Diffstat (limited to 'src/msec/README')
-rw-r--r-- | src/msec/README | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/src/msec/README b/src/msec/README new file mode 100644 index 0000000..4bb3846 --- /dev/null +++ b/src/msec/README 
@@ -0,0 +1,87 @@ +****************** +Configurations files in /etc/security/msec/ +Shell scripts in /usr/share/msec. +****************** + +Suggestions & comments: +flepied@mandriva.com + +****************** +Doc of the rewritting in python: + + 0 1 2 3 4 5 +root umask 022 022 022 022 022 077 +shell timeout 0 0 0 0 3600 900 +deny services none none none none local all +su only for wheel grp no no no no no yes +user umask 022 022 022 022 077 077 +shell history size default default default default 10 10 +direct root login yes yes yes yes no no +remote root login yes yes yes yes no no +sulogin for single user no no no no yes yes +user list in [kg]dm yes yes yes yes no no +promisc check no no no no yes yes +ignore icmp echo no no no no yes yes +ignore broadcasted icmp echo no no no no yes yes +ignore bogus error responses no no no no yes yes +enable libsafe no no no no yes yes +allow reboot by user yes yes yes yes no no +allow crontab/at yes yes yes yes no no +password aging no no no no 60 30 +allow autologin yes yes yes no no no +console log no no no yes yes yes +issues yes yes yes local local no +ip spoofing protection no no no yes yes yes +dns spoofing protection no no no yes yes yes +log stange ip packets no no no yes yes yes +periodic security check no yes yes yes yes yes +allow X connections yes local local no no no +allow xauth from root yes yes yes yes no no +X server listen to tcp tcp tcp tcp local local +run msec by cron yes yes yes yes yes yes + +Periodic security checks by level: + + 0 1 2 3 4 5 +CHECK_SECURITY no yes yes yes yes yes +CHECK_PERMS no no no yes yes yes +CHECK_SUID_ROOT no no yes yes yes yes +CHECK_SUID_MD5 no no yes yes yes yes +CHECK_SGID no no yes yes yes yes +CHECK_WRITABLE no no yes yes yes yes +CHECK_UNOWNED no no no no yes yes +CHECK_PROMISC no no no no yes yes +CHECK_OPEN_PORT no no no yes yes yes +CHECK_PASSWD no no no yes yes yes +CHECK_SHADOW no no no yes yes yes +TTY_WARN no no no no yes yes +MAIL_WARN no no no yes yes yes 
+SYSLOG_WARN no no yes yes yes yes +RPM_CHECK no no no yes yes yes +CHKROOTKIT_CHECK no no no yes yes yes + +These variables are configured by the user: + +MAIL_USER the user to send the dayly reports. If not set, the email is +sent to root. + +PERM_LEVEL is used to determine which file to use to fix +permissions/owners/groups (from /usr/share/msec/perm.$PERM_LEVEL). If +not set, the SECURE_LEVEL is used instead. If the file +/etc/security/msec/perm.local exists, it's used too. The syntax for +each line if the following: + +<file specification> <owner> <permission> [force] + +<file specification> can be any glob to specify one or multiple +files/diretories. + +<owner> must be in the form <user>.<group> or <user>. (force only +user) or .<group> (force only group) or current (keep current user and +group). + +<permission> is an octal number representing the access rights or +current to keep the current permissions. + +If force is present as a 4th argument, it means that msec will enforce +the permission even if the previous permission was lower. |
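Review bot: In the PERM_LEVEL paragraph at the end of the hunk, the README leaves two points undefined that decide which permissions end up on disk. First, "If the file /etc/security/msec/perm.local exists, it's used too" does not say which entry wins when perm.local and perm.$PERM_LEVEL both match the same file. Second, "even if the previous permission was lower" does not say whether "lower" means more restrictive or a numerically smaller mode. Please state the precedence explicitly and define force in terms of restrictiveness, since an administrator reading this cannot tell whether msec will loosen a mode they tightened by hand unless force is given. In the level table, "shell timeout" (3600, 900) and "password aging" (60, 30) carry no units, and the values "local" for "issues" and "deny services" are never explained; a short legend under the table would fix that. Spelling to correct while here: "Configurations files", "rewritting", "stange", "dayly", "diretories", and "each line if the following" (should read "is the following").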