
Re: Is LIDS a good idea?



On Sun, Dec 02, 2001 at 08:47:41 +1000, mdevin@ozemail.com.au wrote:

> You have really inspired me to give this a go.  It sounds as though I
> have nothing to lose except time.  And in my opinion this may be time
> well spent as at least I will learn much about the root daemons.

Yes, you will. Definitely. If you deactivate every capability and have
it running on a fully-featured system, it will give you a lot of stuff
the daemons need and you have to configure.

One reason LIDS is great: you don't have to rewrite any source code to
use it, every program uses it by default, and it's mandatory.

One thing I forgot (and found before): if a daemon can't run properly,
it could happen, but doesn't have to, that you lose data (e.g. the
daemon can't write to the hard disk and it doesn't get handled properly). I
never found myself in this situation, but be prepared if the system is
fully loaded.

Don't forget to protect the lidsadm binary. This is the interface for
supplying a password to deactivate the features in the kernel.
The password can't be cracked directly (brute force or otherwise) because
of a trojaned lidsadm binary. But they [the attackers] could intercept
the password with a trojaned interface.

> Prior to doing this though, I am going to re-write my iptables firewall
> to include NAT (masquerading) for my internal LAN and install libsafe.

Give the openwall non-exec-stack patch a try. Many buffer overflows
(yet not every flavour is protected) will not work any more. Libsafe IIRC is
good for the format string vulns, but if you can, protect it in the
kernel.

Fefe did a start on writing diet libc for a better protected libc:
http://www.fefe.de/dietlibc/

> Then after setting up a DNS server on this box and squid, I will give
> LIDS a go.

If you have problems and need help, contact the lids-user mailing list
or ask here.

> So I guess I have a bit of work to do first.  And lots of learning :-)

As said, you don't have to rewrite any programs.

One further hint: if something [like a daemon] really doesn't work
anymore, deactivate LIDS globally, restart it and activate LIDS again. Also don't
forget to reload the configuration and to update the inode/dev table if
something doesn't work.

> Thanks for all the time you have put into educating me.  Much
> appreciated.

np.
