1. Introduction

With increasing popularity of Linux on Internet , more and more security holes are found in the current GNU/Linux system. You may hear from the Internet that --ooh, There are bugs found in Linux, which will cause the system to be easily compromised by hacker.

Since the Linux is an art of open source community, security holes can be found easily and can also be patched quickly. But when the hole is disclose to the public, and the administrator is too lazy to patch the hole. It is very easy to break into the current system and it is worse that the hacker can get the root shell. With the current GNU/linux system, he can do whatever he want. Now, you may ask, what is the problem and what can we do?

1.1 What is wrong with the current GNU/Linux system.

• superuser (root) may abuse the rights Being a root, he can do whatever he want. Even the capability existing in the current the system. As a root, he can easily change the capability.
• Many system files can be changed easily. There are many important files, such as /bin/login, in the system. if the hacker come in, he can upload a changed login program to replace /bin/login , so he can relogin without any login name of password. But the files do not need to chang frequently, unless you want to upgrade the system.
• Modules is easily used to intercept the kernel. Module is a good design for the linux kernel to make the linux kernel more modulized and more felixible. But after the modules inserted into the kernle, it will be part of the kernel and can do what the original kernel can do. Therefore some unfriendly code could be written as a modules and inserted into to kernel, the code can even redirect the system call and act like a virus.

• Process is unprotected. Certain processes, such as web server daemon, which are critical to to system is not under strict protection. Therefore, there are vulnerable to the attack of hackers.

1.2 What is the idea behide LIDS.

• To protect important files. Since the files can be easily changed by root, why not restrict the file operation ? so, LIDS change the file system call in the kernel to enhance security. Every time someone access a file, he will involve in a system call and then we can check the filename and see whether the file has been protected or not. If it has been protected, we can then deny the request of the visitor.
• To protect important process. There is a little bit different from the above idea to protect the process. When a process is running in the system, he will have an entry to the /proc filesystem with a pid as diretory name, so if you type "ps -axf" you can display the current running processes. You may wonder how to protect certain process. If you want to kill a process, firstly, you type "ps" to get the process's PID, secondly, you type "kill <pid>" to kill it. If I makethe process invisible to you, how can you kill the process? Therefore, what LIDS does to protect the process is to hide the process from everybody.

  Another important method is to protect some important process is to make it unkillable by anybody, include root. LIDS can protect the process whose parent is init (pid = 1).

• To seal the kernel. Since we want to insert some necessary modules into the kernel for use , we also don't allow anybody include root to insert the modules. How to balance this to pardox things. Well, we can use the concept provided and first impletemetated by John Carol Langford (jcl@gs176.sp.cs.cmu.edu). We just allow the system insert the modules into the system while the system boot up, then we seal the kernel, after sealing, the kernel do not allow anyone to insert modules into the kernel. Using the seal concept, we can use it to protect the important files, process --- we just change the necessary files or run the necessary process while the system is booting up, and after sealing the kernel, we can not make any change on the files again.