diff options
Diffstat (limited to 'docs/mcc-help/en/msecgui.xml')
| -rw-r--r-- | docs/mcc-help/en/msecgui.xml | 372 |
1 files changed, 0 insertions, 372 deletions
diff --git a/docs/mcc-help/en/msecgui.xml b/docs/mcc-help/en/msecgui.xml deleted file mode 100644 index 161c25d6..00000000 --- a/docs/mcc-help/en/msecgui.xml +++ /dev/null @@ -1,372 +0,0 @@ -<?xml version='1.0' encoding='utf-8'?><section xmlns="http://docbook.org/ns/docbook" xmlns:ns5="http://www.w3.org/1998/Math/MathML" xmlns:ns4="http://www.w3.org/2000/svg" xmlns:ns3="http://www.w3.org/1999/xhtml" xmlns:ns2="http://www.w3.org/1999/xlink" xmlns:ns="http://docbook.org/ns/docbook" version="5.0" xml:id="msecgui"> - <info> - <title xml:id="msecgui-ti1">MSEC: System Security and Audit</title> - - <subtitle>msecgui</subtitle> - </info> - - <!-- written by Lebarhon 2014/01/03 To be checked--> - - - <mediaobject> - <imageobject> - <imagedata xml:id="msecgui-im1" revision="1" fileref="msecgui.png" align="center" format="PNG"/> - </imageobject> - </mediaobject> - - - <section> - <title>Presentation</title> - - <para>msecgui<footnote><para>You can start this tool from the command - line, by typing <emphasis role="bold">msecgui</emphasis> as root.</para> - </footnote> is a graphic user interface for msec that allows to configure - your system security according to two approaches:</para> - - <itemizedlist> - <listitem> - <para>It sets the system behaviour, msec imposes modifications to the - system to make it more secure.</para> - </listitem> - - <listitem> - <para>It carries on periodic checks automatically on the system in - order to warn you if something seems dangerous.</para> - </listitem> - </itemizedlist> - - <para>msec uses the concept of "security levels" which are intended to - configure a set of system permissions, which can be audited for changes or - enforcement. Several of them are proposed by Mageia, but you can define - your own customised security levels.</para> - </section> - - <section> - <title>Overview tab</title> - - <para>See the screenshot above</para> - - <para>The first tab takes up the list of the different security tools with - a button on the right side to configure them:</para> - - <itemizedlist> - <listitem> - <para>Firewall, also found in the MCC / Security / Set up your - personal firewall</para> - </listitem> - - <listitem> - <para>Updates, also found in MCC / Software Management / Update your - system</para> - </listitem> - - <listitem> - <para>msec itself with some information:</para> - - <itemizedlist> - <listitem> - <para>enabled or not</para> - </listitem> - - <listitem> - <para>the configured Base security level</para> - </listitem> - - <listitem> - <para>the date of the last Periodic checks and a button to see a - detailed report and another button to execute the checks just - now.</para> - </listitem> - </itemizedlist> - </listitem> - </itemizedlist> - </section> - - <section> - <title>Security settings tab</title> - - <para>A click on the second tab or on the Security - <guibutton>Configure</guibutton> button leads to the same screen shown - below.</para> - - <mediaobject> - <imageobject> - <imagedata fileref="msecgui2.png"/> - </imageobject> - </mediaobject> - - - <section> - <title>Basic security tab</title> - - <para role="underline"> - <emphasis role="underline">Security levels:</emphasis> - </para> - - <para>After having checked the box <guilabel>Enable MSEC - tool</guilabel>, this tab allows you by a double click to choose the - security level that appears then in bold. If the box is not checked, the - level « none » is applied. The following levels are available:</para> - - <orderedlist numeration="arabic"> - <listitem> - <para>Level <emphasis role="bold">none</emphasis>. This level is - intended if you do not want to use msec to control system security, - and prefer tuning it on your own. It disables all security checks - and puts no restrictions or constraints on system configuration and - settings. Please use this level only if you are knowing what you are - doing, as it would leave your system vulnerable to attack.</para> - </listitem> - - <listitem> - <para>Level <emphasis role="bold">standard</emphasis>. This is the - default configuration when installed and is intended for casual users. - It constrains several system settings and executes daily security - checks which detect changes in system files, system accounts, and - vulnerable directory permissions. (This level is similar to levels 2 - and 3 from past msec versions).</para> - </listitem> - - <listitem> - <para>Level <emphasis role="bold">secure</emphasis>. This level is - intended when you want to ensure your system is secure, yet usable. - It further restricts system permissions and executes more periodic - checks. Moreover, access to the system is more restricted. (This - level is similar to levels 4 (High) and 5 (Paranoid) from old msec - versions).