Strategies to Enhance Linux Compliance and Security Resilience

Linux has various robust cybersecurity features, making it a popular choice among enterprises. Businesses can carry out critical operations with the peace of mind that they have the support of comprehensive, multi-layered cloud security frameworks to keep all data safe. Effective compliance management, all-encompassing data and network security measures, risk mitigation, and security patching help harden your platform, keep away threats, and maintain integrity.

Linux can tighten security settings, reduce attack surfaces, and implement Linux patching best practices to protect your system from cybersecurity vulnerabilities and network security threats. Organizations must integrate the most effective strategies to combat the issues a server might encounter. This article will discuss the basics of Linux security, how to enhance compliance and security, how to evade threats, and a variety of solutions you can incorporate immediately.

What is Linux Security Hardening?

Bolster your Linux systems with the correct data and network security protocols. Hardening your server is the first step to having proper defense-in-depth protection. Here are the various suggestions to consider when strengthening your platform:

- Keep your system up-to-date, so you have the latest security patches in place to keep your organization safe. Your Linux kernel, system libraries, and software packages require these updates so that you can discover and address data and network security issues immediately.
- Mitigate vulnerabilities with proper configurations to remediate threats and prevent known weaknesses from undermining your server.
- Minimize open ports by removing unnecessary ones and monitoring the ones you keep, reducing your exposure to exploits.
- Enable two-factor or multi-factor authentication so that access to Linux systems stays secure, neutralizing the threats that come with compromised passwords.
- Strengthen password policies to resist brute-force attacks by requiring upper- and lowercase letters, numbers, and special characters.
- Update the BIOS to keep your server compatible with the latest hardware, resolve potential bugs, and enhance system performance. The firmware fixes a BIOS update delivers can also improve your security posture.
- Uninstall end-of-life software to reduce your attack surface. Any unnecessary software is another way for cybercriminals to enter your system and steal your data.
- Employ regular cloud security auditing to see whether your system is secure and complies with industry mandates, giving you the opportunity to discover and suspend anomalies in your network quickly and efficiently.

How Can I Achieve Compliance on My Server?

Organizations running Linux environments struggle to maintain compliance with industry-specific regulations and standards. However, businesses must adhere to these policies to avoid legal ramifications and minimize cloud security breaches that could cause financial loss, reputational damage, and significant downtime. Companies must review and comply with the Center for Internet Security's (CIS) industry-standard security benchmarks to secure systems and combat network security threats. Here are a few ways to achieve compliance on your Linux server:

- Conduct a comprehensive assessment of your Linux cloud security frameworks to identify security gaps and determine how compliant your server is with CIS benchmarks.
- Implement CIS-recommended security configurations, including user setting adjustments, system configurations, and network parameters.
- Enforce stringent access control by configuring user accounts, permissions, and privileges to coincide with CIS benchmarks, preventing unauthorized access and cloud security breaches.
- Secure the network infrastructure through proper firewall rules and configuration, encryption protocol implementation, and network traffic monitoring to protect your environment from data and network security threats.

Why Must We Enhance Linux Security?

Incidents like the WannaCry ransomware outbreak (2017) and the OpenSSL Heartbleed vulnerability (2014) show why businesses must upgrade their Linux patching and compliance to reduce the chances of facing network security issues. The immediate operational disruptions, long-term reputational risks, and financial setbacks from such compromises can affect organizations, stakeholders, clients, and employees. Ransomware gangs have increasingly targeted Linux systems after developing effective Linux-specific malware to harm servers. SprySOCKs, one such malware, is used in espionage attacks by China-linked threat actors to exfiltrate documents and email credentials from government bodies. As these data and network security risks grow, Linux systems must enhance their protection to prevent these attacks from having lasting impacts on a business.

How Can You Evade the Rising Threats Targeting Linux?

Organizations must establish a robust and comprehensive data and network security solution with multi-layered defense mechanisms that can effectively shield critical assets and data from malicious actors and network attacks. Elevating your security posture is crucial to company success, though it can be challenging without the right tools. Unfortunately, most solutions pay attention to a specific aspect of security rather than offering a comprehensive, holistic approach to management. These limited functions include vulnerability scanning, single-layered threat detection, and simple compliance checks. To safeguard your server, you need more than just one aspect of a solution.

