diff options
author | Yoann Vandoorselaere <yoann@mandriva.com> | 1999-11-25 19:44:10 +0000 |
---|---|---|
committer | Yoann Vandoorselaere <yoann@mandriva.com> | 1999-11-25 19:44:10 +0000 |
commit | 78b13ca5f0677f9e6e5a07a18473a2d7724b51d0 (patch) | |
tree | 1aa278480009928f545f8668bc87c4eaafbc7e7b /init-sh/level5.sh | |
parent | 7f3bfad3df657529ee81b741c6fb10d847315c85 (diff) | |
download | msec-78b13ca5f0677f9e6e5a07a18473a2d7724b51d0.tar msec-78b13ca5f0677f9e6e5a07a18473a2d7724b51d0.tar.gz msec-78b13ca5f0677f9e6e5a07a18473a2d7724b51d0.tar.bz2 msec-78b13ca5f0677f9e6e5a07a18473a2d7724b51d0.tar.xz msec-78b13ca5f0677f9e6e5a07a18473a2d7724b51d0.zip |
Initial revision
Diffstat (limited to 'init-sh/level5.sh')
-rwxr-xr-x | init-sh/level5.sh | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/init-sh/level5.sh b/init-sh/level5.sh new file mode 100755 index 0000000..f2b7a55 --- /dev/null +++ b/init-sh/level5.sh @@ -0,0 +1,96 @@ +#!/bin/bash + +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +if [ -f /etc/security/msec/init-sh/lib.sh ]; then + . /etc/security/msec/init-sh/lib.sh +fi + +chattr +a /var/log/* + +# All events logged on tty12 +AddRules "*.* /dev/tty12" /etc/syslog.conf + +# Prevent all kind of connection +AddRules "ALL:ALL:DENY" /etc/hosts.deny + +# No login as root +AddRules "" /etc/securetty + +# Suid check +AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf +AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf +AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf +AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf +AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf +AddRules "TTY_WARN=yes" /etc/security/msec/security.conf +AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf + +# Check every 1 minutes for promisc problem +AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab +AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab + + +# Wanna a password ? +LiloUpdate; +/sbin/lilo + +# Disable all server : +IFS=" +" + +for service in `chkconfig --list | awk '{print $1}'`; do + if [ "${service}" == "xfs" ]; then + if [ ${HAVE_X}==1 ]; then + continue; + fi + fi + + if [ "${service}" == "network" ]; then continue; fi + if [ "${service}" == "keytable" ]; then continue; fi + if [ "${service}" == "crond" ]; then continue; fi + if [ "${service}" == "gpm" ]; then continue; fi + if [ "${service}" == "syslog" ]; then continue; fi + + + chkconfig --del "${service}" +done + +# Permissions +AddRules "umask 077" /etc/profile + +# Path +if [ ${HAVE_X}==1 ]; then + AddRules "PATH=$PATH:/usr/X11R6/bin" /etc/profile +fi + +echo +echo "You are now running your system in security level 5," +echo "All services are disabled : try the chkconfig to enable one..." +echo "If you're on a senssible machine, ( which is probably the case )" +echo "you should compile the server from the sources". +echo +echo "Good luck. :-)" +echo + + + + + + + + + + + + + + + + + + + |