</para> - </listitem> - - <listitem> - <para>Besides those levels, different task-oriented security are - also provided, such as the <emphasis role="bold">fileserver - </emphasis>, <emphasis role="bold">webserver</emphasis> and - <emphasis role="bold">netbook</emphasis> levels. Such levels - attempt to pre-configure system security according to the most common - use cases.</para> - </listitem> - - <listitem> - <para>The last two levels called <emphasis role="bold">audit_daily - </emphasis> and <emphasis role="bold">audit_weekly</emphasis> are - not really security levels but rather tools for periodic checks - only.</para> - </listitem> - </orderedlist> - - <para>These levels are saved in - <filename>/etc/security/msec/level.<levelname></filename>. You can - define your own customised security levels, saving them into specific - files called <filename>level.<levelname></filename>, placed into - the folder <filename>/etc/security/msec/.</filename> This function is - intended for power users which require a customised or more secure - system configuration.</para> - - <caution> - <para>Keep in mind that user-modified parameters take precedence over - default level settings.</para> - </caution> - - <para> - <emphasis role="underline">Security alerts:</emphasis> - </para> - - <para>If you check the box <guibutton>Send security alerts by email - to:</guibutton>, the security alerts generated by msec are going to be - sent by local e-mail to the security administrator named in the nearby - field. You can fill either a local user or a complete e-mail address - (the local e-mail and the e-mail manager must be set accordingly). At - last, you can receive the security alerts directly on your desktop. - Check the relevant box to enable it.</para> - - <important> - <para>It is strongly advisable to enable the security alerts option - in order to immediately inform the security administrator of possible - security problems. If not, the administrator will have to regularly - check the logs files available in - <filename>/var/log/security.</filename></para></important> - - <para><emphasis role="underline">Security options:</emphasis></para> - - <para>Creating a customised level is not the only way to customise the - computer security, it is also possible to use the tabs presented here - after to change any option you want. Current configuration for msec is - stored in <filename>/etc/security/msec/security.conf</filename>. This - file contains the current security level name and the list of all the - modifications done to the options.</para> - </section> - - <section> - <title>System security tab</title> - - <para>This tab displays all the security options on the left side - column, a description in the centre column, and their current values on - the right side column.</para> - - <mediaobject> - <imageobject> - <imagedata fileref="msecgui3.png"/> - </imageobject> - </mediaobject> - - <para>To modify an option, double click on it and a new window appears - (see screenshot below). It displays the option name, a short - description, the actual and default values, and a drop down list where - the new value can be selected. Click on the <guibutton>OK</guibutton> - button to validate the choice.</para> - - <mediaobject> - <imageobject> - <imagedata fileref="msecgui11.png"/> - </imageobject> - </mediaobject> - - <caution> - <para>Do not forget when leaving msecgui to save definitively your - configuration using the menu <guimenu>File -> Save the - configuration</guimenu>. If you have changed the settings, msecgui - allows you to preview the changes before saving them.</para> - </caution> - - <mediaobject> - <imageobject> - <imagedata fileref="msecgui10.png"/> - </imageobject> - </mediaobject> - </section> - - <section> - <title>Network security</title> - - <para>This tab displays all the network options and works like the - previous tab</para> - - <mediaobject> - <imageobject> - <imagedata fileref="msecgui4.png"/> - </imageobject> - </mediaobject> - </section> - - <section> - <title>Periodic checks tab</title> - - <para>Periodic checks aim to inform the security administrator by means - of security alerts of all situations msec thinks potentially - dangerous.</para> - - <para>This tab displays all the periodic checks done by msec and their - frequency if the box <guibutton>Enable periodic security - checks</guibutton> is checked. Changes are done like in the previous - tabs.