On Sun, Dec 02, 2001 at 08:47:41 +1000, [EMAIL PROTECTED] wrote:
> You have really inspired me to give this a go. It sounds as though I
> have nothing to lose except time. And in my opinion this may be time
> well spent as at least I will learn much about the root daemons.

Yes, you will. Definitely. If you deactivate every capability and run it on a fully-featured system, it will show you a lot of stuff the daemons need and you have to configure. One reason why LIDS is great: you don't have to rewrite any source code to use it, every program uses it by default, and it's mandatory.

One thing I forgot (and found before): if a daemon can't run properly, it could be (but doesn't have to be) that you lose data (e.g. the daemon can't write to the hard disk and that doesn't get handled properly). I never found myself in this situation, but be prepared if the system is fully loaded.

Don't forget to protect the lidsadm binary. This is the interface for supplying a password to deactivate the features in the kernel. The password can't be cracked directly (brute force or otherwise) because of a trojaned lidsadm binary. But they [the attackers] could intercept the password with a trojaned interface.

> Prior to doing this though, I am going to re-write my iptables firewall
> to include NAT (masquerading) for my internal LAN and install libsafe.

Give the openwall non-exec-stack patch a try. Many buffer overflows (though not every flavour is protected against) will not work any more. Libsafe IIRC is good for the format string vulns, but if you can, protect it in the kernel. Fefe made a start on writing diet libc for a better protected libc: http://www.fefe.de/dietlibc/

> Then after setting up a DNS server on this box and squid, I will give
> LIDS a go.

If you have problems and need help, contact the lids-user mailing list or ask here.

> So I guess I have a bit of work to do first. And lots of learning :-)

As said, you don't have to rewrite any programs. One further hint: if something [like a daemon] really doesn't work any more, deactivate LIDS globally, restart it and activate LIDS again. Also don't forget to reload the configuration and to update the inode/dev table if something doesn't work.

> Thanks for all the time you have put into educating me. Much
> appreciated.

np.