Intrusion Prevention and Active Response: Deploying Network and Host IPS

LIDS

The Linux Intrusion Detection System (LIDS) (www.lids.org) is an intrusion detection and prevention system that resides within the Linux kernel. It is a security enhancement to the Linux kernel consisting of a kernel patch and some administrative tools. LIDS implements mandatory access control, file protection, and process protection on the Linux system by restricting file access, network operations, raw device access, memory use and access, and input/output (I/O) access. LIDS provides the administrator with the ability to define and finely tune access controls. LIDS also contains a port scan detector.

LIDS provides protection, detection, and response within the kernel of the Linux system. It provides protection in the following ways:

  • Full file system protection of files and directories from unauthorized users and programs including protection from root.

  • Protection of important processes from being terminated.

  • Protection of RAW I/O operations from unauthorized programs including hard disk and master boot record (MBR) protection.

LIDS provides detection via the port scan detector and by monitoring any unauthorized system activity. The port scan detector functionality is built into the kernel. It will detect half-open scans and stealth scans such as FIN, Xmas, and Null scans. It can easily detect scans from tools like Nmap and Nessus.
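The scan types named above can be told apart by their TCP flag patterns. The following is an added illustration, not LIDS source code: the names `classify_stateless`, `classify_handshake`, `struct seg` and the `TCPF_*` constants are hypothetical, and the segments it is run on are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>

/* TCP header flag bits as laid out in the TCP header. */
#define TCPF_FIN 0x01
#define TCPF_SYN 0x02
#define TCPF_RST 0x04
#define TCPF_PSH 0x08
#define TCPF_ACK 0x10
#define TCPF_URG 0x20

enum probe { PROBE_NONE, PROBE_NULL, PROBE_FIN, PROBE_XMAS, PROBE_HALF_OPEN };

/* Classify the first segment seen for a port with no established
 * connection. Legitimate traffic there starts with a bare SYN. */
enum probe classify_stateless(uint8_t flags)
{
    flags &= 0x3f;                                  /* ignore ECE/CWR */
    if (flags == 0) return PROBE_NULL;              /* no flags set */
    if (flags == TCPF_FIN) return PROBE_FIN;        /* FIN with no session */
    if (flags == (TCPF_FIN | TCPF_PSH | TCPF_URG)) return PROBE_XMAS;
    return PROBE_NONE;
}

/* One observed segment of a single connection attempt. */
struct seg { int from_client; uint8_t flags; };

/* Half-open (SYN) scan: client SYN, server SYN|ACK, then the client
 * resets instead of sending the final ACK of the handshake. */
enum probe classify_handshake(const struct seg *s, size_t n)
{
    int state = 0;          /* 0: start, 1: SYN seen, 2: SYN|ACK seen */
    for (size_t i = 0; i < n; i++) {
        uint8_t f = s[i].flags & 0x3f;
        if (state == 0) {
            enum probe p = classify_stateless(f);
            if (p != PROBE_NONE) return p;
            if (!s[i].from_client || f != TCPF_SYN) return PROBE_NONE;
            state = 1;
        } else if (state == 1) {
            /* A closed port answers RST|ACK: nothing left to classify. */
            if (s[i].from_client || f != (TCPF_SYN | TCPF_ACK)) return PROBE_NONE;
            state = 2;
        } else {
            if (s[i].from_client && (f & TCPF_RST)) return PROBE_HALF_OPEN;
            return PROBE_NONE;      /* ACK completes a normal handshake */
        }
    }
    return PROBE_NONE;
}
```

A single reset handshake can also come from an aborted client, so a detector built on this would count such events per source across ports and time before raising an alert.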

LIDS can provide response in the following ways:

  • When a rule violation occurs, LIDS logs a detailed message about the violation to the system kernel log file, which is also protected by LIDS. LIDS logging has an anti-flooding capability.

  • Sending log messages via e-mail.

  • Automatically terminating...
