diff options
Diffstat (limited to 'init-sh')
| -rwxr-xr-x | init-sh/file_perm.sh | 19 | ||||
| -rwxr-xr-x | init-sh/grpuser | 152 | ||||
| -rwxr-xr-x | init-sh/init.sh | 19 | ||||
| -rwxr-xr-x | init-sh/level1.sh | 49 | ||||
| -rwxr-xr-x | init-sh/level2.sh | 57 | ||||
| -rwxr-xr-x | init-sh/level3.sh | 60 | ||||
| -rwxr-xr-x | init-sh/level4.sh | 67 | ||||
| -rwxr-xr-x | init-sh/level5.sh | 96 | ||||
| -rw-r--r-- | init-sh/lib.sh | 175 | ||||
| -rw-r--r-- | init-sh/perm.1 | 71 | ||||
| -rw-r--r-- | init-sh/perm.2 | 72 | ||||
| -rw-r--r-- | init-sh/perm.3 | 68 | ||||
| -rw-r--r-- | init-sh/perm.4 | 72 | ||||
| -rw-r--r-- | init-sh/perm.5 | 67 | ||||
| -rw-r--r-- | init-sh/server.4 | 6 | ||||
| -rw-r--r-- | init-sh/server.5 | 6 |
16 files changed, 1056 insertions, 0 deletions
diff --git a/init-sh/file_perm.sh b/init-sh/file_perm.sh new file mode 100755 index 0000000..9f76791 --- /dev/null +++ b/init-sh/file_perm.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +IFS=" +" + +for line in `cat /$1`; do + file=`echo ${line} | awk '{print $1}'` + owner=`echo ${line} | awk '{print $2}'` + perm=`echo ${line} | awk '{print $3}'` + + if [ -a "${file}" ]; then + if [ ${owner} != "current" ]; then + chown ${owner} ${file} + fi + chmod ${perm} ${file} + fi +done + + diff --git a/init-sh/grpuser b/init-sh/grpuser new file mode 100755 index 0000000..408e384 --- /dev/null +++ b/init-sh/grpuser @@ -0,0 +1,152 @@ +#!/bin/sh + +# +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# Thanks to Francis Galiegue. +# + +file="group" +group_line="" +new_group_line="" +group_name=$2 +user_name=$3 + +Usage() { + echo "Usage :" + echo " --add [ groupname ] [ username ] ---> Add an user to a group." + echo " --del [ groupname ] [ username ] ---> Delete an user from a group." +} + +ModifyFile() { + mv /etc/${file} /tmp/${file}.old + + head -$((group_line_number - 1)) /tmp/${file}.old > /etc/${file} + echo "${new_group_line}" >> /etc/${file} + tail +$((group_line_number + 1)) /tmp/${file}.old >> /etc/${file} + + rm -f /tmp/${file}.old +} + +RemoveUserFromGroup() { + new_group_line=${group}`echo ${group_users} | + sed -e s/,${user_name}$//g -e s/${user_name},//g -e s/${user_name}$//g` +} + +AppendUserToGroup() { + if [ -z "${group_users}" ]; then + new_group_line=${group_line}${user_name} + else + new_group_line=${group_line}",${user_name}" + fi +} + +IsUserAlreadyInGroup() { + if echo "${group_users}" | grep -qw "${user_name}"; then + return 1 + fi + + return 0 +} + +IsGroupExisting() { + group_line="" + group_line_number="" + + # We get some group infos as well, will be used later + tmp=`grep -n "^${group_name}:" /etc/${file} | tr -d " "` + + group_line_number=`echo ${tmp} | awk -F: '{print $1}'` + group=`echo ${tmp} | awk -F: '{print $2":"$3":"$4":"}'` + group_users=`echo ${tmp} | awk -F: '{print $5}'` + group_line=`echo ${tmp} | awk -F: '{print $2":"$3":"$4":"$5}'` + + [ -z "${tmp}" ] && return 0 + return 1 +} + +IsUserExisting() { + grep -qn "^${user_name}:" /etc/passwd + if [ $? == 0 ]; then + return 0; + fi + + return 1; +} + +Add() { + IsGroupExisting; + if [ $? == 0 ]; then + echo "Sorry, group \"${group_name}\" does not exist." + echo "Please create it using the \"groupadd\" command." + exit 1 + fi + + IsUserExisting; + if [ $? == 1 ]; then + echo "Sorry, user \"${user_name}\" does not exist." + exit 1 + fi + + IsUserAlreadyInGroup; + if [ $? == 1 ]; then + echo "Sorry, user \"${user_name}\" is already in group \"${group_name}\"." + exit 1 + fi + + AppendUserToGroup; + ModifyFile; + + exit 0 +} + +Del() { + IsGroupExisting; + if [ $? == 0 ]; then + echo "Sorry, group \"${group_name}\" does not exist." + exit 1 + fi + + IsUserAlreadyInGroup; + if [ $? == 0 ]; then + echo "Sorry, user \"${user_name}\" is not in group \"${group_name}\"." + exit 1 + fi + + RemoveUserFromGroup; + ModifyFile; + + exit 0 +} + +Perm() { + if [ ! -w /etc/${file} ]; then + echo "You're not allowed to write to /etc/group..." + exit 1 + fi +} + +if [ $# == 3 ]; then + case $1 in + "--add") + Perm; + Add; + exit 0 + ;; + "--del") + Perm; + Del; + exit 0 + ;; + esac + Usage; + exit 0 +else + Usage; +fi + + + + + + + diff --git a/init-sh/init.sh b/init-sh/init.sh new file mode 100755 index 0000000..4e89cb9 --- /dev/null +++ b/init-sh/init.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +if [ -z $1 ]; then + echo "Usage : $0 [0-5]" + exit 1 +fi + + +if [ -f /etc/security/msec/init-sh/level$1.sh ]; then + /etc/security/msec/init-sh/level$1.sh + if [ -f /etc/security/msec/init-sh/perm.$1 ]; then + /etc/security/msec/init-sh/file_perm.sh /etc/security/msec/init-sh/perm.$1 + else + echo "Couldn't find the default permissions for level $1." + fi +else + echo "Security level $1 not availlable..." +fi + diff --git a/init-sh/level1.sh b/init-sh/level1.sh new file mode 100755 index 0000000..acd0622 --- /dev/null +++ b/init-sh/level1.sh @@ -0,0 +1,49 @@ +#!/bin/bash + +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +if [ -f /etc/security/msec/init-sh/lib.sh ]; then + . /etc/security/msec/init-sh/lib.sh +else + exit 1 +fi + +# login as root on console granted... +AddRules "tty1" /etc/securetty +AddRules "tty2" /etc/securetty +AddRules "tty3" /etc/securetty +AddRules "tty4" /etc/securetty +AddRules "tty5" /etc/securetty +AddRules "tty6" /etc/securetty + +# Suid Check +AddRules "CHECK_SUID=no" /etc/security/msec/security.conf +AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf +AddRules "TTY_WARN=no" /etc/security/msec/security.conf +AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf + +# umask +AddRules "umask 022" /etc/profile + +# Group +usermod -G audio "${USERNAME}" + +# For X auth : +xhost + localhost 2>&1 >& /dev/null + +# lilo update +lilo + +# Path +if [ ${HAVE_X}==1 ]; then + AddRules "PATH=$PATH:/usr/X11R6/bin:." /etc/profile +else + AddRUles "PATH=$PATH:." /etc/profile +fi + + + + diff --git a/init-sh/level2.sh b/init-sh/level2.sh new file mode 100755 index 0000000..8d20ea1 --- /dev/null +++ b/init-sh/level2.sh @@ -0,0 +1,57 @@ +#!/bin/bash + +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +if [ -f /etc/security/msec/init-sh/lib.sh ]; then + . /etc/security/msec/init-sh/lib.sh +else + exit 1 +fi + +# login as root on console granted... +AddRules "tty1" /etc/securetty +AddRules "tty2" /etc/securetty +AddRules "tty3" /etc/securetty +AddRules "tty4" /etc/securetty +AddRules "tty5" /etc/securetty +AddRules "tty6" /etc/securetty + +# Suid Check +AddRules "CHECK_SUID=yes" /etc/security/msec/security.conf +AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf +AddRules "TTY_WARN=no" /etc/security/msec/security.conf +AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf + +# Permissions +AddRules "umask 002" /etc/profile + +# Group +usermod -G audio ${USERNAME} >& /dev/null + +# For X auth : +xhost + localhost 2>&1 >& /dev/null + +# lilo update +/sbin/lilo + +# Path +if [ ${HAVE_X}==1 ]; then + AddRules "PATH=$PATH:/usr/X11R6/bin" /etc/profile +else + AddRules "PATH=$PATH" /etc/profile +fi + + + + + + + + + + + + diff --git a/init-sh/level3.sh b/init-sh/level3.sh new file mode 100755 index 0000000..400305a --- /dev/null +++ b/init-sh/level3.sh @@ -0,0 +1,60 @@ +#!