Let's clarify a few shortcomings of common network security toolkits:

- Traditional vulnerability scanners detect and report issues but do not always have the advanced, automated remediation and monitoring you need.
- Basic firewalls only carry standard protection features and lack the advanced functionality needed to combat sophisticated threats effectively.
- Conventional compliance tools offer minimal regulatory checks that do not provide comprehensive insight into security gaps and risks.

The Ultimate Security Solution Checklist

Here is a varied list of network security toolkit categories and the features they must have to boost your server and keep your data safe:

Vulnerability scanner
- Real-time vulnerability and zero-day attack detection
- Vulnerability assessments
- Scheduled scans

Patch deployment
- Automated patch deployment
- Zero-day mitigation
- Multi-platform security patching
- Patch testing and approval

Security configuration management
- Firewall auditing
- Password policies
- Account lockout and login security
- User account management

Compliance management
- Industry-specific compliance reports
- Group policies
- Mapping and auditing of systems
- Flexible deployments

Audit ports and high-risk software
- Elimination of outdated software
- Uninstallation of remote desktop sharing software and peer-to-peer software
- Active port monitoring
- Identification of the types of ports

Reports and dashboards
- Security reports on vulnerabilities, patches, and more
- Interactive dashboards with comprehensive insights

Other important aspects
- Failover server to prevent downtime
- Secure gateway server for enhanced protection

You must assess how comprehensive the features and functionalities you utilize are, so that you have the security patching and compliance management you need. Then organizations can prepare themselves for any future data and network security risks.

Final Thoughts on Synergizing Linux Hardening, Compliance, and Risk Mitigation

Enhance Linux security by integrating robust principles like hardening, compliance, and risk management. These principles can foster a resilient cloud security framework that protects all of your vital data assets. Combining data and network security can improve your security posture by helping you identify and neutralize potential threats before it is too late. ManageEngine Vulnerability Manager Plus is an integrated threat and vulnerability management solution that helps craft a bulletproof defense for your organization. Its advanced features and capabilities streamline the vulnerability management process from one console. Vulnerability Manager Plus is a cornerstone for organizations fortifying their Linux infrastructure.

Oct 31, 2023 | Brittany Day

Jay Beale Discusses Bastille Project: Effective Linux Hardening

Jay Beale talks about his efforts as lead developer of one of the hottest projects in the Internet security space today.

Recently I got an opportunity to speak with Jay Beale, the Lead Developer of the Bastille Project. Jay is the author of several articles on Unix/Linux security, along with the upcoming book "Securing Linux the Bastille Way," to be published by Addison Wesley. At his day job, Jay is a security admin working on Solaris and Linux boxes. You can learn more about his articles, talks and favorite security links via .

LinuxSecurity.com: Can you briefly describe the bastille-linux project? What is the goal/objective of Bastille?

Jay Beale: Bastille Linux is a project to harden, or "lock down," Linux systems. It asks the user a number of questions, which it uses to provide the most comprehensive security, without removing needed functionality. We're trying to make a more secure environment for every class of user, without restricting them too much. We've been very successful so far - Bastille can stop almost every single root grab vulnerability that I know of against Red Hat 6.x. In the case of the well-known BIND remote root vulnerability, we had secured against that one before it was even discovered!

LinuxSecurity.com: How was it started?

Jay Beale: Bastille started about almost two years ago, when Jon Lasser began making UMBC Linux, a secure distribution that he could give out to students and faculty, without worrying that their new boxes would be quickly "rooted." While at a SANS conference, he met a number of people who were doing the same thing. Through a beer-enabled Birds of a Feather (BoF) session, they decided to stop duplicating effort, banding together to create the new Bastille Linux distribution. Fast forward a few months. As many would-be distribution makers quickly learn, this group found out that making a new distribution was very hard work, before you even tried to secure it. They shifted strategy, and instead decided to modify the existing Red Hat distribution. This was faster and could be far more comprehensive. I joined up then, bringing a rather long Perl script with me that would turn a virgin Red Hat 6.0 box into a more secure one. Jon and I became partners, Lead Coordinator and Lead Developer, and I posted a "modules wanted" sign in the form of a Spec Document for the script. At that point, we were joined by the people that make up our core team, including Pete Watkins, who brought his strong and comprehensive IPCHAINS firewall, Sweth Chandramouli, who's helping me with architecture design, and Mike Rash, who's working on Intrusion Detection. We've got a great team on board, really, with a number of people dedicated to testing Bastille and generating ideas.

