diff options
Diffstat (limited to 'man/C/mseclib.3')
-rw-r--r-- | man/C/mseclib.3 | 217 |
1 files changed, 217 insertions, 0 deletions
diff --git a/man/C/mseclib.3 b/man/C/mseclib.3 new file mode 100644 index 0000000..d86d9fd --- /dev/null +++ b/man/C/mseclib.3 @@ -0,0 +1,217 @@ +.ds q \N'34' +.TH mseclib 3 V0 msec "Mandrakelinux" +.SH NAME +mseclib +.SH SYNOPSIS +.nf +.B from mseclib import * +.B function1(yes) +.B function2(ignore) +.fi +.SH DESCRIPTION +.B mseclib +is a python library to access the function used by the msec program. This functions can be used +in /etc/security/msec/level.local to override the behaviour of the msec program or in standalone +scripts. The first argument of the functions takes a value of 1 or 0 or -1 (or yes/no/ignore) +except when specified otherwise. + +.TP 4 +.B \fIaccept_bogus_error_responses(arg)\fP +Accept/Refuse bogus IPv4 error messages. + +.TP 4 +.B \fIaccept_broadcasted_icmp_echo(arg)\fP + Accept/Refuse broadcasted icmp echo. + +.TP 4 +.B \fIaccept_icmp_echo(arg)\fP + Accept/Refuse icmp echo. + +.TP 4 +.B \fIallow_autologin(arg)\fP +Allow/Forbid autologin. + +.TP 4 +.B \fIallow_issues(arg)\fP +If \fIarg\fP = ALL allow /etc/issue and /etc/issue.net to exist. If \fIarg\fP = NONE no issues are +allowed else only /etc/issue is allowed. + +.TP 4 +.B \fIallow_reboot(arg)\fP +Allow/Forbid reboot by the console user. + +.TP 4 +.B \fIallow_remote_root_login(arg)\fP +Allow/Forbid remote root login. + +.TP 4 +.B \fIallow_root_login(arg)\fP +Allow/Forbid direct root login. + +.TP 4 +.B \fIallow_user_list(arg)\fP +Allow/Forbid the list of users on the system on display managers (kdm and gdm). + +.TP 4 +.B \fIallow_x_connections(arg, listen_tcp=None)\fP +Allow/Forbid X connections. First arg specifies what is done +on the client side: ALL (all connections are allowed), LOCAL (only +local connection) and NONE (no connection). + +.TP 4 +.B \fIallow_xauth_from_root(arg)\fP +llow/forbid to export display when passing from the root account +to the other users. See pam_xauth(8) for more details. + +.TP 4 +.B \fIallow_xserver_to_listen(arg)\fP +The argument specifies if clients are authorized to connect +to the X server on the tcp port 6000 or not. + +.TP 4 +.B \fIauthorize_services(arg)\fP +Authorize all services controlled by tcp_wrappers (see hosts.deny(5)) if \fIarg\fP = ALL. Only local ones +if \fIarg\fP = LOCAL and none if \fIarg\fP = NONE. To authorize the services you need, use /etc/hosts.allow +(see hosts.allow(5)). + +.TP 4 +.B \fIcreate_server_link()\fP +If SERVER_LEVEL (or SECURE_LEVEL if absent) is greater than 3 +in /etc/security/msec/security.conf, creates the symlink /etc/security/msec/server +to point to /etc/security/msec/server.<SERVER_LEVEL>. The /etc/security/msec/server +is used by chkconfig --add to decide to add a service if it is present in the file +during the installation of packages. + +.TP 4 +.B \fIenable_at_crontab(arg)\fP +Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow +(see man at(1) and crontab(1)). + +.TP 4 +.B \fIenable_console_log(arg, expr='*.