
Re: Is LIDS a good idea?



On Fri, Nov 30, 2001 at 11:31:08AM +1000, mdevin@ozemail.com.au wrote:
> I just stumbled upon this LIDS (Linux Intrusion Detection/Defense
> System)  see: http://www.lids.org
> 
> I just wanted to know if anyone is using this and what they think of it.
> Is it hard to set up?  What happens when you do an apt-get dist-upgrade
> - will it refuse to change the binaries you want to upgrade?  Is
>   something like Tripwire / AIDE better because it doesn't stop root
> from changing/deleting files but will tell you later which ones have
> changed.
> 
> Anyone with any experience in using this LIDS?

I've been using lids for a while. It has the potential of giving you
quite good security in the case you do get broken into (i.e., it would be
damn near impossible to install a usable root kit). It is also fairly
easy to work with, all things considered. But it does come at a price:
developing a system that is both secure and functional (even functioning
at all) is tricky and a good deal of work. Having said that, I feel that
lids is a pretty good product. For example, one of the big problem areas
in using mandatory access controls (MACs) is system startup. With lids
you can choose exactly when to start enforcing the controls, which is
nice since that allows you to get most of your system up and running
before activating lids. After that you can turn the access controls on
or off by giving a passphrase, so if you need to install packages or
whatever you can just turn them off for a bit. One really nice feature
of lids when doing that is that permissions are relaxed for that tty
only... access controls are still enforced for all other users.

I recommend giving it a shot if you are interested in strong security
and are willing to put in a fair amount of work for it.

-- 
John Patton                      patton66@home.com

"Everything should be as simple as it is, but not simpler."
-Albert Einstein