LinuxSecurity.com: Can you describe your background? How long have you been involved with security and Linux?

Jay Beale: Two years ago, I was a mathematician with an interest in computing and physics. I became interested in computer security when I took my first sysadmin job about two years ago. Security is one of the few areas of computing that is rather complex - yet, there's an underlying structure running through the entire field. It really fascinated me from the beginning, so I read everything I could find and started tinkering at home and at work. Later on, I began working as a security admin, doing everything from writing host-based Intrusion Detection, to handling hacker break-ins, to writing hardening scripts. Bastille's main module development started as an extension of ideas I implemented for Solaris, actually. Now, I'm writing a book on applied Linux Security for Addison Wesley and writing articles for various sites, in addition to keeping up with Bastille, which is no small task.

LinuxSecurity.com: Do you ever expect vendors to ship Linux in a configuration that obviates the need for such a project?

Jay Beale: This really is possible, though it's a long shot... The problem is that users need their systems to "work" and, more and more, they don't have the time to tinker with them a great deal first. So, most vendors ship with ftp on, Apache with server-side-includes/cgi enabled, and no password on single user mode. You see, to secure a system, you'll have to remove some functionality. This is due to a basic premise of computer security: to fully secure a system, you really have to grind it into dust, scatter the pieces to the wind, and hope that Entropy does its part. Since you can't do this, you make tradeoffs. I think things like Bastille will always be around for three reasons. First, vendors have incentives to make systems easy to use - Bastille works against this, but educates the admin/user to compensate. Second, we're going to keep researching, creating and implementing ideas before the vendors. Third, much of what we do isn't necessarily the vendor's "job" - implementing an intrusion detection system is usually a third party function. Bastille does a great deal to systems and we're about to start doing even more - we're growing beyond a simple hardening system into more facets of system security.

LinuxSecurity.com: What are the most difficult challenges you've faced while developing it?

Jay Beale: The toughest problems are really in the architecture, rather than features. Bastille's original goal was to make a new distribution, press our own CDs and such. Then, we were still making a new distro, by installing Red Hat and modifying that directly after install. Now, we can modify a year-old system, but that took an architecture overhaul and an intense code audit to implement. This wasn't so much an added feature, as the problem was getting redefined after we implemented our first solution! Actually, another problem that we're considering over time is that as Bastille does more and more, it has to ask a lot more questions! Right now, if you read all the explanations, it takes about an hour to run through the interactive portion. It's nowhere near as bad as a Linux kernel, but it annoys some users who just want a quick fix. Rather than abandoning these users, we're making "One Shot" configurations, where they can choose a sample configuration that matches their own and deploy that. While they miss a crucial part of securing the system (Secure the Admin!) they still get a safer system...

LinuxSecurity.com: What type of user would be most interested in running Bastille?

Jay Beale: I think Bastille is accessible to every class of user, from the newbie to experienced admins. Every class of user tends to find it more comprehensive than anything they do by hand. Newbies find it useful because it explains everything it wants to do and asks questions, so as not to break anything. Experienced sysadmins find it useful because it automates what would normally take many man-hours, especially when you scale it to hundreds of systems. Further, many experienced sysadmins haven't ever had the time to learn about or implement security on their systems. They find themselves trying to make time, in the middle of the night, right after someone "hacks" their systems.

LinuxSecurity.com: What do you think of the state of security today on Linux?

