At some point you will need to change the protected system. How can this be done? LIDS provides two ways.
LIDS defines two levels in the kernel: security and no security. By default, security is on. If you want to change it, enter "security=0" at the boot prompt when the system reboots.
There is a global variable in the kernel named lids_load; it indicates whether the LIDS security system is on or not. It defaults to "1" (on).
If you enter "security=0" when the LILO prompt appears, lids_load is set to "0" and all security protection by LIDS is bypassed. The system then behaves as if it had no LIDS protection at all.
/* variables defined in fs/lids.c */
int lids_reload_conf=0;
int lids_load=0;        /* raised to 1 when the kernel boots */
int lids_local_on=1;
int lids_local_pid=0;

/* in init/main.c */
#ifdef CONFIG_LIDS
/* boot-time value parsed from "security=", copied into lids_load below
 * (this declaration is not shown on the page; assumed to default to 1, on) */
static int _lids_load = 1;

/*
 * lids_setup: read the "security=" boot option.
 * ints[0] holds the number of values given, ints[1] the first value.
 */
static void __init lids_setup(char *str, int *ints)
{
        if (ints[0] > 0 && ints[1] >= 0)
                _lids_load = ints[1];          /* <== "security=0" lands here */
}
#endif
....
/* init LIDS when the system boots up */
static void __init do_basic_setup(void)
{
        ......
        /* Mount the root filesystem.. */
        mount_root();
#ifdef CONFIG_LIDS
        /* init the ids file system */
        lids_load = _lids_load;               /* <== the boot value becomes the kernel state */
        lids_local_on = _lids_load;
        lids_flags = lids_load * (LIDS_FLAGS_LIDS_ON | LIDS_FLAGS_LIDS_LOCAL_ON);
        printk("Linux Intrusion Detection System %s \n", lids_load==1 ? "starts" : "stops"); /* <== boot message */
        init_vfs_security();
#endif
        ......
}
When the system boots up you will see "Linux Intrusion Detection System 0.9 starts" when LIDS protection is switched on, or "Linux Intrusion Detection System 0.9 stops" when security is off. "0.9" is the current LIDS version.
At other times you may want to change the security level online. To do so you must turn CONFIG_LIDS_ALLOW_SWITCH on and also fill in the "RipeMD-160 encrypted password" field when configuring the kernel, before compiling it.
The password hash can be obtained by running the command "lidsadm -P".
With the provided password, LIDS can authenticate the user who is allowed to switch the kernel security level on and off.
The switch itself is performed by lidsadm with the parameter "-S", for example,
# /sbin/lidsadm -S -- -LIDS
SWITCH
Password:xxxxxx
#
After the correct password is entered, you can switch LIDS security off.
Let's look at the kernel code to see how it does this:
/* in fs/lids.c: lids_proc_locks_sysctl() */
int lids_proc_locks_sysctl(ctl_table *table, int write, struct file *filp,
                           void *buffer, size_t *lenp, int conv, int op)
{
        lids_locks_t locks;
        byte hashcode[RMDsize/8];     /* RMDsize is 160 bits, so a 20-byte digest */
        char rmd160sig[170];          /* hex form of the digest: 40 characters plus NUL */
        int i;
        .......
        locks.passwd[sizeof(passwd_t)-1]=0;  /* We don't take the risk */
        rmd160sig[0]=0;
#ifdef CONFIG_LIDS_ALLOW_SWITCH
        /* hash the supplied password unless this is the initial write with an empty one */
        if ((!lids_first_time) || (locks.passwd[0])) {
                RMD((byte *)locks.passwd, hashcode);
                memset((char *)locks.passwd, '\0', sizeof(passwd_t));  /* wipe the cleartext */
                for (i=0; i<RMDsize/8; i++)
                        sprintf(rmd160sig+2*i, "%02x", hashcode[i]);
        }
        /* grant if: first write with an empty password, or the digest matches the compiled-in one */
        if ( ((lids_first_time) && (!locks.passwd[0])) ||
             (!strncmp(rmd160sig, CONFIG_LIDS_RMD160_PASSWD, 160)) ) {   /* <== password check */
#else
        if ((lids_first_time) && (!locks.passwd[0])) {
#endif
                /* access granted ! */
                number_failed=0;
                if (lids_process_flags(locks.flags)) {
                        cap_bset=locks.cap_bset;
                        lids_security_alert("Changed: cap_bset=0x%x lids_flags=0x%x", cap_t(cap_bset), lids_flags);
                }
                lids_first_time=0;
        }
        ........
}
Once the password check succeeds, lids_process_flags() changes the current LIDS flags so that LIDS is off, and you can then do what you need to do. See lids_process_flags() in fs/lids.c for the details.
When you switch LIDS protection off, you have two choices. First, switch it off globally: every other console is then also unprotected by LIDS. Second, switch it off only locally: on other consoles the whole system remains protected by LIDS, which improves security.
The detailed implementation is in lids_process_flags() in fs/lids.c.