The Linux Intrusion Detection System (LIDS) is a kernel patch plus a set of admin tools that enhance the kernel's security. It implements a reference monitor and Mandatory Access Control in the Linux kernel. When it is in effect, access to chosen files, every system and network administration operation, any capability use, and raw device, memory and I/O access can be made impossible even for root. It uses and extends the system capability bounding set to control the whole system, and adds network and file-system security features in the kernel. You can fine-tune the security protections online, hide sensitive processes, receive security alerts over the network, and more.
In short, with its security model implemented in the kernel, LIDS provides protection, detection and response in the Linux system.
For more information about the security model of LIDS, please refer to the LIDS Hacking HOWTO.
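The paragraph above says LIDS builds its "impossible even for root" controls on the kernel capability bounding set. As an added example that is not LIDS code, the following C program audits which of the powerful capabilities the text singles out (raw device, memory and I/O access, module loading, administration) are still reachable on a modern Linux host; it assumes a 2.6.25+ kernel with the per-thread bounding set exposed through prctl(PR_CAPBSET_READ), whereas LIDS-era kernels used a single system-wide set.

```c
/* Added example (not part of LIDS): audit the capability bounding set.
 * Assumes Linux 2.6.25+ where each thread carries a bounding set that
 * prctl(PR_CAPBSET_READ) can query without privilege. A capability dropped
 * from the bounding set cannot be regained by this process or its children,
 * which is the same lever LIDS used to restrict root. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Returns 1 if cap is in the bounding set, 0 if it has been dropped,
 * -1 (errno = EINVAL) if cap is not a valid capability number. */
int cap_in_bounding_set(int cap)
{
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Capabilities matching the operations LIDS locks down. */
struct dangerous_cap { int cap; const char *name; };

static const struct dangerous_cap DANGEROUS[] = {
    { CAP_SYS_RAWIO,  "CAP_SYS_RAWIO  (raw disk, /dev/mem, I/O ports)" },
    { CAP_SYS_MODULE, "CAP_SYS_MODULE (load kernel modules)" },
    { CAP_SYS_ADMIN,  "CAP_SYS_ADMIN  (mount and many admin operations)" },
    { CAP_NET_ADMIN,  "CAP_NET_ADMIN  (network configuration)" },
    { CAP_SYS_PTRACE, "CAP_SYS_PTRACE (inspect other processes)" },
};
#define NDANGEROUS (sizeof DANGEROUS / sizeof DANGEROUS[0])

/* Prints one line per capability and returns how many are still reachable. */
int audit_bounding_set(void)
{
    int reachable = 0;
    for (size_t i = 0; i < NDANGEROUS; i++) {
        int r = cap_in_bounding_set(DANGEROUS[i].cap);
        if (r < 0) { perror("prctl(PR_CAPBSET_READ)"); continue; }
        printf("%-50s %s\n", DANGEROUS[i].name, r ? "REACHABLE" : "dropped");
        reachable += r;
    }
    return reachable;
}

int main(void)
{
    int n = audit_bounding_set();
    printf("%d of %zu dangerous capabilities still in the bounding set\n",
           n, NDANGEROUS);
    return 0;
}
```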
LIDS provides the following protection:
And more.
When someone scans your host, LIDS can detect it and inform the administrator. LIDS can also notice any activity on the system that violates its rules.
When someone violates the rules, LIDS can log a detailed message about the violating action to the system log file, which is itself protected by LIDS. LIDS can also send the log message to your mailbox. In this case, LIDS can also shut down the user's session at once.