
Re: Is LIDS a good idea?



On Fri, Nov 30, 2001 at 02:11:04PM +0100, Mathias Gygax wrote:
> On Fre, Nov 30, 2001 at 11:31:08 +1000, mdevin@ozemail.com.au wrote:
> > I just wanted to know if anyone is using this and what they think of
> > it. 
> 
> I think it's a good protection that brings a linux system a step
> further in the direction of having a finer tuneable system that doesn't
> depend too much on a single user.
> 
> > Is it hard to set up? 
> 
> It would be *very* nice to have labor to test this stuff out. To
> effectively configure it, you must have a real world load on the machine
> where many users try to access their data. This was, for me, a hairy
> step.
> 
> --- snip ---
> several steps outlined on how to install and set up LIDS
> --- snip ---
> 
> After you have a mini LIDS configured system, with basically configured
> filesystem and daemons, you boot the system.
> 
> Many daemons will fail to boot at this step (because e.g. they could not
> bind to port 80 'cause of lack of access to the capability
> CAP_NET_SYS_BIND_SERVICE). Try to login (hope, you have configured
> /bin/login properly). If something goes wrong, you can reboot with LIDS
> disabled and do admin stuff as usual.
>
> --- more steps to follow ---
> 
> After things go well, you protected filesystem and capabilities and the
> system runs with required security, you can fine tune it. "Does this
> daemon really need it for running? Can this file/directory be secured
> and everything runs well?"
>
Sounds as though I may need a little more knowledge than I currently
have.  But on the other hand, if I do go down this path of installing
and configuring LIDS and manage to get it to work then I will have
learnt LOTS about all the daemons that I run on this box.

I must admit:  I don't really need the level of security I strive for.
It is not as if I am the admin for a major company.  I just use this
stuff at home and enjoy the challenge of setting things up.  I am
studying Information Technology at University and so it is all useful
experience I guess.  Right now, I have some spare time because it is the
Summer Break in Australia.

The only question I have left at this stage before I decide to give it a
go is:

Is it easy to get rid of it, if it causes me more trouble than it is
worth?  What I mean is: If I have trouble and decide that I don't want
LIDS anymore, can I boot into single user mode with LIDS deactivated and
then reinstall a previous kernel without LIDS?

For example: If I make a boot floppy with a kernel without LIDS, can I
just boot from this and everything will run as it was before I installed
LIDS?  Or, will some of the changes that LIDS does to the filesystems or
files render them unreadable by other non-LIDS kernels?

Thanks for all the information.  Much of what you said has inspired me
to give it a go.  I was just going to go with Tripwire / AIDE but LIDS
seems to add quite a lot of functionality.

ps. In terms of overall security, I do have a fairly decent iptables
firewall - with currently no ports open to the outside.  I haven't even
allowed SSH yet - but I will (on a non-standard port).  It seems to me
that the next steps for me to take for my security are to install LIDS
and libsafe.

Thanks for all the replies.
Regards.
Mark.
