author | Yoann Vandoorselaere <yoann@mandriva.com> | 1999-11-29 15:06:21 +0000 |
---|---|---|
committer | Yoann Vandoorselaere <yoann@mandriva.com> | 1999-11-29 15:06:21 +0000 |
commit | 7e8b185f1d5705ca80c87fa5d5b8ac3ff699c42c (patch) | |
tree | 21c7cbbd63b9d06fe2b6b93efefd4f80a00e8c0e /init-sh | |
parent | d78302ebe04bdbb0bb4f9479708bf85d96cbefef (diff) | |
*** empty log message ***
Diffstat (limited to 'init-sh')
-rwxr-xr-x | init-sh/custom.sh | 110 | ||||
-rwxr-xr-x | init-sh/init.sh | 1 | ||||
-rw-r--r-- | init-sh/lib.sh | 19 |
3 files changed, 125 insertions, 5 deletions
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index e69de29..eac0cc8 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+ . /etc/security/msec/init-sh/lib.sh
+fi
+
+
+clear
+
+###
+echo "Do you want your log file to be in append mode only ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ find /var/log/ -type f -exec chattr +a {} \;
+fi
+###
+echo "Do you want all system events to be logged on tty12 ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "*.* /dev/tty12" /etc/syslog.conf
+fi
+###
+echo "Do you want to deny any machine to connect to yours ?"
+WaitAnswer
+if [ ${answer} == "yes" ]; then
+ echo "Do you want only localhost to be allowed ?"
+ WaitAnswer; clear
+ if [ "${answer}" == "yes" ]; then
+ AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny
+ else
+ AddRules "ALL:ALL:DENY" /etc/hosts.deny
+ fi
+fi
+###
+echo "Do you want root console login to be allowed ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "tty1" /etc/securetty quiet
+ AddRules "tty2" /etc/securetty quiet
+ AddRules "tty3" /etc/securetty quiet
+ AddRules "tty4" /etc/securetty quiet
+ AddRules "tty5" /etc/securetty quiet
+ AddRules "tty6" /etc/securetty
+fi
+###
+echo "Do you want your system to daily check SUID Root file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to daily check SUID Group file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to daily check Writable file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to daily check Unowned file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to verify every minutes if a network interface"
+echo "is in promiscuous state (which mean someone is probably running a sniffer on your machine ) ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf
+ AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab
+fi
+###
+LiloUpdate;
+/sbin/lilo >& /dev/null
+###
+echo "Do you want a "." in your PATH variable ?"
+echo "This permit you to not use ./progname & to just type progname"
+echo "However this is a *high* security risk."
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "PATH=\$PATH:/usr/X11R6/bin" /etc/profile
+fi
+###
+AddRules "SECURE_LEVEL=\"custom\"" /etc/profile
+export SECURE_LEVEL="custom"
+###
+AddRules "umask 077" /etc/profile
+
+
+
+
+
+
+
+
+
diff --git a/init-sh/init.sh b/init-sh/init.sh
index fa8e9b3..361eb1e 100755
--- a/init-sh/init.sh
+++ b/init-sh/init.sh
@@ -9,6 +9,7 @@ fi if [ "${1}" == "custom" ]; then /etc/security/msec/init-sh/custom.sh
+ exit 0;
fi if [ -f /etc/security/msec/init-sh/level$1.sh ]; then
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
index 578c4e4..81c62c0 100644
--- a/init-sh/lib.sh
+++ b/init-sh/lib.sh
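Review bot: The "." in PATH question and the action under it disagree: when the user answers yes, the line appended to /etc/profile is `PATH=\$PATH:/usr/X11R6/bin`, which adds no `.` at all, so the *high* security risk the prompt warns about is something the script never actually does (and the unescaped `"."` inside the double-quoted echo closes and reopens the string, so the dot is printed bare). Either drop the question or make the action match the prompt; given the risk the prompt itself describes, dropping it is the safer choice. Separately, `/sbin/lilo >& /dev/null` throws away lilo's exit status right after LiloUpdate has rewritten /etc/lilo.conf, so a failed map rebuild leaves the boot password unapplied with no message; `/sbin/lilo >/dev/null || echo "lilo failed, boot password not installed" >&2` would surface it. Note also that `chattr +a` on every file under /var/log forbids rename and truncation, which is exactly what logrotate does, so that prompt should carry a caveat.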
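Review bot: The added `exit 0;` reports success regardless of what custom.sh returned, so a caller of init.sh cannot detect a failed custom run. `exit $?` keeps custom.sh's status, or replacing the two lines with `exec /etc/security/msec/init-sh/custom.sh` makes it the script's status outright. The enclosing script continues outside the hunk.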
@@ -26,6 +26,15 @@ fi USERNAME="blah" COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too."
+WaitAnswer() {
+ answer="nothing"
+
+ while [[ "${answer}" != "yes" && "${answer}" != "no" ]]; do
+ echo -n "yes/no : "
+ read answer
+ done
+}
+
AddRules () { string=$1 file=$2
@@ -113,9 +122,8 @@ LiloUpdate() { echo "Do you want a password authentication at boot time ?" echo "Be very carefull," echo "this will prevent your server to reboot without an operator to enter password".
- echo -n "[yes]/no : "
- read answer
- if [[ "${answer}" == "yes" || "${answer}" == "" ]]; then
+ WaitAnswer
+ if [ "${answer}" == "yes" ]; then
echo -n "Please enter the password which will be used at boot time : " read password else
@@ -131,9 +139,10 @@ LiloUpdate() { if ! echo "${line}" | grep -q "password"; then echo "${line}" >> /etc/lilo.conf fi
- done < /etc/secure.tmp
+ done < /tmp/secure.tmp
- rm -f /etc/secure.tmp
+ rm -f /tmp/secure.tmp
+ clear
AddRules "password=$PASSWORD" /etc/lilo.conf fi } |
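Review bot: `read answer` in the new WaitAnswer loop never checks whether read actually got input, so on end-of-file (stdin closed, Ctrl-D, or the script run non-interactively) read fails with answer left empty and the `while` re-prompts forever, spinning on "yes/no : ". Failing is better than hanging: `read -r answer || { echo; exit 1; }` aborts cleanly, and `-r` also stops a stray backslash from being swallowed. `answer` being a global shared with every caller is the existing design, so keeping it is fine.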
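Review bot: Moving the scratch copy from /etc/secure.tmp to /tmp/secure.tmp is a security regression: /tmp is world-writable and the name is fixed, so an unprivileged local user can create /tmp/secure.tmp (or a symlink) before root runs LiloUpdate; the lines read from it are then written into /etc/lilo.conf by the loop shown here, and the `rm -f` afterwards follows whatever was planted. How the file is created is outside this hunk, so the exact impact is inferred, but a root process must not read or write a predictable path under /tmp. Keep the file under a root-only directory, or create it with `mktemp` and use that name: `tmp=$(mktemp /etc/secure.XXXXXX) || exit 1` where it is created, then `done < "$tmp"` and `rm -f "$tmp"` here.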