Diffstat (limited to 'doc')
-rw-r--r-- doc/security.txt 179
1 files changed, 112 insertions, 67 deletions
diff --git a/doc/security.txt b/doc/security.txt
index 4d22ca5..ae44383 100644
--- a/doc/security.txt
+++ b/doc/security.txt
@@ -1,84 +1,127 @@
-
****************************
-
Security level 1 :
-OK - Access to the system as a normal user.
-OK - . in $PATH
-OK - Login as root from the console granted.
-OK - No rules check for password.
-OK - Permission for /dev & /etc = 755
-OK - Permission for /home = 755
-OK - Device are accessible by group. ( ie: the user is automagically added to the audio group, video group & all... ).
-OK - xhost + localhost
-****************************
+- Global security check.
+- umask is 002 ( user = read,write | greoup = read,write | other = read )
+- easy file permission.
+- localhost authorized to connect to X display.
+- User in audio group.
+- . in $PATH
+- Warning in /var/log/security.log
+****************************
Security level 2 :
-OK - Access to the system as a normal user.
-OK - Login as root from the console granted.
- - No rules check for password.
- ---> Waiting for Chmouel to verify password...
+- Global security check
+- Suid root file check
+- Suid root file md5sum check
+- Writeable file check
+- Warning directly on tty
+- Warning in syslog
+- Warning in /var/log/security.log
-OK - Device are accessible by group. ( ie: the user is automagically added to the audio group, video group & all... ).
-OK - Permission for /dev & /etc = 755
-OK - Permission for /home = 755
-OK xhost + localhost
+- umask is 022 ( user = read,write | group = read | other = read )
+- easy file permission.
+- localhost authorized to connect to X display.
+- User in audio group.
****************************
-
-Security level 3 :
-OK - Access to the system as a normal user.
-OK - Login as root from the console denied.
-
- - Low level rules check on password.
- ---> Waiting for Chmouel to verify password...
-
-OK - Permission for /dev & /etc = 755
-OK - Permission for /home/* = 750
-OK - Detection of interface in promiscuous mode ( one time a minute )
-
+Security level 3 ( Aka normal system ) :
+
+- Global security check
+- Permissions check
+- Suid root file check
+- Suid root file md5sum check
+- Suid group file check
+- Writeable file check
+- Unowned file check
+- Promiscuous check
+- Listening port check
+- Passwd file integrity check
+- Shadow file integrity check
+- Warning in syslog
+- Warning in /var/log/security.log
+
+- umask is 022 ( user = read,write | group = read | other = read )
+- Normal file permission.
+- All system events additionally logged to /dev/tty12
+- Some system security check launched every midnight from the ( crontab ).
****************************
-
-Security level 4 :
-OK - lilo pass -> only if the user want it .
-- kernel patch -> Secure linux ?
-OK - Access to the system as a normal user.
-OK - Login as root from the console denied.
-
- - Medium level rules check on password.
- ---> Waiting for Chmouel to verify password...
-
-OK - Keep track of the suid file, warn when new suid file are detected, in a suid log file.
-OK - Device only accessible by root as a default.
-OK - Deny all kind of connection except from local network.
-OK - Permission for /dev & /etc directories = 755
-OK - Permission for /home = 711
-OK - Permission for /home/* = 750
-OK - Detection of interface in promiscuous mode ( one time a minute )
-
-*****************************
-
-Security level 5 : *Server Only*
+Security level 4 ( Aka Secured system ) :
+
+- Global security check
+- Permissions check
+- Suid root file check
+- Suid root file md5sum check
+- Suid group file check
+- Writeable file check
+- Unowned file check
+- Promiscuous check
+- Listening port check
+- Passwd file integrity check
+- Shadow file integrity check
+- Warning in syslog
+- Warning in /var/log/security.log
+- Warning directly on tty
+
+- umask 022 ( user = read,write | group = read | other = read ) for root
+- umask 077 ( user = read,write | group = | other = ) for normal users
+- restricted file permissions.
+- All system events additionally logged to /dev/tty12
+- System security check every midnight ( crontab ).
+* - Services not contained in /etc/security/msec/init-sh/server.4 are disabled (
+ considered as not really secure ) ( but the user can reenable it with
+ chkconfig ).
+- Ask for a boot password ( if the user want ).
+- Connection to the system denyied for all except localhost.
+
+*******************************
+Security level 5 ( Aka Paranoid system ) :
+
+- Global security check
+- Permissions check
+- Suid root file check
+- Suid root file md5sum check
+- Suid group file check
+- Writeable file check
+- Unowned file check
+- Promiscuous check
+- Listening port check
+- Passwd file integrity check
+- Shadow file integrity check
+- Warning in syslog
+- Warning in /var/log/security.log
+- Warning directly on tty
+
+- umask 077 ( user = read,write | group = | other = )
+- Highly restricted file permission
+- All system events additionally logged to /dev/tty12
+- System security check every midnight ( crontab ).
+* - Services not contained in /etc/security/msec/init-sh/server.5 are disabled (
+ considered as not really secure ) ( but the user can reenable it with
+ chkconfig ).
+- Ask for a boot password ( if the user want ).
+- Connection to the system denyied for all.
+
+******************
+
+* level4/level5 : "services disabled" explanations :
+
+- Some server aren't really considered as secure,
+ these one, should for exemple be compiled from sources.
+ server considered as secure are specified in /etc/security/msec/init-sh/server.4/5
+
+ When enabling level4/5, all server which aren't considered as secure are
+ disabled ( NOT uninstalled, just disabled ) user can reenable them using the
+ chkconfig utility ( server will be launched at next boot ).
-OK - lilo pass -> only if the user want it .
-- kernel patch -> Secure linux
-OK - Access to the system as a normal user.
-OK - Login as root from the console denied.
+ In these level, we are also denying rpm to enable any server considered as insecure
+ ( off course rpm can install the server ).
+ The user have the choise : chkconfig --add servername will enable the server.
+ Or add the server in the secured server list
- - High level rules check on password.
- ---> Waiting for Chmouel to verify password...
-OK - Keep track of the suid file, warn when new suid file are detected, in a suid log file.
-OK - Device only accessible by root as a default.
-OK - No server installed by default. ( except maybe the crontab )
-OK - Deny all kind of connection ( hosts.deny -> ALL:ALL:DENY )
-OK - Permission for /dev & /etc directories = 711
-OK - Permission for /home = 711
-OK - Permission for /home/* = 700
-OK - Permission for /tmp = 700
-OK - Detection of interface in promiscuous mode ( one time a minute )
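Review bot: The new per-level lists replace the concrete modes the old text documented (for example "Permission for /home = 711", "Permission for /home/* = 750", "Permission for /tmp = 700") with the unquantified labels "easy file permission", "Normal file permission", "restricted file permissions" and "Highly restricted file permission", so this file no longer tells an administrator what each level actually sets. Please list the modes per level or name the file that defines them. The removed entries for root login from the console and for password rule checks have no replacement at any level, so it is unclear whether those behaviours were dropped or are simply undocumented now. Level 3 omits "Warning directly on tty" although level 2 and levels 4 and 5 list it, which looks like an oversight. In the level4/level5 explanation, the statement that rpm is denied from enabling a server sits next to "chkconfig --add servername will enable the server"; say explicitly that a manual chkconfig call or an entry in the secured server list is the only way to enable it. Spelling in the added lines: "greoup", "denyied", "exemple", "off course", "choise".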
@@ -86,6 +129,8 @@ OK - Detection of interface in promiscuous mode ( one time a minute )
*** Future Release : ***
- Automatic tty locking ( unlock by passwd ) after X time of inactivity.
+- In high security level, only user having access to group "sugrp" can use the su command.
+***
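Review bot: The added Future Release line says "In high security level" without naming the levels it applies to, while the rest of the file always refers to levels by number (level4/level5); state which levels will restrict su. "user having access to group "sugrp"" is also ambiguous; if group membership is meant, write "only members of group "sugrp"".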