-rw-r--r--AUTHORS1
-rw-r--r--COPYING339
-rw-r--r--Makefile36
-rw-r--r--README23
-rw-r--r--cron-sh/Makefile5
-rwxr-xr-xcron-sh/file_check.sh191
-rwxr-xr-xcron-sh/promisc_check.sh40
-rw-r--r--doc/msec.spec76
-rw-r--r--doc/security.txt94
-rwxr-xr-xinit-sh/file_perm.sh19
-rwxr-xr-xinit-sh/grpuser152
-rwxr-xr-xinit-sh/init.sh19
-rwxr-xr-xinit-sh/level1.sh49
-rwxr-xr-xinit-sh/level2.sh57
-rwxr-xr-xinit-sh/level3.sh60
-rwxr-xr-xinit-sh/level4.sh67
-rwxr-xr-xinit-sh/level5.sh96
-rw-r--r--init-sh/lib.sh175
-rw-r--r--init-sh/perm.171
-rw-r--r--init-sh/perm.272
-rw-r--r--init-sh/perm.368
-rw-r--r--init-sh/perm.472
-rw-r--r--init-sh/perm.567
-rw-r--r--init-sh/server.46
-rw-r--r--init-sh/server.56
-rw-r--r--src/promisc_check/Makefile13
-rw-r--r--src/promisc_check/promisc_check.c137
27 files changed, 2011 insertions, 0 deletions
diff --git a/AUTHORS b/AUTHORS
new file mode 100644
index 0000000..73afd8c
--- /dev/null
+++ b/AUTHORS
@@ -0,0 +1 @@
+Vandoorselaere Yoann <yoann@mandrakesoft.com>
diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000..916d1f0
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,339 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ Appendix: How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) 19yy <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) 19yy name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..a7e1e15
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,36 @@
+all: promisc_check
+
+clean:
+ find . -name *.o -exec rm -f {} \;
+ find . -name *~ -exec rm -f {} \;
+ rm -f src/promisc_check/promisc_check
+
+promisc_check:
+ (cd src/promisc_check; make)
+
+install:
+ (rm -rf /etc/security/msec)
+ (mkdir -p /etc/security/msec/init-sh)
+ (cp init-sh/level* /etc/security/msec/init-sh)
+ (cp init-sh/init.sh /etc/security/msec/init.sh);
+ (cp init-sh/lib.sh /etc/security/msec/init-sh);
+ (cp init-sh/grpuser /etc/security/msec/init-sh);
+ (cp init-sh/file_perm.sh /etc/security/msec/init-sh);
+ (cp init-sh/*.[1-5] /etc/security/msec/init-sh/)
+ (cp init-sh/server.* /etc/security/msec/init-sh)
+ (touch /etc/security/msec/security.conf)
+ (cd src/promisc_check; make install)
+ (cd cron-sh; make install)
+
+ @echo
+ @echo
+ @echo "BE CAREFULL !!!"
+ @echo "This is *alpha* release & it does not contains all planned features..."
+ @echo "Please help debuging it..."
+ @echo "See security.txt to know what is done & all :-)"
+ @echo
+ @echo
+ @echo "To switch between runlevel, just launch init.sh ( in init-sh dir )"
+ @echo
+ @echo
+
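Review bot: The `install` target opens with `rm -rf /etc/security/msec` and later runs `touch /etc/security/msec/security.conf`, so every reinstall discards the administrator's existing configuration and the cron scripts that source that file afterwards see none of their `CHECK_*` settings. Preserve it by removing only what this package installs and guarding the touch, e.g. `[ -f /etc/security/msec/security.conf ] || touch /etc/security/msec/security.conf`. In `clean`, `*.o` and `*~` are unquoted, so the shell expands them against the top-level directory before `find` sees them; quote them as `find . -name '*.o' -exec rm -f {} \;` and `find . -name '*~' -exec rm -f {} \;`.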
diff --git a/README b/README
new file mode 100644
index 0000000..3852e7d
--- /dev/null
+++ b/README
@@ -0,0 +1,23 @@
+This is really basic stuff at the moment...
+
+init-sh :
+ this is where all script / library to switch security level are,
+ use init.sh only.
+
+cron-sh :
+ Here are all security script that will be used in crontab.
+
+src:
+ C program for security check.
+
+Note : i know my Makefile are dirty,
+ so if someone wish to clean them :-)
+
+
+******************
+
+All stuff are installed in /etc/security/msec/
+use init.sh to change security level
+
+Suggest & Comment :
+yoann@mandrakesoft.com
diff --git a/cron-sh/Makefile b/cron-sh/Makefile
new file mode 100644
index 0000000..d2993db
--- /dev/null
+++ b/cron-sh/Makefile
@@ -0,0 +1,5 @@
+all:
+
+install:
+ mkdir -p /etc/security/msec/cron-sh
+ cp *.sh /etc/security/msec/cron-sh
diff --git a/cron-sh/file_check.sh b/cron-sh/file_check.sh
new file mode 100755
index 0000000..5118ebc
--- /dev/null
+++ b/cron-sh/file_check.sh
@@ -0,0 +1,191 @@
+#!/bin/bash
+
+#
+# Basic security checking for suid files.
+# Written by Vandoorselaere Yoann, <yoann@mandrakesoft.com>
+#
+
+if [ -f /etc/security/msec/security.conf ]; then
+ . /etc/security/msec/security.conf
+else
+ exit 1
+fi
+
+if [ SECURITY_CHECK == "no" ]; then
+ exit 0
+fi
+
+# Modified filters coming from debian security scripts.
+CS_NFSAFS='(nfs|afs|xfs|coda)'
+CS_TYPES=' type (devpts|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|'$CS_NFSAFS')'
+CS_DEVS='^/dev/fd'
+CS_DIRS='on /mnt'
+FILTERS="$CS_TYPES|$CS_DEVS|$CS_DIRS"
+DIR=`mount | grep -vE "$FILTERS" | cut -d ' ' -f3`
+###
+
+SUID_ROOT_TODAY="/var/log/security/suid_root.today"
+SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday"
+SUID_ROOT_DIFF="/var/log/security/suid_root.diff"
+SUID_GROUP_TODAY="/var/log/security/suid_group.today"
+SUID_GROUP_YESTERDAY="/var/log/security/suid_group.yesterday"
+SUID_GROUP_DIFF="/var/log/security/suid_group.diff"
+WRITABLE_TODAY=/var/log/security/writable.today
+WRITABLE_YESTERDAY=/var/log/security/writable.yesterday
+WRITABLE_DIFF=/var/log/security/writable.diff
+UNOWNED_TODAY=/var/log/security/unowned.today
+UNOWNED_YESTERDAY=/var/log/security/unowned.yesterday
+UNOWNED_DIFF=/var/log/security/unowned.diff
+
+
+if [ ! -d /var/log/security ]; then
+ mkdir /var/log/security
+fi
+
+chattr -a /var/log/security
+
+### Functions ###
+
+Syslog() {
+ if [ $SYS_LOG=="yes" ]; then
+ /sbin/initlog --string=$1
+ fi
+}
+
+Ttylog() {
+ if [ $TTY_LOG=="yes" ]; then
+ for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do
+ echo -e $1 > /dev/$i
+ done
+ fi
+}
+
+##################
+
+
+### New Suid root file detection ###
+if [ $CHECK_SUID_ROOT=="yes" ]; then
+ if [ -f $SUID_ROOT_TODAY ]; then
+ mv $SUID_ROOT_TODAY $SUID_ROOT_YESTERDAY
+ fi
+
+ find $DIR -xdev -type f -perm +04000 -user root \
+ -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_ROOT_TODAY
+
+ if [ -f $SUID_ROOT_YESTERDAY ]; then
+ if ! diff $SUID_ROOT_YESTERDAY $SUID_ROOT_TODAY > $SUID_ROOT_DIFF; then
+ Syslog "Change in Suid Root file found, please consult $SUID_ROOT_DIFF"
+ Ttylog "\\033[1;31mChange in Suid Root file found !\\033[0;39m"
+ Ttylog "\\033[1;31mPlease consult $SUID_ROOT_DIFF\\033[0;39m"
+ fi
+ fi
+fi
+#############################
+
+
+### New Suid group file detection ###
+if [ $CHECK_SUID_GROUP ]; then
+ if [ -f $SUID_GROUP_TODAY ]; then
+ mv $SUID_GROUP_TODAY $SUID_GROUP_YESTERDAY
+ fi
+
+ find $DIR -xdev -type f -perm +02000 \
+ -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_GROUP_TODAY
+
+ if [ -f $SUID_GROUP_YESTERDAY ]; then
+ if ! diff $SUID_GROUP_YESTERDAY $SUID_GROUP_TODAY > $SUID_GROUP_DIFF; then
+ Syslog "Change in Suid Group file found, please consult $SUID_GROUP_DIFF"
+ Ttylog "\\033[1;31mChange in Suid Group file found !\\033[0;39m"
+ Ttylog "\\033[1;31mPlease consult $SUID_GROUP_DIFF\\033[0;39m"
+ fi
+ fi
+fi
+#############################
+
+### Writable file detection ###
+
+if [ $CHECK_WRITABLE=="yes" ]; then
+ if [ -f $WRITABLE_TODAY ]; then
+ mv $WRITABLE_TODAY $WRITABLE_YESTERDAY
+ fi
+
+ find $DIR -xdev -type f -perm -2 \
+ -ls -print | sort > $WRITABLE_TODAY
+
+ if [ -f $WRITABLE_YESTERDAY ]; then
+ if ! diff $WRITABLE_YESTERDAY $WRITABLE_TODAY > $WRITABLE_DIFF; then
+ Syslog "Change in World Writable File found, please consult $WRITABLE_DIFF"
+ Ttylog "\\033[1;31mChange in World Writable File found !\\033[0;39m"
+ Ttylog "\\033[1;31mPlease consult $WRITABLE_DIFF\\033[0;39m"
+ fi
+ fi
+fi
+#################################
+
+### Search Un Owned file ###
+if [ $CHECK_UNOWNED=="yes" ]; then
+ if [ -f $UNOWNED_TODAY ]; then
+ mv $UNOWNED_TODAY $UNOWNED_YESTERDAY
+ fi
+
+ find $DIR -xdev -nouser -o -nogroup -print \
+ -ls | sort > $UNOWNED_TODAY
+
+ if [ -f $UNOWNED_YESTERDAY ]; then
+ if ! diff $UNOWNED_YESTERDAY $UNOWNED_TODAY; then
+ Syslog "Change in Un-Owned file user/group, please consult $UNOWNED_DIFF"
+ Ttylog "\\033[1;31mChange in Un-Owned file user/group found !\\033[0;39m"
+ Ttylog "\\033[1;31mPlease consult $UNOWNED_DIFF\\033[0;39m"
+ fi
+ fi
+fi
+
+
+chattr +a /var/log/security
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
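Review bot: The configuration guards never test the variables they name: `[ SECURITY_CHECK == "no" ]` compares the literal word `SECURITY_CHECK`, and `[ $SYS_LOG=="yes" ]`, `[ $TTY_LOG=="yes" ]`, `[ $CHECK_SUID_ROOT=="yes" ]`, `[ $CHECK_WRITABLE=="yes" ]` and `[ $CHECK_UNOWNED=="yes" ]` each collapse into one non-empty word that `[` treats as true, so every scan and every logging path runs regardless of `security.conf`; the intended form is `if [ "$SECURITY_CHECK" = "no" ]; then` and `if [ "$SYS_LOG" = "yes" ]; then` (the `[ $CHECK_SUID_GROUP ]` test is written differently and is true whenever the variable is set at all). The un-owned file branch runs `diff $UNOWNED_YESTERDAY $UNOWNED_TODAY` without the `> $UNOWNED_DIFF` redirection the other three branches use, so its alert points the administrator at a file that is never written. `find $DIR -xdev -nouser -o -nogroup -print -ls` lets `-o` split the expression so `-xdev -nouser` applies only to the left operand; write it as `find $DIR -xdev \( -nouser -o -nogroup \) -ls`. `mkdir /var/log/security` creates the directory with the default umask although the suid and world-writable inventories written there are sensitive; `mkdir -m 700 /var/log/security` would match the `chattr +a` hardening already applied, and `/sbin/initlog --string=$1` should quote its argument so the message is passed as one word.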
diff --git a/cron-sh/promisc_check.sh b/cron-sh/promisc_check.sh
new file mode 100755
index 0000000..fa5b538
--- /dev/null
+++ b/cron-sh/promisc_check.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+if [ -f /etc/security/msec/security.conf ]; then
+ . /etc/security/msec/security.conf
+else
+ exit 1
+fi
+
+PROMISC_CHECK="/usr/bin/promisc_check -q"
+#
+# Check if a network interface is in promisc check...
+# Written by Vandoorselaere Yoann, <yoann@mandrakesoft.com>
+#
+
+LogPromisc() {
+ Syslog "Security warning : $1 is in promiscuous mode. (sniffer running ?)"
+ Ttylog "\\033[1;31mSecurity warning : $1 is in promiscuous mode.\\033[0;39m"
+ Ttylog "\\033[1;31mA sniffer is probably running on your system.\\033[0;39m
+}
+
+if [ -f /etc/security/msec/security.conf ]; then
+ . /etc/security/msec/security.conf
+else
+ exit 1
+fi
+
+if [ CHECK_PROMISC == "no" ]; then
+ exit 0;
+fi
+
+for INTERFACE in `$PROMISC_CHECK`; do
+ LogPromisc $INTERFACE
+done
+
+
+
+
+
+
+
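Review bot: The third line of `LogPromisc` is missing its closing double quote, so the string literal runs to the end of the file and bash rejects the whole script with a syntax error before any check runs; close it as `Ttylog "\\033[1;31mA sniffer is probably running on your system.\\033[0;39m"`. `[ CHECK_PROMISC == "no" ]` compares the literal word rather than the variable (the same defect as in file_check.sh), so the opt-out never takes effect; use `if [ "$CHECK_PROMISC" = "no" ]; then`. `Syslog` and `Ttylog` are not defined in this script — they are defined in file_check.sh — so unless `security.conf` provides them, `LogPromisc` fails with "command not found" exactly when an interface is found in promiscuous mode. The block that sources `/etc/security/msec/security.conf` appears twice; the second copy can be dropped.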
diff --git a/doc/msec.spec b/doc/msec.spec
new file mode 100644
index 0000000..5324cbf
--- /dev/null
+++ b/doc/msec.spec
@@ -0,0 +1,76 @@
+Summary: Security Level & Program for the Linux Mandrake distribution
+Name: msec
+Version: 0.3
+Release: 5mdk
+Source: ftp://mandrakesoft.com/pub/yoann/msec-0.3.tar.gz
+Copyright: GPL
+Group: System Environment/Base
+BuildRoot: /var/tmp/msec
+Requires: /bin/bash setup chkconfig
+
+%description
+The Mandrake-Security package is designed to provide generic
+secure level to the Mandrake-Linux users...
+It will permit you to choose between level 1 to 5 for a
+less -> more secured distribution.
+This packages includes several program that will be run periodically
+in order to test the security of your system and alert you if needed.
+
+%prep
+%setup
+
+%build
+make CFLAGS="$RPM_OPT_FLAGS"
+
+%install
+mkdir -p $RPM_BUILD_ROOT/etc/security/msec/init-sh
+mkdir -p $RPM_BUILD_ROOT/etc/security/msec/cron-sh
+mkdir -p $RPM_BUILD_ROOT/usr/bin
+
+cp init-sh/level*.sh $RPM_BUILD_ROOT/etc/security/msec/init-sh
+cp init-sh/lib.sh $RPM_BUILD_ROOT/etc/security/msec/init-sh
+cp init-sh/init.sh $RPM_BUILD_ROOT/etc/security/msec
+cp init-sh/file_perm.sh $RPM_BUILD_ROOT/etc/security/msec/init-sh
+cp init-sh/perm.[1-5] $RPM_BUILD_ROOT/etc/security/msec/init-sh
+cp init-sh/server.* $RPM_BUILD_ROOT/etc/security/msec/init-sh
+cp cron-sh/*.sh $RPM_BUILD_ROOT/etc/security/msec/cron-sh
+touch $RPM_BUILD_ROOT/etc/security/msec/security.conf
+cp src/promisc_check/promisc_check $RPM_BUILD_ROOT/usr/bin
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(-,root,root)
+/etc/security/msec
+/usr/bin/promisc_check
+
+%changelog
+* Thu Nov 25 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+- Cleaned up tree.
+
+* Thu Nov 25 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+- Removed touched file /-i
+
+* Thu Nov 25 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+- Create rc.firewall to avoid error,
+- Call grpuser with the good path,
+- Call groupadd before usermod.
+
+* Tue Nov 23 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+- New release (0.3) :
+ Now each security level has it's own set of permissions.
+ Add "." at the end of $PATH for level 1.
+ Corrected some grave bug, it should work properly now.
+
+* Thu Nov 18 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+- New release (0.2) :
+ Fixed the path for promisc_check.sh :
+ now /etc/security/msec/cron-sh/promisc_check.sh
+ In level 1 & 2, user is now automagically added to the audio group.
+
+* Tue Nov 16 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+- First packaging attempt :-).
+
+
+
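Review bot: `%files` lists `/etc/security/msec` as a whole, so the empty `security.conf` created by `touch` in `%install` is shipped as an ordinary file and every package upgrade replaces the administrator's edited copy, silently dropping the `CHECK_*` settings the cron scripts read; mark it `%config(noreplace) /etc/security/msec/security.conf`. `BuildRoot: /var/tmp/msec` is a fixed path in a shared, world-writable directory that `%clean` later removes with `rm -rf $RPM_BUILD_ROOT`; the conventional `%{_tmppath}/%{name}-%{version}-root` avoids colliding with files another user may have placed there. The `%install` section copies `cron-sh/*.sh` but nothing here installs a crontab entry, so if the periodic checks described in security.txt are wired up elsewhere, a comment saying where would help the packager.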
diff --git a/doc/security.txt b/doc/security.txt
new file mode 100644
index 0000000..4d22ca5
--- /dev/null
+++ b/doc/security.txt
@@ -0,0 +1,94 @@
+
+****************************
+
+Security level 1 :
+OK - Access to the system as a normal user.
+OK - . in $PATH
+OK - Login as root from the console granted.
+OK - No rules check for password.
+OK - Permission for /dev & /etc = 755
+OK - Permission for /home = 755
+OK - Device are accessible by group. ( ie: the user is automagically added to the audio group, video group & all... ).
+OK - xhost + localhost
+
+****************************
+
+Security level 2 :
+OK - Access to the system as a normal user.
+OK - Login as root from the console granted.
+
+ - No rules check for password.
+ ---> Waiting for Chmouel to verify password...
+
+OK - Device are accessible by group. ( ie: the user is automagically added to the audio group, video group & all... ).
+OK - Permission for /dev & /etc = 755
+OK - Permission for /home = 755
+OK xhost + localhost
+
+****************************
+
+Security level 3 :
+OK - Access to the system as a normal user.
+OK - Login as root from the console denied.
+
+ - Low level rules check on password.
+ ---> Waiting for Chmouel to verify password...
+
+OK - Permission for /dev & /etc = 755
+OK - Permission for /home/* = 750
+OK - Detection of interface in promiscuous mode ( one time a minute )
+
+
+****************************
+
+Security level 4 :
+OK - lilo pass -> only if the user want it .
+- kernel patch -> Secure linux ?
+OK - Access to the system as a normal user.
+OK - Login as root from the console denied.
+
+ - Medium level rules check on password.
+ ---> Waiting for Chmouel to verify password...
+
+OK - Keep track of the suid file, warn when new suid file are detected, in a suid log file.
+OK - Device only accessible by root as a default.
+OK - Deny all kind of connection except from local network.
+OK - Permission for /dev & /etc directories = 755
+OK - Permission for /home = 711
+OK - Permission for /home/* = 750
+OK - Detection of interface in promiscuous mode ( one time a minute )
+
+*****************************
+
+Security level 5 : *Server Only*
+
+OK - lilo pass -> only if the user want it .
+- kernel patch -> Secure linux
+OK - Access to the system as a normal user.
+OK - Login as root from the console denied.
+
+ - High level rules check on password.
+ ---> Waiting for Chmouel to verify password...
+
+OK - Keep track of the suid file, warn when new suid file are detected, in a suid log file.
+OK - Device only accessible by root as a default.
+OK - No server installed by default. ( except maybe the crontab )
+OK - Deny all kind of connection ( hosts.deny -> ALL:ALL:DENY )
+OK - Permission for /dev & /etc directories = 711
+OK - Permission for /home = 711
+OK - Permission for /home/* = 700
+OK - Permission for /tmp = 700
+OK - Detection of interface in promiscuous mode ( one time a minute )
+
+
+
+
+
+*** Future Release : ***
+- Automatic tty locking ( unlock by passwd ) after X time of inactivity.
+
+
+
+
+
+
diff --git a/init-sh/file_perm.sh b/init-sh/file_perm.sh
new file mode 100755
index 0000000..9f76791
--- /dev/null
+++ b/init-sh/file_perm.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+IFS="
+"
+
+for line in `cat /$1`; do
+ file=`echo ${line} | awk '{print $1}'`
+ owner=`echo ${line} | awk '{print $2}'`
+ perm=`echo ${line} | awk '{print $3}'`
+
+ if [ -a "${file}" ]; then
+ if [ ${owner} != "current" ]; then
+ chown ${owner} ${file}
+ fi
+ chmod ${perm} ${file}
+ fi
+done
+
+
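Review bot: The existence test on the `if [ -a "${file}" ]` line quotes the path, so wildcard entries from the perm.N tables such as `/home/*` or `/usr/bin/*` are compared literally, never match and are silently skipped, while the unquoted `chown`/`chmod` below would have expanded them. If the guard is made to expand the pattern, note that `chmod 755` applied to `/usr/bin/*` (perm.1, perm.4, perm.5) or to `/usr/sbin/sendmail` (perm.5) would clear the set-uid bit on su, passwd and similar binaries, so those table entries need a mode that keeps the high bits or a rule that skips set-uid files. Comment and blank lines are also fed through the loop and end up as a file name for `chown`. The loop below expands the pattern once, skips non-matches and comment lines, and quotes each path.
```shell
for line in `cat /$1`; do
    case "${line}" in ''|'#'*) continue;; esac   # skip comments and blank lines
    file=`echo ${line} | awk '{print $1}'`
    owner=`echo ${line} | awk '{print $2}'`
    perm=`echo ${line} | awk '{print $3}'`

    for f in ${file}; do                  # expand a wildcard entry here, once
        [ -e "${f}" ] || continue         # an unmatched pattern stays literal
        if [ ${owner} != "current" ]; then
            chown ${owner} "${f}"
        fi
        chmod ${perm} "${f}"
    done
done
```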
diff --git a/init-sh/grpuser b/init-sh/grpuser
new file mode 100755
index 0000000..408e384
--- /dev/null
+++ b/init-sh/grpuser
@@ -0,0 +1,152 @@
+#!/bin/sh
+
+#
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+# Thanks to Francis Galiegue.
+#
+
+file="group"
+group_line=""
+new_group_line=""
+group_name=$2
+user_name=$3
+
+Usage() {
+ echo "Usage :"
+ echo " --add [ groupname ] [ username ] ---> Add an user to a group."
+ echo " --del [ groupname ] [ username ] ---> Delete an user from a group."
+}
+
+ModifyFile() {
+ mv /etc/${file} /tmp/${file}.old
+
+ head -$((group_line_number - 1)) /tmp/${file}.old > /etc/${file}
+ echo "${new_group_line}" >> /etc/${file}
+ tail +$((group_line_number + 1)) /tmp/${file}.old >> /etc/${file}
+
+ rm -f /tmp/${file}.old
+}
+
+RemoveUserFromGroup() {
+ new_group_line=${group}`echo ${group_users} |
+ sed -e s/,${user_name}$//g -e s/${user_name},//g -e s/${user_name}$//g`
+}
+
+AppendUserToGroup() {
+ if [ -z "${group_users}" ]; then
+ new_group_line=${group_line}${user_name}
+ else
+ new_group_line=${group_line}",${user_name}"
+ fi
+}
+
+IsUserAlreadyInGroup() {
+ if echo "${group_users}" | grep -qw "${user_name}"; then
+ return 1
+ fi
+
+ return 0
+}
+
+IsGroupExisting() {
+ group_line=""
+ group_line_number=""
+
+ # We get some group infos as well, will be used later
+ tmp=`grep -n "^${group_name}:" /etc/${file} | tr -d " "`
+
+ group_line_number=`echo ${tmp} | awk -F: '{print $1}'`
+ group=`echo ${tmp} | awk -F: '{print $2":"$3":"$4":"}'`
+ group_users=`echo ${tmp} | awk -F: '{print $5}'`
+ group_line=`echo ${tmp} | awk -F: '{print $2":"$3":"$4":"$5}'`
+
+ [ -z "${tmp}" ] && return 0
+ return 1
+}
+
+IsUserExisting() {
+ grep -qn "^${user_name}:" /etc/passwd
+ if [ $? == 0 ]; then
+ return 0;
+ fi
+
+ return 1;
+}
+
+Add() {
+ IsGroupExisting;
+ if [ $? == 0 ]; then
+ echo "Sorry, group \"${group_name}\" does not exist."
+ echo "Please create it using the \"groupadd\" command."
+ exit 1
+ fi
+
+ IsUserExisting;
+ if [ $? == 1 ]; then
+ echo "Sorry, user \"${user_name}\" does not exist."
+ exit 1
+ fi
+
+ IsUserAlreadyInGroup;
+ if [ $? == 1 ]; then
+ echo "Sorry, user \"${user_name}\" is already in group \"${group_name}\"."
+ exit 1
+ fi
+
+ AppendUserToGroup;
+ ModifyFile;
+
+ exit 0
+}
+
+Del() {
+ IsGroupExisting;
+ if [ $? == 0 ]; then
+ echo "Sorry, group \"${group_name}\" does not exist."
+ exit 1
+ fi
+
+ IsUserAlreadyInGroup;
+ if [ $? == 0 ]; then
+ echo "Sorry, user \"${user_name}\" is not in group \"${group_name}\"."
+ exit 1
+ fi
+
+ RemoveUserFromGroup;
+ ModifyFile;
+
+ exit 0
+}
+
+Perm() {
+ if [ ! -w /etc/${file} ]; then
+ echo "You're not allowed to write to /etc/group..."
+ exit 1
+ fi
+}
+
+if [ $# == 3 ]; then
+ case $1 in
+ "--add")
+ Perm;
+ Add;
+ exit 0
+ ;;
+ "--del")
+ Perm;
+ Del;
+ exit 0
+ ;;
+ esac
+ Usage;
+ exit 0
+else
+ Usage;
+fi
+
+
+
+
+
+
+
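Review bot: `ModifyFile` moves the live `/etc/group` to the fixed name `/tmp/${file}.old` and rebuilds it in place, so every process on the host is without a group file while `head`/`tail` run, a failure half-way through loses the file, and the new file is created by the `>` redirection with a mode taken from the current umask (the 077 umask that level 5 installs in `/etc/profile` would leave `/etc/group` unreadable to non-root users, breaking logins). A predictable name under the world-writable `/tmp` is also the classic spot where a local user pre-creates something root then trusts. Build the copy next to the original, keep its owner and mode, and rename it over the old file, as below. Separately, `RemoveUserFromGroup` runs `sed -e s/${user_name},//g` without anchors, so deleting user `bob` from `bobby,alice` yields `by,alice`; the membership test on the `grep -qw` line is word-anchored but the edit is not.
```shell
ModifyFile() {
    tmp=`mktemp /etc/${file}.XXXXXX` || exit 1
    cp -p /etc/${file} ${tmp}              # keep the live file's owner and mode
    {
        head -$((group_line_number - 1)) /etc/${file}
        echo "${new_group_line}"
        tail +$((group_line_number + 1)) /etc/${file}
    } > ${tmp}
    mv -f ${tmp} /etc/${file}              # rename is atomic: no window without /etc/group
}
```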
diff --git a/init-sh/init.sh b/init-sh/init.sh
new file mode 100755
index 0000000..4e89cb9
--- /dev/null
+++ b/init-sh/init.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+if [ -z $1 ]; then
+ echo "Usage : $0 [0-5]"
+ exit 1
+fi
+
+
+if [ -f /etc/security/msec/init-sh/level$1.sh ]; then
+ /etc/security/msec/init-sh/level$1.sh
+ if [ -f /etc/security/msec/init-sh/perm.$1 ]; then
+ /etc/security/msec/init-sh/file_perm.sh /etc/security/msec/init-sh/perm.$1
+ else
+ echo "Couldn't find the default permissions for level $1."
+ fi
+else
+ echo "Security level $1 not availlable..."
+fi
+
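Review bot: The level argument is only tested for emptiness (`if [ -z $1 ]`, itself unquoted) although the usage text promises `[0-5]`, so any string is spliced into `/etc/security/msec/init-sh/level$1.sh` and executed as root; validating it up front, `case "$1" in [0-5]) ;; *) echo "Usage : $0 [0-5]"; exit 1;; esac`, keeps the script honest about what it accepts. The two error branches print a message but exit 0, so a caller such as an installer cannot tell that no level was applied; add `exit 1` after each of those `echo` lines.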
diff --git a/init-sh/level1.sh b/init-sh/level1.sh
new file mode 100755
index 0000000..acd0622
--- /dev/null
+++ b/init-sh/level1.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+ . /etc/security/msec/init-sh/lib.sh
+else
+ exit 1
+fi
+
+# login as root on console granted...
+AddRules "tty1" /etc/securetty
+AddRules "tty2" /etc/securetty
+AddRules "tty3" /etc/securetty
+AddRules "tty4" /etc/securetty
+AddRules "tty5" /etc/securetty
+AddRules "tty6" /etc/securetty
+
+# Suid Check
+AddRules "CHECK_SUID=no" /etc/security/msec/security.conf
+AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf
+AddRules "TTY_WARN=no" /etc/security/msec/security.conf
+AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
+
+# umask
+AddRules "umask 022" /etc/profile
+
+# Group
+usermod -G audio "${USERNAME}"
+
+# For X auth :
+xhost + localhost 2>&1 >& /dev/null
+
+# lilo update
+lilo
+
+# Path
+if [ ${HAVE_X}==1 ]; then
+ AddRules "PATH=$PATH:/usr/X11R6/bin:." /etc/profile
+else
+ AddRUles "PATH=$PATH:." /etc/profile
+fi
+
+
+
+
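Review bot: The test `if [ ${HAVE_X}==1 ]` at the bottom of the hunk is a single non-empty word, so it is always true and the `else` branch (which also misspells the helper as `AddRUles`) can never run; the same always-true test is repeated in level2.sh, level3.sh, level4.sh and level5.sh. The intended form is `if [ "${HAVE_X}" = 1 ]; then`. Independently, the branch that does run appends `PATH=$PATH:/usr/X11R6/bin:.` to `/etc/profile`: `$PATH` is expanded now, freezing the PATH of whoever ran the script into every user's profile, and the trailing `.` puts the current directory on every user's search path, a well-known trap that a hardening tool should not install. Writing the rule as `'PATH=$PATH:/usr/X11R6/bin'` (single-quoted, no `.`) avoids both.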
diff --git a/init-sh/level2.sh b/init-sh/level2.sh
new file mode 100755
index 0000000..8d20ea1
--- /dev/null
+++ b/init-sh/level2.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+ . /etc/security/msec/init-sh/lib.sh
+else
+ exit 1
+fi
+
+# login as root on console granted...
+AddRules "tty1" /etc/securetty
+AddRules "tty2" /etc/securetty
+AddRules "tty3" /etc/securetty
+AddRules "tty4" /etc/securetty
+AddRules "tty5" /etc/securetty
+AddRules "tty6" /etc/securetty
+
+# Suid Check
+AddRules "CHECK_SUID=yes" /etc/security/msec/security.conf
+AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf
+AddRules "TTY_WARN=no" /etc/security/msec/security.conf
+AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
+
+# Permissions
+AddRules "umask 002" /etc/profile
+
+# Group
+usermod -G audio ${USERNAME} >& /dev/null
+
+# For X auth :
+xhost + localhost 2>&1 >& /dev/null
+
+# lilo update
+/sbin/lilo
+
+# Path
+if [ ${HAVE_X}==1 ]; then
+ AddRules "PATH=$PATH:/usr/X11R6/bin" /etc/profile
+else
+ AddRules "PATH=$PATH" /etc/profile
+fi
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/init-sh/level3.sh b/init-sh/level3.sh
new file mode 100755
index 0000000..400305a
--- /dev/null
+++ b/init-sh/level3.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+ . /etc/security/msec/init-sh/lib.sh
+else
+ exit 1
+fi
+
+# All events logged on tty12
+AddRules "*.* /dev/tty12" /etc/syslog.conf
+
+# login as root from the console allowed
+AddRules "tty1" /etc/securetty
+AddRules "tty2" /etc/securetty
+AddRules "tty3" /etc/securetty
+AddRules "tty4" /etc/securetty
+AddRules "tty5" /etc/securetty
+AddRules "tty6" /etc/securetty
+
+# Suid Check
+AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
+AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
+AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf
+AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
+AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf
+AddRules "TTY_WARN=no" /etc/security/msec/security.conf
+AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
+
+# Crontab
+AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+
+
+# Permissions
+AddRules "umask 022" /etc/profile
+
+/sbin/lilo
+
+
+# Path
+if [ ${HAVE_X}==1 ]; then
+ AddRules "PATH=$PATH:/usr/X11R6/bin"
+fi
+
+
+
+
+
+
+
+
+
+
+
+
+
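Review bot: `AddRules "PATH=$PATH:/usr/X11R6/bin"` in the last `if` is missing its second argument, so inside `AddRules` `${file}` is empty: `grep -qx` then reads standard input and the `echo ... >> ${file}` fails on an empty redirection target, and the PATH rule is never written at level 3 while the other levels pass `/etc/profile` here. Write it as `AddRules "PATH=$PATH:/usr/X11R6/bin" /etc/profile`; the `[ ${HAVE_X}==1 ]` test around it is a single word and always true, as in the other level scripts.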
diff --git a/init-sh/level4.sh b/init-sh/level4.sh
new file mode 100755
index 0000000..283817a
--- /dev/null
+++ b/init-sh/level4.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+
+if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+ . /etc/security/msec/init-sh/lib.sh
+else
+ exit 1
+fi
+
+# Log in append only mode
+chattr +a /var/log/*
+
+# All events logged on tty12
+AddRules "*.* /dev/tty12" /etc/syslog.conf
+
+# Prevent all kind of connection except from localhost
+AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny
+
+# Login as root on the console allowed :
+AddRules "tty1" /etc/securetty
+AddRules "tty2" /etc/securetty
+AddRules "tty3" /etc/securetty
+AddRules "tty4" /etc/securetty
+AddRules "tty5" /etc/securetty
+AddRules "tty6" /etc/securetty
+
+# Suid check
+AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
+AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
+AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf
+AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
+AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf
+AddRules "TTY_WARN=yes" /etc/security/msec/security.conf
+AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
+
+# Check every 1 minutes for promisc problem
+AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab
+AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+
+# Do you want a password ?
+LiloUpdate;
+/sbin/lilo
+
+# Permissions
+AddRules "umask 022" /etc/profile
+
+# Path
+
+if [ ${HAVE_X}==1 ]; then
+ AddRules "PATH=$PATH:/usr/X11R6/bin" /etc/profile
+fi
+
+
+
+
+
+
+
+
+
+
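Review bot: `chattr +a /var/log/*` (repeated in level5.sh) makes every existing top-level log append-only, which suits `wtmp` but breaks files that are rewritten in place: `lastlog` is updated by seeking to the user's slot, which an append-only file refuses, and log rotation can no longer rename or truncate any of these files, so they grow without bound. Only files present at that moment get the flag; logs created later are unprotected, so the flag promises more integrity than it delivers. Restrict it to an explicit list (e.g. `chattr +a /var/log/messages /var/log/secure /var/log/wtmp`) and document that rotation must clear the flag first, or drop it. The `hosts.deny` rule `ALL:ALL EXCEPT localhost:DENY` is also narrower than the "except from local network" wording in doc/security.txt; one of the two should change.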
diff --git a/init-sh/level5.sh b/init-sh/level5.sh
new file mode 100755
index 0000000..f2b7a55
--- /dev/null
+++ b/init-sh/level5.sh
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+ . /etc/security/msec/init-sh/lib.sh
+fi
+
+chattr +a /var/log/*
+
+# All events logged on tty12
+AddRules "*.* /dev/tty12" /etc/syslog.conf
+
+# Prevent all kind of connection
+AddRules "ALL:ALL:DENY" /etc/hosts.deny
+
+# No login as root
+AddRules "" /etc/securetty
+
+# Suid check
+AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
+AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
+AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf
+AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
+AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf
+AddRules "TTY_WARN=yes" /etc/security/msec/security.conf
+AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
+
+# Check every 1 minutes for promisc problem
+AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab
+AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+
+
+# Wanna a password ?
+LiloUpdate;
+/sbin/lilo
+
+# Disable all server :
+IFS="
+"
+
+for service in `chkconfig --list | awk '{print $1}'`; do
+ if [ "${service}" == "xfs" ]; then
+ if [ ${HAVE_X}==1 ]; then
+ continue;
+ fi
+ fi
+
+ if [ "${service}" == "network" ]; then continue; fi
+ if [ "${service}" == "keytable" ]; then continue; fi
+ if [ "${service}" == "crond" ]; then continue; fi
+ if [ "${service}" == "gpm" ]; then continue; fi
+ if [ "${service}" == "syslog" ]; then continue; fi
+
+
+ chkconfig --del "${service}"
+done
+
+# Permissions
+AddRules "umask 077" /etc/profile
+
+# Path
+if [ ${HAVE_X}==1 ]; then
+ AddRules "PATH=$PATH:/usr/X11R6/bin" /etc/profile
+fi
+
+echo
+echo "You are now running your system in security level 5,"
+echo "All services are disabled : try the chkconfig to enable one..."
+echo "If you're on a senssible machine, ( which is probably the case )"
+echo "you should compile the server from the sources".
+echo
+echo "Good luck. :-)"
+echo
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
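Review bot: The `lib.sh` include at the top has no `else exit 1` branch, unlike the other level scripts, so if the library is missing the script carries on as root with `AddRules` and `LiloUpdate` undefined and still runs the `chkconfig --del` loop that disables every service; add the `else exit 1` for consistency. The keep-list in that loop (`network`, `keytable`, `crond`, `gpm`, `syslog`, `xfs`) is hard-coded even though `init-sh/server.5` ships exactly that list and nothing visible here reads it; `grep -qx "${service}" /etc/security/msec/init-sh/server.5 && continue` would make the list editable in one place. If `chkconfig --list` prints section headers (later versions do, for xinetd services), their first word reaches `chkconfig --del` as well and produces error noise.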
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
new file mode 100644
index 0000000..a48c945
--- /dev/null
+++ b/init-sh/lib.sh
@@ -0,0 +1,175 @@
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+# Need root access
+if [ $UID != 0 ]; then
+ echo "You need to be root in order to change secure level."
+ exit 1
+fi
+
+# To avoid error, while new initscript package isn't released...
+touch /etc/rc.d/rc.firewall
+
+# If we are currently installing our
+# system with DrakX, we don't ask anything to the user...
+# Instead, DrakX do it and give us a file with some variable.
+if [ -f /tmp/secure.DrakX ]; then
+ . /tmp/secure.DrakX
+fi
+
+if [ -f /etc/security/msec/security.conf ]; then
+ . /etc/security/msec/security.conf
+fi
+
+if rpm -q XFree86 2>&1 > /dev/null; then
+ HAVE_X=1
+else
+ HAVE_X=0
+fi
+
+USERNAME="blah"
+COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too."
+
+AddRules () {
+ string=$1
+ file=$2
+
+ if [ -z "${string}" ]; then
+ return;
+ fi
+
+ if ! grep -qx "${string}" ${file}; then
+ echo "${COMMENT}" >> ${file};
+ echo "${string}" >> ${file};
+ fi
+}
+
+CleanRules() {
+ file=$1
+ ctrl=0
+
+ mv -f ${file} /tmp/secure.tmp
+ touch ${file}
+
+ while read line; do
+ if [ ${ctrl} == 1 ]; then
+ ctrl=0
+ continue;
+ fi
+
+ if echo "${line}" | grep -qx "${COMMENT}"; then
+ ctrl=1
+ fi
+
+ if [ ${ctrl} == 0 ]; then
+ echo "${line}" >> ${file}
+ fi
+ done < /tmp/secure.tmp
+
+ rm -f /tmp/secure.tmp
+
+}
+
+CommentUserRules() {
+ file=$1
+
+ mv -f ${file} /tmp/secure.tmp
+ touch ${file}
+
+ while read line; do
+ if ! echo "${line}" | grep -qE "^#"; then
+ echo "# ${line}" >> ${file}
+ fi
+ done < /tmp/secure.tmp
+
+ rm -f /tmp/secure.tmp
+}
+
+Syslog() {
+ if [ "${SYS_LOG}" == "yes" ]; then
+ /sbin/initlog --string=${1}
+ fi
+}
+
+Ttylog() {
+ if [ "${TTY_LOG}" == "yes" ]; then
+ for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do
+ echo -e ${1} > /dev/$i
+ done
+ fi
+}
+
+
+LiloUpdate() {
+ if [ ! -f /tmp/secure.DrakX ]; then
+ echo "Do you want a password authentication at boot time ?"
+ echo "Be very carefull,"
+ echo "this will prevent your server to reboot without an operator to enter password".
+ echo -n "[yes]/no : "
+ read answer
+ if [[ "${answer}" == "yes" || "${answer}" == "" ]]; then
+ echo -n "Please enter the password which will be used at boot time : "
+ read password
+ else
+ password=""
+ fi
+ else
+ password=${DRAKX_PASSWORD}
+ fi
+
+ if [ ! -z "${password}" ]; then
+ mv /etc/lilo.conf /tmp/secure.tmp
+ while read line; do
+ if ! echo "${line}" | grep -q "password"; then
+ echo "${line}" >> /etc/lilo.conf
+ fi
+ done < /etc/secure.tmp
+
+ rm -f /etc/secure.tmp
+ AddRules "password=$PASSWORD" /etc/lilo.conf
+ fi
+}
+
+
+CleanRules /etc/syslog.conf
+
+CleanRules /etc/hosts.deny
+CommentUserRules /etc/hosts.deny
+
+CleanRules /etc/hosts.allow
+CommentUserRules /etc/hosts.allow
+
+CleanRules /etc/securetty
+CommentUserRules /etc/securetty
+
+CleanRules /etc/security/msec/security.conf
+CommentUserRules /etc/security/msec/security.conf
+
+CleanRules /etc/profile
+CleanRules /etc/lilo.conf
+CleanRules /etc/rc.d/rc.firewall
+CleanRules /etc/crontab
+
+
+# For all secure level
+AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall
+
+# default group which must exist on the system
+groupadd audio >& /dev/null
+groupadd xgrp >& /dev/null
+usermod -G xgrp xfs
+
+if ! /etc/security/msec/init-sh/grpuser --del audio "${USERNAME}"; then
+ echo "Problem removing user \"${USERNAME}\" from group audio."
+fi
+
+
+
+
+
+
+
+
+
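Review bot: `LiloUpdate` moves `/etc/lilo.conf` to `/tmp/secure.tmp` but then reads `done < /etc/secure.tmp` and removes `/etc/secure.tmp`, so the loop never runs and the original configuration is lost: afterwards `/etc/lilo.conf` holds only the marker comment and `password=$PASSWORD`, which is empty unless the environment happens to define `PASSWORD` (the value read by `read password` is in `${password}`), and level4.sh and level5.sh then run `/sbin/lilo` on that file. The password is also read with echo on (`read -s password` hides it) and lands in a file that perm.4 leaves group-readable (`root.adm 640`). Earlier in the hunk, `. /tmp/secure.DrakX` sources a file from the world-writable `/tmp` while running as root, so any local user who creates that file before an administrator changes the security level gets their commands executed as root; the installer hand-off should live under `/etc` or `/root` with root ownership checked before sourcing. `Syslog` and `Ttylog` test `SYS_LOG`/`TTY_LOG`, but every level script writes `SYSLOG_WARN`/`TTY_WARN` to security.conf, so neither helper ever fires.
```shell
    if [ ! -z "${password}" ]; then
        tmp=/etc/lilo.conf.msec
        cp -p /etc/lilo.conf ${tmp}               # same directory as the original, not /tmp
        grep -v "password" ${tmp} > /etc/lilo.conf
        rm -f ${tmp}
        AddRules "password=${password}" /etc/lilo.conf
        chmod 600 /etc/lilo.conf                  # the password is stored in clear text
    fi
```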
diff --git a/init-sh/perm.1 b/init-sh/perm.1
new file mode 100644
index 0000000..c63483a
--- /dev/null
+++ b/init-sh/perm.1
@@ -0,0 +1,71 @@
+#
+#
+# - Group for X user
+# - Group for audio user
+# - Group for dialout user
+# - Group for video user
+# Directories /
+# Welcome in Level 1
+###
+
+/bin root.root 755
+/boot root.root 755
+/dev root.root 755
+/dev/audio* root.audio 660
+/dev/dsp* root.audio 660
+/etc/ root.root 755
+/etc/cron.daily/ root.root 755
+/etc/cron.hourly/ root.root 755
+/etc/cron.monthly/ root.root 755
+/etc/cron.weekly/ root.root 755
+/etc/dhcpcd/ root.root 755
+/etc/init.d/ root.root 755
+/etc/profile root.root 644
+/home/ root.root 755
+/home/* current 755
+/lib root.root 755
+/mnt root.root 755
+/root root.root 755
+/sbin root.root 755
+/tmp root.root 1777
+/usr root.root 755
+/usr/* root.root 755
+/usr/X11R6/ root.root 755
+/usr/bin/ root.root 755
+/usr/bin/* root.root 755
+/usr/sbin/ root.root 755
+/var root.root 755
+
+/etc/conf.modules root.root 644
+/etc/crontab root.root 644
+/etc/esd.conf root.root 644
+/etc/ftpaccess root.root 644
+/etc/ftpconversions root.root 644
+/etc/ftpgroups root.root 644
+/etc/ftphosts root.root 644
+/etc/ftpusers root.root 644
+/etc/gettydefs root.root 644
+/etc/hosts.allow root.root 644
+/etc/hosts.deny root.root 644
+/etc/hosts.equiv root.root 644
+/etc/inetd.conf root.root 644
+/etc/inittab root.root 644
+/etc/ld.so.conf root.root 644
+/etc/lilo.conf root.root 644
+/etc/modules.conf root.root 644
+/etc/motd root.root 644
+/etc/printcap root.root 644
+/etc/rc.d/ root.root 755
+/etc/securetty root.root 644
+/etc/sendmail.cf root.root 644
+/etc/ssh_config root.root 644
+/etc/ssh_host_key root.root 644
+/etc/ssh_host_key.pub root.root 644
+/etc/sshd_config root.root 644
+/etc/syslog.conf root.root 644
+/etc/updatedb.conf root.root 644
+
+
+
+
+
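Review bot: `/etc/ssh_host_key root.root 644` makes the SSH host's private key world-readable at level 1, and perm.2 and perm.3 carry the same line; any local user can then copy it and impersonate the host to its clients. perm.4 (`640`) and perm.5 (`600`) already treat it as secret, so `/etc/ssh_host_key root.root 600` belongs in all five tables. The `.pub` entry next to it is correctly public.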
diff --git a/init-sh/perm.2 b/init-sh/perm.2
new file mode 100644
index 0000000..dcaf293
--- /dev/null
+++ b/init-sh/perm.2
@@ -0,0 +1,72 @@
+#
+#
+# - Group for X user
+# - Group for audio user
+# - Group for dialout user
+# - Group for video user
+# Directories /
+# Welcome in Level 2
+###
+
+/bin root.root 755
+/boot root.root 755
+/dev root.root 755
+/dev/audio* root.audio 660
+/dev/dsp* root.audio 660
+/etc/ root.root 755
+/etc/cron.daily/ root.root 755
+/etc/cron.hourly/ root.root 755
+/etc/cron.monthly/ root.root 755
+/etc/cron.weekly/ root.root 755
+/etc/dhcpcd/ root.root 755
+/etc/init.d/ root.root 755
+/etc/profile root.root 644
+/home/ root.root 755
+/home/* current 755
+/lib root.root 755
+/mnt root.root 755
+/root root.root 700
+/sbin root.root 755
+/tmp root.root 1777
+/usr root.root 755
+/usr/* root.root 755
+/usr/X11R6/ root.root 755
+/usr/bin/ root.root 755
+/usr/bin/* root.root 755
+/usr/sbin/ root.root 755
+/var root.root 755
+
+/etc/conf.modules root.root 644
+/etc/crontab root.root 644
+/etc/esd.conf root.root 644
+/etc/ftpaccess root.root 644
+/etc/ftpconversions root.root 644
+/etc/ftpgroups root.root 644
+/etc/ftphosts root.root 644
+/etc/ftpusers root.root 644
+/etc/gettydefs root.root 644
+/etc/hosts.allow root.root 644
+/etc/hosts.deny root.root 644
+/etc/hosts.equiv root.root 644
+/etc/inetd.conf root.root 644
+/etc/inittab root.root 644
+/etc/ld.so.conf root.root 644
+/etc/lilo.conf root.root 644
+/etc/modules.conf root.root 644
+/etc/motd root.root 644
+/etc/printcap root.root 644
+/etc/rc.d/ root.root 755
+/etc/securetty root.root 644
+/etc/sendmail.cf root.root 644
+/etc/ssh_config root.root 644
+/etc/ssh_host_key root.root 644
+/etc/ssh_host_key.pub root.root 644
+/etc/sshd_config root.root 644
+/etc/syslog.conf root.root 644
+/etc/updatedb.conf root.root 644
+
+
+
+
+
+
diff --git a/init-sh/perm.3 b/init-sh/perm.3
new file mode 100644
index 0000000..94d12e7
--- /dev/null
+++ b/init-sh/perm.3
@@ -0,0 +1,68 @@
+#
+#
+# - Group for X user
+# - Group for audio user
+# - Group for dialout user
+# - Group for video user
+# Directories /
+# Welcome in Level 3
+###
+
+/bin root.root 755
+/boot root.root 755
+/dev root.root 755
+/dev/audio* root.audio 660
+/dev/dsp* root.audio 660
+/etc/ root.root 755
+/etc/cron.daily/ root.root 755
+/etc/cron.hourly/ root.root 755
+/etc/cron.monthly/ root.root 755
+/etc/cron.weekly/ root.root 755
+/etc/dhcpcd/ root.root 755
+/etc/init.d/ root.root 755
+/etc/profile root.root 644
+/home/ root.root 755
+/home/* current 700
+/lib root.root 755
+/mnt root.root 755
+/root root.root 700
+/sbin root.root 755
+/tmp root.root 1777
+/usr root.root 755
+/usr/* root.root 755
+/usr/X11R6/ root.root 755
+/usr/bin/ root.root 755
+/usr/bin/* root.root 755
+/usr/sbin/ root.root 755
+/var root.root 755
+
+/etc/conf.modules root.root 644
+/etc/crontab root.root 644
+/etc/esd.conf root.root 644
+/etc/ftpaccess root.root 644
+/etc/ftpconversions root.root 644
+/etc/ftpgroups root.root 644
+/etc/ftphosts root.root 644
+/etc/ftpusers root.root 644
+/etc/gettydefs root.root 644
+/etc/hosts.allow root.root 644
+/etc/hosts.deny root.root 644
+/etc/hosts.equiv root.root 644
+/etc/inetd.conf root.root 644
+/etc/inittab root.root 644
+/etc/ld.so.conf root.root 644
+/etc/lilo.conf root.root 644
+/etc/modules.conf root.root 644
+/etc/motd root.root 644
+/etc/printcap root.root 644
+/etc/rc.d/ root.root 755
+/etc/securetty root.root 644
+/etc/sendmail.cf root.root 644
+/etc/ssh_config root.root 644
+/etc/ssh_host_key root.root 644
+/etc/ssh_host_key.pub root.root 644
+/etc/sshd_config root.root 644
+/etc/syslog.conf root.root 644
+/etc/updatedb.conf root.root 644
+
+
diff --git a/init-sh/perm.4 b/init-sh/perm.4
new file mode 100644
index 0000000..8e422df
--- /dev/null
+++ b/init-sh/perm.4
@@ -0,0 +1,72 @@
+#
+#
+# - Group for X user
+# - Group for audio user
+# - Group for dialout user
+# - Group for video user
+# Welcome in Level 4, aka secure & usable.
+
+/bin root.root 711
+/boot root.root 700
+/dev root.root 711
+/dev/audio* root.audio 600
+/dev/dsp* root.audio 600
+/etc/ root.adm 711
+/etc/conf.modules root.adm 640
+/etc/cron.daily/ root.adm 750
+/etc/cron.hourly/ root.adm 750
+/etc/cron.monthly/ root.adm 750
+/etc/cron.weekly/ root.adm 750
+/etc/crontab root.adm 640
+/etc/dhcpcd/ root.adm 750
+/etc/dhcpcd/* root.adm 640
+/etc/esd.conf root.audio 640
+/etc/ftpaccess root.adm 640
+/etc/ftpconversions root.adm 640
+/etc/ftpgroups root.adm 640
+/etc/ftphosts root.adm 640
+/etc/ftpusers root.adm 640
+/etc/gettydefs root.adm 640
+/etc/hosts.allow root.adm 640
+/etc/hosts.deny root.adm 640
+/etc/hosts.equiv root.adm 640
+/etc/inetd.conf root.adm 640
+/etc/inittab root.adm 640
+/etc/ld.so.conf root.adm 640
+/etc/lilo.conf root.adm 640
+/etc/modules.conf root.adm 640
+/etc/motd root.adm 644
+/etc/printcap root.adm 640
+/etc/profile root.root 644
+/etc/rc.d/ root.adm 640
+/etc/securetty root.adm 640
+/etc/sendmail.cf root.adm 640
+/etc/ssh_config root.root 644
+/etc/ssh_host_key root.adm 640
+/etc/ssh_host_key.pub root.adm 644
+/etc/sshd_config root.adm 640
+/etc/syslog.conf root.adm 640
+/etc/updatedb.conf root.adm 640
+
+/home/ root.adm 751
+/home/* current 700
+/lib root.adm 751
+/mnt root.adm 750
+/root root.root 700
+/sbin root.adm 751
+/tmp root.root 1777
+/usr root.adm 751
+/usr/* root.adm 751
+/usr/X11R6/ root.xgrp 751
+/usr/bin/ root.adm 751
+/usr/bin/* root.root 755
+/usr/sbin/ root.adm 751
+/usr/sbin/* root.root 755
+/var root.root 755
+
+
+
+
+
+
+
diff --git a/init-sh/perm.5 b/init-sh/perm.5
new file mode 100644
index 0000000..1965860
--- /dev/null
+++ b/init-sh/perm.5
@@ -0,0 +1,67 @@
+#
+#
+# - Group for X user
+# - Group for audio user
+# - Group for dialout user
+# - Group for video user
+# Welcome in Level 5, aka paranoid.
+
+/bin root.root 711
+/boot root.root 700
+/dev root.root 711
+/dev/audio* root.audio 600
+/dev/dsp* root.audio 600
+/etc/ root.root 711
+/etc/conf.modules root.root 600
+/etc/cron.daily/ root.root 700
+/etc/cron.hourly/ root.root 700
+/etc/cron.monthly/ root.root 700
+/etc/cron.weekly/ root.root 700
+/etc/crontab root.root 600
+/etc/dhcpcd/ root.root 700
+/etc/dhcpcd/* root.root 600
+/etc/esd.conf root.audio 640
+/etc/ftpaccess root.root 600
+/etc/ftpconversions root.root 600
+/etc/ftpgroups root.root 600
+/etc/ftphosts root.root 600
+/etc/ftpusers root.root 600
+/etc/gettydefs root.root 600
+/etc/hosts.allow root.root 600
+/etc/hosts.deny root.root 600
+/etc/hosts.equiv root.root 600
+/etc/inetd.conf root.root 600
+/etc/inittab root.root 600
+/etc/ld.so.conf root.root 600
+/etc/lilo.conf root.root 600
+/etc/modules.conf root.root 600
+/etc/motd root.root 644
+/etc/printcap root.root 640
+/etc/profile root.root 644
+/etc/rc.d/ root.root 600
+/etc/securetty root.root 600
+/etc/sendmail.cf root.root 600
+/etc/ssh_config root.root 644
+/etc/ssh_host_key root.root 600
+/etc/ssh_host_key.pub root.root 644
+/etc/sshd_config root.root 600
+/etc/syslog.conf root.root 600
+/etc/updatedb.conf root.root 600
+
+/home/ root.root 711
+/home/* current 700
+/lib root.root 711
+/mnt root.root 710
+/root root.root 700
+/sbin root.root 711
+/tmp root.root 1777
+/usr root.root 711
+/usr/* root.root 711
+/usr/X11R6/ root.xgrp 710
+/usr/bin/ root.root 711
+/usr/bin/* root.root 755
+/usr/sbin/ root.root 711
+/usr/sbin/* root.root 700
+/usr/sbin/sendmail root.root 755
+/var root.root 755
+
diff --git a/init-sh/server.4 b/init-sh/server.4
new file mode 100644
index 0000000..044f0bf
--- /dev/null
+++ b/init-sh/server.4
@@ -0,0 +1,6 @@
+crond
+syslog
+keytable
+network
+gpm
+xfs
diff --git a/init-sh/server.5 b/init-sh/server.5
new file mode 100644
index 0000000..044f0bf
--- /dev/null
+++ b/init-sh/server.5
@@ -0,0 +1,6 @@
+crond
+syslog
+keytable
+network
+gpm
+xfs
diff --git a/src/promisc_check/Makefile b/src/promisc_check/Makefile
new file mode 100644
index 0000000..b7bb4e9
--- /dev/null
+++ b/src/promisc_check/Makefile
@@ -0,0 +1,13 @@
+CC=gcc
+NAME=promisc_check
+
+CFLAGS = -ggdb -Wall -Wmissing-prototypes -Wmissing-declarations \
+-Wpointer-arith -m486 -O2 -finline-functions -fkeep-inline-functions
+
+OBJ=promisc_check.o
+
+promisc_check: $(OBJ)
+ $(CC) $(OBJ) -o $(NAME)
+
+install:
+ cp $(NAME) /usr/bin
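Review bot: `-m486` in `CFLAGS` ties the build to 32-bit x86 and is likely rejected by compilers for other targets, and `-fkeep-inline-functions` only enlarges the binary; `-ggdb -Wall -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -O2` is the portable subset. The `install` target copies with `cp` into a hard-coded `/usr/bin`, so mode and owner are whatever the build user had; `install -m 755 $(NAME) $(DESTDIR)/usr/bin` sets them explicitly and lets packaging redirect the destination. There is also no `clean` target, so `promisc_check.o` is never removed.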
diff --git a/src/promisc_check/promisc_check.c b/src/promisc_check/promisc_check.c
new file mode 100644
index 0000000..411fe12
--- /dev/null
+++ b/src/promisc_check/promisc_check.c
@@ -0,0 +1,137 @@
+/*****************************************************************************
+ * Mandrake Security *
+ * Written by Vandoorselaere Yoann *
+ * (C) 1999, Mandrakesoft *
+ *****************************************************************************/
+
+/*****
+*
+* Copyright (C) 1999 Mandrakesoft
+* All Rights Reserved
+*
+* This file is part of the Mandrake Security program.
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2, or (at your option)
+* any later version.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; see the file COPYING. If not, write to
+* the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
+*
+*****/
+
+/*
+ * This program will verify each interface on the machine to
+ * see if one of them is in promisc state.
+ *
+ * In this program, buf is an array containing many structure ifreq...
+ * this allow you to print out :
+ * ( BUFSIZ / sizeof(struct ifreq )) number of ether card configuration.
+ */
+
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <net/if.h>
+
+static int quiet_mode = 0;
+
+void usage(void);
+void check_args(int argc, char **argv);
+void PrintResult(struct ifreq *ifr);
+
+int main(int argc, char **argv)
+{
+ struct ifconf ifc;
+ char buf[BUFSIZ], *ptr, *ptr_end;
+ int ret, sock;
+
+ check_args(argc, argv);
+
+ sock = socket(AF_INET, SOCK_DGRAM, 0);
+ if (sock < 0) {
+ perror("socket");
+ exit(1);
+ }
+
+ ifc.ifc_len = sizeof(buf);
+ ifc.ifc_buf = buf;
+
+ ret = ioctl(sock, SIOCGIFCONF, (char *) &ifc);
+ if (ret < 0) {
+ perror("ioctl: SIOCGIFCONF");
+ exit(1);
+ }
+
+ ptr_end = buf + ifc.ifc_len;
+ for (ptr = ifc.ifc_buf; ptr < ptr_end; ptr += sizeof(struct ifreq)) {
+ struct ifreq *ifr;
+
+ ifr = (struct ifreq *) ptr;
+
+ ret = ioctl(sock, SIOCGIFFLAGS, (char *) ifr);
+ if (ret < 0) {
+ perror("ioctl : SIOCGIFFLAGS");
+ exit(1);
+ }
+
+ PrintResult(ifr);
+ }
+
+ close(sock);
+ exit(0);
+}
+
+void PrintResult(struct ifreq *ifr)
+{
+ if (quiet_mode == 0) {
+ if ((ifr->ifr_flags & IFF_PROMISC) != 0)
+ printf("%s : Promiscuous mode detected.\n",
+ ifr->ifr_name);
+ else
+ printf("%s : Not in promiscuous mode.\n",
+ ifr->ifr_name);
+ } else {
+ if ((ifr->ifr_flags & IFF_PROMISC) != 0)
+ printf("%s\n", ifr->ifr_name);
+ }
+}
+
+
+
+void check_args(int argc, char **argv)
+{
+ while (1) {
+ int c;
+
+ c = getopt(argc, argv, "qh");
+ if (c == -1)
+ break;
+
+ switch (c) {
+ case 'q':
+ quiet_mode = 1;
+ break;
+ case 'h':
+ usage();
+ exit(0);
+ default:
+ exit(1);
+ }
+ }
+}
+
+void usage(void)
+{
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr,
+ "\t-q Quiet mode ( only report interface name ).\n\n");
+}
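Review bot: `exit()` is called throughout `main` and `check_args` without `#include <stdlib.h>`, an implicit declaration that C99 forbids and that the `-Wall` build in the Makefile only warns about; add the include. The `BUFSIZ`-sized `buf` handed to SIOCGIFCONF is never checked for truncation: when the interface list does not fit, the kernel returns only the part that fits and the remaining interfaces are silently not examined, which is exactly the failure mode a promiscuous-mode monitor must not have. On Linux a first SIOCGIFCONF call with `ifc.ifc_buf = NULL` reports the required `ifc_len`, so the buffer can be sized (or at least the truncation reported on stderr) before the real call. SIOCGIFCONF also lists only interfaces that have an IPv4 address, so an interface brought up without one is never checked; walking `/proc/net/dev` or `if_nameindex()` for the names and issuing SIOCGIFFLAGS per name would cover every interface. The exit status should reflect whether any promiscuous interface was found, so the cron wrapper does not have to parse the output.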