/bin/bash + +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +if [ -f /etc/security/msec/init-sh/lib.sh ]; then + . /etc/security/msec/init-sh/lib.sh +else + exit 1 +fi + +# All events logged on tty12 +AddRules "*.* /dev/tty12" /etc/syslog.conf + +# login as root from the console allowed +AddRules "tty1" /etc/securetty +AddRules "tty2" /etc/securetty +AddRules "tty3" /etc/securetty +AddRules "tty4" /etc/securetty +AddRules "tty5" /etc/securetty +AddRules "tty6" /etc/securetty + +# Suid Check +AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf +AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf +AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf +AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf +AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf +AddRules "TTY_WARN=no" /etc/security/msec/security.conf +AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf + +# Crontab +AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab + + +# Permissions +AddRules "umask 022" /etc/profile + +/sbin/lilo + + +# Path +if [ ${HAVE_X}==1 ]; then + AddRules "PATH=$PATH:/usr/X11R6/bin" +fi + + + + + + + + + + + + + diff --git a/init-sh/level4.sh b/init-sh/level4.sh new file mode 100755 index 0000000..283817a --- /dev/null +++ b/init-sh/level4.sh @@ -0,0 +1,67 @@ +#!/bin/bash + + +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + + +if [ -f /etc/security/msec/init-sh/lib.sh ]; then + . /etc/security/msec/init-sh/lib.sh +else + exit 1 +fi + +# Log in append only mode +chattr +a /var/log/* + +# All events logged on tty12 +AddRules "*.* /dev/tty12" /etc/syslog.conf + +# Prevent all kind of connection except from localhost +AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny + +# Login as root on the console allowed : +AddRules "tty1" /etc/securetty +AddRules "tty2" /etc/securetty +AddRules "tty3" /etc/securetty +AddRules "tty4" /etc/securetty +AddRules "tty5" /etc/securetty +AddRules "tty6" /etc/securetty + +# Suid check +AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf +AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf +AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf +AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf +AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf +AddRules "TTY_WARN=yes" /etc/security/msec/security.conf +AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf + +# Check every 1 minutes for promisc problem +AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab +AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab + +# Do you want a password ? +LiloUpdate; +/sbin/lilo + +# Permissions +AddRules "umask 022" /etc/profile + +# Path + +if [ ${HAVE_X}==1 ]; then + AddRules "PATH=$PATH:/usr/X11R6/bin" /etc/profile +fi + + + + + + + + + + diff --git a/init-sh/level5.sh b/init-sh/level5.sh new file mode 100755 index 0000000..f2b7a55 --- /dev/null +++ b/init-sh/level5.sh @@ -0,0 +1,96 @@ +#!/bin/bash + +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +if [ -f /etc/security/msec/init-sh/lib.sh ]; then + . /etc/security/msec/init-sh/lib.sh +fi + +chattr +a /var/log/* + +# All events logged on tty12 +AddRules "*.