LIDS (Linux Intrusion Detection System) is a Linux kernel patch to enhance the Linux kernel. In this article, we will talk about LIDS, including what it can do and how to use it to build a secure linux system.

Xie Huagang (This email address is being protected from spambots. You need JavaScript enabled to view it., )
With additions by Nick DeClario (This email address is being protected from spambots. You need JavaScript enabled to view it.)

1. Why LIDS.

With increasing popularity of Linux on Internet, more and more security holes are found in the current GNU/Linux system. You may hear from the Internet that - There are bugs found in Linux, which will cause the system tobe easily compromised by a hacker.

Since Linux is an art of the open source community, security holes can befound easily and can also be patched quickly. But when the hole is disclosed to the public and the administrator is too lazy to patch the hole, it is very easy to break into the current system and it is worse than that, the hacker can get the root shell. With the current GNU/linux system, he can do whatever he wants. Now, you may ask, what is the problem and what can we do?

What's wrong with the current GNU/Linux system.

  • superuser (root) may abuse the rights. Being root, he can do whatever he wants. Even the capability existing in the current the system can be easily altered as root.
  • Many system files can be changed easily. There are many important files, such as /bin/login, in the system. If the hacker came in, he can upload a changed login program to replace /bin/login , so he can re-login without any login name or password. But the files do not need to change frequently, unless you want to upgrade the system.
  • Modules are easily used to intercept the kernel. Modules are a good design for the linux kernel to make the linux kernel more modulized and more felixible. But after the modules are inserted into the kernel, it will be part of the kernel and can do what the original kernel can do. Therefore some unfriendly code could be written as a module and inserted into to the kernel. The code can even redirect the system calls and act like a virus.
  • Processes are unprotected. Certain processes, such as a web server daemon, which are vulnerable to the attack of hackers.

With the above description about Linux insecurity, how can we build a secure system? We must have a secure kernel and then build our secure system on top of it. This is what LIDS does.

2. Features about LIDS.

The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it is in installed, chosen files access, every system/network administration operations, any capability use, rawdevice, mem, and I/O access can be made impossible even for root. Ituses and extends the system capabilities bounding set to control the whole system and adds some network and filesystem security features in kernel to enhance the security. You can finely tune the security protections online, hide sensitive processes, receive security alerts through the network, and more.

In short, LIDS provides Protection, Detection and Response to the intrusion in the Linux kernel.

  • Protection. LIDS can protect important files on your hard disk no matter what filesystem type they reside on, anybody including root can not change the files. LIDS can also protect the important processes from being killed. LIDS can prevent RAW IO operations from an unauthoritized program. It can also protect your hard DISK, include MBR protection, etc.
  • Detection. When someone scans your host, LIDS can detect it and inform the administrator. LIDS can also notice any activity on the system which violates the rules.
  • Response. When someone violates the rules, LIDS can log a detailed message about the violated action to the system log file which has been protected by LIDS. LIDS can also send the log message to your mailbox. In this case, LIDS can also shutdown the user's session at once.

3. Build a security linux system with LIDS

With the LIDS features, let's go and see how to build a security system with LIDS step by step.

3.1 Download LIDS patch and coresponsive official Linux kernel

You can download LIDS patch from LIDS Home and LIDS Ftp Home and other mirror of LIDS around the world, check LIDS Mirror for the nearby mirror site.

The patch name will be lids-x.xx-y.y.y.tar.gz, x.xx represents the lids version and the y.y.y represents the Linux kernel version.

You should download the corresponding kernel version. For example, if you download the lids-0.9pre4-2.2.14.tar.gz, you should download the linux kernel 2.2.14 source code. You can download the kernel source from Kernel FTP Site or other mirror site of it.

1. uncompress the linux kernel source code tree.
# cd linux_install_path
# bzip2 -cd linux-2.2.14.tar.bz2 | tar -xvf -

2. uncompress the lids source code.