Jay Beale: I think Linux security is getting better, but we're in a tough arena. Given the accessibility of Linux, most crackers have it on hand and are coding exploits for it first. Using Open source makes a program that much easier to audit for holes, so people are discovering some of the vulnerabilities very quickly and not all of them are White Hats. It's also a difficult situation, in that development is moving so much faster than audits. Honestly, we've also got an amazing advantage: we've got the numbers, baby. The "Ping of Death" vulnerability was corrected in, if reports are to be believed, 1 hour for Linux. No vendor came close to that! While Linux may have had many more security vulnerabilities than Solaris in the past three years, these holes get patched a whole lot faster. Kurt Seifried's report on this noted that while Sun has, on average, only six announced vulnerabilities per year, it takes them around 90 days to fix them - this doesn't even account for all the programs, like WU-ftpd or BIND 8, that you generally add to a Sun box. The thing to remember, though, is that every operating system will have holes. It is human nature to make mistakes, no matter how many geniuses work on a system. Further, there are many creative, bright people in the cracking community - they will win many battles here.

LinuxSecurity.com: What features does it offer the average Linux user?

Jay Beale: Bastille is very accessible to the average user. It doesn't just start securing, but instead asks permission for every step it takes. Further, it educates. This key feature came out of a design problem I faced about a quarter way through writing the first script. The average Linux user tends to install their distro with everything installed and everything turned on, because they're not sure what it all does and they don't want to miss something. Bastille was asking the user questions, like "can we disable routing daemons?" when we hadn't explained what a routing daemon was or why they shouldn't need one. Pete and I ended up writing explanations for each question, so anyone could make educated choices, whether they were a newbie or an experienced sysadmin. Bastille also has lots of other nice features: it can be re-run to keep a system secure after patches, everything it does can be undone, and it's fairly comprehensive. It tightens user account security, configures a well-tuned firewall, configures Apache, makes sane boot security choices, configures some smart PAM options, chroots your DNS server, restricts access within your FTP server, sets better file permissions and audits your Set-UID root programs. It also configures stronger logging, locks down Sendmail a bit, and tries to turn off services and daemons that you don't need. This is really just the start, though! We're expanding this right now with new modules, including a basic network IDS system and a number of other modules under development.

LinuxSecurity.com: What new features are you working on?

Jay Beale: Expect some really incredible news on this in a few months. We're kicking around some great architecture ideas with the help of Yoann Vandoorselaere, from Mandrake. Sweth and others are helping us move rapidly to support far more than just Red Hat and Mandrake. We're eyeing FreeBSD, Solaris, Irix, Slackware, Debian and everything we can possibly generalize this to.

LinuxSecurity.com: What do you think are the biggest security concerns with using Linux today?

Jay Beale: Honestly, there aren't too many other security concerns that are specific to Linux. All of it generalizes to Unix and most of it applies to operating systems as a whole. I think too many programs run with superuser privilege. We can kludge this, the way we do with programs that drop privilege, but we can also stop making this an all-or-nothing, user-or-root game. We should think beyond the basic security mechanisms present in Unix/Linux. Let's start implementing our programs using capabilities and dropping the number of programs on the system which use root. Actually, I think computer security as a whole is a very tough problem. We're trying to make computers easier and easier to use, often at the cost of security. Cracker activity has grown immensely, as many more would-be script kiddies get Internet access. When I got my first shell account, the Internet was well known mostly among the University crowd - now, everyone's got access to the Internet and it's becoming a rougher neighborhood. I'm not saying world-wide Internet access is bad - it's an amazing resource, but one that some people are choosing to abuse.

LinuxSecurity.com: Security is always about tradeoffs. What tradeoffs do you face while developing Bastille? Certainly it would be easiest to just remove rlogin, telnet, and other inherently-insecure programs, but this isn't always possible.

Jay Beale: Well, I think we've got a nice solution here. We're letting the user decide what tradeoffs to make and we're providing the user with the background to make that decision. Bastille is highly granular, taking many actions and asking the user about each one. In the end, the user decides whether or not to kill telnet, but we try to help them make an educated decision, by presenting facts like these: telnet is cleartext, so that someone eavesdropping can steal your account from under you - using programs like hunt, they can even steal your entire session! Educating the end-user and letting them make all the decisions was a new approach, but we felt it was the only one that worked for a community as diverse in background as the Linux community.

LinuxSecurity.com: Thanks for taking the time with us today, and we wish you and your team members the greatest of success with this project!