* /dev/tty12" /etc/syslog.conf + +# Prevent all kind of connection +AddRules "ALL:ALL:DENY" /etc/hosts.deny + +# No login as root +AddRules "" /etc/securetty + +# Suid check +AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf +AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf +AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf +AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf +AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf +AddRules "TTY_WARN=yes" /etc/security/msec/security.conf +AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf + +# Check every 1 minutes for promisc problem +AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab +AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab + + +# Wanna a password ? +LiloUpdate; +/sbin/lilo + +# Disable all server : +IFS=" +" + +for service in `chkconfig --list | awk '{print $1}'`; do + if [ "${service}" == "xfs" ]; then + if [ ${HAVE_X}==1 ]; then + continue; + fi + fi + + if [ "${service}" == "network" ]; then continue; fi + if [ "${service}" == "keytable" ]; then continue; fi + if [ "${service}" == "crond" ]; then continue; fi + if [ "${service}" == "gpm" ]; then continue; fi + if [ "${service}" == "syslog" ]; then continue; fi + + + chkconfig --del "${service}" +done + +# Permissions +AddRules "umask 077" /etc/profile + +# Path +if [ ${HAVE_X}==1 ]; then + AddRules "PATH=$PATH:/usr/X11R6/bin" /etc/profile +fi + +echo +echo "You are now running your system in security level 5," +echo "All services are disabled : try the chkconfig to enable one..." +echo "If you're on a senssible machine, ( which is probably the case )" +echo "you should compile the server from the sources". +echo +echo "Good luck. :-)" +echo + + + + + + + + + + + + + + + + + + + diff --git a/init-sh/lib.sh b/init-sh/lib.sh new file mode 100644 index 0000000..a48c945 --- /dev/null +++ b/init-sh/lib.sh @@ -0,0 +1,175 @@ +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +# Need root access +if [ $UID != 0 ]; then + echo "You need to be root in order to change secure level." + exit 1 +fi + +# To avoid error, while new initscript package isn't released... +touch /etc/rc.d/rc.firewall + +# If we are currently installing our +# system with DrakX, we don't ask anything to the user... +# Instead, DrakX do it and give us a file with some variable. +if [ -f /tmp/secure.DrakX ]; then + . /tmp/secure.DrakX +fi + +if [ -f /etc/security/msec/security.conf ]; then + . /etc/security/msec/security.conf +fi + +if rpm -q XFree86 2>&1 > /dev/null; then + HAVE_X=1 +else + HAVE_X=0 +fi + +USERNAME="blah" +COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too." + +AddRules () { + string=$1 + file=$2 + + if [ -z "${string}" ]; then + return; + fi + + if ! grep -qx "${string}" ${file}; then + echo "${COMMENT}" >> ${file}; + echo "${string}" >> ${file}; + fi +} + +CleanRules() { + file=$1 + ctrl=0 + + mv -f ${file} /tmp/secure.tmp + touch ${file} + + while read line; do + if [ ${ctrl} == 1 ]; then + ctrl=0 + continue; + fi + + if echo "${line}" | grep -qx "${COMMENT}"; then + ctrl=1 + fi + + if [ ${ctrl} == 0 ]; then + echo "${line}" >> ${file} + fi + done < /tmp/secure.tmp + + rm -f /tmp/secure.tmp + +} + +CommentUserRules() { + file=$1 + + mv -f ${file} /tmp/secure.tmp + touch ${file} + + while read line; do + if ! echo "${line}" | grep -qE "^#"; then + echo "# ${line}" >> ${file} + fi + done < /tmp/secure.tmp + + rm -f /tmp/secure.tmp +} + +Syslog() { + if [ "${SYS_LOG}" == "yes" ]; then + /sbin/initlog --string=${1} + fi +} + +Ttylog() { + if [ "${TTY_LOG}" == "yes" ]; then + for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do + echo -e ${1} > /dev/$i + done + fi +} + + +LiloUpdate() { + if [ ! -f /tmp/secure.DrakX ]; then + echo "Do you want a password authentication at boot time ?" + echo "Be very carefull," + echo "this will prevent your server to reboot without an operator to enter password". + echo -n "[yes]/no : " + read answer + if [[ "${answer}" == "yes" || "${answer}" == "" ]]; then + echo -n "Please enter the password which will be