diff options
author | Yoann Vandoorselaere <yoann@mandriva.com> | 1999-11-29 15:06:21 +0000 |
---|---|---|
committer | Yoann Vandoorselaere <yoann@mandriva.com> | 1999-11-29 15:06:21 +0000 |
commit | 7e8b185f1d5705ca80c87fa5d5b8ac3ff699c42c (patch) | |
tree | 21c7cbbd63b9d06fe2b6b93efefd4f80a00e8c0e /init-sh/custom.sh | |
parent | d78302ebe04bdbb0bb4f9479708bf85d96cbefef (diff) | |
download | msec-7e8b185f1d5705ca80c87fa5d5b8ac3ff699c42c.tar msec-7e8b185f1d5705ca80c87fa5d5b8ac3ff699c42c.tar.gz msec-7e8b185f1d5705ca80c87fa5d5b8ac3ff699c42c.tar.bz2 msec-7e8b185f1d5705ca80c87fa5d5b8ac3ff699c42c.tar.xz msec-7e8b185f1d5705ca80c87fa5d5b8ac3ff699c42c.zip |
*** empty log message ***
Diffstat (limited to 'init-sh/custom.sh')
-rwxr-xr-x | init-sh/custom.sh | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/init-sh/custom.sh b/init-sh/custom.sh index e69de29..eac0cc8 100755 --- a/init-sh/custom.sh +++ b/init-sh/custom.sh @@ -0,0 +1,110 @@ +#!/bin/bash + +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +if [ -f /etc/security/msec/init-sh/lib.sh ]; then + . /etc/security/msec/init-sh/lib.sh +fi + + +clear + +### +echo "Do you want your log file to be in append mode only ?" +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + find /var/log/ -type f -exec chattr +a {} \; +fi +### +echo "Do you want all system events to be logged on tty12 ?" +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "*.* /dev/tty12" /etc/syslog.conf +fi +### +echo "Do you want to deny any machine to connect to yours ?" +WaitAnswer +if [ ${answer} == "yes" ]; then + echo "Do you want only localhost to be allowed ?" + WaitAnswer; clear + if [ "${answer}" == "yes" ]; then + AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny + else + AddRules "ALL:ALL:DENY" /etc/hosts.deny + fi +fi +### +echo "Do you want root console login to be allowed ?" +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "tty1" /etc/securetty quiet + AddRules "tty2" /etc/securetty quiet + AddRules "tty3" /etc/securetty quiet + AddRules "tty4" /etc/securetty quiet + AddRules "tty5" /etc/securetty quiet + AddRules "tty6" /etc/securetty +fi +### +echo "Do you want your system to daily check SUID Root file change ?" +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf + AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab +fi +### +echo "Do you want your system to daily check SUID Group file change ?" +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf + AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab +fi +### +echo "Do you want your system to daily check Writable file change ?" +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf + AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab +fi +### +echo "Do you want your system to daily check Unowned file change ?" +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf + AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab +fi +### +echo "Do you want your system to verify every minutes if a network interface" +echo "is in promiscuous state (which mean someone is probably running a sniffer on your machine ) ?" +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf + AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab +fi +### +LiloUpdate; +/sbin/lilo >& /dev/null +### +echo "Do you want a "." in your PATH variable ?" +echo "This permit you to not use ./progname & to just type progname" +echo "However this is a *high* security risk." +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "PATH=\$PATH:/usr/X11R6/bin" /etc/profile +fi +### +AddRules "SECURE_LEVEL=\"custom\"" /etc/profile +export SECURE_LEVEL="custom" +### +AddRules "umask 077" /etc/profile + + + + + + + + + |