aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFrederic Lepied <flepied@mandriva.com>2002-07-24 23:16:46 +0000
committerFrederic Lepied <flepied@mandriva.com>2002-07-24 23:16:46 +0000
commit184c7a0eebaf3a76c697db3488871bff5fe27de9 (patch)
treeb9905902ffae8d67c76aa3790e68ea3a562e7402
parent97535e1b1f1f0d6a14218be13ad495909d338459 (diff)
downloadmsec-184c7a0eebaf3a76c697db3488871bff5fe27de9.tar
msec-184c7a0eebaf3a76c697db3488871bff5fe27de9.tar.gz
msec-184c7a0eebaf3a76c697db3488871bff5fe27de9.tar.bz2
msec-184c7a0eebaf3a76c697db3488871bff5fe27de9.tar.xz
msec-184c7a0eebaf3a76c697db3488871bff5fe27de9.zip
* describe file permissions according to the levels.
* correct description of X server security.
-rw-r--r--doc/security.txt24
1 files changed, 21 insertions, 3 deletions
diff --git a/doc/security.txt b/doc/security.txt
index 1977e15..ea7b620 100644
--- a/doc/security.txt
+++ b/doc/security.txt
@@ -13,7 +13,8 @@ Security level 1 :
- Global security check.
- umask is 002 ( user = read,write | greoup = read,write | other = read )
- easy file permission.
-- localhost authorized to connect to X display.
+- localhost authorized to connect to X display and X server listens to
+tcp connections.
- . in $PATH
- Warning in /var/log/security.log
@@ -29,7 +30,8 @@ Security level 2 ( Aka normal system ) :
- umask is 022 ( user = read,write | group = read | other = read )
- easy file permission.
-- localhost authorized to connect to X display.
+- localhost authorized to connect to X display and X server listens to
+tcp connections.
****************************
Security level 3 ( Aka more secure system ) :
@@ -51,11 +53,13 @@ Security level 3 ( Aka more secure system ) :
- umask is 022 ( user = read,write | group = read | other = read )
- Normal file permission.
-- localhost authorized to connect to X display.
+- X server listens to tcp connections.
- All system events additionally logged to /dev/tty12
- Some system security check launched every midnight from the ( crontab ).
- no autologin
+- home directories are accesible but not readable by others and group members.
+
****************************
Security level 4 ( Aka Secured system ) :
@@ -96,6 +100,13 @@ chkconfig -add ).
in /etc/hosts.allow).
- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ).
+- most sensible files and directories are restricted to the members of the adm group.
+- home directories are not accesible by others and group members.
+- X commands from /usr/X11R6/bin restricted to the members of the xgrp group.
+- network commands (ssh, scp, rsh, ...) restricted to the members of the ntools group.
+- compilation commands (gcc, g++, ...) restricted to the members of the ctools group.
+- rpm command restricted to the members of the rpm group.
+
*******************************
Security level 5 ( Aka Paranoid system ) :
@@ -135,6 +146,13 @@ chkconfig -add ).
in /etc/hosts.allow).
- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ) .
+- most sensible files and directories are restricted to the root account.
+- home directories are not accesible by others and group members.
+- X commands from /usr/X11R6/bin restricted to the members of the xgrp group.
+- network commands (ssh, scp, rsh, ...) restricted to the members of the ntools group.
+- compilation commands (gcc, g++, ...) restricted to the members of the ctools group.
+- rpm command restricted to the members of the rpm group.
+
******************
* level4/level5 : "services disabled" explanations :