used at boot time : " + read password + else + password="" + fi + else + password=${DRAKX_PASSWORD} + fi + + if [ ! -z "${password}" ]; then + mv /etc/lilo.conf /tmp/secure.tmp + while read line; do + if ! echo "${line}" | grep -q "password"; then + echo "${line}" >> /etc/lilo.conf + fi + done < /etc/secure.tmp + + rm -f /etc/secure.tmp + AddRules "password=$PASSWORD" /etc/lilo.conf + fi +} + + +CleanRules /etc/syslog.conf + +CleanRules /etc/hosts.deny +CommentUserRules /etc/hosts.deny + +CleanRules /etc/hosts.allow +CommentUserRules /etc/hosts.allow + +CleanRules /etc/securetty +CommentUserRules /etc/securetty + +CleanRules /etc/security/msec/security.conf +CommentUserRules /etc/security/msec/security.conf + +CleanRules /etc/profile +CleanRules /etc/lilo.conf +CleanRules /etc/rc.d/rc.firewall +CleanRules /etc/crontab + + +# For all secure level +AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall + +# default group which must exist on the system +groupadd audio >& /dev/null +groupadd xgrp >& /dev/null +usermod -G xgrp xfs + +if ! /etc/security/msec/init-sh/grpuser --del audio "${USERNAME}"; then + echo "Problem removing user \"${USERNAME}\" from group audio." +fi + + + + + + + + + diff --git a/init-sh/perm.1 b/init-sh/perm.1 new file mode 100644 index 0000000..c63483a --- /dev/null +++ b/init-sh/perm.1 @@ -0,0 +1,71 @@ +# +# +# - Group for X user +# - Group for audio user +# - Group for dialout user +# - Group for video user +# Directories / +# Welcome in Level 1 +### + +/bin root.root 755 +/boot root.root 755 +/dev root.root 755 +/dev/audio* root.audio 660 +/dev/dsp* root.audio 660 +/etc/ root.root 755 +/etc/cron.daily/ root.root 755 +/etc/cron.hourly/ root.root 755 +/etc/cron.monthly/ root.root 755 +/etc/cron.weekly/ root.root 755 +/etc/dhcpcd/ root.root 755 +/etc/init.d/ root.root 755 +/etc/profile root.root 644 +/home/ root.root 755 +/home/* current 755 +/lib root.root 755 +/mnt root.root 755 +/root root.root 755 +/sbin root.root 755 +/tmp root.root 1777 +/usr root.root 755 +/usr/* root.root 755 +/usr/X11R6/ root.root 755 +/usr/bin/ root.root 755 +/usr/bin/* root.root 755 +/usr/sbin/ root.root 755 +/var root.root 755 + +/etc/conf.modules root.root 644 +/etc/crontab root.root 644 +/etc/esd.conf root.root 644 +/etc/ftpaccess root.root 644 +/etc/ftpconversions root.root 644 +/etc/ftpgroups root.root 644 +/etc/ftphosts root.root 644 +/etc/ftpusers root.root 644 +/etc/gettydefs root.root 644 +/etc/hosts.allow root.root 644 +/etc/hosts.deny root.root 644 +/etc/hosts.equiv root.root 644 +/etc/inetd.conf root.root 644 +/etc/inittab root.root 644 +/etc/ld.so.conf root.root 644 +/etc/lilo.conf root.root 644 +/etc/modules.conf root.root 644 +/etc/motd root.root 644 +/etc/printcap root.root 644 +/etc/rc.d/ root.root 755 +/etc/securetty root.root 644 +/etc/sendmail.cf root.root 644 +/etc/ssh_config root.root 644 +/etc/ssh_host_key root.root 644 +/etc/ssh_host_key.pub root.root 644 +/etc/sshd_config root.root 644 +/etc/syslog.conf root.root 644 +/etc/updatedb.conf root.root 644 + + + + + diff --git a/init-sh/perm.2 b/init-sh/perm.2 new file mode 100644 index 0000000..dcaf293 --- /dev/null +++ b/init-sh/perm.2 @@ -0,0 +1,72 @@ +# +# +# - Group for X user +# - Group for audio user +# - Group for dialout user +# - Group for video user +# Directories / +# Welcome in Level 2 +### + +/bin root.root 755 +/boot root.root 755 +/dev root.root 755 +/dev/audio* root.audio 660 +/dev/dsp* root.audio 660 +/etc/ root.root 755 +/etc/cron.daily/ root.root 755 +/etc/cron.hourly/ root.root 755 +/etc/cron.monthly/ root.root 755 +/etc/cron.weekly/ root.root 