Jul 14, 2000 | Brittany Day

Steps to Create a Robust and Secure Linux Environment Using LIDS

LIDS (Linux Intrusion Detection System) is a Linux kernel patch to enhance the Linux kernel. In this article, we will talk about LIDS, including what it can do and how to use it to build a secure Linux system.

Xie Huagang, with additions by Nick DeClario

1. Why LIDS

With the increasing popularity of Linux on the Internet, more and more security holes are found in the current GNU/Linux system. You may hear from the Internet that there are bugs found in Linux which will cause the system to be easily compromised by a hacker. Since Linux is a product of the open source community, security holes can be found easily and can also be patched quickly. But when a hole is disclosed to the public and the administrator is too lazy to patch it, it is very easy to break into the system and, worse than that, the hacker can get a root shell. With the current GNU/Linux system, he can then do whatever he wants. Now, you may ask, what is the problem and what can we do?

What's wrong with the current GNU/Linux system?

- The superuser (root) may abuse its rights. Being root, he can do whatever he wants. Even the capabilities existing in the current system can be easily altered as root.
- Many system files can be changed easily. There are many important files, such as /bin/login, in the system. If a hacker gets in, he can upload a modified login program to replace /bin/login, so he can log in again without any login name or password. But these files do not need to change frequently, unless you want to upgrade the system.
- Modules are easily used to intercept the kernel. Modules are a good design for the Linux kernel, making it more modular and more flexible. But once a module is inserted into the kernel, it becomes part of the kernel and can do whatever the original kernel can do. Therefore some unfriendly code could be written as a module and inserted into the kernel. The code can even redirect the system calls and act like a virus.
- Processes are unprotected. Certain processes, such as a web server daemon, are vulnerable to attack by hackers.

With the above description of Linux insecurity, how can we build a secure system? We must have a secure kernel and then build our secure system on top of it. This is what LIDS does.

2. Features of LIDS

The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it is installed, access to chosen files, every system/network administration operation, any capability use, and raw device, memory, and I/O access can be made impossible even for root. It uses and extends the system capabilities bounding set to control the whole system and adds some network and filesystem security features in the kernel to enhance security. You can finely tune the security protections online, hide sensitive processes, receive security alerts through the network, and more. In short, LIDS provides Protection, Detection and Response to intrusions in the Linux kernel.

Protection. LIDS can protect important files on your hard disk no matter what filesystem type they reside on; nobody, including root, can change the files. LIDS can also protect important processes from being killed. LIDS can prevent raw I/O operations from an unauthorized program. It can also protect your hard disk, including MBR protection, etc.

Detection. When someone scans your host, LIDS can detect it and inform the administrator. LIDS can also notice any activity on the system which violates the rules.

Response. When someone violates the rules, LIDS can log a detailed message about the violating action to the system log file, which has itself been protected by LIDS. LIDS can also send the log message to your mailbox. In this case, LIDS can also shut down the user's session at once.

3. Build a secure Linux system with LIDS

Given the LIDS features above, let's see how to build a secure system with LIDS step by step.

3.1 Download the LIDS patch and the corresponding official Linux kernel

You can download the LIDS patch from LIDS Home and LIDS Ftp Home and other LIDS mirrors around the world; check LIDS Mirror for the nearest mirror site. The patch name will be lids-x.xx-y.y.y.tar.gz, where x.xx represents the LIDS version and y.y.y represents the Linux kernel version. You should download the corresponding kernel version. For example, if you download lids-0.9pre4-2.2.14.tar.gz, you should download the Linux kernel 2.2.14 source code. You can download the kernel source from the Kernel FTP Site or one of its mirror sites.

