diff options
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | doc/msec.lyx | 1025 |
2 files changed, 1029 insertions, 0 deletions
@@ -1,3 +1,7 @@ +1999-12-16 Chmouel Boudjnah <chmouel@mandrakesoft.com> + + * msec.lyx: add new file from camille. + 1999-15-10 Yoann Vandoorselaere <yoann@mandrakesoft.com> * grpuser.sh take only one opt ( --refresh ), take group name from /etc/security/msec/group.conf diff --git a/doc/msec.lyx b/doc/msec.lyx new file mode 100644 index 0000000..e43063c --- /dev/null +++ b/doc/msec.lyx @@ -0,0 +1,1025 @@ +#This file was created by <camille> Wed Dec 15 19:34:13 1999 +#LyX 0.12 (C) 1995-1998 Matthias Ettrich and the LyX Team +\lyxformat 2.15 +\textclass article +\language american +\inputencoding latin1 +\fontscheme default +\graphics default +\paperfontsize default +\spacing single +\papersize Default +\paperpackage a4 +\use_geometry 0 +\use_amsmath 0 +\paperorientation portrait +\secnumdepth 3 +\tocdepth 3 +\paragraph_separation skip +\defskip medskip +\quotes_language english +\quotes_times 2 +\papercolumns 1 +\papersides 2 +\paperpagestyle default + +\layout Title + + +\size huge +msec +\size default + +\noun on +[Mandrake SECurity tools] +\layout Author + +Camille Begnis <camille@mandrakesoft.com> +\layout Date + +15/12/1999 +\layout Section + +Introducing msec +\layout Standard + +While Linux is being used for a very wide range of applications, from basic + office work to high availability servers, came the need for different security + levels. + It is obvious that constraints inherent to highly secured servers do not + match the needs of a secretary. + In the other hand a big public server is more sensitive to malicious people + than my isolated Linux box. +\layout Standard + +It is in that aim that were designed the msec package. + It is made of two parts: +\layout Enumerate + +Scripts that modify the whole system to lead it to one of the five security + levels provided with msec. + These levels range from poor security and ease of use, to paranoid config, + suitable for very sensitive applications, managed by experts. +\layout Enumerate + +Cron jobs, that will periodically check the integrity of the system upon + security level configuration, and eventually detect and warn you of possible + intrusion of the system or security leak. +\layout Standard + +Note that the user may also define his own security level, adjusting parameters + to his own needs. + +\layout Section + +Installation +\layout Standard + +Installing the rpm will create a msec directory into /etc/security, containing + all is needed to secure your system. +\layout Standard + +Then just login as root and type +\begin_inset Quotes erd +\end_inset + +/etc/security/msec/init.sh x +\begin_inset Quotes erd +\end_inset + +, x being the security level you want or +\begin_inset Quotes eld +\end_inset + +custom +\begin_inset Quotes erd +\end_inset + + to create your own security level. + The script will begin to remove all modifications made by a previous runlevel + change, and apply the features of the chosen security level to your system. + If you choose +\begin_inset Quotes eld +\end_inset + +custom +\begin_inset Quotes erd +\end_inset + +, then you will be asked a series of questions for each security feature + msec propose. + At the end, these features will be applied to your system. +\layout Standard + +Note that whatever the level you chose, your configuration will be stored + into +\begin_inset Quotes eld +\end_inset + +/etc/security/msec/security.conf +\begin_inset Quotes erd +\end_inset + +. +\layout Section + +Security levels features +\layout Standard + +Follows the description of the different security features each level brings + to the system. + These features are of various types: +\layout Itemize + +file permissions, +\layout Itemize + +warnings dispatching, +\layout Itemize + +periodicall security checks: +\layout Quotation + +- on files: suid root, writeable, unowned; +\layout Quotation + +- listening ports: active, promiscuous; +\layout Quotation + +- passwords files. +\layout Itemize + +X display connections, +\layout Itemize + +listening port check, +\layout Itemize + +services available, +\layout Itemize + +boot password, +\layout Itemize + +authorized clients. +\layout Standard +\LyXTable +multicol5 +26 6 0 0 -1 -1 -1 -1 +1 1 0 0 +1 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +0 1 0 0 +2 1 0 "80mm" "" +8 1 0 "" "" +8 1 0 "" "" +8 1 0 "" "" +8 1 0 "" "" +8 1 1 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 2 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 2 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" +0 8 0 1 0 0 0 "" "" + + +\series bold +\emph on +Feature +\backslash + Security level +\newline +1 +\newline +2 +\newline +3 +\newline +4 +\newline +5 +\series default +\emph toggle + +\newline +Global security check +\newline +* +\newline +* +\newline +* +\newline +* +\newline +* +\newline +umask users +\newline +002 +\newline +022 +\newline +022 +\newline +077 +\newline +077 +\newline +umask root +\newline +002 +\newline +022 +\newline +022 +\newline +022 +\newline +077 +\newline +localhost authorized to connect to X display +\newline +* +\newline +* +\newline + +\newline + +\newline + +\newline +User in audio group +\newline +* +\newline +* +\newline + +\newline + +\newline + +\newline +. + in $PATH +\newline +* +\newline + +\newline + +\newline + +\newline + +\newline +Warning in /var/log/security.log +\newline +* +\newline +* +\newline +* +\newline +* +\newline +* +\newline +Warning directly on tty +\newline + +\newline +* +\newline +* +\newline +* +\newline +* +\newline +Warning in syslog +\newline + +\newline +* +\newline +* +\newline +* +\newline +* +\newline +Suid root file check +\newline + +\newline +* +\newline +* +\newline +* +\newline +* +\newline +Suid root file md5sum check +\newline + +\newline +* +\newline +* +\newline +* +\newline +* +\newline +Writeable file check +\newline + +\newline +* +\newline +* +\newline +* +\newline +* +\newline +Permissions check +\newline + +\newline + +\newline +* +\newline +* +\newline +* +\newline +Suid group file check +\newline + +\newline + +\newline +* +\newline +* +\newline +* +\newline +Unowned file check +\newline + +\newline + +\newline +* +\newline +* +\newline +* +\newline +Promiscuous check +\newline + +\newline + +\newline +* +\newline +* +\newline +* +\newline +Listening port check +\newline + +\newline + +\newline +* +\newline +* +\newline +* +\newline +Passwd file integrity check +\newline + +\newline + +\newline +* +\newline +* +\newline +* +\newline +Shadow file integrity check +\newline + +\newline + +\newline +* +\newline +* +\newline +* +\newline +System security check every midnight +\newline + +\newline + +\newline +* +\newline +* +\newline +* +\newline +All system events additionally logged to /dev/tty12 +\newline + +\newline + +\newline +* +\newline +* +\newline +* +\newline +Services not known disabled +\newline + +\newline + +\newline + +\newline +* +\newline +* +\newline +Boot password +\newline + +\newline + +\newline + +\newline +* +\newline +* +\newline +Disable connections from all but localhost +\newline + +\newline + +\newline + +\newline +* +\newline + +\newline +Disable connections from all +\newline + +\newline + +\newline + +\newline + +\newline +* +\layout Standard + +Note that six out of the ten periodical checks can detect changes on the + system. + They store into files located in +\begin_inset Quotes eld +\end_inset + +/var/log/security/ +\begin_inset Quotes erd +\end_inset + + the configuration of the system during the last check (one day ago), and + warn you of any changes occurred meanwhile. + These checks are: +\layout Itemize + +Suid root file check +\layout Itemize + +Suid root file md5sum check +\layout Itemize + +Writeable file check +\layout Itemize + +Suid group file check +\layout Itemize + +Unowned file check +\layout Itemize + +Listening port check +\layout Subsection + +Global security check +\layout Itemize + +NFS filesystems globally exported. + This is regarded as insecure, as there is no restriction for who may mount + these filesystems +\layout Itemize + +NFS mounts with missing nosuid. + These filesystems are exported without the +\begin_inset Quotes eld +\end_inset + +nosuid +\begin_inset Quotes erd +\end_inset + + option. +\layout Itemize + +Host trusting files contains +\begin_inset Quotes eld +\end_inset + ++ +\begin_inset Quotes erd +\end_inset + +sign. + That means that one of the files +\begin_inset Quotes eld +\end_inset + +/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd +\begin_inset Quotes erd +\end_inset + + is containing hosts which are allowed to connect without proper authentication. +\layout Itemize + +Executables found in the aliases file. + It issues a warning naming the executables run through files "/etc/aliases +\begin_inset Quotes erd +\end_inset + + and +\begin_inset Quotes eld +\end_inset + +/etc/postfix/aliases". +\layout Subsection + +umask users +\layout Standard + +Simply sets the umask for normal users to the value corresponding to the + security level. +\layout Subsection + +umask root +\layout Standard + +The same but for the root. +\layout Subsection + +localhost authorized to connect to X display +\layout Standard + +Runs +\begin_inset Quotes eld +\end_inset + +xhost + localhost +\begin_inset Quotes erd +\end_inset + + on every boot. +\layout Subsection + +User in audio group +\layout Standard + +Each user is a member of the +\begin_inset Quotes eld +\end_inset + +audio +\begin_inset Quotes erd +\end_inset + + group. + That means that every user connected to the system is given access to sound + card. +\layout Subsection + +. + in $PATH +\layout Standard + +the +\begin_inset Quotes eld +\end_inset + +. +\begin_inset Quotes erd +\end_inset + + entry is added to $PATH environment variable, allowing execution of programs + within the current working directory. +\layout Subsection + +Warning in /var/log/security.log +\layout Standard + +Each warning issued by msec is logged into +\begin_inset Quotes eld +\end_inset + +/var/log/security.log +\begin_inset Quotes erd +\end_inset + +. +\layout Subsection + +Warning directly on tty +\layout Standard + +Each warning issued by msec is directly printed on currentconsole. +\layout Subsection + +Warning in syslog +\layout Standard + +Warnings of msec are directed to syslog service. +\layout Subsection + +Suid root file check +\layout Standard + +Check for new or removed suid root files on the system. + If such files are encountered a list of these files is issued as a warning. +\layout Subsection + +Suid root file md5sum check +\layout Standard + +Checks the md5sum signature of each suid root file that is on the system. + If the signature has changed, it means that a modification has been made + to this program, probably a backdoor. + A warning is then issued. +\layout Subsection + +Writeable file check +\layout Standard + +Check wether files are world writable on the system. + If so, issues a warning containing the list of these naughty files. +\layout Subsection + +Permissions check +\layout Standard + +This one checks permissions for some special files such as .netrc or user's + config files. + It also checks permissions of users home dir. + If their permissions are too loose or owners unusual, it issues a warning. +\layout Subsection + +Suid group file check +\layout Standard + +Check for new or removed suid group files on the system. + If such files are encountered, a list of these files is issued as a warning. +\layout Subsection + +Unowned file check +\layout Standard + +This check searches for files owned by users/groups(or more accurately by + uids/gids) not known into /etc/password, If such files are found, the owner + is automatically changed to user/group +\begin_inset Quotes eld +\end_inset + +nobody +\begin_inset Quotes erd +\end_inset + +. +\layout Subsection + +Promiscuous check +\layout Standard + +This test checks every ethernet card to determine wether they are in promiscuous + mode. + This mode allows the card to intercept every packet received by the card, + even those that are not directed to it. + It may mean that a sniffer is running on your machine. +\layout Standard + +Note that this check is setted up to be run every minute. +\layout Subsection + +Listening port check +\layout Standard + +Issues a warning with all listening ports. +\layout Subsection + +Passwd file integrity check +\layout Standard + +Verify that each user has a password ( no blank password) and if it is shadowed. +\layout Subsection + +Shadow file integrity check +\layout Standard + +Verify that each user into the shadow file has a password ( no blank password). +\layout Subsection + +System security check every midnight +\layout Standard + +All previous checks will be performed everyday at midnight. + This relies on the addition of cron scripts in crontab file. +\layout Subsection + +All system events additionally logged to /dev/tty12 +\layout Standard + +*All* system messages directed to syslog are copied to tty12 console. +\layout Subsection + +Services not known disabled +\layout Standard + +All services not contained into +\begin_inset Quotes eld +\end_inset + +/etc/security/msec/init-sh/server.4/5 +\begin_inset Quotes erd +\end_inset + + will be disabled. + They are not removed, but simply not started when loading a runlevel. + If you need some of them, just add them again with the +\begin_inset Quotes eld +\end_inset + +chkconfig +\begin_inset Quotes erd +\end_inset + + utility (you might also need to restart them with init scripts in /etc/rc.d/init. +d/ ). +\layout Subsection + +Disable connections from all but localhost +\layout Standard + +Adds the rule "ALL:ALL EXCEPT localhost:DENY" into +\begin_inset Quotes eld +\end_inset + +/etc/hosts.deny +\begin_inset Quotes erd +\end_inset + + file. + +\layout Standard + +This prevents all clients but localhost to connect to open ports. +\layout Subsection + +Disable connections from all +\layout Standard + +Adds the rule "ALL:ALL:DENY" into +\begin_inset Quotes eld +\end_inset + +/etc/hosts.deny +\begin_inset Quotes erd +\end_inset + + file. + +\layout Standard + +This prevents all clients (even localhost) to connect to open ports. + +\layout Section + +ToDo +\layout Standard + +- Automatic tty locking ( unlock by passwd ) after X time of inactivity. +\layout Standard + +- In high security level, only user having access to group "sugrp" can use + the su command. +\layout Section + +Author +\layout Standard + +Vandoorselaere Yoann <yoann@mandrakesoft.com> +\the_end
\ No newline at end of file |