Configuring the LIDS intrusion detection system on RHEL4
2007-07-18 kenthy#qingdaonews.com
################################################################
System environment: RHEL4 [ 2.6.9-5.EL ]
Software environment:
linux-2.6.21.6.tar.gz []
lids-2.2.3rc1-2.6.21.patch []
lidstools-2.2.7.2.tar.gz []
[Note: the lids*.patch must match the version of the new kernel exactly (here 2.6.21); in this example the partition holding /usr/src/ needs at least 1.5 GB of free space for the source tree and build output]
[LIDS-FAQ: ]
Goal:
Use the lids kernel patch and the lidsadm/lidsconf management tools to protect and control access to important files, directories, executables and processes on the Linux system, and to detect and respond to scanning and intrusion attempts from outside.
################################################################
1. Build a new kernel with the lids patch applied, then reboot into it
# tar zxvf linux-2.6.21.6.tar.gz -C /usr/src/
# ln -s /usr/src/linux-2.6.21.6 /usr/src/linux
# cd /usr/src/linux
# patch -p1 < /usr/src/lids-2.2.3rc1-2.6.21.patch //the LIDS patch is a plain unified diff, not a tarball: apply it from the kernel source root (this assumes the patch file was placed in /usr/src/ next to the kernel tarball); check the output for "FAILED" or .rej files before going on
# cp /boot/config-2.6.9-5.EL ./.config //start from the RHEL4 stock config; menuconfig will pick defaults for options new since 2.6.9
# make menuconfig //select the following items, in this order, to be built into the kernel (=y, not =m). Be sure to turn off SELinux and Default Linux Capabilities (DLC) first, otherwise the LIDS menu does not appear under Security options:
Code maturity level options ---> [*]Prompt for development and/or incomplete code/drivers
General setup ---> [*]Configure standard kernel features (for small systems) ---> [*]Sysctl syscall support
File systems ---> Pseudo filesystems ---> [*]Sysctl support (/proc/sys)
Cryptographic options ---> [*]SHA256 digest algorithm
Security options ---> < >Default Linux Capabilities //must be deselected: it is an LSM and cannot be stacked with LIDS
Security options ---> [ ]NSA SELinux Support //must be deselected for the same reason
Security options ---> LIDS support ---> [*]Linux Intrusion Detection System support (EXPERIMENTAL)
Security options ---> LIDS support ---> [*]Attempt not to flood logs
Security options ---> LIDS support ---> [*]Allow switching the LFS and States
Security options ---> LIDS support ---> [*]Allow switching the Linux Free Session
Security options ---> LIDS support ---> [*]Restrict mode switching to specified terminals
Security options ---> LIDS support ---> [*]Allow mode switching from a Linux Console
Security options ---> LIDS support ---> [*]Allow mode switching from a serial Console
Security options ---> LIDS support ---> [*]Allow mode switching from a PTY
Security options ---> LIDS support ---> [*]Shrink the size of ACLs
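Before starting the build it pays to confirm that the saved .config really contains what was selected above: an option left as =m instead of =y, or SELinux still enabled, means the LIDS menu was never shown and the kernel will be built without it, which only becomes visible an hour later when lidsadm reports no LIDS support. The script below is an added example and is not part of the original article or of the LIDS project. It checks a .config file for the options listed in this step. The core kernel symbol names (CONFIG_SYSCTL, CONFIG_CRYPTO_SHA256, CONFIG_SECURITY_SELINUX, ...) are standard; the CONFIG_LIDS_* names are assumed from the LIDS 2.2 Kconfig and may need adjusting for another patch release, and the two sample .config files it writes are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original article or the LIDS project): verify
# that a kernel .config carries the options LIDS needs before running make.
# Core kernel symbol names are standard; the CONFIG_LIDS_* names are an
# assumption taken from the LIDS 2.2 Kconfig and may differ in other releases.

# Options that must be built in (=y). A module (=m) is not good enough for
# LIDS itself or for the LSM framework it hooks into.
REQUIRED_Y="CONFIG_EXPERIMENTAL CONFIG_SYSCTL CONFIG_SYSCTL_SYSCALL
CONFIG_PROC_SYSCTL CONFIG_CRYPTO_SHA256 CONFIG_SECURITY
CONFIG_LIDS CONFIG_LIDS_ALLOW_SWITCH CONFIG_LIDS_ALLOW_LFS"

# Options that must not be set at all (neither =y nor =m): LIDS is an LSM
# and cannot be stacked with SELinux or the default capabilities module.
FORBIDDEN="CONFIG_SECURITY_SELINUX CONFIG_SECURITY_CAPABILITIES"

# config_value FILE SYMBOL: print the value of SYMBOL (y, m, a string) or
# nothing when it is unset ("# SYMBOL is not set" lines do not match).
config_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_lids_config FILE: return 0 when every requirement holds, 1 otherwise.
# Each problem is reported on stdout so the caller can count or grep them.
check_lids_config() {
    cfg=$1
    rc=0
    for sym in $REQUIRED_Y; do
        if [ "$(config_value "$cfg" "$sym")" != "y" ]; then
            echo "MISSING  $sym must be =y (built in, not a module or unset)"
            rc=1
        fi
    done
    for sym in $FORBIDDEN; do
        v=$(config_value "$cfg" "$sym")
        if [ -n "$v" ]; then
            echo "CONFLICT $sym=$v must be disabled (it hides the LIDS menu)"
            rc=1
        fi
    done
    return $rc
}

# Two constructed .config fragments for the demonstration (left in a temp
# directory for inspection). The first is what menuconfig should have saved;
# the second shows the common failure: SELinux still on, SHA256 as a module,
# and therefore no CONFIG_LIDS at all because the menu never appeared.
TMPDIR_LIDS=$(mktemp -d)
GOOD_CFG=$TMPDIR_LIDS/config.good
BAD_CFG=$TMPDIR_LIDS/config.bad

cat > "$GOOD_CFG" <<'EOF'
CONFIG_EXPERIMENTAL=y
CONFIG_SYSCTL=y
CONFIG_SYSCTL_SYSCALL=y
CONFIG_PROC_SYSCTL=y
CONFIG_CRYPTO_SHA256=y
CONFIG_SECURITY=y
# CONFIG_SECURITY_CAPABILITIES is not set
# CONFIG_SECURITY_SELINUX is not set
CONFIG_LIDS=y
CONFIG_LIDS_NO_FLOOD_LOG=y
CONFIG_LIDS_ALLOW_SWITCH=y
CONFIG_LIDS_ALLOW_LFS=y
EOF

cat > "$BAD_CFG" <<'EOF'
CONFIG_EXPERIMENTAL=y
CONFIG_SYSCTL=y
CONFIG_SYSCTL_SYSCALL=y
CONFIG_PROC_SYSCTL=y
CONFIG_CRYPTO_SHA256=m
CONFIG_SECURITY=y
CONFIG_SECURITY_CAPABILITIES=m
CONFIG_SECURITY_SELINUX=y
EOF

echo "== $GOOD_CFG"
check_lids_config "$GOOD_CFG" && echo "OK: kernel config is ready for LIDS"
echo "== $BAD_CFG"
check_lids_config "$BAD_CFG" || echo "FIX: rerun make menuconfig before building"
```

To use it on the real tree, replace the constructed paths with `check_lids_config /usr/src/linux/.config`; a non-zero return means fix the configuration before `make`. Checking the saved file rather than trusting the menu also catches a .config that was overwritten by a later `make oldconfig` run.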
# make bzImage && make modules && make modules_install //"make dep" belongs to 2.4 kernels and is not needed for 2.6
# make install //copies the kernel and initrd into /boot and adds a grub entry; check /boot/grub/grub.conf and keep the old 2.6.9-5.EL entry as a fallback before rebooting
2. Build and install the lidsadm management tools
# tar zxvf lidstools-2.2.7.2.tar.gz -C /usr/src/
# cd /usr/src/lidstools-2.2.7.2
# ./configure KERNEL_DIR=/usr/src/linux
# make && make install //set the lids administration password when prompted; it is needed later for every lidsadm -S switch
3. Enable lids
# lidsconf -U //refresh the inode/device numbers recorded in the default ACLs for the new kernel
# lidsconf -U BOOT
# lidsconf -U POSTBOOT
# lidsconf -U SHUTDOWN //same for the per-state ACL files; rerun these whenever a protected file is replaced, since a new inode no longer matches the stored rule
# echo '/sbin/lidsadm -I' >> /etc/rc.local //seal the kernel at the end of every boot
# lidsadm -I //normally run once the system has finished booting; seals the kernel so that the configured ACLs and capability set take effect
# reboot //boot the new kernel from the grub menu
4. Configure and use lids
# lidsadm -V //show whether lids is enabled and which mode is active
# lidsadm -S -- -LIDS //disable lids in the current shell and its child processes (a LIDS Free Session; asks for the admin password)
# lidsadm -S -- +LIDS //re-enable lids in the current shell and its children
# lidsadm -S -- -LIDS_GLOBAL //turn off all lids protection system-wide
# lidsadm -S -- +LIDS_GLOBAL //turn all lids protection back on system-wide
# lidsadm -S -- +RELOAD_CONF //reload the edited /etc/lids/lids.conf configuration into the running kernel
# lidsconf -P //change the lids administration password
# lidsconf -L //list the configured ACLs
[File and process protection:]
# lidsconf -A POSTBOOT -o /etc/shadow -j DENY //in the POSTBOOT state deny everyone access to /etc/shadow and hide the file
# lidsconf -A POSTBOOT -s /bin/login -o /etc/passwd -j READ
# lidsconf -A POSTBOOT -s /bin/login -o /etc/shadow -j READ //only the login program may read passwd and shadow, even though shadow is hidden from everything else
# lidsconf -A -o /etc/secret/ -j READONLY //make the /etc/secret directory read-only
# lidsconf -A BOOT -o /var/log/boot.log -j APPEND //boot.log may only be appended to, and only in the BOOT state
# lidsconf -A POSTBOOT -o /sbin/specfile -j IGNORE //exempt specfile, in the POSTBOOT state, from the protection it would inherit from the rule on /sbin/
# lidsconf -A -s /usr/sbin/httpd -o /etc/httpd -j READ //only the httpd program may access (read) the /etc/httpd directory
# lidsconf -A -s /usr/sbin/httpd -o CAP_NET_BIND_SERVICE 80 -i -1 -j GRANT //only httpd may bind port 80; -i -1 passes the grant on to all of its child processes
# lidsconf -A -s /sbin/syslogd -o LIDS_CAP_PROTECTED -j ENABLE //protect the syslogd process so that it does not respond to kill signals
# lidsconf -A -s /usr/sbin/httpd -o CAP_HIDDEN -j GRANT //hide the httpd processes from ps and other process management tools
[Note: a GRANT rule for a capability only has an effect once that capability has been removed from the global set in /etc/lids/lids.cap, otherwise every process still has it. New ACLs refer to inode numbers, so after editing rules or replacing a protected binary run lidsconf -U again and then lidsadm -S -- +RELOAD_CONF from a LIDS Free Session, and check the result with lidsconf -L.]
[To be revised and supplemented…………]