1. Uncompress the Linux kernel source code tree.

   # cd linux_install_path
   # bzip2 -cd linux-2.2.14.tar.bz2 | tar -xvf -

2. Uncompress the LIDS source code.

   # cd lids_install_path
   # tar -zxvf lids-0.9pre4-2.2.14.tar.gz

3.2 Patch LIDS into the official Linux kernel

After downloading the kernel source and LIDS, uncompress the source and LIDS. For example, if you downloaded lids-0.9pre4-2.2.14.tar.gz and linux-2.2.14.tar.bz2, then:

3. Patch LIDS into the Linux kernel source code.

   # cd linux_install_path
   # patch -p0 < /lids_install_path/lids-0.9pre4-2.2.14.patch

4. Configure the Linux kernel to use LIDS. Turn the following options on:

   [x] Prompt for development and/or incomplete code/drivers
   [x] Sysctl support

   Turning these on will add a series of options for LIDS. Note: there are many kernel options for LIDS. Please check the lids-howto for detailed information about configuring these options.

   # cd linux
   # make menuconfig   (or make xconfig)

5. Compile the Linux kernel.

   # cd linux
   # make dep clean
   # make bzImage
   # make modules
   # make modules_install

6. Copy the bzImage to /boot/ and edit /etc/lilo.conf.

7. Run /sbin/lilo to install the new kernel.

   # /sbin/lilo

3.3 Compile the lidsadm program

lidsadm is the administration utility for LIDS.
It is required to install this before rebooting your system with your new kernel, but it does not require the new kernel or patch to compile. It will compile and install with your original kernel.

   # cd lids_install_path/lidsadm-0.9pre4
   # make            (or make VIEW=1, to see the exact LIDS state)
   # make install

Read the README included in the LIDS package for details on compiling and running lidsadm.

3.4 Initialize the LIDS system

Now, before you reboot, you must configure your LIDS system to meet your security needs. You can define protected files, protected processes, etc. In the next chapter we will show you the details of this topic.

3.5 Reboot the system

After your system is configured, reboot the system. When lilo appears, select the LIDS-enabled kernel to load. After that, you enter the wonderful world of LIDS.

3.6 Sealing the kernel

After your system boots up, do not forget to seal the kernel with lidsadm. You can put the command in the last line of /etc/rc.local:

   # /sbin/lidsadm -I -- -CAP_SYS_RAWIO -CAP_NET_ADMIN

You can check the LIDS-HOWTO for a detailed list of all the options for lidsadm.

3.7 Online administration

After you seal the kernel, your system is protected by LIDS. You can run some tests on it. If you want to change a configuration, such as modifying a capability option, you can change your LIDS security level online by providing a password:

   # /sbin/lidsadm -S -- -LIDS

4. Configuring LIDS

In this chapter, we will show you how to configure LIDS.

4.1 Protect your files

First, you must determine which files you will protect. In most cases, you may protect the system binary files and system configuration files, such as /usr/, /sbin/, /etc/, /var/log/. Second, you must decide the way to protect the files. LIDS provides three protection types:

Read Only Files. Files marked Read Only cannot be changed by anybody. We can think of the following files as being in this category: /etc/passwd, /bin/passwd, etc.
USAGE: lidsadm -A -r filename_to_protect

Examples:

1. To protect the whole of /sbin/ as read-only:

   # /sbin/lidsadm -A -r /sbin/

2. To protect /etc/passwd as read-only:

   # /sbin/lidsadm -A -r /etc/passwd

Append Only Files. Most append-only files are system log files, such as /var/log/message and /var/log/secure. These files can only be opened in append mode; their previous contents cannot be truncated or modified.

USAGE: lidsadm -A -a filename_to_protect

Examples:

1. To protect the system log files:

   # /sbin/lidsadm -A -a /var/log/message
   # /sbin/lidsadm -A -a /var/log/secure

2. To protect the Apache httpd log files:

   # /sbin/lidsadm -A -a /etc/httpd/logs/
   # /sbin/lidsadm -A -a /var/log/httpd/

Here is the example from the LIDS-HOWTO by Philippe Biond:

   lidsadm -Z
   lidsadm -A -r /boot
   lidsadm -A -r /vmlinuz
   lidsadm -A -r /lib
   lidsadm -A -r /root
   lidsadm -A -r /etc
   lidsadm -A -r /sbin
   lidsadm -A -r /usr/sbin
   lidsadm -A -r /bin
   lidsadm -A -r /usr/bin
   lidsadm -A -r /usr/lib
   lidsadm -A -a /var/log

