diff options
Diffstat (limited to 'docs/docs/stable/mcc-help/en/msecgui.xml')
| -rw-r--r-- | docs/docs/stable/mcc-help/en/msecgui.xml | 372 |
1 files changed, 372 insertions, 0 deletions
diff --git a/docs/docs/stable/mcc-help/en/msecgui.xml b/docs/docs/stable/mcc-help/en/msecgui.xml new file mode 100644 index 00000000..161c25d6 --- /dev/null +++ b/docs/docs/stable/mcc-help/en/msecgui.xml @@ -0,0 +1,372 @@ +<?xml version='1.0' encoding='utf-8'?><section xmlns="http://docbook.org/ns/docbook" xmlns:ns5="http://www.w3.org/1998/Math/MathML" xmlns:ns4="http://www.w3.org/2000/svg" xmlns:ns3="http://www.w3.org/1999/xhtml" xmlns:ns2="http://www.w3.org/1999/xlink" xmlns:ns="http://docbook.org/ns/docbook" version="5.0" xml:id="msecgui"> + <info> + <title xml:id="msecgui-ti1">MSEC: System Security and Audit</title> + + <subtitle>msecgui</subtitle> + </info> + + <!-- written by Lebarhon 2014/01/03 To be checked--> + + + <mediaobject> + <imageobject> + <imagedata xml:id="msecgui-im1" revision="1" fileref="msecgui.png" align="center" format="PNG"/> + </imageobject> + </mediaobject> + + + <section> + <title>Presentation</title> + + <para>msecgui<footnote><para>You can start this tool from the command + line, by typing <emphasis role="bold">msecgui</emphasis> as root.</para> + </footnote> is a graphic user interface for msec that allows to configure + your system security according to two approaches:</para> + + <itemizedlist> + <listitem> + <para>It sets the system behaviour, msec imposes modifications to the + system to make it more secure.</para> + </listitem> + + <listitem> + <para>It carries on periodic checks automatically on the system in + order to warn you if something seems dangerous.</para> + </listitem> + </itemizedlist> + + <para>msec uses the concept of "security levels" which are intended to + configure a set of system permissions, which can be audited for changes or + enforcement. Several of them are proposed by Mageia, but you can define + your own customised security levels.</para> + </section> + + <section> + <title>Overview tab</title> + + <para>See the screenshot above</para> + + <para>The first tab takes up the list of the different security tools with + a button on the right side to configure them:</para> + + <itemizedlist> + <listitem> + <para>Firewall, also found in the MCC / Security / Set up your + personal firewall</para> + </listitem> + + <listitem> + <para>Updates, also found in MCC / Software Management / Update your + system</para> + </listitem> + + <listitem> + <para>msec itself with some information:</para> + + <itemizedlist> + <listitem> + <para>enabled or not</para> + </listitem> + + <listitem> + <para>the configured Base security level</para> + </listitem> + + <listitem> + <para>the date of the last Periodic checks and a button to see a + detailed report and another button to execute the checks just + now.</para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + </section> + + <section> + <title>Security settings tab</title> + + <para>A click on the second tab or on the Security + <guibutton>Configure</guibutton> button leads to the same screen shown + below.</para> + + <mediaobject> + <imageobject> + <imagedata fileref="msecgui2.png"/> + </imageobject> + </mediaobject> + + + <section> + <title>Basic security tab</title> + + <para role="underline"> + <emphasis role="underline">Security levels:</emphasis> + </para> + + <para>After having checked the box <guilabel>Enable MSEC + tool</guilabel>, this tab allows you by a double click to choose the + security level that appears then in bold. If the box is not checked, the + level « none » is applied. The following levels are available:</para> + + <orderedlist numeration="arabic"> + <listitem> + <para>Level <emphasis role="bold">none</emphasis>. This level is + intended if you do not want to use msec to control system security, + and prefer tuning it on your own. It disables all security checks + and puts no restrictions or constraints on system configuration and + settings. Please use this level only if you are knowing what you are + doing, as it would leave your system vulnerable to attack.</para> + </listitem> + + <listitem> + <para>Level <emphasis role="bold">standard</emphasis>. This is the + default configuration when installed and is intended for casual users. + It constrains several system settings and executes daily security + checks which detect changes in system files, system accounts, and + vulnerable directory permissions. (This level is similar to levels 2 + and 3 from past msec versions).</para> + </listitem> + + <listitem> + <para>Level <emphasis role="bold">secure</emphasis>. This level is + intended when you want to ensure your system is secure, yet usable. + It further restricts system permissions and executes more periodic + checks. Moreover, access to the system is more restricted. (This + level is similar to levels 4 (High) and 5 (Paranoid) from old msec + versions).