</para> - - <mediaobject> - <imageobject> - <imagedata fileref="msecgui5.png"/> - </imageobject> - </mediaobject> - </section> - - <section> - <title>Exceptions tab</title> - - <para>Sometimes alert messages are due to well known and wanted - situations. In these cases they are useless and wasted time for the - administrator. This tab allows you to create as many exceptions as you - want to avoid unwanted alert messages. It is obviously empty at the - first msec start. The screenshot below shows four exceptions.</para> - - <mediaobject> - <imageobject> - <imagedata fileref="msecgui6.png"/> - </imageobject> - </mediaobject> - - <para>To create an exception, click on the <guibutton>Add a - rule</guibutton> button</para> - - <mediaobject> - <imageobject> - <imagedata fileref="msecgui7.png"/> - </imageobject> - </mediaobject> - - <para>Select the wanted periodic check in the drop down list called - <guilabel>Check</guilabel> and then, enter the - <guilabel>Exception</guilabel> in the text area. Adding an exception is - obviously not definitive, you can either delete it using the - <guibutton>Delete</guibutton> button of the - <guilabel>Exceptions</guilabel> tab or modify it with a double - clicK.</para> - </section> - - <section> - <title>Permissions</title> - <para>This tab is intended for file and directory permissions checking and - enforcement.</para> - <para>Like for the security, msec owns different permissions levels - (standard, secure, ..), they are enabled accordingly with the chosen - security level. You can create your own customised permissions levels, - saving them into specific files called <filename>perm.<levelname> - </filename> placed into the folder <filename>/etc/security/msec/</filename> - . This function is intended for power users which require a customised - configuration. It is also possible to use the tab presented here after to - change any permission you want. Current configuration is stored in - <filename>/etc/security/msec/perms.conf.</filename> This file contains the - list of all the modifications done to the permissions.</para> - <mediaobject> - <imageobject> - <imagedata fileref="msecgui8.png"/> - </imageobject> - </mediaobject> - <para>Default permissions are visible as a list of rules - (a rule per line). You can see on the left side, the file or folder - concerned by the rule, then the owner, then the group and then the - permissions given by the rule. If, for a given rule:</para> - <itemizedlist> - <listitem> - <para>the box <guilabel>Enforce</guilabel> is not checked, msec only - checks if the defined permissions for this rule are respected and - sends an alert message if not, but does not change anything.</para> - </listitem> - - <listitem> - <para>the box <guilabel>Enforce</guilabel> is checked, then msec - will rule the permissions respect at the first periodic check and - overwrite the permissions.</para></listitem> - </itemizedlist> - <important><para>For this to work, the option CHECK_PERMS in - the <emphasis role="bold">Periodic check tab</emphasis> must be configured - accordingly.</para></important><para>To create a new rule, click on the - <guibutton> Add a rule</guibutton> button and fill the fields as shown in - the example below. The joker * is allowed in the <guilabel>File</guilabel> - field. “current” means no modification.</para> - <mediaobject> - <imageobject> - <imagedata fileref="msecgui9.png"/> - </imageobject> - </mediaobject> - <para>Click on the <guibutton>OK</guibutton> button to - validate the choice and do not forget when leaving to save definitively - your configuration using the menu <guimenu>File -> Save the - configuration</guimenu>. If you have changed the settings, msecgui allows - you to preview the changes before saving them. </para> - <note><para>It is also possible to create or modify the rules by editing - the configuration file <filename>/etc/security/msec/perms.conf</filename>. - </para></note> - <caution><para>Changes in the <emphasis role="bold">Permission - tab</emphasis> (or directly in the configuration file) are taken into - account at the first periodic check (see the option CHECK_PERMS in the - <emphasis role="bold">Periodic checks tab</emphasis>). If you want them to - be taken immediately into account, use the msecperms command in a console - with root rights. You can use before, the msecperms -p command to know the - permissions that will be changed by msecperms.</para></caution> - <caution><para>Do not forget that if you modify the permissions in a - console or in a file manager, for a file where the box <guilabel>Enforce - </guilabel> is checked in the <emphasis role="bold">Permissions tab - </emphasis>, msecgui will write the old permissions back after a while, - accordingly to the configuration of the options CHECK_PERMS and - CHECK_PERMS_ENFORCE in the <emphasis role="bold">Periodic Checks tab - </emphasis>.</para></caution> - </section> - </section> -</section> |