Diffstat (limited to 'init-sh')
-rwxr-xr-x | init-sh/custom.sh | 1 | ||||
-rwxr-xr-x | init-sh/level0.sh | 14 | ||||
-rwxr-xr-x | init-sh/level1.sh | 15 | ||||
-rwxr-xr-x | init-sh/level2.sh | 17 | ||||
-rwxr-xr-x | init-sh/level3.sh | 12 | ||||
-rwxr-xr-x | init-sh/level4.sh | 13 | ||||
-rwxr-xr-x | init-sh/level5.sh | 13 | ||||
-rw-r--r-- | init-sh/lib.sh | 88 | ||||
-rw-r--r-- | init-sh/lib.sh.usermode | 385 |
9 files changed, 496 insertions, 62 deletions
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index d597255..aed9d57 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -184,6 +184,7 @@ echo "Do you want security report to be done by mail ?"
 WaitAnswer; clear
 if [[ ${answer} == yes ]]; then
 AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf
+ AddRules "MAIL_USER=root" /etc/security/msec/security.conf
 else
 AddRules "MAIL_WARN=no" /etc/security/msec/security.conf
 fi
diff --git a/init-sh/level0.sh b/init-sh/level0.sh
index 9f4f4ee..4329773 100755
--- a/init-sh/level0.sh
+++ b/init-sh/level0.sh
@@ -72,19 +72,15 @@ AddRules "export PATH SECURE_LEVEL" /etc/zprofile
 # Xserver
 echo "Allowing users to connect X server from everywhere :"
-AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xdm/Xsession quiet
-AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xinit/xinitrc
+AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xinit.d/msec quiet
 # Group
 echo "Adding system users to specific groups :"
 /usr/share/msec/grpuser.sh --refresh
 echo -e "done.\n"
+AllowAutologin
+
+
 # Boot on a shell / authorize ctrl-alt-del
-echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
+AllowReboot
+AllowUserList
diff --git a/init-sh/level1.sh b/init-sh/level1.sh
index 172c29b..ac72a91 100755
--- a/init-sh/level1.sh
+++ b/init-sh/level1.sh
@@ -72,8 +72,7 @@ AddRules "export PATH SECURE_LEVEL" /etc/zprofile
 # Xserver
 echo "Allowing users to connect X server from localhost :"
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
+AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit.d/msec
 # Group
 echo "Adding system users to specific groups :"
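Review bot: `xhost + localhost` in the level1.sh hunk does not limit X access to localhost — xhost handles its arguments one by one, and a bare `+` switches access control off for every host before `localhost` is even added, so the new line `+AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit.d/msec` leaves level 1 as open as the level0.sh `xhost +` line above it. The host has to be attached to the sign: `AddBegRules "/usr/X11R6/bin/xhost +localhost" /etc/X11/xinit.d/msec`. The commit only relocates the line from Xsession/xinitrc, but the new xinit.d file is now its only home, so this is the place to correct it; level2.sh in this commit carries the same spelling.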
@@ -81,12 +80,8 @@ echo "Adding system users to specific groups :"
 grpconv
 echo -e "done.\n"
+AllowAutologin
+
+
 # Do not boot on a shell
-echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
+AllowReboot
+AllowUserList
diff --git a/init-sh/level2.sh b/init-sh/level2.sh
index eb2641a..3ffe407 100755
--- a/init-sh/level2.sh
+++ b/init-sh/level2.sh
@@ -73,8 +73,7 @@ AddRules "export PATH SECURE_LEVEL" /etc/zprofile
 # Xserver
 echo "Allowing users to connect X server from localhost :"
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
+AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit.d/msec
 # group
 echo "Adding system users to specifics groups :"
@@ -82,14 +81,8 @@ echo "Adding system users to specifics groups :"
 grpconv
 echo -e "done.\n"
-# Do not boot on a shell
-echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
-
+AllowAutologin
+# Do not boot on a shell
+AllowReboot
+AllowUserList
diff --git a/init-sh/level3.sh b/init-sh/level3.sh
index 74f72a6..e2808f9 100755
--- a/init-sh/level3.sh
+++ b/init-sh/level3.sh
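Review bot: The level2.sh `xhost` hunk has the same flaw as level1.sh: in `+AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit.d/msec` the space-separated `+` is processed by xhost as "disable access control for everyone" before `localhost` is added, so level 2 grants X access to any host that can reach the server, not to localhost only. Write it as `AddBegRules "/usr/X11R6/bin/xhost +localhost" /etc/X11/xinit.d/msec`. The "from localhost" message two lines up is what the code should actually deliver.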
@@ -79,15 +79,11 @@ AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/zprofile quiet
 AddRules "export PATH SECURE_LEVEL" /etc/zprofile
 # Do not boot on a shell
-echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
+AllowReboot
+ForbidAutologin
 # Group were modified in lib.sh...
 grpconv
+
+AllowUserList
diff --git a/init-sh/level4.sh b/init-sh/level4.sh
index c23d576..b0dded8 100755
--- a/init-sh/level4.sh
+++ b/init-sh/level4.sh
@@ -115,14 +115,9 @@ if [[ -f /lib/libsafe.so.1.3 ]]; then
 fi
 # Do not boot on a shell
-echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
+ForbidReboot
+
+ForbidAutologin
 # Group were modified in lib.sh...
 grpconv
@@ -132,3 +127,5 @@ grpconv
+
+ForbidUserList
diff --git a/init-sh/level5.sh b/init-sh/level5.sh
index a58f2df..13b02bb 100755
--- a/init-sh/level5.sh
+++ b/init-sh/level5.sh
@@ -132,15 +132,8 @@ if [[ -f /lib/libsafe.so.1.3 ]]; then
 fi
 # Do not boot on a shell
-echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
-
+ForbidReboot
+ForbidAutologin
 echo
 echo "You are now running your system in security level 5,"
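Review bot: The block removed from level3.sh also rewrote `/bin/bash --login` into `/sbin/mingetty tty1` in /etc/inittab, but its replacement `AllowReboot` (as added to lib.sh in this commit) only edits the ctrlaltdel entry, so the `# Do not boot on a shell` comment that `+AllowReboot` now sits under is no longer enforced at level 3; the level1.sh and level2.sh hunks lose the same substitution, while `ForbidReboot` used by levels 4 and 5 kept it. Either add the mingetty sed expression to AllowReboot, or move it into its own helper (e.g. `ForbidBootShell`) and call it from the three lower levels next to AllowReboot. level3.sh continues past the end of this hunk, so I cannot see whether anything later compensates.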
@@ -171,3 +164,5 @@ grpconv
+
+ForbidUserList
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
index 2c7009c..1be738a 100644
--- a/init-sh/lib.sh
+++ b/init-sh/lib.sh
@@ -222,6 +222,81 @@ CleanLoaderRules() {
 fi
 }
+AllowAutologin() {
+ file=/etc/sysconfig/autologin
+ if [[ -f ${file} ]]; then
+ grep -v AUTOLOGIN < ${file} > ${file}.new
+ echo "AUTOLOGIN=yes" >> ${file}.new
+ mv -f ${file}.new ${file}
+ fi
+}
+
+ForbidAutologin() {
+ file=/etc/sysconfig/autologin
+ if [[ -f ${file} ]]; then
+ cat ${file} | grep -v AUTOLOGIN > ${file}.new
+ echo "AUTOLOGIN=no" >> ${file}.new
+ mv -f ${file}.new ${file}
+ fi
+}
+
+ForbidUserList() {
+ file=/usr/share/config/kdmrc
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^UserView=.*$/UserView=false/' ${file}
+ fi
+
+ file=/etc/X11/gdm/gdm.conf
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^Browser=.*$/Browser=0/' ${file}
+ fi
+}
+
+AllowUserList() {
+ file=/usr/share/config/kdmrc
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^UserView=.*$/UserView=true/' ${file}
+ fi
+
+ file=/etc/X11/gdm/gdm.conf
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^Browser=.*$/Browser=1/' ${file}
+ fi
+}
+
+ForbidReboot() {
+ echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp /etc/inittab ${tmpfile}
+ cat ${tmpfile} | \
+ sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
+ rm -f ${tmpfile}
+ [ -z "$DURING_INSTALL" ] && telinit u
+ echo "done."
+ echo -n "Forbid console users to reboot/shutdown : "
+ for pamfile in /etc/security/console.apps/{shutdown,poweroff,reboot,halt} ; do
+ rm -f ${pamfile} 2>&1 > /dev/null
+ done
+ echo "done."
+}
+
+AllowReboot() {
+ echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp /etc/inittab ${tmpfile}
+ cat ${tmpfile} | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
+ rm -f ${tmpfile}
+ [ -z "$DURING_INSTALL" ] && telinit u
+ echo "done."
+ echo -n "Allow console users to reboot/shutdown : "
+ for pamfile in /etc/security/console.apps/{shutdown,poweroff,reboot,halt} ; do
+ touch -f ${pamfile}
+ done
+ echo "done."
+}
+
 # If we are currently installing our
 # system with DrakX, we don't ask anything to the user...
 # Instead, DrakX do it and give us a file with some variable.
@@ -250,8 +325,13 @@ CleanRules /etc/logrotate.conf
 CleanRules /etc/rc.d/rc.local
 CleanRules /etc/rc.d/rc.firewall
 CleanRules /etc/crontab
-CleanRules /etc/X11/xdm/Xsession
-CleanRules /etc/X11/xinit/xinitrc
+
+if [[ -f /etc/X11/xinit.d/msec ]]; then
+ CleanRules /etc/X11/xinit.d/msec
+else
+ touch /etc/X11/xinit.d/msec
+ chmod 755 /etc/X11/xinit.d/msec
+fi
 echo -e "\nStarting to reconfigure the system : "
 # For all secure level
@@ -266,10 +346,6 @@ groupadd xgrp >& /dev/null
 groupadd ntools >& /dev/null
 groupadd ctools >& /dev/null
-#Fix the big security hole introduced in cooker
-userdel mandrake >& /dev/null
-groupdel mandrake >& /dev/null
-
 usermod -G xgrp xfs
 /usr/share/msec/grpuser.sh --clean
diff --git a/init-sh/lib.sh.usermode b/init-sh/lib.sh.usermode
new file mode 100644
index 0000000..6f1f65e
--- /dev/null
+++ b/init-sh/lib.sh.usermode
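Review bot: `telinit u` in both ForbidReboot and AllowReboot does not make init re-read /etc/inittab — `u` only asks init to re-execute itself with its state preserved, and `telinit q` is the request to re-examine inittab — so the ctrl-alt-del change does not take effect until the next boot. Both helpers also pipe `cat ${tmpfile} | sed ... > /etc/inittab`, which truncates the live inittab before sed has produced a byte; filtering into the temp file and moving it over the original keeps a usable table if sed fails or the script is interrupted. In AllowReboot the console.apps entries are recreated with `touch -f`, which leaves empty files (and `-f` is not a standard touch option) — whether an empty file restores what the packaged entry provided is not visible here, so verify on a real system that console users can actually reboot/halt afterwards. The redirection in `rm -f ${pamfile} 2>&1 > /dev/null` is in the wrong order to silence errors; `> /dev/null 2>&1` is what was meant. A reworked ForbidReboot is below; AllowReboot needs the same treatment.
```shell
ForbidReboot() {
    echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
    tmpfile=`mktemp /tmp/secure.XXXXXX` || return 1
    # filter into the temp file and swap it in; redirecting straight into
    # /etc/inittab truncates the live table before sed has written anything
    sed -e 's/\/bin\/bash --login/\/sbin\/mingetty tty1/' \
        -e 's/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' \
        /etc/inittab > ${tmpfile} && chmod 644 ${tmpfile} && mv -f ${tmpfile} /etc/inittab
    rm -f ${tmpfile}
    # "telinit u" only re-execs init; "q" is what makes it re-read inittab
    [ -z "$DURING_INSTALL" ] && telinit q
    echo "done."
    # … unchanged: removal of the console.apps shutdown/poweroff/reboot/halt entries …
}
```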
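Review bot: In the `else` branch the freshly created /etc/X11/xinit.d/msec is empty, and AddBegRules — as implemented in the lib.sh.usermode copy added by this same commit; lib.sh's own copy is outside the hunk — only prints its rule in front of the first non-comment, non-blank line, so on a system that lacks the file the level scripts' `xhost` line is never written and the file stays empty until something else populates it. Either seed the file with one non-comment line when creating it, or make AddBegRules append when it finds no insertion point. `touch` and `chmod 755` are unchecked, so a missing /etc/X11/xinit.d directory fails silently; `mkdir -p /etc/X11/xinit.d && touch /etc/X11/xinit.d/msec` would cover that. Whether xinit.d scripts are sourced or executed is not visible here; if they are executed, a shebang line belongs in the seeded content.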
@@ -0,0 +1,385 @@ +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +# Need root access +if [[ ${UID} != 0 ]]; then + echo "You need to be root in order to change secure level." + exit 1 +fi + +export COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too." + +WaitAnswer() { + answer="nothing" + + while [[ ${answer} != yes && ${answer} != no ]]; do + echo -n "yes/no : " + read answer + done +} + +AddRules() { + string=$1 + file=$2 + quiet=$3 + + if [[ -z ${string} ]]; then + return; + fi + + if [[ -z ${quiet} ]]; then + echo "Modifying config in ${file}..." + fi + + if ! grep -Eqx "^${string}" ${file}; then + echo -e "${COMMENT}" >> ${file}; + echo -e "${string}" >> ${file}; + fi + + if [[ -z ${3} ]]; then + echo -e "done.\n" + fi +} + +AddBegRules() { + echo "Modifying config in ${2}..." + + if [[ ! -f ${file} ]]; then + return; + fi + + export VAL=$1 + perl -pi -e '/^#/ or /^$/ or $m++ or print "$ENV{COMMENT}\n$ENV{VAL}\n"' $2 + + echo -e "done.\n" +} + + +OLD_CleanRules() { + file=$1 + ctrl=0 + + if [[ ! -f ${file} ]]; then + echo "${file} do not exist... can not clean." + return; + fi + + echo -en "\t- Cleaning msec appended line in ${file} : " + + tmpfile=`mktemp /tmp/secure.XXXXXX` + cp ${file} ${tmpfile} + + while read line; do + if [[ ${ctrl} == 1 ]]; then + ctrl=0 + continue; + fi + + if echo "${line}" | grep -qx "${COMMENT}"; then + ctrl=1 + fi + + if [[ ${ctrl} == 0 ]]; then + echo "${line}" + fi + done < ${tmpfile} > ${file} + + rm -f ${tmpfile} + + echo "done." +} + +CleanRules() { + echo -en "\t- Cleaning msec appended line in $1 : " + + perl -ni -e '$_ eq "$ENV{COMMENT}\n" ... // or print' $1 + + echo "done." +} + +CommentUserRules() { + file=$1 + + if [[ ! -f ${file} ]]; then + return; + fi + + echo -en "\t- Cleaning user appended line in ${file} : " + + tmpfile=`mktemp /tmp/secure.XXXXXX` + cp -f ${file} ${tmpfile} + + while read line; do + if ! 
echo "${line}" | grep -qE "^#"; then + echo "# ${line}" + else + echo "${line}" + fi + done < ${tmpfile} > ${file} + + rm -f ${tmpfile} + + echo "done." +} + +Syslog() { + if [[ ${SYSLOG_WARN} == yes ]]; then + /sbin/initlog --string=${1} + fi +} + +Ttylog() { + if [[ ${TTY_WARN} == yes ]]; then + w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do + echo -e ${1} > /dev/$i + done + fi +} + + +LoaderUpdate() { + + # Ask only if we're not inside DrakX. + if [[ ! ${DRAKX_PASSWORD+set} ]]; then + echo "Do you want a password authentication at boot time ?" + echo "Be very carefull," + echo "this will prevent your server to reboot without an operator to enter password". + WaitAnswer; + if [[ ${answer} == yes ]]; then + echo -n "Please enter the password which will be used at boot time : " + read password + else + password="" + fi + + if [[ ! -z ${password} ]]; then + if [[ -f /etc/lilo.conf ]]; then + AddBegRules "password=$password" /etc/lilo.conf + chmod 600 /etc/lilo.conf + fi + if [[ -f /boot/grub/menu.lst ]]; then + AddBegRules "password $password" /boot/grub/menu.lst + chmod 600 /boot/grub/menu.lst + fi + + loader=`/usr/sbin/detectloader` + case "${loader}" in + "LILO") + /sbin/lilo + ;; + "GRUB") + ;; + esac + fi + fi +} + +# Do something only if DRAKX_PASSWORD set ( we're in DrakX ) +LoaderDrakX() { + if [[ -n "${DRAKX_PASSWORD}" ]]; then + if [[ -f /etc/lilo.conf ]]; then + AddBegRules "password=$DRAKX_PASSWORD" /etc/lilo.conf + chmod 600 /etc/lilo.conf + fi + if [[ -f /boot/grub/menu.lst ]]; then + AddBegRules "password $DRAKX_PASSWORD" /boot/grub/menu.lst + chmod 600 /boot/grub/menu.lst + fi + + loader=`/usr/sbin/detectloader` + case "${loader}" in + "LILO") + /sbin/lilo + ;; + "GRUB") + ;; + esac + fi +} + + +CleanLoaderRules() { + if [[ -f /etc/lilo.conf ]]; then + CleanRules /etc/lilo.conf + chmod 644 /etc/lilo.conf + fi + if [[ -f /boot/grub/menu.lst ]]; then + CleanRules /boot/grub/menu.lst + chmod 644 /boot/grub/menu.lst + fi + + if [[ -z 
${DRAKX_PASSWORD} ]]; then + loader=`/usr/sbin/detectloader` + case "${loader}" in + "LILO") + /sbin/lilo + ;; + "GRUB") + ;; + esac + fi +} + +AllowAutologin() { + file=/etc/sysconfig/autologin + if [[ -f ${file} ]]; then + grep -v AUTOLOGIN < ${file} > ${file}.new + echo "AUTOLOGIN=yes" >> ${file}.new + mv -f ${file}.new ${file} + fi +} + +ForbidAutologin() { + file=/etc/sysconfig/autologin + if [[ -f ${file} ]]; then + cat ${file} | grep -v AUTOLOGIN > ${file}.new + echo "AUTOLOGIN=no" >> ${file}.new + mv -f ${file}.new ${file} + fi +} + +ForbidUserList() { + file=/usr/share/config/kdmrc + if [[ -f ${file} ]]; then + perl -pi -e 's/^UserView=.*$/UserView=false/' ${file} + fi + + file=/etc/X11/gdm/gdm.conf + if [[ -f ${file} ]]; then + perl -pi -e 's/^Browser=.*$/Browser=0/' ${file} + fi +} + +AllowUserList() { + file=/usr/share/config/kdmrc + if [[ -f ${file} ]]; then + perl -pi -e 's/^UserView=.*$/UserView=true/' ${file} + fi + + file=/etc/X11/gdm/gdm.conf + if [[ -f ${file} ]]; then + perl -pi -e 's/^Browser=.*$/Browser=1/' ${file} + fi +} + +ForbidReboot() { + echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : " + tmpfile=`mktemp /tmp/secure.XXXXXX` + cp /etc/inittab ${tmpfile} + cat ${tmpfile} | \ + sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \ + sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab + rm -f ${tmpfile} + [ -z "$DURING_INSTALL" ] && telinit u + echo "done." +} + +AllowReboot() { + echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : " + tmpfile=`mktemp /tmp/secure.XXXXXX` + cp /etc/inittab ${tmpfile} + cat ${tmpfile} | \ + sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab + rm -f ${tmpfile} + [ -z "$DURING_INSTALL" ] && telinit u + echo "done." +} + +# If we are currently installing our +# system with DrakX, we don't ask anything to the user... 
+# Instead, DrakX do it and give us a file with some variable. +if [[ -f /etc/security/msec/security.conf ]]; then + . /etc/security/msec/security.conf +fi + +clear +echo "Preparing to run security script : " +CleanRules /etc/syslog.conf +CleanRules /etc/hosts.deny +CommentUserRules /etc/hosts.deny +CleanRules /etc/hosts.allow +CommentUserRules /etc/hosts.allow +CleanRules /etc/securetty +CommentUserRules /etc/securetty +CleanRules /etc/security/msec/security.conf +CommentUserRules /etc/security/msec/security.conf +CleanRules /etc/profile +CleanRules /etc/ld.so.preload + +CleanLoaderRules +LoaderDrakX + +CleanRules /etc/logrotate.conf +CleanRules /etc/rc.d/rc.local +CleanRules /etc/rc.d/rc.firewall +CleanRules /etc/crontab + +if [[ -f /etc/X11/xinit.d/msec ]]; then + CleanRules /etc/X11/xinit.d/msec +else + touch /etc/X11/xinit.d/msec + chmod 755 /etc/X11/xinit.d/msec +fi + +echo -e "\nStarting to reconfigure the system : " +# For all secure level +echo "Setting spoofing protection : " +AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall + +# default group which must exist on the system +# groupadd already check for their existance... +groupadd nogroup >& /dev/null +groupadd audio >& /dev/null +groupadd xgrp >& /dev/null +groupadd ntools >& /dev/null +groupadd ctools >& /dev/null + +usermod -G xgrp xfs + +/usr/share/msec/grpuser.sh --clean +echo + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + |
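Review bot: LoaderUpdate reads the boot-loader password with a plain `read password`, so it is echoed on the terminal as it is typed; `read -s password` (and unsetting `password` after use) is the minimum. The password is then written into lilo.conf/menu.lst by AddBegRules before the `chmod 600`, leaving a window in which the file is readable at whatever mode it had before — do the chmod first. Ttylog iterates with `while read line` but writes to `/dev/$i`, so `$i` is empty and the warning never reaches a terminal (`> /dev/${line}` is what was meant). AddBegRules tests `[[ ! -f ${file} ]]` against whatever the global `file` last held in the Allow*/Forbid* helpers rather than its own `$2`; compare `$2`. This file duplicates lib.sh almost line for line minus the console.apps handling, so the two will drift — sourcing a shared core would avoid fixing every bug twice.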