author: Eugeni Dodonov <eugeni@mandriva.org> 2009-01-06 21:31:46 +0000
committer: Eugeni Dodonov <eugeni@mandriva.org> 2009-01-06 21:31:46 +0000
commit: ff31c9236b1fd7465ea9687fc735e8af882e780e (patch)
tree: eec89033b4ad0b2459fbb91fa6dd39077eeaf407 /man
parent: ab984707253940bf5ced3a379699e8d0dc757fa6 (diff)
Updated to working version of new msec.
Conflicts: Makefile cron-sh/security_check.sh share/msec.py
Diffstat (limited to 'man')
-rw-r--r-- man/C/msec.8 | 635
-rw-r--r-- man/C/mseclib.3 | 228
2 files changed, 579 insertions, 284 deletions
diff --git a/man/C/msec.8 b/man/C/msec.8
index 16768ad..8a0c098 100644
--- a/man/C/msec.8
+++ b/man/C/msec.8
@@ -1,69 +1,592 @@
-.TH msec 8 "29 Sep 2001" "Mandriva" "Mandriva Linux"
-.IX msec
+.ds q \N'34'
+.TH msec 0.60.1 msec "Mandriva Linux"
.SH NAME
msec \- Mandriva Linux security tools
.SH SYNOPSIS
-.B msec
-([-o <option>=<value>...]) ([0-5])
+.nf
+.B msec [options]
+.B msecperms [options]
+.B msecgui [options]
+.fi
.SH DESCRIPTION
-\fPmsec\fP is the main script of the msec package. It enables the
-system administrator to change the security level for that system.
-msec is provided with six preconfigured security levels. These levels
-range from poor security and ease of use, to paranoid config, suitable
-for very sensitive server applications.
-.PP
-You must be root to run \fPmsec\fP.
-.br
-Launch "msec x" to set you security level to x (x=[0-5]). It'll modify
-your system according to security level x features. Called without
-argument, it will enforce the current security level without lowering
-security.
-.br
-All the changes are logged to syslog(8) at the AUTH facility when called
-non interactivelly (by cron for example) or at the LOCAL1 facility
-when called interactivelly (on the command line or from Mandriva Linux
-Control Center for example).
-.br
-For a fine description of each security level, consult the
-documentation under /usr/share/doc/msec-*/security.txt.
-.PP
-If you want to make changes to the current level, use
-/etc/security/msec/perm.local to override the
-permissions/owners/groups (use the same syntax as /usr/share/msec/perm.*
-or use the drakperm graphical utility) and /etc/security/msec/level.local to
-override the rules (see mseclib(3) for details or use the draksec graphical utility).
-.PP
-Available options:
+.B msec
+is responsible to maintain system security in Mandriva. It supports different security
+configurations, which can be organized into several security levels. Currently, three
+preconfigured security levels are provided:
+
.TP
-\fB\-o all-local-files=<value>\fR
-if <value> is 1, consider that all the files are local.
+\fBnone\fR
+this level aims to provide the most basic security. It should be used when you want to
+manage all aspects of system security on your own.
+
.TP
-\fB\-o log=<value>\fR
-if <value> is different of syslog do not log to syslog but to the standard error output.
+\fBdefault\fR
+this is the default security level, which configures a reasonably safe set of security
+features. It activates several periodic system checks, and sends the results of their
+execution by email (by default, the local 'root' account is used).
+
.TP
-\fB\-o nolocal=<path>\fR
-do not load the /etc/security/msec/level.local rules.
+\fBsecure\fR
+this level is configured to provide maximum system security, even at the cost of limiting
+the remote access to the system, and local user permissions. It also runs a wider set of
+periodic checks, enforces the local password settings, and periodically checks if the
+system security settings, configured by msec, were modified directly or by some other
+application.
+
+.PP
+
+The security settings are stored in \fB/etc/security/msec/security.conf\fR
+file, and default settings for each predefined level are stored in
+\fB/etc/security/msec/level.LEVEL\fR. Permissions for files and directories
+that should be enforced or checked for changes are stored in
+\fB/etc/security/msec/perms.conf\fR, and default permissions for each
+predefined level are stored in \fB/etc/security/msec/perm.LEVEL\fR. Note
+that user-modified parameters take precedence over default level settings. For
+example, when default level configuration forbids direct root logins, this
+setting can be overridden by the user.
+
+.PP
+
+The following options are supported by msec applications:
+
.TP
-\fB\-o non-local-fstypes=<value>\fR
-<value> is a list of non local file system types separated by spaces.
+\fBmsec\fR:
+.PP
+
+This is the console version of msec. It is responsible for system security configuration
+and checking and transitions between security levels.
+
+When executed without parameters, msec will read the system configuration file
+(/etc/security/msec/security.conf), and enforce the specified security
+settings. The operations are logged to \fB/var/log/msec.log\fP file, and also
+to syslog, using \fBLOG_AUTHPRIV\fR facility. Please note that msec should
+by run as root.
+
+\fB\-h, --help\fR
+ This option will display the list of supported command line options.
+
+\fB\-l, --level <level>\fR
+ List the default configuration for given security level.
+
+\fB\-f, --force <level>\fR
+ Apply the specified security level to the system, overwritting all
+local changes. This is necessary to initialize a security level, either on first
+install, on when a change to a different level is required.
+
+\fB\-d\fR
+ Enable debugging messages.
+
+\fB\-p, --pretend\fR
+ Verify the actions that will be performed by msec, without actually
+doing anything to the system. In this mode of operation, msec performs all the
+required tasks, except effectively writting data back to disk.
+
.TP
-\fB\-o print=<value>\fR
-if <value> is equal to 1, output the default values of the rules.
+\fBmsecperms\fR:
+.PP
+
+This application is responsible for system permission checking and enforcements.
+
+When executed without parameters, msecperms will read the permissions
+configuration file (/etc/security/msec/perms.conf), and enforce the specified
+security settings. The operations are logged to \fB/var/log/msec.log\fP file,
+and also to syslog, using \fBLOG_AUTHPRIV\fR facility. Please note that msecperms
+should by run as root.
+
+\fB\-h, --help\fR
+ This option will display the list of supported command line options.
+
+\fB\-l, --level <level>\fR
+ List the default configuration for given security level.
+
+\fB\-f, --force <level>\fR
+ Apply the specified security level to the system, overwritting all
+local changes. This is necessary to initialize a security level, either on first
+install, on when a change to a different level is required.
+
+\fB\-e, --enforce\fR
+ Enforce the default permissions on all files.
+
+\fB\-d\fR
+ Enable debugging messages.
+
+\fB\-p, --pretend\fR
+ Verify the actions that will be performed by msec, without actually
+doing anything to the system. In this mode of operation, msec performs all the
+required tasks, except effectively writting data back to disk.
+
.TP
-\fB\-o root=<path>\fR
-use <path> as the root of the file system.
-.SH FILES
-/usr/sbin/msec
-.br
-The \fPmsec\fP executable (sh script)
+\fBmsecgui\fR:
.PP
-/var/lib/msec/security.conf
-.br
-Contains the configuration of the current active security level. These
-settings can be overridden in /etc/security/msec/security.conf.
-.SH "SEE ALSO"
-mseclib(3), draksec, drakperm
+This is the GTK version of msec. It acts as frontend to all msec functionalities.
+
+\fB\-h, --help\fR
+ This option will display the list of supported command line options.
+
+\fB\-d\fR
+ Enable debugging messages.
+
+.SH "SECURITY OPTIONS"
+
+The following security options are supported by msec:
+
+
+
+.TP 4
+.B \fIenable_dns_spoofing_protection\fP
+Enable/Disable name resolution spoofing protection. If \fIalert\fP is true, also reports to syslog.
+
+MSEC parameter: \fIENABLE_IP_SPOOFING_PROTECTION\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fImail_empty_content\fP
+Enables sending of empty mail reports.
+
+MSEC parameter: \fIMAIL_EMPTY_CONTENT\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIaccept_broadcasted_icmp_echo\fP
+Accept/Refuse broadcasted icmp echo.
+
+MSEC parameter: \fIACCEPT_BROADCASTED_ICMP_ECHO\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIallow_xserver_to_listen\fP
+The argument specifies if clients are authorized to connect to the X server on the tcp port 6000 or not.
+
+MSEC parameter: \fIALLOW_XSERVER_TO_LISTEN\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_chkrootkit\fP
+Enables checking for known rootkits using chkrootkit.
+
+MSEC parameter: \fICHECK_CHKROOTKIT\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_suid_root\fP
+Enables checking for additions/removals of suid root files.
+
+MSEC parameter: \fICHECK_SUID_ROOT\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIenable_at_crontab\fP
+Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow (see man at(1) and crontab(1)).
+
+MSEC parameter: \fIENABLE_AT_CRONTAB\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIaccept_bogus_error_responses\fP
+Accept/Refuse bogus IPv4 error messages.
+
+MSEC parameter: \fIACCEPT_BOGUS_ERROR_RESPONSES\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_suid_md5\fP
+Enables checksum verification for suid files.
+
+MSEC parameter: \fICHECK_SUID_MD5\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fImail_user\fP
+Defines email to receive security notifications.
+
+MSEC parameter: \fIMAIL_USER\fP
+
+Accepted values: \fI*\fP
+
+
+.TP 4
+.B \fIallow_autologin\fP
+Allow/Forbid autologin.
+
+MSEC parameter: \fIALLOW_AUTOLOGIN\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIenable_pam_wheel_for_su\fP
+Enabling su only from members of the wheel group or allow su from any user.
+
+MSEC parameter: \fIENABLE_PAM_WHEEL_FOR_SU\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcreate_server_link\fP
+Creates the symlink /etc/security/msec/server to point to /etc/security/msec/server.<SERVER_LEVEL>. The /etc/security/msec/server is used by chkconfig --add to decide to add a service if it is present in the file during the installation of packages.
+
+MSEC parameter: \fICREATE_SERVER_LINK\fP
+
+Accepted values: \fIno, default, secure\fP
+
+
+.TP 4
+.B \fIset_shell_timeout\fP
+Set the shell timeout. A value of zero means no timeout.
+
+MSEC parameter: \fISHELL_TIMEOUT\fP
+
+Accepted values: \fI*\fP
+
+
+.TP 4
+.B \fIcheck_user_files\fP
+Enables permission checking on users' files that should not be owned by someone else, or writable.
+
+MSEC parameter: \fICHECK_USER_FILES\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_shadow\fP
+Enables checking for empty passwords.
+
+MSEC parameter: \fICHECK_SHADOW\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIenable_password\fP
+Use password to authenticate users. Take EXTREMELY care when disabling passwords, as it will leave the machine COMPLETELY vulnerable.
+
+MSEC parameter: \fIENABLE_PASSWORD\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIset_win_parts_umask\fP
+Set umask option for mounting vfat and ntfs partitions. A value of None means default umask.
+
+MSEC parameter: \fIWIN_PARTS_UMASK\fP
+
+Accepted values: \fIno, *\fP
+
+
+.TP 4
+.B \fIcheck_open_port\fP
+Enables checking for open network ports.
+
+MSEC parameter: \fICHECK_OPEN_PORT\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIenable_log_strange_packets\fP
+Enable/Disable the logging of IPv4 strange packets.
+
+MSEC parameter: \fIENABLE_LOG_STRANGE_PACKETS\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_rpm\fP
+Enables verification of installed packages.
+
+MSEC parameter: \fICHECK_RPM\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIenable_pam_root_from_wheel\fP
+Allow root access without password for the members of the wheel group.
+
+MSEC parameter: \fIENABLE_PAM_ROOT_FROM_WHEEL\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fImail_warn\fP
+Enables security results submission by email.
+
+MSEC parameter: \fIMAIL_WARN\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIpassword_length\fP
+Set the password minimum length and minimum number of digit and minimum number of capitalized letters.
+
+MSEC parameter: \fIPASSWORD_LENGTH\fP
+
+Accepted values: \fI*\fP
+
+
+.TP 4
+.B \fIset_root_umask\fP
+Set the root umask.
+
+MSEC parameter: \fIROOT_UMASK\fP
+
+Accepted values: \fI*\fP
+
+
+.TP 4
+.B \fIcheck_sgid\fP
+Enables checking for additions/removals of sgid files.
+
+MSEC parameter: \fICHECK_SGID\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_promisc\fP
+Activate/Disable ethernet cards promiscuity check.
+
+MSEC parameter: \fICHECK_PROMISC\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIallow_x_connections\fP
+Allow/Forbid X connections. Accepted arguments: yes (all connections are allowed), local (only local connection), no (no connection).
+
+MSEC parameter: \fIALLOW_X_CONNECTIONS\fP
+
+Accepted values: \fIyes, no, local\fP
+
+
+.TP 4
+.B \fIcheck_writable\fP
+Enables checking for files/directories writable by everybody.
+
+MSEC parameter: \fICHECK_WRITABLE\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIenable_console_log\fP
+Enable/Disable syslog reports to console 12. \fIexpr\fP is the expression describing what to log (see syslog.conf(5) for more details) and dev the device to report the log.
+
+MSEC parameter: \fIENABLE_CONSOLE_LOG\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIenable_ip_spoofing_protection\fP
+Enable/Disable IP spoofing protection.
+
+MSEC parameter: \fIENABLE_DNS_SPOOFING_PROTECTION\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_perms\fP
+Enables periodic permission checking for system files.
+
+MSEC parameter: \fICHECK_PERMS\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIset_shell_history_size\fP
+Set shell commands history size. A value of -1 means unlimited.
+
+MSEC parameter: \fISHELL_HISTORY_SIZE\fP
+
+Accepted values: \fI*\fP
+
+
+.TP 4
+.B \fIallow_reboot\fP
+Allow/Forbid system reboot and shutdown to local users.
+
+MSEC parameter: \fIALLOW_REBOOT\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIsyslog_warn\fP
+Enables logging to system log.
+
+MSEC parameter: \fISYSLOG_WARN\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_shosts\fP
+Enables checking for dangerous options in users' .rhosts/.shosts files.
+
+MSEC parameter: \fICHECK_SHOSTS\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_passwd\fP
+Enables password-related checks, such as empty passwords and strange super-user accounts.
+
+MSEC parameter: \fICHECK_PASSWD\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIpassword_history\fP
+Set the password history length to prevent password reuse. This is not supported by pam_tcb.
+
+MSEC parameter: \fIPASSWORD_HISTORY\fP
+
+Accepted values: \fI*\fP
+
+
+.TP 4
+.B \fIcheck_security\fP
+Enables daily security checks.
+
+MSEC parameter: \fICHECK_SECURITY\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIallow_root_login\fP
+Allow/Forbid direct root login.
+
+MSEC parameter: \fIALLOW_ROOT_LOGIN\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_unowned\fP
+Enables checking for unowned files.
+
+MSEC parameter: \fICHECK_UNOWNED\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIallow_user_list\fP
+Allow/Forbid the list of users on the system on display managers (kdm and gdm).
+
+MSEC parameter: \fIALLOW_USER_LIST\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIallow_remote_root_login\fP
+Allow/Forbid remote root login via sshd. You can specify yes, no and without-password. See sshd_config(5) man page for more information.
+
+MSEC parameter: \fIALLOW_REMOTE_ROOT_LOGIN\fP
+
+Accepted values: \fIyes, no, without_password\fP
+
+
+.TP 4
+.B \fIenable_msec_cron\fP
+Enable/Disable msec hourly security check.
+
+MSEC parameter: \fIENABLE_MSEC_CRON\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIenable_sulogin\fP
+Enable/Disable sulogin(8) in single user level.
+
+MSEC parameter: \fIENABLE_SULOGIN\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIallow_xauth_from_root\fP
+Allow/forbid to export display when passing from the root account to the other users. See pam_xauth(8) for more details.
+
+MSEC parameter: \fIALLOW_XAUTH_FROM_ROOT\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIset_user_umask\fP
+Set the user umask.
+
+MSEC parameter: \fIUSER_UMASK\fP
+
+Accepted values: \fI*\fP
+
+
+.TP 4
+.B \fIaccept_icmp_echo\fP
+Accept/Refuse icmp echo.
+
+MSEC parameter: \fIACCEPT_ICMP_ECHO\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIauthorize_services\fP
+Configure access to tcp_wrappers services (see hosts.deny(5)). If arg = yes, all services are authorized. If arg = local, only local ones are, and if arg = no, no services are authorized. In this case, To authorize the services you need, use /etc/hosts.allow (see hosts.allow(5)).
+
+MSEC parameter: \fIAUTHORIZE_SERVICES\fP
+
+Accepted values: \fIyes, no, local\fP
+
+
+.TP 4
+.B \fItty_warn\fP
+Enables periodic security check results to terminal.
+
+MSEC parameter: \fITTY_WARN\fP
+
+Accepted values: \fIyes, no\fP
+
+.RE
+.SH NOTES
+Msec applications must be run by root.
+.SH AUTHORS
+Frederic Lepied <flepied@mandriva.com>
+
+Eugeni Dodonov <eugeni@mandriva.com>
-.SH AUTHOR
-Vandoorselaere Yoann, Mandriva
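Review bot: the MSEC parameter names under `enable_dns_spoofing_protection` and `enable_ip_spoofing_protection` are swapped in the new SECURITY OPTIONS section: the DNS entry carries `MSEC parameter: \fIENABLE_IP_SPOOFING_PROTECTION\fP` and the IP entry carries `MSEC parameter: \fIENABLE_DNS_SPOOFING_PROTECTION\fP`, so an administrator following the page would set the wrong variable in security.conf; exchange those two lines. Several descriptions were copied from the mseclib function docs and still refer to arguments that the config-file interface no longer has: `enable_dns_spoofing_protection` says "If alert is true, also reports to syslog" and `enable_console_log` explains `expr` and `dev`, while both now accept only `yes, no`; drop those sentences so the accepted-values line and the description agree. `allow_remote_root_login` describes the third value as `without-password` but the accepted-values line says `without_password`; use whichever spelling the parser actually accepts in both places. The header `.TH msec 0.60.1 msec "Mandriva Linux"` puts the version where the section number belongs (`.TH name section date source manual`); it should keep section 8 so `man 8 msec` and cross-references keep working. The closing `.RE` before `.SH NOTES` has no matching `.RS`, and the per-program options (`\-h, --help`, `\-l, --level` and so on) are plain paragraphs rather than `.TP` entries, so they render run together; escape the long options as `\-\-help` as well so groff does not turn the double dash into a single one. The `--pretend` text under `msecperms` still says "performed by msec". Spelling: "overwritting" and "writting" (twice each), "should by run as root" (twice), "on when a change to a different level" should read "or when", "responsible to maintain" should read "responsible for maintaining", and "Take EXTREMELY care" should read "Take extreme care".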
diff --git a/man/C/mseclib.3 b/man/C/mseclib.3
deleted file mode 100644
index d5999a5..0000000
--- a/man/C/mseclib.3
+++ /dev/null
@@ -1,228 +0,0 @@
-.ds q \N'34'
-.TH mseclib 3 V0 msec "Mandriva Linux"
-.SH NAME
-mseclib
-.SH SYNOPSIS
-.nf
-.B from mseclib import *
-.B function1(yes)
-.B function2(ignore)
-.fi
-.SH DESCRIPTION
-.B mseclib
-is a python library to access the function used by the msec program. This functions can be used
-in /etc/security/msec/level.local to override the behaviour of the msec program or in standalone
-scripts. The first argument of the functions takes a value of 1 or 0 or -1 (or yes/no/ignore)
-except when specified otherwise.
-
-.TP 4
-.B \fIaccept_bogus_error_responses(arg)\fP
-Accept/Refuse bogus IPv4 error messages.
-
-.TP 4
-.B \fIaccept_broadcasted_icmp_echo(arg)\fP
- Accept/Refuse broadcasted icmp echo.
-
-.TP 4
-.B \fIaccept_icmp_echo(arg)\fP
- Accept/Refuse icmp echo.
-
-.TP 4
-.B \fIallow_autologin(arg)\fP
-Allow/Forbid autologin.
-
-.TP 4
-.B \fIallow_issues(arg)\fP
-If \fIarg\fP = ALL allow /etc/issue and /etc/issue.net to exist. If \fIarg\fP = NONE no issues are
-allowed else only /etc/issue is allowed.
-
-.TP 4
-.B \fIallow_reboot(arg)\fP
-Allow/Forbid reboot by the console user.
-
-.TP 4
-.B \fIallow_remote_root_login(arg)\fP
-Allow/Forbid remote root login via sshd. You can specify
-yes, no and without-password. See sshd_config(5) man page for more
-information.
-
-.TP 4
-.B \fIallow_root_login(arg)\fP
-Allow/Forbid direct root login.
-
-.TP 4
-.B \fIallow_user_list(arg)\fP
-Allow/Forbid the list of users on the system on display managers (kdm and gdm).
-
-.TP 4
-.B \fIallow_x_connections(arg, listen_tcp=None)\fP
-Allow/Forbid X connections. First arg specifies what is done
-on the client side: ALL (all connections are allowed), LOCAL (only
-local connection) and NONE (no connection).
-
-.TP 4
-.B \fIallow_xauth_from_root(arg)\fP
-llow/forbid to export display when passing from the root account
-to the other users. See pam_xauth(8) for more details.
-
-.TP 4
-.B \fIallow_xserver_to_listen(arg)\fP
-The argument specifies if clients are authorized to connect
-to the X server on the tcp port 6000 or not.
-
-.TP 4
-.B \fIauthorize_services(arg)\fP
-Authorize all services controlled by tcp_wrappers (see hosts.deny(5)) if \fIarg\fP = ALL. Only local ones
-if \fIarg\fP = LOCAL and none if \fIarg\fP = NONE. To authorize the services you need, use /etc/hosts.allow
-(see hosts.allow(5)).
-
-.TP 4
-.B \fIcreate_server_link()\fP
-If SERVER_LEVEL (or SECURE_LEVEL if absent) is greater than 3
-in /etc/security/msec/security.conf, creates the symlink /etc/security/msec/server
-to point to /etc/security/msec/server.<SERVER_LEVEL>. The /etc/security/msec/server
-is used by chkconfig --add to decide to add a service if it is present in the file
-during the installation of packages.
-
-.TP 4
-.B \fIenable_at_crontab(arg)\fP
-Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow
-(see man at(1) and crontab(1)).
-
-.TP 4
-.B \fIenable_console_log(arg, expr='*.*', dev='tty12')\fP
-Enable/Disable syslog reports to console 12. \fIexpr\fP is the
-expression describing what to log (see syslog.conf(5) for more details) and
-dev the device to report the log.
-
-.TP 4
-.B \fIenable_dns_spoofing_protection(arg, alert=1)\fP
-Enable/Disable name resolution spoofing protection. If
-\fIalert\fP is true, also reports to syslog.
-
-.TP 4
-.B \fIenable_ip_spoofing_protection(arg, alert=1)\fP
-Enable/Disable IP spoofing protection.
-
-.TP 4
-.B \fIenable_libsafe(arg)\fP
-Enable/Disable libsafe if libsafe is found on the system.
-
-.TP 4
-.B \fIenable_log_strange_packets(arg)\fP
-Enable/Disable the logging of IPv4 strange packets.
-
-.TP 4
-.B \fIenable_msec_cron(arg)\fP
-Enable/Disable msec hourly security check.
-
-.TP 4
-.B \fIenable_pam_root_from_wheel(arg)\fP
- Allow root access without password for the members of the wheel group.
-
-.TP 4
-.B \fIenable_pam_wheel_for_su(arg)\fP
- Enabling su only from members of the wheel group or allow su from any user.
-
-.TP 4
-.B \fIenable_password(arg)\fP
-Use password to authenticate users.
-
-.TP 4
-.B \fIenable_promisc_check(arg)\fP
-Activate/Disable ethernet cards promiscuity check.
-
-.TP 4
-.B \fIenable_security_check(arg)\fP
- Activate/Disable daily security check.
-
-.TP 4
-.B \fIenable_sulogin(arg)\fP
- Enable/Disable sulogin(8) in single user level.
-
-.TP 4
-.B \fIno_password_aging_for(name)\fP
-Add the name as an exception to the handling of password aging by msec.
-Name must be put between '. Msec will then no more manage password aging for
-name so you have to use chage(1) to manage it by hand.
-
-.TP 4
-.B \fIpassword_aging(max, inactive=-1)\fP
-Set password aging to \fImax\fP days and delay to change to \fIinactive\fP.
-
-.TP 4
-.B \fIpassword_history(arg)\fP
-Set the password history length to prevent password reuse.
-
-.TP 4
-.B \fIpassword_length(length, ndigits=0, nupper=0)\fP
-Set the password minimum length and minimum number of digit and minimum number of capitalized letters.
-
-.TP 4
-.B \fIset_root_umask(umask)\fP
-Set the root umask.
-
-.TP 4
-.B \fIset_security_conf(var, value)\fP
-Set the variable \fIvar\fP to the value \fIvalue\fP in /var/lib/msec/security.conf.
-The best way to override the default setting is to create /etc/security/msec/security.conf
-with the value you want. These settings are used to configure the daily check run each night.
-
-The following variables are currentrly recognized by msec:
-
-CHECK_UNOWNED if set to yes, report unowned files.
-
-CHECK_SHADOW if set to yes, check empty password in /etc/shadow.
-
-CHECK_SUID_MD5 if set to yes, verify checksum of the suid/sgid files.
-
-CHECK_SECURITY if set to yes, run the daily security checks.
-
-CHECK_PASSWD if set to yes, check for empty passwords, for no password in /etc/shadow and for users with the 0 id other than root.
-
-SYSLOG_WARN if set to yes, report check result to syslog.
-
-CHECK_SUID_ROOT if set to yes, check additions/removals of suid root files.
-
-CHECK_PERMS if set to yes, check permissions of files in the users' home.
-
-CHKROOTKIT_CHECK if set to yes, run chkrootkit checks.
-
-CHECK_PROMISC if set to yes, check if the network devices are in promiscuous mode.
-
-RPM_CHECK if set to yes, run some checks against the rpm database.
-
-TTY_WARN if set to yes, reports check result to tty.
-
-CHECK_WRITABLE if set to yes, check files/directories writable by everybody.
-
-MAIL_WARN if set to yes, report check result by mail.
-
-MAIL_USER if set, send the mail report to this email address else send it to root.
-
-CHECK_OPEN_PORT if set to yes, check open ports.
-
-CHECK_SGID if set to yes, check additions/removals of sgid files.
-
-EXCLUDE_REGEXP is used to exclude files from consideration by msec.
-
-.TP 4
-.B \fIset_shell_history_size(size)\fP
-Set shell commands history size. A value of -1 means unlimited.
-
-.TP 4
-.B \fIset_shell_timeout(val)\fP
-Set the shell timeout. A value of zero means no timeout.
-
-.TP 4
-.B \fIset_user_umask(umask)\fP
-Set the user umask.
-
-.TP 4
-.B \fIset_win_parts_umask(umask)\fP
-Set umask option for mounting vfat and ntfs partitions. A value of None means default umask.
-.RE
-.SH "SEE ALSO"
-msec(8)
-.SH AUTHORS
-Frederic Lepied <flepied@mandriva.com>
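Review bot: deleting mseclib.3 drops documentation for several interfaces that have no counterpart in the msec.8 added by the same commit: `allow_issues`, `enable_libsafe`, `no_password_aging_for`, `password_aging`, `set_security_conf` and the `EXCLUDE_REGEXP` variable do not appear in the new SECURITY OPTIONS list, and the `/etc/security/msec/level.local` override mechanism this page described is not explained anywhere else in the diff. If these functions were removed from the library, the commit message should say so (it only says "Updated to working version of new msec"); if they still exist, keep a trimmed mseclib.3 or fold the missing entries into msec.8 instead of removing the page outright. Note also that the old page tied `CHECK_PERMS` to permissions of files in users' home directories, while the new msec.8 says `check_perms` covers system files and introduces `check_user_files` for the home-directory case; a one-line note about that rename would save users of the old configuration some confusion.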