author | Eugeni Dodonov <eugeni@mandriva.org> | 2009-09-09 00:04:15 +0000 |
---|---|---|
committer | Eugeni Dodonov <eugeni@mandriva.org> | 2009-09-09 00:04:15 +0000 |
commit | 7d9bf9988b2ea0960741aa09e794c2c365c5f09b (patch) | |
tree | 98dcb52fad0b956aafc6ecd7ae49535b817d6a8a /src | |
parent | e016f205c03f71445c28899257cf20beaefd454f (diff) | |
added documentation for check exceptions
Diffstat (limited to 'src')
-rw-r--r-- | src/msec/config.py | 7 | ||||
-rwxr-xr-x | src/msec/man.py | 35 |
2 files changed, 42 insertions, 0 deletions
diff --git a/src/msec/config.py b/src/msec/config.py
index 2be993e..e30677b 100644
--- a/src/msec/config.py
+++ b/src/msec/config.py
@@ -137,6 +137,13 @@ SETTINGS_PERIODIC = ["CHECK_PERMS", "CHECK_USER_FILES", "CHECK_SUID_ROOT", "CHEC
 "TTY_WARN", "SYSLOG_WARN", "MAIL_EMPTY_CONTENT",
 ]
+# checks that support exceptions
+CHECKS_WITH_EXCEPTIONS = ["CHECK_PERMS", "CHECK_USER_FILES", "CHECK_SUID_ROOT", "CHECK_SUID_MD5", "CHECK_SGID",
+ "CHECK_WRITABLE", "CHECK_UNOWNED", "CHECK_OPEN_PORT", "CHECK_FIREWALL",
+ "CHECK_PASSWD", "CHECK_SHADOW", "CHECK_RPM_PACKAGES", "CHECK_RPM_INTEGRITY",
+ "CHECK_SHOSTS", "CHECK_USERS", "CHECK_GROUPS"
+ ]
+
 # localized help
 try:
 from help import HELP
diff --git a/src/msec/man.py b/src/msec/man.py
index 890bfe8..2bd1439 100755
--- a/src/msec/man.py
+++ b/src/msec/man.py
@@ -191,6 +191,38 @@ This is the GTK version of msec. It acts as frontend to all msec functionalities
 edit /etc/security/msec/level.my
 msecperms -f my
+.SH "DEFINING EXCEPTIONS FOR PERIODIC CHECKS"
+.B msec
+is capable of excluding certain patterns from periodic check reports. For
+this, it is possible to define the exceptions in
+\\fB/etc/security/msec/exceptions\\fP file, for each supported check.
+
+.PP
+For example, to exclude all items that match \\fB/mnt\\fP, Mandriva-based
+chrooted installations in \\fB/chroot\\fP and all backup files from the
+results of of check for unowned files on the system, it is sufficient to
+define the following entry in the exceptions file:
+
+.TP
+ CHECK_UNOWNED /mnt
+.TP
+ CHECK_UNOWNED /chroot/mdv_.*/
+.TP
+ CHECK_UNOWNED .*~
+
+.PP
+In a similar way, it is possible to exclude the results for the
+\\fBdeluge\\fP application from the list of open ports as follows:
+
+.TP
+ CHECK_OPEN_PORT /deluge
+
+.PP
+Each exception entry is a regular exception, and you might define as many
+exceptions as necessary. See below for all msec options that support this
+feature.
+
+
 .SH "SECURITY OPTIONS"
 The following security options are supported by msec: 
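Review bot: `CHECKS_WITH_EXCEPTIONS` in src/msec/config.py repeats check names as string literals that also appear in `SETTINGS_PERIODIC` (visible in the hunk header), so a misspelled or renamed check would silently lose its exceptions note in the generated man page instead of failing. The one-line comment does not say what the names key into; I would write `# periodic checks whose findings can be filtered by entries in /etc/security/msec/exceptions; names must match SETTINGS_PERIODIC`. The definition of `SETTINGS_PERIODIC` starts outside the hunk, so whether every listed name is present there cannot be confirmed from here.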
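Review bot: The new man-page section in src/msec/man.py says "Each exception entry is a regular exception", which presumably should read "regular expression", and "results of of check" has a doubled word. Because these entries remove findings from security check reports, the section should also say how a pattern is matched (anchored, or anywhere in the item): the `/mnt` and `.*~` examples read as unanchored matches, and a short pattern could hide more report lines than intended. The matching code is not part of this diff, so that is to be confirmed. Suggested wording: `Each exception entry is a regular expression; keep patterns as specific as possible, since every matching item is dropped from the report.`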
@@ -232,6 +264,9 @@ for variable in config.SETTINGS:
 func = msec.get_action(callback)
 if func:
 print function_str % (callback, func.__doc__.strip(), variable, ", ".join(params))
+ if variable in config.CHECKS_WITH_EXCEPTIONS:
+ # this check supports exceptions
+ print """(This check supports exceptions via %s variable defined in \\fB/etc/security/msec/exceptions\\fP file)""" % variable
 print footer |
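Review bot: The path `/etc/security/msec/exceptions` is written out in the new `print` and again in the new man-page section, so the two can drift; if `config` has a constant for the exceptions file (not visible in this diff), format it in instead. The sentence also reads better with articles, `(This check supports exceptions via the %s variable defined in the \\fB/etc/security/msec/exceptions\\fP file)`, and a one-line message does not need triple quotes. Indentation is lost in this rendering, so whether the new `if` sits inside `if func:` cannot be checked here, and the loop body continues outside the hunk.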