755 +/etc/dhcpcd/ root.root 755 +/etc/init.d/ root.root 755 +/etc/profile root.root 644 +/home/ root.root 755 +/home/* current 755 +/lib root.root 755 +/mnt root.root 755 +/root root.root 700 +/sbin root.root 755 +/tmp root.root 1777 +/usr root.root 755 +/usr/* root.root 755 +/usr/X11R6/ root.root 755 +/usr/bin/ root.root 755 +/usr/bin/* root.root 755 +/usr/sbin/ root.root 755 +/var root.root 755 + +/etc/conf.modules root.root 644 +/etc/crontab root.root 644 +/etc/esd.conf root.root 644 +/etc/ftpaccess root.root 644 +/etc/ftpconversions root.root 644 +/etc/ftpgroups root.root 644 +/etc/ftphosts root.root 644 +/etc/ftpusers root.root 644 +/etc/gettydefs root.root 644 +/etc/hosts.allow root.root 644 +/etc/hosts.deny root.root 644 +/etc/hosts.equiv root.root 644 +/etc/inetd.conf root.root 644 +/etc/inittab root.root 644 +/etc/ld.so.conf root.root 644 +/etc/lilo.conf root.root 644 +/etc/modules.conf root.root 644 +/etc/motd root.root 644 +/etc/printcap root.root 644 +/etc/rc.d/ root.root 755 +/etc/securetty root.root 644 +/etc/sendmail.cf root.root 644 +/etc/ssh_config root.root 644 +/etc/ssh_host_key root.root 644 +/etc/ssh_host_key.pub root.root 644 +/etc/sshd_config root.root 644 +/etc/syslog.conf root.root 644 +/etc/updatedb.conf root.root 644 + + + + + + diff --git a/init-sh/perm.3 b/init-sh/perm.3 new file mode 100644 index 0000000..94d12e7 --- /dev/null +++ b/init-sh/perm.3 @@ -0,0 +1,68 @@ +# +# +# - Group for X user +# - Group for audio user +# - Group for dialout user +# - Group for video user +# Directories / +# Welcome in Level 3 +### + +/bin root.root 755 +/boot root.root 755 +/dev root.root 755 +/dev/audio* root.audio 660 +/dev/dsp* root.audio 660 +/etc/ root.root 755 +/etc/cron.daily/ root.root 755 +/etc/cron.hourly/ root.root 755 +/etc/cron.monthly/ root.root 755 +/etc/cron.weekly/ root.root 755 +/etc/dhcpcd/ root.root 755 +/etc/init.d/ root.root 755 +/etc/profile root.root 644 +/home/ root.root 755 +/home/* current 700 +/lib root.root 755 +/mnt root.root 755 +/root root.root 700 +/sbin root.root 755 +/tmp root.root 1777 +/usr root.root 755 +/usr/* root.root 755 +/usr/X11R6/ root.root 755 +/usr/bin/ root.root 755 +/usr/bin/* root.root 755 +/usr/sbin/ root.root 755 +/var root.root 755 + +/etc/conf.modules root.root 644 +/etc/crontab root.root 644 +/etc/esd.conf root.root 644 +/etc/ftpaccess root.root 644 +/etc/ftpconversions root.root 644 +/etc/ftpgroups root.root 644 +/etc/ftphosts root.root 644 +/etc/ftpusers root.root 644 +/etc/gettydefs root.root 644 +/etc/hosts.allow root.root 644 +/etc/hosts.deny root.root 644 +/etc/hosts.equiv root.root 644 +/etc/inetd.conf root.root 644 +/etc/inittab root.root 644 +/etc/ld.so.conf root.root 644 +/etc/lilo.conf root.root 644 +/etc/modules.conf root.root 644 +/etc/motd root.root 644 +/etc/printcap root.root 644 +/etc/rc.d/ root.root 755 +/etc/securetty root.root 644 +/etc/sendmail.cf root.root 644 +/etc/ssh_config root.root 644 +/etc/ssh_host_key root.root 644 +/etc/ssh_host_key.pub root.root 644 +/etc/sshd_config root.root 644 +/etc/syslog.conf root.root 644 +/etc/updatedb.conf root.root 644 + + diff --git a/init-sh/perm.4 b/init-sh/perm.4 new file mode 100644 index 0000000..8e422df --- /dev/null +++ b/init-sh/perm.4 @@ -0,0 +1,72 @@ +# +# +# - Group for X user +# - Group for audio user +# - Group for dialout user +# - Group for video user +# Welcome in Level 4, aka secure & usable. + +/bin root.root 711 +/boot root.root 700 +/dev root.root 711 +/dev/audio* root.audio 600 +/dev/dsp* root.audio 600 +/etc/ root.adm 711 +/etc/conf.modules root.adm 640 +/etc/cron.daily/ root.adm 750 +/etc/cron.hourly/ root.adm 750 +/etc/cron.monthly/ root.adm 750 +/etc/cron.weekly/ root.adm 750 +/etc/crontab root.adm 640 +/etc/dhcpcd/ root.adm 750 +/etc/dhcpcd/* root.adm 640 +/etc/esd.conf root.audio 640 +/etc/ftpaccess root.adm 640 +/etc/ftpconversions root.adm 640 +/etc/ftpgroups root.adm 640 +/etc/ftphosts root.adm 640 +/etc/ftpusers root.adm 640 +/etc/gettydefs root.adm 640 +/etc/hosts.allow root.adm 640 +/etc/hosts.deny root.adm 640 +/etc/hosts.equiv root.adm 640 +/etc/inetd.conf root.adm 640 +/etc/inittab root.adm 640 +/etc/ld.so.conf root.adm 640 +/etc/lilo.conf root.adm 640 +/etc/modules.conf root.adm 640 +/etc/motd root.adm 644 +/etc/printcap root.adm 640 +/etc/profile root.root 644 +/etc/rc.d/ root.adm 640 +/etc/securetty root.adm 640 +/etc/sendmail.cf root.adm 640 +/etc/ssh_config root.root 644 +/etc/ssh_host_key root.adm 640 +/etc/ssh_host_key.pub root.adm 644 +/etc/sshd_config root.adm 640 +/etc/syslog.conf root.adm 640 +/etc/updatedb.conf root.adm 640 + +/home/ root.adm 751 +/home/* current 700 +/lib root.adm 751 +/mnt root.adm 750 +/root root.root 700 +/sbin root.adm 751 +/tmp root.root 1777 +/usr root.adm 751 +/usr/* root.adm 751 +/usr/X11R6/ root.xgrp 751 +/usr/bin/ root.adm 751 +/usr/bin/* root.root 755 +/usr/sbin/ root.adm 751 +/usr/sbin/* root.root 755 +/var root.root 755 + + + + + + + diff --git a/init-sh/perm.5 b/init-sh/perm.5 new file mode 100644 index 0000000..1965860 --- /dev/null +++ b/init-sh/perm.5 @@ -0,0 +1,67 @@ +# +# +# - Group for X user +# - Group for audio user +# - Group for dialout user +# - Group for video user +# Welcome in Level 5, aka paranoid. + +/bin root.root 711 +/boot root.root 700 +/dev root.root 711 +/dev/audio* root.audio 600 +/dev/dsp* root.audio 600 +/etc/ root.root 711 +/etc/conf.modules root.root 600 +/etc/cron.daily/ root.root 700 +/etc/cron.hourly/ root.root 700 +/etc/cron.monthly/ root.root 700 +/etc/cron.weekly/ root.root 700 +/etc/crontab root.root 600 +/etc/dhcpcd/ root.root 700 +/etc/dhcpcd/* root.root 600 +/etc/esd.conf root.audio 640 +/etc/ftpaccess root.root 600 +/etc/ftpconversions root.root 600 +/etc/ftpgroups root.root 600 +/etc/ftphosts root.root 600 +/etc/ftpusers root.root 600 +/etc/gettydefs root.root 600 +/etc/hosts.allow root.root 600 +/etc/hosts.deny root.root 600 +/etc/hosts.equiv root.root 600 +/etc/inetd.conf root.root 600 +/etc/inittab root.root 600 +/etc/ld.so.conf root.root 600 +/etc/lilo.conf root.root 600 +/etc/modules.conf root.root 600 +/etc/motd root.root 644 +/etc/printcap root.root 640 +/etc/profile root.root 644 +/etc/rc.d/ root.root 600 +/etc/securetty root.root 600 +/etc/sendmail.cf root.root 600 +/etc/ssh_config root.root 644 +/etc/ssh_host_key root.root 600 +/etc/ssh_host_key.pub root.root 644 +/etc/sshd_config root.root 600 +/etc/syslog.conf root.root 600 +/etc/updatedb.conf root.root 600 + +/home/ root.root 711 +/home/* current 700 +/lib root.root 711 +/mnt root.root 710 +/root root.root 700 +/sbin root.root 711 +/tmp root.root 1777 +/usr root.root 711 +/usr/* root.root 711 +/usr/X11R6/ root.xgrp 710 +/usr/bin/ root.root 711 +/usr/bin/* root.root 755 +/usr/sbin/ root.root 711 +/usr/sbin/* root.root 700 +/usr/sbin/sendmail root.root 755 +/var root.root 755 + diff --git a/init-sh/server.4 b/init-sh/server.4 new file mode 100644 index 0000000..044f0bf --- /dev/null +++ b/init-sh/server.4 @@ -0,0 +1,6 @@ +crond +syslog +keytable +network +gpm +xfs diff --git a/init-sh/server.5 b/init-sh/server.5 new file mode 100644 index 0000000..044f0bf --- /dev/null +++ b/init-sh/server.5 @@ -0,0 +1,6 @@ +crond +syslog +keytable +network +gpm +xfs |