</para> + </listitem> + + <listitem> + <para>Besides those levels, different task-oriented security are + also provided, such as the <emphasis role="bold">fileserver + </emphasis>, <emphasis role="bold">webserver</emphasis> and + <emphasis role="bold">netbook</emphasis> levels. Such levels + attempt to pre-configure system security according to the most common + use cases.</para> + </listitem> + + <listitem> + <para>The last two levels called <emphasis role="bold">audit_daily + </emphasis> and <emphasis role="bold">audit_weekly</emphasis> are + not really security levels but rather tools for periodic checks + only.</para> + </listitem> + </orderedlist> + + <para>These levels are saved in + <filename>/etc/security/msec/level.<levelname></filename>. You can + define your own customised security levels, saving them into specific + files called <filename>level.<levelname></filename>, placed into + the folder <filename>/etc/security/msec/.</filename> This function is + intended for power users which require a customised or more secure + system configuration.</para> + + <caution> + <para>Keep in mind that user-modified parameters take precedence over + default level settings.</para> + </caution> + + <para> + <emphasis role="underline">Security alerts:</emphasis> + </para> + + <para>If you check the box <guibutton>Send security alerts by email + to:</guibutton>, the security alerts generated by msec are going to be + sent by local e-mail to the security administrator named in the nearby + field. You can fill either a local user or a complete e-mail address + (the local e-mail and the e-mail manager must be set accordingly). At + last, you can receive the security alerts directly on your desktop. + Check the relevant box to enable it.</para> + + <important> + <para>It is strongly advisable to enable the security alerts option + in order to immediately inform the security administrator of possible + security problems. If not, the administrator will have to regularly + check the logs files available in + <filename>/var/log/security.</filename></para></important> + + <para><emphasis role="underline">Security options:</emphasis></para> + + <para>Creating a customised level is not the only way to customise the + computer security, it is also possible to use the tabs presented here + after to change any option you want. Current configuration for msec is + stored in <filename>/etc/security/msec/security.conf</filename>. This + file contains the current security level name and the list of all the + modifications done to the options.</para> + </section> + + <section> + <title>System security tab</title> + + <para>This tab displays all the security options on the left side + column, a description in the centre column, and their current values on + the right side column.</para> + + <mediaobject> + <imageobject> + <imagedata fileref="msecgui3.png"/> + </imageobject> + </mediaobject> + + <para>To modify an option, double click on it and a new window appears + (see screenshot below). It displays the option name, a short + description, the actual and default values, and a drop down list where + the new value can be selected. Click on the <guibutton>OK</guibutton> + button to validate the choice.</para> + + <mediaobject> + <imageobject> + <imagedata fileref="msecgui11.png"/> + </imageobject> + </mediaobject> + + <caution> + <para>Do not forget when leaving msecgui to save definitively your + configuration using the menu <guimenu>File -> Save the + configuration</guimenu>. If you have changed the settings, msecgui + allows you to preview the changes before saving them.</para> + </caution> + + <mediaobject> + <imageobject> + <imagedata fileref="msecgui10.png"/> + </imageobject> + </mediaobject> + </section> + + <section> + <title>Network security</title> + + <para>This tab displays all the network options and works like the + previous tab</para> + + <mediaobject> + <imageobject> + <imagedata fileref="msecgui4.png"/> + </imageobject> + </mediaobject> + </section> + + <section> + <title>Periodic checks tab</title> + + <para>Periodic checks aim to inform the security administrator by means + of security alerts of all situations msec thinks potentially + dangerous.</para> + + <para>This tab displays all the periodic checks done by msec and their + frequency if the box <guibutton>Enable periodic security + checks</guibutton> is checked. Changes are done like in the previous + tabs.