diff options
Diffstat (limited to 'init-sh/level5.sh')
-rwxr-xr-x | init-sh/level5.sh | 178 |
1 files changed, 0 insertions, 178 deletions
diff --git a/init-sh/level5.sh b/init-sh/level5.sh deleted file mode 100755 index 070c770..0000000 --- a/init-sh/level5.sh +++ /dev/null @@ -1,178 +0,0 @@ -#!/bin/bash - -# -# Security level implementation... -# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> -# - -if [[ -f /usr/share/msec/lib.sh ]]; then - . /usr/share/msec/lib.sh -else - echo "Can't find /usr/share/msec/lib.sh, exiting." - exit 1 -fi - -echo -e "Changing attribute of /var/log/* to append only...\n" - -# All events logged on tty12 -echo "Loging all messages on tty12 : " -AddRules "*.* /dev/tty12" /etc/syslog.conf - -# Prevent all kind of connection -echo "Denying all kind of connection : " -AddRules "ALL:ALL:DENY" /etc/hosts.deny - -# No login as root -echo "Login as root is denied : " -echo "Modified file : /etc/securetty..." -echo -e "done.\n\n" - -# Security check -echo "Updating file check variable : " -echo -e "\t- Check security : yes." - AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check important permissions : yes." - AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid root file : yes." - AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid root file integrity (backdoor check) : yes." - AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid group file : yes." - AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check world writable file : yes." - AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check unowned file : yes." - AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check promiscuous mode : yes." - AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check listening port : yes." - AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check passwd file integrity : yes." - AddRules "CHECK_PASSWD=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check shadow file integrity : yes." - AddRules "CHECK_SHADOW=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning on tty : yes." - AddRules "TTY_WARN=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning by mail : yes." - AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf quiet - AddRules "MAIL_USER=root" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning in syslog : yes." - AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf -# end security check - -################ Crontab things ################### -# Check every 1 minutes for promisc problem -echo "Adding promisc check in crontab (scheduled every minutes) :" -AddRules "*/1 * * * * root /usr/share/msec/promisc_check.sh" /etc/crontab - -echo "Adding \"diff\" & \"global\" security check in crontab (scheduled every midnight) :" -AddRules "0 4 * * * root /usr/share/msec/security.sh" /etc/crontab - -################################################### - -# setup BSD accounting. - -echo "Setting up BSD process accounting..." -if [[ -f /sbin/accton ]]; then - AddRules "touch /var/log/security/pacct.log" /etc/rc.d/rc.local - AddRules "/sbin/accton /var/log/security/pacct.log" /etc/rc.d/rc.local - AddRules "/var/log/security/pacct.log {" /etc/logrotate.conf - AddRules " postrotate" /etc/logrotate.conf - AddRules " /sbin/accton /var/log/security/pacct.log" /etc/logrotate.conf - AddRules " }" /etc/logrotate.conf - touch /var/log/security/pacct.log - chown root.root /var/log/security/pacct.log - chmod 600 /var/log/security/pacct.log - /sbin/accton /var/log/security/pacct.log -fi - -# Wanna password ? -LoaderUpdate; - -# Disable all server : -export SECURE_LEVEL=4 -echo "Setting secure level variable to 5 :" -AddRules "SECURE_LEVEL=5" /etc/sysconfig/msec - -IFS=" -" - -export SECURE_LEVEL=5 -echo -n "Disabling all service, except : {" -for service in `chkconfig --list | awk '{print $1}'`; do - if grep -qx ${service} /etc/security/msec/server.5; then - echo -n " ${service}" - fi -done -echo " } : " - -for service in `chkconfig --list | awk '{print $1}'`; do - chkconfig --del "${service}" - if ! chkconfig --msec --add "${service}"; then - echo -e "\t- Services ${service} scheduled to be disabled at next boot." - fi -done -echo -e "done.\n"; - -echo "Setting umask to 077 (u=rw) :" -AddRules "UMASK_ROOT=077" /etc/sysconfig/msec -AddRules "UMASK_USER=077" /etc/sysconfig/msec - -if [[ -f /lib/libsafe.so.2 ]]; then - echo "Enabling stack overflow protection :" - AddRules "/lib/libsafe.so.2" /etc/ld.so.preload -fi - -# Console timeout -echo "Setting console timeout :" -AddRules "TMOUT=180" /etc/sysconfig/msec - -# No history file -echo "No history file :" -AddRules "HISTFILESIZE=0" /etc/sysconfig/msec - -# Ip spoofing protection -echo "IP spoofing protection :" -AddRules "nospoof on" /etc/host.conf -AddRules "spoofalert on" /etc/host.conf - -# icmp echo -echo "Ignoring icmp echo :" -AddRules "net.ipv4.icmp_echo_ignore_all=1" /etc/sysctl.conf -AddRules "net.ipv4.icmp_echo_ignore_broadcasts=1" /etc/sysctl.conf - -# bad error -echo "Enabling bad error message Protection :" -AddRules "net.ipv4.icmp_ignore_bogus_error_responses=1" /etc/sysctl.conf - -# log strange packets -echo "Enabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :" -AddRules "net.ipv4.conf.all.log_martians=1" /etc/sysctl.conf - -LoadSysctl - -# issues -echo "Removing /etc/issue and /etc/issue.net :" -RemoveIssue -RemoveIssueNet - -# Do not boot on a shell -ForbidReboot -ForbidAutologin - -echo -echo "You are now running your system in security level 5," -echo "All services are disabled : try the chkconfig to enable one..." -echo "If you're on a senssible machine, ( which is probably the case )" -echo "you should compile the server from the sources". -echo -echo "In order to launch X in this security level," -echo "you need to add your user to the \"xgrp\" group..." -echo "Use : usermod -G xgrp username" -echo - -# Group were modified in lib.sh... -grpconv - -ForbidUserList -RootSshLogin 5 |