Linux Intrusion Detection System FAQ

Sander Klein

v.20, May 19th, 2003

This is the Linux Intrusion Detection System (LIDS) FAQ. It answers questions commonly asked on the LIDS mailing list (and more!).

The LIDS versions at the time this document was released were:

  • Kernel 2.4: 1.1.1 (stable) 1.1.2-rc6 (development)

  • Kernel 2.2: 0.11.0r2 (stable) 0.11.1pre1 (development)

  • Kernel 2.5: 2.0.3rc1 (development)


Table of Contents
1. Introduction to LIDS
1.1. What is LIDS?
1.2. Why use LIDS?
1.3. Where can I obtain LIDS?
1.4. Which versions of the Linux kernel are supported?
1.5. Is there a LIDS mailing list?
1.6. What about an archive?
1.7. Copyright & Disclaimer
1.8. Feedback
1.9. Credit
1.10. Translations
1.11. Revision History
1.12. To-do
1.13. Where can I get this faq?
2. Installing LIDS
2.1. How do I apply the LIDS kernel patch?
2.2. How do I install the LIDS administration utilities (lidsadm & lidsconf)?
2.3. What next?
2.4. When I try to compile lidsadm, gcc reports that lidstext.h doesn't exist. How do I fix this problem?
2.5. A note for Debian users...
2.6. I tried to apply the LIDS patch to kernel version 2.x.x-x that is shipped with my distro and I received errors. What's wrong?
3. lidsadm and lidsconf
3.1. What is lidsadm?
3.2. What is lidsconf?
3.3. What options are available for lidsadm?
3.4. What options are available for lidsconf?
3.5. Nice, what do all those capabilities mean?
4. LIDS Administration
4.1. How do I set my LIDS password?
4.2. How do I change my LIDS password once it is set?
4.3. What is a LIDS free session and how do I create one?
4.4. I created a LIDS free session, but LIDS still appears to be active! What's wrong?
4.5. How do I tell LIDS to reload its configuration files?
4.6. Help!!! My system is totally unusable! What do I do?
4.7. I've updated/moved a system binary. How do I tell LIDS that the file changed/moved?
4.8. OK, without rebooting, how do I completely disable LIDS?
4.9. What does it mean to "seal the kernel"?
4.10. How do I view the status of my LIDS system?
4.11. How do I configure the port scan detector in LIDS?
4.12. What are the subject and object in a LIDS ACL?
4.13. Can I enable/disable a system capability without modifying /etc/lids/lids.cap and reloading the configuration files?
4.14. I've reconfigured my LIDS ACLs, but my changes don't seem to take effect. What's wrong?
4.15. Why won't lidsconf -L list my ACLs?
4.16. Is there any way to reduce the number of LIDS violations that get reported on the console?
4.17. Should I be concerned about the LD_PRELOAD environment variable with LIDS?
4.18. When I boot up, the message "read password file error" appears. How do I fix the problem?
4.19. How do I check if LIDS is enabled/disabled?
5. Configuring LIDS
5.1. How do I protect a file as read only?
5.2. OK, so how do I protect a directory as read only?
5.3. How can I hide a file/directory from everyone?
5.4. How can I protect log files so they can only be appended to?
5.5. If nothing is allowed to read my /etc/shadow file, how can I authenticate myself to the system?
5.6. If I protect /etc as read only, how will mount be able to write to /etc/mtab?
5.7. LIDS complains that it can't write to my modules.dep file during startup. What's wrong?
5.8. If I protect my logs as append only, how will logrotated rotate my logs?
5.9. Why can't I just give my log rotation utility write access to the directory containing my log files so it can rotate them?
5.10. When LIDS is active, my file systems won't unmount during shutdown. What do I do?
5.11. Why can't I start a service that runs on a privileged port as root?
5.12. Why can't I start a service that runs on a privileged port from an LFS?
5.13. How do I disable/enable capabilities?
5.14. Why won't the X Window System work with LIDS enabled?
5.15. With all of these ACLs, how can I possibly keep track of my configuration?
5.16. How can I give init write access to /etc/initrunlvl so LIDS doesn't complain about it during startup and shutdown?
5.17. Can a process inherit file ACLs from its parent?
5.18. Help! I can't seem to get program xyz to work under LIDS. How do I determine what files/capabilities it needs access to?
5.19. How do I give passwd the proper permissions to update the /etc/shadow file?
5.20. Why doesn't ssh or scp work when LIDS is enabled?
5.21. Open-SSH won't start at boot time. LIDS reports that bash tried to access a hidden file. How can I fix this?
5.22. Some of my file systems won't unmount at shutdown because I have hidden processes running. How can I kill them?
5.23. I just want to start with a basic configuration. Can you recommend a setup that will provide additional protection and still leave most of my system functioning as normal?
5.24. Is it possible to limit access based on time of day?
5.25. How do I limit the ports that a program can bind to?
5.26. If I make /etc/mtab a symbolic link to /proc/mounts, will user quotas still work?
5.27. When I edit a file protected by LIDS, it appears to lose its LIDS protections. Why?
5.28. When I update my LIDS configuration some processes seem to lose their capabilities
6. Configuring Security Alerts
6.1. Which kernel configuration options do I need to select in order to send security alerts through the network?
6.2. Where do I specify the mail server information and e-mail address to send the LIDS alerts to?
6.3. LIDS can't seem to deliver alerts to my qmail SMTP server. Is there a fix for this?
7. Sample Configurations
7.1. Basic System Setup
7.2. Apache
7.3. Qmail
7.4. Dnscache & Tinydns (djbdns)
7.5. Courier-imap
7.6. MySQL
7.7. OpenSSH (3.4p1)
7.8. OpenLDAP (slapd)
7.9. Port Sentry
7.10. Samba
7.11. Linux HA heartbeat
7.12. Bind 9.x
7.13. Sendmail
7.14. Apcupsd
7.15. Pump
7.16. Snort
7.17. Getty
7.18. Login
7.19. Su
7.20. Exim
7.21. Qpopper
7.22. Proftp
7.23. Aproxy
7.24. Squid
7.25. Innd
7.26. Postfix
8. LIDS Technical
8.1. Will LIDS work with a file system other than ext2?
8.2. Will LIDS run on an SMP system?
8.3. Will LIDS coexist with Solar Designer's Openwall patch?
8.4. Will LIDS run on non-Intel hardware?
8.5. What is the difference between the 0.x, 1.x and 2.x versions of LIDS?