</para> + + <mediaobject> + <imageobject> + <imagedata fileref="msecgui5.png"/> + </imageobject> + </mediaobject> + </section> + + <section> + <title>Exceptions tab</title> + + <para>Sometimes alert messages are due to well known and wanted + situations. In these cases they are useless and wasted time for the + administrator. This tab allows you to create as many exceptions as you + want to avoid unwanted alert messages. It is obviously empty at the + first msec start. The screenshot below shows four exceptions.</para> + + <mediaobject> + <imageobject> + <imagedata fileref="msecgui6.png"/> + </imageobject> + </mediaobject> + + <para>To create an exception, click on the <guibutton>Add a + rule</guibutton> button</para> + + <mediaobject> + <imageobject> + <imagedata fileref="msecgui7.png"/> + </imageobject> + </mediaobject> + + <para>Select the wanted periodic check in the drop down list called + <guilabel>Check</guilabel> and then, enter the + <guilabel>Exception</guilabel> in the text area. Adding an exception is + obviously not definitive, you can either delete it using the + <guibutton>Delete</guibutton> button of the + <guilabel>Exceptions</guilabel> tab or modify it with a double + clicK.</para> + </section> + + <section> + <title>Permissions</title> + <para>This tab is intended for file and directory permissions checking and + enforcement.</para> + <para>Like for the security, msec owns different permissions levels + (standard, secure, ..), they are enabled accordingly with the chosen + security level. You can create your own customised permissions levels, + saving them into specific files called <filename>perm.<levelname> + </filename> placed into the folder <filename>/etc/security/msec/</filename> + . This function is intended for power users which require a customised + configuration. It is also possible to use the tab presented here after to + change any permission you want. Current configuration is stored in + <filename>/etc/security/msec/perms.conf.</filename> This file contains the + list of all the modifications done to the permissions.</para> + <mediaobject> + <imageobject> + <imagedata fileref="msecgui8.png"/> + </imageobject> + </mediaobject> + <para>Default permissions are visible as a list of rules + (a rule per line). You can see on the left side, the file or folder + concerned by the rule, then the owner, then the group and then the + permissions given by the rule. If, for a given rule:</para> + <itemizedlist> + <listitem> + <para>the box <guilabel>Enforce</guilabel> is not checked, msec only + checks if the defined permissions for this rule are respected and + sends an alert message if not, but does not change anything.</para> + </listitem> + + <listitem> + <para>the box <guilabel>Enforce</guilabel> is checked, then msec + will rule the permissions respect at the first periodic check and + overwrite the permissions.</para></listitem> + </itemizedlist> + <important><para>For this to work, the option CHECK_PERMS in + the <emphasis role="bold">Periodic check tab</emphasis> must be configured + accordingly.</para></important><para>To create a new rule, click on the + <guibutton> Add a rule</guibutton> button and fill the fields as shown in + the example below. The joker * is allowed in the <guilabel>File</guilabel> + field. “current” means no modification.</para> + <mediaobject> + <imageobject> + <imagedata fileref="msecgui9.png"/> + </imageobject> + </mediaobject> + <para>Click on the <guibutton>OK</guibutton> button to + validate the choice and do not forget when leaving to save definitively + your configuration using the menu <guimenu>File -> Save the + configuration</guimenu>. If you have changed the settings, msecgui allows + you to preview the changes before saving them. </para> + <note><para>It is also possible to create or modify the rules by editing + the configuration file <filename>/etc/security/msec/perms.conf</filename>. + </para></note> + <caution><para>Changes in the <emphasis role="bold">Permission + tab</emphasis> (or directly in the configuration file) are taken into + account at the first periodic check (see the option CHECK_PERMS in the + <emphasis role="bold">Periodic checks tab</emphasis>). If you want them to + be taken immediately into account, use the msecperms command in a console + with root rights. You can use before, the msecperms -p command to know the + permissions that will be changed by msecperms.</para></caution> + <caution><para>Do not forget that if you modify the permissions in a + console or in a file manager, for a file where the box <guilabel>Enforce + </guilabel> is checked in the <emphasis role="bold">Permissions tab + </emphasis>, msecgui will write the old permissions back after a while, + accordingly to the configuration of the options CHECK_PERMS and + CHECK_PERMS_ENFORCE in the <emphasis role="bold">Periodic Checks tab + </emphasis>.</para></caution> + </section> + </section> +</section> |