Note: If you protect /etc/lids.conf as read-only, you cannot change any attributes of any files unless you reboot the system with a non-LIDS kernel. Either protect this file last, after you have everything set up the way you like it, or protect it as append-only. To control where the lids.conf file is placed, you can edit this line in lidsadm.c to your liking and then recompile it:

   #define LIDS_CONF "/etc/lids.conf"

4.2 Protect your processes

LIDS can protect processes whose parent is init (pid=1). You must seal the kernel with the option below:

   # lidsadm -I -- +INIT_CHILDREN_LOCK

4.3 Protect with capabilities

Capabilities are like privileges you can give a process. A root process has all the capabilities. But there also exists a capabilities bounding set. In a normal kernel, when you remove a capability from the bounding set, nobody can ever use it again until the next reboot (see https://www.earthlink.net/internet/ for the normal use).
LIDS modifies this behavior to enable you to switch these on and off whenever you want. Access to /proc/sys/kernel/cap_bset is trapped and raises a security alert; lidsadm performs the whole job. You can list all the capabilities in LIDS by running lidsadm, and you can see the exact meaning of each capability. Here we discuss two of them.

CAP_SYS_RAWIO

With this capability on, we allow ioperm/iopl and /dev/port access, allow /dev/mem and /dev/kmem access, and allow raw block device (/dev/[sh]d??) access. When we disable this capability, we deny all processes on the system access to the raw devices, so that, for example, lilo cannot be run. But some processes may need this capability to run, such as XF86_SVGA. In this case, we can put the program in the exception list when we compile the kernel.

CAP_NET_ADMIN

This capability grants the following abilities:

- interface configuration
- administration of IP firewall, masquerading and accounting
- setting debug options on sockets
- modification of routing tables
- setting arbitrary process / process group ownership on sockets
- binding to any address for transparent proxying
- setting TOS (type of service)
- setting promiscuous mode
- clearing driver statistics
- multicasting
- read/write of device-specific registers

For security reasons, we should disable this to disallow network configuration changes. When it is disabled, the firewall rules cannot be changed.

Choosing the capabilities and sealing the kernel

You should choose which capabilities you want to disallow when sealing the kernel. Here we give an example. You may put it in an rc script (rc.local, /etc/init.d/lids, /etc/rc.d/init.d/lids, etc.), depending upon your distribution and the way you administer your system. The command is, for example:

    lidsadm -I -- -CAP_SYS_MODULE -CAP_SYS_RAWIO -CAP_SYS_ADMIN \
                  -CAP_SYS_PTRACE -CAP_NET_ADMIN \
                  +LOCK_INIT_CHILDREN

4.4 Network Security

LIDS provides some network security enhancements.
Network security with capabilities

With each capability, we can enhance network security: for example anti-sniffing, preventing binding to ports lower than 1024, and preventing changes to the firewall and routing rules. So, what I suggest is to view each capability definition carefully.

Scanner detector in the kernel

LIDS provides a scanner detector in the kernel in order to detect who has scanned your system. The detector can detect half-open scans, normal scans, etc., so scans made with tools like nmap and SATAN can be detected. It is useful when raw sockets are disabled. In this case it does not use any socket, so it is more secure than a user-space detector. If you want this feature, you should select it when you compile the kernel.

4.5 Intrusion response system

When LIDS detects a violation of the defined rules, it can respond to the action by the following methods.

Logging the message

When someone violates a rule, lids_security_log logs a message to klogd. The logging also has an anti-logging-flood capability; you can set it when compiling the kernel.

Logging the message via a mail server

LIDS now has a new feature to mail the message to your mail account. You can define the mail server IP, the outgoing mail address, etc. when compiling the kernel.

Shutting down the console

When a user violates a rule, LIDS will shut down that user's console.

5. Thanks

First of all, I want to thank my friend, Kate Lee, who always encouraged me to write documents like this. This document is dedicated to her. I also want to thank Philippe Biond and Christophe Long, who largely contributed to the project. Without them, the project could never have developed so well. Many thanks must also go to all the LIDS users. Without their contributions and discussions, LIDS could not have had so many great ideas.

Xie Huagang

May 16, 2000, Brittany Day