diff options
| -rw-r--r-- | ChangeLog | 1 | ||||
| -rw-r--r-- | doc/security.txt | 4 | ||||
| -rwxr-xr-x | init-sh/custom.sh | 46 |
3 files changed, 48 insertions, 3 deletions
@@ -1,5 +1,6 @@ 2000-01-04 Yoann Vandoorselaere <yoann@mandrakesoft.com> * shutdown.allow is 600 in level 4/5; 644 else. + * updated doc/security.txt 2000-01-03 Yoann Vandoorselaere <yoann@mandrakesoft.com> * level 0-3 -> ctrl-alt-del allowed. diff --git a/doc/security.txt b/doc/security.txt index 86c101c..ff1280b 100644 --- a/doc/security.txt +++ b/doc/security.txt @@ -74,6 +74,7 @@ Security level 4 ( Aka Secured system ) : chkconfig ). - Ask for a boot password ( if the user want ). - Connection to the system denyied for all except localhost. +- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ). ******************************* Security level 5 ( Aka Paranoid system ) : @@ -97,11 +98,12 @@ Security level 5 ( Aka Paranoid system ) : - Highly restricted file permission - All system events additionally logged to /dev/tty12 - System security check every midnight ( crontab ). -* - Services not contained in /etc/security/msec/init-sh/server.5 are disabled ( +- Services not contained in /etc/security/msec/init-sh/server.5 are disabled ( considered as not really secure ) ( but the user can reenable it with chkconfig ). - Ask for a boot password ( if the user want ). - Connection to the system denyied for all. +- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ) . ****************** diff --git a/init-sh/custom.sh b/init-sh/custom.sh index 99154f9..057a288 100755 --- a/init-sh/custom.sh +++ b/init-sh/custom.sh @@ -9,7 +9,6 @@ if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then . /etc/security/msec/init-sh/lib.sh fi - clear ### @@ -20,6 +19,21 @@ if [[ ${answer} == yes ]]; then fi ### +echo "Do you want to only allow ctrl-alt-del if root is logged locally ?" +echo "( or if an user present in /etc/shutdown.allow is logged locally )" +WaitAnswer; clear +tmpfile=`mktemp tmp/secure.XXXXXX` +cp /etc/inittab ${tmpfile} +if [[ ${answer} == yes ]]; then + cat ${tmpfile} | \ + sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab +else + cat ${tmpfile} | \ + sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab +fi +rm -f ${tmpfile} + +### echo "Do you want to deny any machine to connect to yours ?" WaitAnswer if [[ ${answer} == yes ]]; then @@ -36,7 +50,7 @@ fi echo "Do you want root console login to be allowed ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then - AddRules "tty1" /etc/securetty quiet +g AddRules "tty1" /etc/securetty quiet AddRules "tty2" /etc/securetty quiet AddRules "tty3" /etc/securetty quiet AddRules "tty4" /etc/securetty quiet @@ -117,6 +131,34 @@ if [[ ${answer} == yes ]]; then fi ### +echo "Do you want security report to be done directly on the console ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "TTY_WARN=yes" /etc/security/msec/security.conf +else + AddRules "TTY_WARN=no" /etc/security/msec/security.conf +fi +### + +echo "Do you want security report to be done in syslog ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf +else + AddRules "SYSLOG_WARN=no" /etc/security/msec/security.conf +fi +### + +echo "Do you want security report to be done by mail ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf +else + AddRules "MAIL_WARN=no" /etc/security/msec/security.conf +fi +### + + LiloUpdate; /sbin/lilo >& /dev/null |