authorYoann Vandoorselaere <yoann@mandriva.com>2000-03-22 17:39:12 +0000
committerYoann Vandoorselaere <yoann@mandriva.com>2000-03-22 17:39:12 +0000
commit80a65450bd92bd7d24c8e5087856053bbacfe9d9 (patch)
tree5e8858584f8e33a80645e9284b7616741d142fbf /init-sh/custom.sh
parentee50375647abff0b29c25673938835cbac434eb7 (diff)
*** empty log message ***
Diffstat (limited to 'init-sh/custom.sh')
-rwxr-xr-xinit-sh/custom.sh156
1 files changed, 148 insertions, 8 deletions
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index 253d9d9..3018f75 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -1,10 +1,23 @@
#!/bin/bash
+
#
# Security level implementation...
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#
+###
+clear
+echo "This script allows you to customize the security on your system."
+echo "If you feel at all you don't know what you're doing abort now!!!"
+# can't use ctrl-c, we trap all signal.
+echo -n "continue [yes/no] : "
+read answer;
+
+if [[ ${answer} != yes ]]; then
+ exit 1
+fi
+
if [[ -f /usr/share/msec/lib.sh ]]; then
. /usr/share/msec/lib.sh
else
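Review bot: The comment `# can't use ctrl-c, we trap all signal.` is placed before anything in this hunk installs a trap — lib.sh, the only plausible source of signal handling, is sourced only afterwards at the `. /usr/share/msec/lib.sh` line — so at the time of this prompt Ctrl-C most likely still aborts the script normally, and the comment misleads. Either move the confirmation after the lib.sh include, or reword the comment to something like `# NOTE: traps are only installed once lib.sh is sourced below; Ctrl-C still works here`. The `read answer;` line should also be `read -r answer` so a backslash in the reply is not interpreted; the comparison `${answer} != yes` is safe inside `[[ ]]` but only "yes" exactly continues, which is the conservative default one wants for a script that rewrites system configuration.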
@@ -17,13 +30,7 @@ clear
WRITE_CRON="false"
###
-echo "Do you want all system events to be logged on tty12 ?"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- AddRules "*.* /dev/tty12" /etc/syslog.conf
-fi
-###
echo "Do you want to only allow ctrl-alt-del if root is logged locally ?"
echo "( or if an user present in /etc/shutdown.allow is logged locally )"
WaitAnswer; clear
@@ -186,7 +193,8 @@ LiloUpdate;
/sbin/lilo >& /dev/null
###
-echo "Do you want to disable your running server ( except important one )"
+clear
+echo "Do you want to disable your running server ( except those specified in /etc/security/msec/server.4 )"
echo "This is only valuable for server installed with rpm."
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
@@ -229,7 +237,7 @@ echo "paranoid ( 077 ) = user = rwx, group = , other ="
answer="nothing"
while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != "restricted" && "${answer}" != "paranoid" ]]; do
echo -n "easy/normal/restricted/paranoid : "
- read answer
+ read answer
done
case "${answer}" in
"easy")
@@ -247,6 +255,129 @@ case "${answer}" in
esac
###
+
+echo "Do you want easy, normal, restricted, or paranoid permission ?"
+answer="nothing"
+while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != "restricted" && "${answer}" != "paranoid" ]]; do
+ echo -n "easy/normal/restricted/paranoid : "
+ read answer
+done
+case "${answer}" in
+ "easy")
+ /usr/share/msec/file_perm.sh /etc/security/msec/perm.2
+ ;;
+ "normal")
+ /usr/share/msec/file_perm.sh /etc/security/msec/perm.3
+ ;;
+ "restricted")
+ /usr/share/msec/file_perm.sh /etc/security/msec/perm.4
+ ;;
+ "paranoid")
+ /usr/share/msec/file_perm.sh /etc/security/msec/perm.5
+ ;;
+esac
+
+#Logging
+clear
+echo "Would you like set to up additional logging ?"
+echo "Logging will still go to its respected places in /var/log as well."
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ echo "Would you like all system events to be logged on a specific tty ?"
+ echo "please answer by \"no\" or the tty number."
+ echo -n "no/ttynumber :"
+ read answer
+ if [[ ${answer} != no && ${anwer} != yes ]]; then
+ AddRules "*.* /dev/tty${answer}" /etc/syslog.conf
+ fi
+
+ echo
+ echo "Would you like for auth and warnings to a specific tty ?"
+ echo "please answer by \"no\" or the tty number."
+ echo -n "no/ttynumber :"
+ read answer
+ if [[ ${answer} != no && ${anwer} != yes ]]; then
+ AddRules "authpriv.* /dev/tty${answer}" /etc/syslog.conf
+ fi
+
+ echo
+ echo "Would you like kernel logging to go on a specific tty ?"
+ echo "please answer by \"no\" or the tty number."
+ echo -n "no/ttynumber :"
+ read answer
+ if [[ ${answer} != no && ${anwer} != yes ]]; then
+ AddRules "kern.* /dev/tty${answer}" /etc/syslog.conf
+ fi
+
+ echo
+ echo "Would you like mail logging to a specific tty ?"
+ echo "This is only useful if you're running a mail server."
+ echo "please answer by \"no\" or the tty number."
+ echo -n "no/ttynumber :"
+ read answer
+ if [[ ${answer} != no && ${anwer} != yes ]]; then
+ AddRules "mail.* /dev/tty${answer}" /etc/syslog.conf
+ fi
+
+ /etc/rc.d/init.d/syslog restart >& /dev/null
+fi
+
+clear
+
+###
+clear
+echo "We can setup your system to log who does what commands and when..."
+echo "May we set up proccess accounting ?"
+echo "The log file (/var/log/security/psacct.log) will get filled up VERY quickly..."
+echo "You need the psacct package."
+WaitAnswer;
+
+if [[ ${answer} == yes ]]; then
+ AddRules "touch /var/log/security/pacct.log" /etc/rc.d/rc.local
+ AddRules "/sbin/accton /var/log/security/pacct.log" /etc/rc.d/rc.local
+ AddRules "/var/log/security/pacct.log {" /etc/logrotate.conf
+ AddRules " postrotate" /etc/logrotate.conf
+ AddRules " /sbin/accton /var/log/security/pacct.log" /etc/logrotate.conf
+ AddRules " }" /etc/logrotate.conf
+ touch /var/log/security/pacct.log
+ chown root.root /var/log/security/pacct.log
+ chmod 600 /var/log/security/pacct.log
+ /sbin/accton /var/log/security/pacct.log
+fi
+
+### Pam
+clear
+
+dfsize=40000
+echo "We help prevent certain types of DoS attacks through the use of PAM(Pluggable Authentication Modules.)"
+echo "By setting a limit on how big user files may get and how many processes a user may run."
+
+echo "Would you like to set up some PAM configuration ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "# Limit user processes" /etc/security/limits.conf
+ AddRules "* soft nproc 100" /etc/security/limits.conf
+ AddRules "* hard nproc 150" /etc/security/limits.conf
+
+ echo "Would you like to set a maximum file size a user is allowed ?"
+ WaitAnswer; clear
+ if [[ ${answer} == yes ]]; then
+ echo "What shall be the maximum file size(default is $(dfsize))"
+ echo -n "Size : "
+ read fsize
+ if [[ -z ${fsize} ]]; then
+ AddRules "# limits size of any one of users' files" /etc/security/limits.conf
+ AddRules "* hard $dfsize" /etc/security/limits.conf
+ else
+ AddRules "# limits size of any one of users' files" /etc/security/limits.conf
+ AddRules "* hard $fsize" /etc/security/limits.conf
+ fi
+ fi
+fi
+
+
+
+###
echo "Do you want a "." in your PATH variable ?"
echo "This permit you to not use ./progname & to just type progname"
echo "However this is a *high* security risk."
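Review bot: The four tty prompts write the user's raw reply into /etc/syslog.conf (`AddRules "*.* /dev/tty${answer}"` and the authpriv/kern/mail variants) with no check that it is a number, and the guard on each compares `${anwer}` — a typo for `${answer}`, so it is unset and the `!= yes` half is always true; answering "yes" therefore produces a `/dev/ttyyes` target, and anything with spaces or a path is written verbatim into syslog's config as root. Each guard should accept only digits, e.g. `if [[ -n ${answer} && ${answer} != *[^0-9]* ]]; then`. In the PAM section, `$(dfsize)` is a command substitution (it tries to run a program named dfsize) where `${dfsize}` was meant, and both `AddRules "* hard $dfsize"` / `AddRules "* hard $fsize"` are missing the limits.conf item name (`fsize`) so pam_limits will not parse them; `read fsize` is also unvalidated before being appended. The logrotate stanza appended to /etc/logrotate.conf opens `postrotate` but never emits the required `endscript`, which makes logrotate reject the config; the message also names `psacct.log` while the code uses `pacct.log`.
```shell
# … unchanged: "Would you like all system events to be logged on a specific tty ?" prompt …
    read -r answer
    # only a bare tty number may be written into syslog.conf (the original compared ${anwer}, which is unset)
    if [[ -n ${answer} && ${answer} != *[^0-9]* ]]; then
        AddRules "*.* /dev/tty${answer}" /etc/syslog.conf
    fi
# … unchanged: the authpriv, kern and mail prompts take the same digits-only guard …
# … unchanged: process accounting prompt and rc.local lines …
    AddRules "/var/log/security/pacct.log {" /etc/logrotate.conf
    AddRules "    postrotate" /etc/logrotate.conf
    AddRules "        /sbin/accton /var/log/security/pacct.log" /etc/logrotate.conf
    AddRules "    endscript" /etc/logrotate.conf
    AddRules "}" /etc/logrotate.conf
# … unchanged: PAM prompt and nproc limits …
        echo "What shall be the maximum file size (default is ${dfsize})"
        echo -n "Size : "
        read -r fsize
        [[ -z ${fsize} ]] && fsize=${dfsize}
        # limits.conf format is: <domain> <type> <item> <value>; refuse non-numeric replies
        if [[ ${fsize} != *[^0-9]* ]]; then
            AddRules "# limits size of any one of users' files" /etc/security/limits.conf
            AddRules "* hard fsize ${fsize}" /etc/security/limits.conf
        fi
```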
@@ -273,3 +404,12 @@ AddRules "export PATH SECURE_LEVEL" /etc/profile
+
+
+
+
+
+
+
+
+