# cd lids_install_path
# tar -zxvf lids-0.9pre4-2.2.14.tar.gz

3.2 Patch LIDS to official linux kernel

After downloading the kernel source and LIDS, uncompress the source and lids.For example, if you download the lids-0.9pre4-2.2.14.tar.gz and linux-2.2.14.tar.bz2, then,

3. patch the lids to the Linux kernel source code.
# cd linux_install_path
# patch -p0 < /lids_install_path/lids-0.9pre4-2.2.14.patch

4. configure Linux kernel to use LIDS

Turn the following options on:

[x] Prompt for development and/or incomplete code/drivers
[x] Sysctl support

Turning these on will add a series of options for LIDS. Note: There are many kernel options for LIDS. Please check the lids-howto for detailed information about configuring these options.

# cd linux
# make menuconfig or make xconfig

5. compile the Linux kernel

# cd linux
# make dep clean
# make bzImage
# make modules
# make modules_install

6. copy the bzImage to /boot/ and edit the /etc/lilo.conf

7. Run /sbin/lilo to install the new kernel.

# /sbin/lilo

3.3 Compile the lidsadm program

lidsadm in the administration utility for LIDS.
It is required to install this before rebooting your system with
your new kernel but it does not require the new kernel or patch to
compile. It will compile and install with your original kernel.

# cd lids_install_path/lidsadm-0.9pre4
# make or make VIEW=1 (use VIEW=1 to see exact LIDS state)
# make install

Read the README included in the LIDS package for details on
compiling and running lidsadm.

3.4 Initialize the LIDS system

Now before you reboot, you must configure your LIDS system to meet your security needs. You can define protected files, protected process, etc.. In the next chapter, we will show you the details about this topic.

3.5 Reboot the system

After your system is configured, reboot the system. When lilo appears, select the LIDS enable kernel to load. After then, you enter the wonderful world of LIDS.

3.6 Sealing the kernel.

After your system boots up, do not forget to seal the kernel with lidsadm. You can put the command in the last line of /etc/rc.local.

# /sbin/lidsadm -I -- -CAP_SYS_RAWIO -CAP_NET_ADMIN

You can check the LIDS-HOWTO for a detailed list of all the options for lidsadm.

3.7 Online administration

After you seal the kernel, your system is now protected by LIDS. You can run some tests on it. If you want to change a configuration, such as modify the capability option, you can change your LIDS security level online by providing a password.

# /sbin/lidsadm -S -- -LIDS

4. Configuring LIDS

In this chapter, we will show you how to configure LIDS.

4.1 Protect your files.

First, you must determine which files you will protect. In most cases, you may protect the system binary files and system configuration files, such as /usr/, /sbin/, /etc/, /var/log/.

Second, you must decide the way to protect the files. LIDS provide 3 protection type:

  • Read Only Files. The files marked with Read Only means that nobody can change the files. We can think that the following files are in this catalog, /etc/passwd, /bin/passwd, etc.

    lidsadm -A -r filename_to_protect


    1. to protect the whole /sbin/ as read-only.

    # /sbin/lidsadm -A -r /sbin/

    2. to protect /etc/passwd as read-only

    # /sbin/lidsadm -A -r /etc/passwd
  • Append Only Files. Most of the append only files are system log files, such as /var/log/message, /var/log/secure. The files can only open with append mode and can not truncate or modify its previous contents.

    lidsadm -A -a filename_to_protect


    1. to protect the system log files

    # /sbin/lidsadm -A -a /var/log/message
    # /sbin/lidsadm -A -a /var/log/secure

    2. to protect the apache httpd log files

    # /sbin/lidsadm -A -a /etc/httpd/logs/
    # /sbin/lidsadm -A -a /var/log/httpd/

Here is the example from LIDS-HOWTO by Philippe Biond,

lidsadm -Z
lidsadm -A -r /boot
lidsadm -A -r /vmlinuz
lidsadm -A -r /lib
lidsadm -A -r /root
lidsadm -A -r /etc
lidsadm -A -r /sbin
lidsadm -A -r /usr/sbin
lidsadm -A -r /bin
lidsadm -A -r /usr/bin
lidsadm -A -r /usr/lib
lidsadm -A -a /var/log

Note: If you protect /etc/lids.conf as read-only you can not change any attributes to any files unlessyou reboot the system with a non LIDS kernel. Either protect this file last after you got everything setup the way you like it or protect it with append.