*', dev='tty12')\fP +Enable/Disable syslog reports to console 12. \fIexpr\fP is the +expression describing what to log (see syslog.conf(5) for more details) and +dev the device to report the log. + +.TP 4 +.B \fIenable_dns_spoofing_protection(arg, alert=1)\fP +Enable/Disable name resolution spoofing protection. If +\fIalert\fP is true, also reports to syslog. + +.TP 4 +.B \fIenable_ip_spoofing_protection(arg, alert=1)\fP +Enable/Disable IP spoofing protection. + +.TP 4 +.B \fIenable_libsafe(arg)\fP +Enable/Disable libsafe if libsafe is found on the system. + +.TP 4 +.B \fIenable_log_strange_packets(arg)\fP +Enable/Disable the logging of IPv4 strange packets. + +.TP 4 +.B \fIenable_msec_cron(arg)\fP +Enable/Disable msec hourly security check. + +.TP 4 +.B \fIenable_pam_wheel_for_su(arg)\fP + Enabling su only from members of the wheel group or allow su from any user. + +.TP 4 +.B \fIenable_password(arg)\fP +Use password to authenticate users. + +.TP 4 +.B \fIenable_promisc_check(arg)\fP +Activate/Disable ethernet cards promiscuity check. + +.TP 4 +.B \fIenable_security_check(arg)\fP + Activate/Disable daily security check. + +.TP 4 +.B \fIenable_sulogin(arg)\fP + Enable/Disable sulogin(8) in single user level. + +.TP 4 +.B \fIno_password_aging_for(name)\fP +Add the name as an exception to the handling of password aging by msec. +Name must be put between '. Msec will then no more manage password aging for +name so you have to use chage(1) to manage it by hand. + +.TP 4 +.B \fIpassword_aging(max, inactive=-1)\fP +Set password aging to \fImax\fP days and delay to change to \fIinactive\fP. + +.TP 4 +.B \fIpassword_history(arg)\fP +Set the password history length to prevent password reuse. + +.TP 4 +.B \fIpassword_length(length, ndigits=0, nupper=0)\fP +Set the password minimum length and minimum number of digit and minimum number of capitalized letters. + +.TP 4 +.B \fIset_root_umask(umask)\fP +Set the root umask. + +.TP 4 +.B \fIset_security_conf(var, value)\fP +Set the variable \fIvar\fP to the value \fIvalue\fP in /var/lib/msec/security.conf. +The best way to override the default setting is to use create /etc/security/msec/security.conf +with the value you want. These settings are used to configure the daily check run each night. + +The following variables are currentrly recognized by msec: + +CHECK_UNOWNED if set to yes, report unowned files. + +CHECK_SHADOW if set to yes, check empty password in /etc/shadow. + +CHECK_SUID_MD5 if set to yes, verify checksum of the suid/sgid files. + +CHECK_SECURITY if set to yes, run the daily security checks. + +CHECK_PASSWD if set to yes, check for empty passwords, for no password in /etc/shadow and for users with the 0 id other than root. + +SYSLOG_WARN if set to yes, report check result to syslog. + +CHECK_SUID_ROOT if set to yes, check additions/removals of suid root files. + +CHECK_PERMS if set to yes, check permissions of files in the users' home. + +CHKROOTKIT_CHECK if set to yes, run chkrootkit checks. + +CHECK_PROMISC if set to yes, check if the network devices are in promiscuous mode. + +RPM_CHECK if set to yes, run some checks against the rpm database. + +TTY_WARN if set to yes, reports check result to tty. + +CHECK_WRITABLE if set to yes, check files/directories writable by everybody. + +MAIL_WARN if set to yes, report check result by mail. + +MAIL_USER if set, send the mail report to this email address else send it to root. + +CHECK_OPEN_PORT if set to yes, check open ports. + +CHECK_SGID if set to yes, check additions/removals of sgid files. + + +.TP 4 +.B \fIset_shell_history_size(size)\fP +Set shell commands history size. A value of -1 means unlimited. + +.TP 4 +.B \fIset_shell_timeout(val)\fP +Set the shell timeout. A value of zero means no timeout. + +.TP 4 +.B \fIset_user_umask(umask)\fP +Set the user umask. +.RE +.SH "SEE ALSO" +msec(8) +.SH AUTHORS +Frederic Lepied <flepied@mandrakesoft.com> |