path: root/docs/docs/stable/mcc-help/en/msecgui.xml
blob: 161c25d6046fed0b0b690eb13996ab11afcfdeae (plain)
<?xml version='1.0' encoding='utf-8'?><section xmlns="http://docbook.org/ns/docbook" xmlns:ns5="http://www.w3.org/1998/Math/MathML" xmlns:ns4="http://www.w3.org/2000/svg" xmlns:ns3="http://www.w3.org/1999/xhtml" xmlns:ns2="http://www.w3.org/1999/xlink" xmlns:ns="http://docbook.org/ns/docbook" version="5.0" xml:id="msecgui">
  <info>
    <title xml:id="msecgui-ti1">MSEC: System Security and Audit</title>

    <subtitle>msecgui</subtitle>
  </info>

  <!-- written by Lebarhon 2014/01/03 To be checked-->


  <mediaobject>
    <imageobject>
      <imagedata xml:id="msecgui-im1" revision="1" fileref="msecgui.png" align="center" format="PNG"/>
    </imageobject>
  </mediaobject>


  <section>
    <title>Presentation</title>

    <para>msecgui<footnote><para>You can start this tool from the command
    line by typing <emphasis role="bold">msecgui</emphasis> as root.</para>
    </footnote> is a graphical user interface for msec that lets you configure
    your system security according to two approaches:</para>

    <itemizedlist>
      <listitem>
        <para>It sets the system behaviour: msec imposes modifications to the
        system to make it more secure.</para>
      </listitem>

      <listitem>
        <para>It carries out periodic checks automatically on the system in
        order to warn you if something seems dangerous.</para>
      </listitem>
    </itemizedlist>

    <para>msec uses the concept of "security levels" which are intended to
    configure a set of system permissions, which can be audited for changes or
    enforcement. Several of them are proposed by Mageia, but you can define
    your own customised security levels.</para>
  </section>

  <section>
    <title>Overview tab</title>

    <para>See the screenshot above.</para>

    <para>The first tab lists the different security tools, each with a
    button on the right side to configure it:</para>

    <itemizedlist>
      <listitem>
        <para>Firewall, also found in the MCC / Security / Set up your
        personal firewall</para>
      </listitem>

      <listitem>
        <para>Updates, also found in MCC / Software Management / Update your
        system</para>
      </listitem>

      <listitem>
        <para>msec itself with some information:</para>

        <itemizedlist>
          <listitem>
            <para>enabled or not</para>
          </listitem>

          <listitem>
            <para>the configured Base security level</para>
          </listitem>

          <listitem>
            <para>the date of the last periodic checks, with a button to see
            a detailed report and another button to run the checks
            immediately.</para>
          </listitem>
        </itemizedlist>
      </listitem>
    </itemizedlist>
  </section>

  <section>
    <title>Security settings tab</title>

    <para>A click on the second tab or on the Security
    <guibutton>Configure</guibutton> button leads to the same screen shown
    below.</para>

    <mediaobject>
      <imageobject>
        <imagedata fileref="msecgui2.png"/>
      </imageobject>
    </mediaobject>


    <section>
      <title>Basic security tab</title>

      <para role="underline">
        <emphasis role="underline">Security levels:</emphasis>
      </para>

      <para>After checking the box <guilabel>Enable MSEC tool</guilabel>, you
      can choose the security level on this tab with a double click; the
      chosen level then appears in bold. If the box is not checked, the
      level « none » is applied. The following levels are available:</para>

      <orderedlist numeration="arabic">
        <listitem>
          <para>Level <emphasis role="bold">none</emphasis>. This level is
          intended if you do not want to use msec to control system security,
          and prefer tuning it on your own. It disables all security checks
          and puts no restrictions or constraints on system configuration and
          settings. Please use this level only if you know what you are
          doing, as it would leave your system vulnerable to attack.</para>
        </listitem>

	<listitem>
	  <para>Level <emphasis role="bold">standard</emphasis>. This is the
        default configuration when installed and is intended for casual users.
        It constrains several system settings and executes daily security
        checks which detect changes in system files, system accounts, and
        vulnerable directory permissions. (This level is similar to levels 2
	and 3 from past msec versions).</para>
        </listitem>

        <listitem>
          <para>Level <emphasis role="bold">secure</emphasis>. This level is
          intended when you want to ensure your system is secure, yet usable.
          It further restricts system permissions and executes more periodic
          checks. Moreover, access to the system is more restricted. (This
          level is similar to levels 4 (High) and 5 (Paranoid) from old msec
          versions).</para>
        </listitem>

	<listitem>
          <para>Besides those levels, different task-oriented security levels
          are also provided, such as the
          <emphasis role="bold">fileserver</emphasis>,
          <emphasis role="bold">webserver</emphasis> and
          <emphasis role="bold">netbook</emphasis> levels. Such levels
          attempt to pre-configure system security according to the most
          common use cases.</para>
        </listitem>

	<listitem>
          <para>The last two levels, called
          <emphasis role="bold">audit_daily</emphasis> and
          <emphasis role="bold">audit_weekly</emphasis>, are not really
          security levels but rather tools for periodic checks only.</para>
        </listitem>
      </orderedlist>

      <para>These levels are saved in
      <filename>/etc/security/msec/level.&lt;levelname></filename>. You can
      define your own customised security levels, saving them into specific
      files called <filename>level.&lt;levelname></filename>, placed into
      the folder <filename>/etc/security/msec/</filename>. This function is
      intended for power users who require a customised or more secure
      system configuration.</para>

      <caution>
	<para>Keep in mind that user-modified parameters take precedence over
        default level settings.</para>
      </caution>

      <para>
        <emphasis role="underline">Security alerts:</emphasis>
      </para>

      <para>If you check the box <guibutton>Send security alerts by email
      to:</guibutton>, the security alerts generated by msec are sent by
      local e-mail to the security administrator named in the nearby
      field. You can enter either a local user or a complete e-mail address
      (the local e-mail and the e-mail manager must be set accordingly).
      Finally, you can also receive the security alerts directly on your
      desktop. Check the relevant box to enable it.</para>

      <important>
        <para>It is strongly advisable to enable the security alerts option
      in order to immediately inform the security administrator of possible
      security problems. If not, the administrator will have to regularly
      check the log files available in
      <filename>/var/log/security</filename>.</para></important>

      <para><emphasis role="underline">Security options:</emphasis></para>

      <para>Creating a customised level is not the only way to customise the
      computer security. It is also possible to use the tabs presented
      hereafter to change any option you want. The current configuration for
      msec is stored in <filename>/etc/security/msec/security.conf</filename>.
      This file contains the current security level name and the list of all
      the modifications made to the options.</para>
    </section>

    <section>
      <title>System security tab</title>

      <para>This tab displays all the security options on the left side
      column, a description in the centre column, and their current values on
      the right side column.</para>

      <mediaobject>
        <imageobject>
          <imagedata fileref="msecgui3.png"/>
        </imageobject>
      </mediaobject>

      <para>To modify an option, double click on it and a new window appears
      (see screenshot below). It displays the option name, a short
      description, the current and default values, and a drop-down list where
      the new value can be selected. Click on the <guibutton>OK</guibutton>
      button to validate the choice.</para>

      <mediaobject>
        <imageobject>
          <imagedata fileref="msecgui11.png"/>
        </imageobject>
      </mediaobject>

      <caution>
      <para>Before leaving msecgui, do not forget to save your configuration
      permanently using the menu <guimenu>File -> Save the
      configuration</guimenu>. If you have changed the settings, msecgui
      allows you to preview the changes before saving them.</para>
      </caution>

      <mediaobject>
        <imageobject>
          <imagedata fileref="msecgui10.png"/>
        </imageobject>
      </mediaobject>
    </section>

    <section>
      <title>Network security</title>

      <para>This tab displays all the network options and works like the
      previous tab.</para>

      <mediaobject>
        <imageobject>
          <imagedata fileref="msecgui4.png"/>
        </imageobject>
      </mediaobject>
    </section>

    <section>
      <title>Periodic checks tab</title>

      <para>Periodic checks aim to inform the security administrator, by means
      of security alerts, of every situation msec considers potentially
      dangerous.</para>

      <para>This tab displays all the periodic checks done by msec and their
      frequency if the box <guibutton>Enable periodic security
      checks</guibutton> is checked. Changes are made in the same way as in
      the previous tabs.</para>

      <mediaobject>
        <imageobject>
          <imagedata fileref="msecgui5.png"/>
        </imageobject>
      </mediaobject>
    </section>

    <section>
      <title>Exceptions tab</title>

      <para>Sometimes alert messages are due to well-known and wanted
      situations. In these cases they are useless and waste the
      administrator's time. This tab allows you to create as many exceptions
      as you want to avoid unwanted alert messages. It is obviously empty at
      the first msec start. The screenshot below shows four exceptions.</para>

      <mediaobject>
        <imageobject>
          <imagedata fileref="msecgui6.png"/>
        </imageobject>
      </mediaobject>

      <para>To create an exception, click on the <guibutton>Add a
      rule</guibutton> button.</para>

      <mediaobject>
        <imageobject>
          <imagedata fileref="msecgui7.png"/>
        </imageobject>
      </mediaobject>

      <para>Select the wanted periodic check in the drop-down list called
      <guilabel>Check</guilabel> and then enter the
      <guilabel>Exception</guilabel> in the text area. Adding an exception is
      obviously not definitive: you can either delete it using the
      <guibutton>Delete</guibutton> button of the
      <guilabel>Exceptions</guilabel> tab or modify it with a double
      click.</para>
    </section>

    <section>
    <title>Permissions</title>
    <para>This tab is intended for file and directory permissions checking and
    enforcement.</para>
    <para>As with security, msec has different permissions levels
    (standard, secure, ..), which are enabled according to the chosen
    security level. You can create your own customised permissions levels,
    saving them into specific files called
    <filename>perm.&lt;levelname></filename> placed into the folder
    <filename>/etc/security/msec/</filename>. This function is intended for
    power users who require a customised configuration. It is also possible
    to use the tab presented hereafter to change any permission you want.
    The current configuration is stored in
    <filename>/etc/security/msec/perms.conf</filename>. This file contains the
    list of all the modifications made to the permissions.</para>
      <mediaobject>
        <imageobject>
          <imagedata fileref="msecgui8.png"/>
        </imageobject>
	</mediaobject>
    <para>Default permissions are visible as a list of rules
    (one rule per line). From left to right, you can see the file or folder
    concerned by the rule, then the owner, then the group and then the
    permissions given by the rule. If, for a given rule:</para>
   <itemizedlist>
        <listitem>
          <para>the box <guilabel>Enforce</guilabel> is not checked, msec only
          checks if the defined permissions for this rule are respected and
          sends an alert message if not, but does not change anything.</para>
        </listitem>

	<listitem>
          <para>the box <guilabel>Enforce</guilabel> is checked, then msec
          will enforce the defined permissions at the first periodic check
          and overwrite the permissions.</para></listitem>
   </itemizedlist>
   <important><para>For this to work, the option CHECK_PERMS in
    the <emphasis role="bold">Periodic checks tab</emphasis> must be
    configured accordingly.</para></important>
    <para>To create a new rule, click on the
    <guibutton>Add a rule</guibutton> button and fill the fields as shown in
    the example below. The wildcard * is allowed in the
    <guilabel>File</guilabel> field. “current” means no modification.</para>
     <mediaobject>
        <imageobject>
          <imagedata fileref="msecgui9.png"/>
        </imageobject>
	</mediaobject>
    <para>Click on the <guibutton>OK</guibutton> button to
    validate the choice and, before leaving, do not forget to save your
    configuration permanently using the menu <guimenu>File -> Save the
    configuration</guimenu>. If you have changed the settings, msecgui allows
    you to preview the changes before saving them.</para>
    <note><para>It is also possible to create or modify the rules by editing
    the configuration file <filename>/etc/security/msec/perms.conf</filename>.
    </para></note>
    <caution><para>Changes in the <emphasis role="bold">Permissions
    tab</emphasis> (or directly in the configuration file) are taken into
    account at the first periodic check (see the option CHECK_PERMS in the
    <emphasis role="bold">Periodic checks tab</emphasis>). If you want them to
    be taken into account immediately, use the msecperms command in a console
    with root rights. Beforehand, you can use the msecperms -p command to see
    the permissions that will be changed by msecperms.</para></caution>
    <caution><para>Do not forget that if you modify the permissions in a
    console or in a file manager, for a file where the box
    <guilabel>Enforce</guilabel> is checked in the
    <emphasis role="bold">Permissions tab</emphasis>, msecgui will write the
    old permissions back after a while, according to the configuration of
    the options CHECK_PERMS and CHECK_PERMS_ENFORCE in the
    <emphasis role="bold">Periodic checks tab</emphasis>.</para></caution>
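    <para>The check-versus-enforce behaviour described in this section, as an
    added Python example that is not part of msec or of the original page.
    The <literal>Rule</literal> tuple and the <literal>preview</literal>
    function are hypothetical names; the tuple mirrors the columns of the tab
    and is not the syntax of <filename>perms.conf</filename>. It only reads
    file metadata and reports what a check would flag.</para>
    <programlisting language="python"><![CDATA[
```python
import glob
import grp
import os
import pwd
import stat
from typing import NamedTuple

class Rule(NamedTuple):  # one row of the tab (constructed layout, not msec's file format)
    file: str      # path; the * wildcard is allowed
    owner: str     # user name, or "current" for no modification
    group: str     # group name, or "current"
    perms: str     # octal mode such as "600", or "current"
    enforce: bool  # state of the Enforce box

def _name(lookup, ident):
    try:
        return lookup(ident)[0]
    except KeyError:  # uid/gid without a passwd/group entry
        return str(ident)

def preview(rules):
    """Return (path, field, found, wanted, action) per deviation; changes nothing."""
    findings = []
    for rule in rules:
        action = "overwrite" if rule.enforce else "alert"
        wanted = {"owner": rule.owner, "group": rule.group,
                  "perms": rule.perms.lstrip("0") or "0"}
        for path in sorted(glob.glob(rule.file)):
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode says nothing about its target
            found = {
                "owner": _name(pwd.getpwuid, st.st_uid),
                "group": _name(grp.getgrgid, st.st_gid),
                "perms": format(stat.S_IMODE(st.st_mode), "o"),
            }
            for field, want in wanted.items():
                if want not in ("current", found[field]):
                    findings.append((path, field, found[field], want, action))
    return findings

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample tree
        for name, mode in (("a.key", 0o644), ("b.key", 0o600)):
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, mode)
        for finding in preview([Rule(d + "/*.key", "current", "current", "600", True)]):
            print(finding)
```
]]></programlisting>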
   </section>
  </section>
</section>