etc/lids
# Fix up lids.net

# Fix up lids.cap if you want to turn on/off any capabilities
# Note: You may want/need to copy over a newer lids.cap if you're upgrading
# LIDS (make install won't overwrite an existing lids.cap)

# Add a line to /etc/rc.d/rc.local like this:
/sbin/lidsadm -I

# Copy jason's lids bash script (lids.sh) into /etc/lids and run it

mkdir -p ~/backup ; mv /etc/mtab ~/backup/ ; ln -s /proc/mounts /etc/mtab

# Change all mount and umount lines in /etc/rc.d/* (rc.6, rc.S, rc.inet2)
# to include the -n parameter (don't use /etc/mtab)

# Change this line in rc.S:
# /bin/rm -f /etc/mtab* /etc/nologin /etc/shutdownpid
# to this (don't remove mtab, it's a symlink now):
# /bin/rm -f /etc/nologin /etc/shutdownpid

# Comment out lines 27-ish through 42-ish in rc.modules (the whole section
# except for the RELEASE= line.

# Comment out the line in rc.M that runs /sbin/ldconfig

# Comment out the lines in rc.S that write to /etc/issue (if there are any)

# Comment out the lines that run update in rc.S and rc.K if you removed
# the slackware package for util-linux and installed the source (update
# doesn't come with it any more, no longer needed with the new kernels)

# reboot

Using LIDS
==========
Open up a LFS (LIDS free session), ie. turn off LIDS just on your tty:
lidsadm -S -- -LIDS

Turn it back on:
lidsadm -S -- +LIDS

Turn LIDS off globally:
lidsadm -S -- -LIDS_GLOBAL

Turn LIDS back on:
lidsadm -S -- +LIDS_GLOBAL

Reload configuration (do this after running /root/lids):
lidsadm -S - +RELOAD_CONF

Update protected file info (do this after upgrading something):
# This updates /etc/lids/lids.conf
lidsadm -U

Make file/dir read only (the dir and everything under it on the same
filesystem):
lidsadm -A -o /some/directory -j READ

Make file/dir hidden (recursive):
lidsadm -A -o /some/file_or_directory -j DENY

Make a log append-only (recursive):
lidsadm -A -o /some/log/file -j APPEND