To control where the 'lids.conf' file is placed you can edit this line in 'lidsadm.c' to your likeing
#DEFINE LIDS_CONF "/etc/lids.conf"

Then just recompile it.

4.2 Protect your process.

LIDS can protect the process whose parent is init(pid=1). You must seal the kernel with a specified option as below.

# lidsadm -I -- +INIT_CHILDREN_LOCK

4.3 Protect with capability.

Capabilities are like privileges you can give a process. A root process has all the capabilities. But there exists a capabilities bounding set. In a normal kernel, when you remove a capability from the bounding set, nobody can ever use it again, until next reboot. (see for the normal use).

LIDS modifies this behavior to enable you to switch these on and off, whenever you want. An access to the /proc/sys/kernel/cap_bset is trapped and raise a security alert. lidsadm performs the whole job.

You can list all the capabilities in LIDS by running lidsadm, and you can see what the exact meaning of each capability is.

We here discuss two of them,


With this capability on, we can allow ioperm/iopl and /dev/port access, allow /dev/mem and /dev/kmem acess and allow raw block devices (/dev/[sh]d??) acess

When we disable this capability, we can deny all processes on the system rights to the raw device, such as running lilo.

But some processes may want this capability to run, such as XF86_SVGA. In this case, we can put the program in the exception list when we compile the kernel.


This capability has the following abilities,

interface configuration
administration of IP firewall, masquerading and accounting
setting debug option on sockets
modification of routing tables
setting arbitrary process / process group ownership on sockets
binding to any address for transparent proxying
setting TOS (type of service)
setting promiscuous mode
clearing driver statistics
read/write of device-specific registers
For security reasons, we should disable this to disallow network configuration changes. When it's disallowed, the firewall rules will not allow any changes.

Choosing the capability and sealing the kernel

You should choose what capability you want to disallow when sealing the kernel. Here we give an example.

You may put it in a rc script (rc.local, /etc/init.d/lids, /etc/rc.d/init.d/lids, etc.) depending upon your distribution and the way you administrate your system. The command is, for example :


4.4 Network Security.

LIDS provides some network security enhancements.

network security with capability

With each capability, we can enhance the network security. Such as anti-snifferring, can not bind to the port lower than 1024 and can not change the firewall and routing rules.

So, what I suggest is to view each capability defenition carefully.

Scanner detector in kernel

LIDS provide a scanner detector in kernel in order to detect who has scanned your system. The scanner can detect half-open scans, normal scans etc.. Using tools like nmap, satan can be detected by the detector.

It is useful when raw sockets are disabled. In this casoes not use any socket, it will be more secure than a user space detector.

If you want this feature, you should select it on when you compile the kernel.

4.5 Intrusion Responsive system.

When LIDS detects a violation in the defined rules, it can respond to the action by the following method.

Logging the message

When someone violates a rule, lids_security_log will log a message the klogd. The logging also has the ability to anti_logging_flood. You can set it when compiling the kernel.

Logging the message via mail server

Now, LIDS has a new feature to mail the message to your mail account. You can define the mail server IP, the out-coming mail address,etc, when compiling the kernel.

Shutdown the console

When a user violates a rule, the console will shutdown that user's console.

5. Thanks.

First of all, I want to thank my friend, Kate lee, who always encouraged me to write document like this. This document is dedicated to her.

I also want to thank Philippe Biond and Christophe Long who largely contributed to the project. Without them, the project could never have developed so well.

Many thanks must also go to all the LIDS users. Without their contributions and discussions, LIDS could not have had so many great ideas.

Return to