From 0833ba10b206271bbbf3cfd397eeb5629693bf83 Mon Sep 17 00:00:00 2001
From: Eugeni Dodonov
Date: Thu, 5 Feb 2009 21:20:15 +0000
Subject: Renamed level 'default' to level 'standard'.
---
 conf/level.default | 55 -----------------------------
 conf/level.standard | 55 +++++++++++++++++++++++++++++
 conf/perm.default | 97 --------------------------------------------------
 conf/perm.standard | 97 +++++++++++++++++++++++++++++++++++++++++++++++++++
 conf/server.default | 42 ----------------------
 conf/server.standard | 42 ++++++++++++++++++++++
 src/msec/config.py | 4 +--
 src/msec/msecgui.py | 36 +++++++++----------
 src/msec/msecperms.py | 6 ++--
 9 files changed, 217 insertions(+), 217 deletions(-)
 delete mode 100644 conf/level.default
 create mode 100644 conf/level.standard
 delete mode 100644 conf/perm.default
 create mode 100644 conf/perm.standard
 delete mode 100644 conf/server.default
 create mode 100644 conf/server.standard
diff --git a/conf/level.default b/conf/level.default
deleted file mode 100644
index 7f1262d..0000000
--- a/conf/level.default
+++ /dev/null
@@ -1,55 +0,0 @@
-BASE_LEVEL=default
-ENABLE_APPARMOR=no
-ALLOW_X_CONNECTIONS=local
-CHECK_WRITABLE=yes
-ENABLE_IP_SPOOFING_PROTECTION=yes
-MAIL_EMPTY_CONTENT=no
-ACCEPT_BROADCASTED_ICMP_ECHO=yes
-CHECK_PERMS=yes
-CHECK_USER_FILES=yes
-ENABLE_SUDO=wheel
-ALLOW_XSERVER_TO_LISTEN=no
-CHECK_CHKROOTKIT=yes
-SHELL_HISTORY_SIZE=-1
-ALLOW_REBOOT=yes
-CHECK_SUID_ROOT=yes
-SYSLOG_WARN=yes
-ENABLE_AT_CRONTAB=yes
-ACCEPT_BOGUS_ERROR_RESPONSES=no
-CHECK_PASSWD=yes
-PASSWORD_HISTORY=0
-CHECK_SUID_MD5=yes
-CHECK_SHOSTS=yes
-MAIL_USER=root
-ALLOW_AUTOLOGIN=yes
-ENABLE_PAM_WHEEL_FOR_SU=no
-CHECK_SHADOW=yes
-ALLOW_ROOT_LOGIN=yes
-CHECK_UNOWNED=no
-ENABLE_CONSOLE_LOG=yes
-ALLOW_USER_LIST=yes
-ENABLE_DNS_SPOOFING_PROTECTION=yes
-CREATE_SERVER_LINK=default
-ENABLE_PASSWORD=yes
-NOTIFY_WARN=yes
-WIN_PARTS_UMASK=002
-CHECK_OPEN_PORT=yes
-SHELL_TIMEOUT=0
-ALLOW_REMOTE_ROOT_LOGIN=without-password
-ENABLE_LOG_STRANGE_PACKETS=yes
-USER_UMASK=022
-CHECK_RPM=no
-ENABLE_SULOGIN=no
-ENABLE_PAM_ROOT_FROM_WHEEL=no
-MAIL_WARN=yes
-ALLOW_XAUTH_FROM_ROOT=yes
-CHECK_SECURITY=yes
-ACCEPT_ICMP_ECHO=yes
-PASSWORD_LENGTH=4,0,0
-AUTHORIZE_SERVICES=yes
-ROOT_UMASK=022
-ENABLE_MSEC_CRON=yes
-TTY_WARN=no
-ENABLE_POLICYKIT=yes
-CHECK_SGID=yes
-CHECK_PROMISC=yes
diff --git a/conf/level.standard b/conf/level.standard
new file mode 100644
index 0000000..7f1262d
--- /dev/null
+++ b/conf/level.standard
@@ -0,0 +1,55 @@
+BASE_LEVEL=default
+ENABLE_APPARMOR=no
+ALLOW_X_CONNECTIONS=local
+CHECK_WRITABLE=yes
+ENABLE_IP_SPOOFING_PROTECTION=yes
+MAIL_EMPTY_CONTENT=no
+ACCEPT_BROADCASTED_ICMP_ECHO=yes
+CHECK_PERMS=yes
+CHECK_USER_FILES=yes
+ENABLE_SUDO=wheel
+ALLOW_XSERVER_TO_LISTEN=no
+CHECK_CHKROOTKIT=yes
+SHELL_HISTORY_SIZE=-1
+ALLOW_REBOOT=yes
+CHECK_SUID_ROOT=yes
+SYSLOG_WARN=yes
+ENABLE_AT_CRONTAB=yes
+ACCEPT_BOGUS_ERROR_RESPONSES=no
+CHECK_PASSWD=yes
+PASSWORD_HISTORY=0
+CHECK_SUID_MD5=yes
+CHECK_SHOSTS=yes
+MAIL_USER=root
+ALLOW_AUTOLOGIN=yes
+ENABLE_PAM_WHEEL_FOR_SU=no
+CHECK_SHADOW=yes
+ALLOW_ROOT_LOGIN=yes
+CHECK_UNOWNED=no
+ENABLE_CONSOLE_LOG=yes
+ALLOW_USER_LIST=yes
+ENABLE_DNS_SPOOFING_PROTECTION=yes
+CREATE_SERVER_LINK=default
+ENABLE_PASSWORD=yes
+NOTIFY_WARN=yes
+WIN_PARTS_UMASK=002
+CHECK_OPEN_PORT=yes
+SHELL_TIMEOUT=0
+ALLOW_REMOTE_ROOT_LOGIN=without-password
+ENABLE_LOG_STRANGE_PACKETS=yes
+USER_UMASK=022
+CHECK_RPM=no
+ENABLE_SULOGIN=no
+ENABLE_PAM_ROOT_FROM_WHEEL=no
+MAIL_WARN=yes
+ALLOW_XAUTH_FROM_ROOT=yes
+CHECK_SECURITY=yes
+ACCEPT_ICMP_ECHO=yes
+PASSWORD_LENGTH=4,0,0
+AUTHORIZE_SERVICES=yes
+ROOT_UMASK=022
+ENABLE_MSEC_CRON=yes
+TTY_WARN=no
+ENABLE_POLICYKIT=yes
+CHECK_SGID=yes
+CHECK_PROMISC=yes
diff --git a/conf/perm.default b/conf/perm.default
deleted file mode 100644
index a52e090..0000000
--- a/conf/perm.default
+++ /dev/null
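Review bot: Two values in the new file still use the old level name, `+BASE_LEVEL=default` and `+CREATE_SERVER_LINK=default`; the blob is the deleted level.default unchanged (index 7f1262d on both sides). After this commit config.py defines only none/standard/secure and lists `['no', 'standard', 'secure']` for CREATE_SERVER_LINK, and msecgui's level detection treats any other BASE_LEVEL as a custom level, so the shipped standard profile would not be recognized as itself and the server-link value would presumably resolve to the server.default file this commit deletes. Change the two lines to `BASE_LEVEL=standard` and `CREATE_SERVER_LINK=standard`.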
@@ -1,97 +0,0 @@
-# default permissions level
-###
-/ root.adm 755
-/bin/ root.root 755
-/bin/ping root.root 4755
-/bin/rpm rpm.rpm 755
-/boot/ root.root 755
-/dev/ root.root 755
-/etc/ root.root 755
-/etc/conf.modules root.root 644
-/etc/cron.daily/ root.root 755
-/etc/cron.hourly/ root.root 755
-/etc/cron.monthly/ root.root 755
-/etc/cron.weekly/ root.root 755
-/etc/crontab root.root 644
-/etc/dhcpcd/ root.root 755
-/etc/dhcpcd/* root.root 644
-/etc/ftpaccess root.root 644
-/etc/ftpconversions root.root 644
-/etc/ftpgroups root.root 644
-/etc/ftphosts root.root 644
-/etc/ftpusers root.root 644
-/etc/gettydefs root.root 644
-/etc/hosts.allow root.root 644
-/etc/hosts.deny root.root 644
-/etc/hosts.equiv root.root 644
-/etc/httpd/modules.d/*.conf root.root 644
-/etc/httpd/conf/*.conf root.root 644
-/etc/httpd/conf/addon-modules/* root.root 644
-/etc/httpd/conf/vhosts.d/* root.root 644
-/etc/httpd/conf/webapps.d/* root.root 644
-/etc/inetd.conf root.root 644
-/etc/inittab root.root 644
-/etc/ld.so.conf root.root 644
-/etc/mandrake-release root.root 644
-/etc/modules.conf root.root 644
-/etc/motd root.root 644
-/etc/printcap root.root 644
-/etc/profile.d/* root.root 755
-/etc/rc.d/ root.root 755
-/etc/rc.d/init.d/ root.root 755
-/etc/rc.d/init.d/* root.root 744
-/etc/rc.d/init.d/functions root.root 644
-/etc/rc.d/init.d/mandrake_consmap root.root 644
-/etc/rc.d/init.d/xprint root.root 755
-/etc/securetty root.root 644
-/etc/sendmail.cf root.mail 644
-/etc/shutdown.allow root.root 644
-/etc/ssh/ssh_config root.root 644
-/etc/ssh/ssh_host_*key root.root 600
-/etc/ssh/ssh_host_*key.pub root.root 644
-/etc/ssh/sshd_config root.root 644
-/etc/sysconfig root.root 755
-/etc/syslog.conf root.root 644
-/etc/updatedb.conf root.root 644
-/home/ root.root 755
-/home/* current.current 755
-/lib/ root.root 755
-/mnt/ root.root 755
-/proc root.root 555
-/root/ root.root 700
-/sbin/ root.root 755
-/tmp/ root.root 1777
-/usr/ root.root 755
-/usr/* root.root 755
-/usr/bin/ root.root 755
-/usr/bin/cc root.root 755
-/usr/bin/finger root.root 755
-/usr/bin/g++* root.root 755
-/usr/bin/gcc* root.root 755
-/usr/bin/ssh root.root 755
-/usr/bin/telnet root.root 755
-/usr/bin/w root.root 755
-/usr/bin/who root.root 755
-/usr/lib/rpm/rpm? rpm.rpm 755
-/usr/sbin/ root.root 755
-/usr/sbin/sendmail.postfix root.root 755
-/usr/sbin/sendmail.sendmail root.mail 2755
-/usr/sbin/traceroute root.bin 4755
-/usr/share/doc root.root 755
-/usr/share/man root.root 755
-/usr/tmp root.root 1777
-/var/ root.root 755
-/var/lib/rpm/Packages rpm.rpm 644
-/var/lock/subsys root.root 755
-/var/log/ root.root 755
-/var/log/* root.adm 640
-/var/log/Xorg.0.log current.current current
-/var/log/lp-errs lp.lp 600
-/var/log/*/* current.current 640
-/var/log/*/*/* current.current 640
-/var/log/*/. current.current 755
-/var/log/*/*/. current.current 755
-/var/log/mailman/ root.mail 2775
-/var/log/mailman/* root.mail 660
-/var/spool/mail/ root.mail 2775
-/var/tmp root.root 1777
diff --git a/conf/perm.standard b/conf/perm.standard
new file mode 100644
index 0000000..a52e090
--- /dev/null
+++ b/conf/perm.standard
@@ -0,0 +1,97 @@
+# default permissions level
+###
+/ root.adm 755
+/bin/ root.root 755
+/bin/ping root.root 4755
+/bin/rpm rpm.rpm 755
+/boot/ root.root 755
+/dev/ root.root 755
+/etc/ root.root 755
+/etc/conf.modules root.root 644
+/etc/cron.daily/ root.root 755
+/etc/cron.hourly/ root.root 755
+/etc/cron.monthly/ root.root 755
+/etc/cron.weekly/ root.root 755
+/etc/crontab root.root 644
+/etc/dhcpcd/ root.root 755
+/etc/dhcpcd/* root.root 644
+/etc/ftpaccess root.root 644
+/etc/ftpconversions root.root 644
+/etc/ftpgroups root.root 644
+/etc/ftphosts root.root 644
+/etc/ftpusers root.root 644
+/etc/gettydefs root.root 644
+/etc/hosts.allow root.root 644
+/etc/hosts.deny root.root 644
+/etc/hosts.equiv root.root 644
+/etc/httpd/modules.d/*.conf root.root 644
+/etc/httpd/conf/*.conf root.root 644
+/etc/httpd/conf/addon-modules/* root.root 644
+/etc/httpd/conf/vhosts.d/* root.root 644
+/etc/httpd/conf/webapps.d/* root.root 644
+/etc/inetd.conf root.root 644
+/etc/inittab root.root 644
+/etc/ld.so.conf root.root 644
+/etc/mandrake-release root.root 644
+/etc/modules.conf root.root 644
+/etc/motd root.root 644
+/etc/printcap root.root 644
+/etc/profile.d/* root.root 755
+/etc/rc.d/ root.root 755
+/etc/rc.d/init.d/ root.root 755
+/etc/rc.d/init.d/* root.root 744
+/etc/rc.d/init.d/functions root.root 644
+/etc/rc.d/init.d/mandrake_consmap root.root 644
+/etc/rc.d/init.d/xprint root.root 755
+/etc/securetty root.root 644
+/etc/sendmail.cf root.mail 644
+/etc/shutdown.allow root.root 644
+/etc/ssh/ssh_config root.root 644
+/etc/ssh/ssh_host_*key root.root 600
+/etc/ssh/ssh_host_*key.pub root.root 644
+/etc/ssh/sshd_config root.root 644
+/etc/sysconfig root.root 755
+/etc/syslog.conf root.root 644
+/etc/updatedb.conf root.root 644
+/home/ root.root 755
+/home/* current.current 755
+/lib/ root.root 755
+/mnt/ root.root 755
+/proc root.root 555
+/root/ root.root 700
+/sbin/ root.root 755
+/tmp/ root.root 1777
+/usr/ root.root 755
+/usr/* root.root 755
+/usr/bin/ root.root 755
+/usr/bin/cc root.root 755
+/usr/bin/finger root.root 755
+/usr/bin/g++* root.root 755
+/usr/bin/gcc* root.root 755
+/usr/bin/ssh root.root 755
+/usr/bin/telnet root.root 755
+/usr/bin/w root.root 755
+/usr/bin/who root.root 755
+/usr/lib/rpm/rpm? rpm.rpm 755
+/usr/sbin/ root.root 755
+/usr/sbin/sendmail.postfix root.root 755
+/usr/sbin/sendmail.sendmail root.mail 2755
+/usr/sbin/traceroute root.bin 4755
+/usr/share/doc root.root 755
+/usr/share/man root.root 755
+/usr/tmp root.root 1777
+/var/ root.root 755
+/var/lib/rpm/Packages rpm.rpm 644
+/var/lock/subsys root.root 755
+/var/log/ root.root 755
+/var/log/* root.adm 640
+/var/log/Xorg.0.log current.current current
+/var/log/lp-errs lp.lp 600
+/var/log/*/* current.current 640
+/var/log/*/*/* current.current 640
+/var/log/*/. current.current 755
+/var/log/*/*/. current.current 755
+/var/log/mailman/ root.mail 2775
+/var/log/mailman/* root.mail 660
+/var/spool/mail/ root.mail 2775
+/var/tmp root.root 1777
diff --git a/conf/server.default b/conf/server.default
deleted file mode 100644
index b070ab0..0000000
--- a/conf/server.default
+++ /dev/null
@@ -1,42 +0,0 @@
-adsl
-bgpd
-bridge
-crond
-dansguardian
-dhcpd
-diald
-dm
-ez-ipupdate
-ftwall
-fwlogwatch
-gpm
-haldaemon
-httpd
-httpd-naat
-httpd2-naat
-ipsec
-iptables
-iptoip
-isdn4linux
-keytable
-named
-network
-ntpd
-openvpn
-ospfd
-ospf6d
-pcmcia
-pptp
-pptpd
-prelude-manager
-ripd
-ripngd
-shorewall
-snortd
-squid
-sshd
-syslog
-usb
-xfs
-xinetd
-zebra
diff --git a/conf/server.standard b/conf/server.standard
new file mode 100644
index 0000000..b070ab0
--- /dev/null
+++ b/conf/server.standard
@@ -0,0 +1,42 @@
+adsl
+bgpd
+bridge
+crond
+dansguardian
+dhcpd
+diald
+dm
+ez-ipupdate
+ftwall
+fwlogwatch
+gpm
+haldaemon
+httpd
+httpd-naat
+httpd2-naat
+ipsec
+iptables
+iptoip
+isdn4linux
+keytable
+named
+network
+ntpd
+openvpn
+ospfd
+ospf6d
+pcmcia
+pptp
+pptpd
+prelude-manager
+ripd
+ripngd
+shorewall
+snortd
+squid
+sshd
+syslog
+usb
+xfs
+xinetd
+zebra
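Review bot: The header comment of the new perm.standard file, `+# default permissions level`, still names the level by its old name; apart from the path the file is the unchanged perm.default blob (a52e090 on both sides). Change it to `# standard permissions level` so the comment agrees with the filename and with the STANDARD_LEVEL constant this commit introduces in config.py.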
diff --git a/src/msec/config.py b/src/msec/config.py index 843e21b..9d055f9 100644 --- a/src/msec/config.py +++ b/src/msec/config.py @@ -20,7 +20,7 @@ import os # security levels NONE_LEVEL="none" -DEFAULT_LEVEL="default" +STANDARD_LEVEL="standard" SECURE_LEVEL="secure" SECURITY_LEVEL="/etc/security/msec/level.%s" @@ -89,7 +89,7 @@ SETTINGS = {'BASE_LEVEL': ("libmsec.base_level", 'ALLOW_XAUTH_FROM_ROOT': ("libmsec.allow_xauth_from_root", ['yes', 'no']), 'ALLOW_XSERVER_TO_LISTEN': ("libmsec.allow_xserver_to_listen", ['yes', 'no']), 'AUTHORIZE_SERVICES': ("libmsec.authorize_services", ['yes', 'no', 'local']), - 'CREATE_SERVER_LINK': ("libmsec.create_server_link", ['no', 'default', 'secure']), + 'CREATE_SERVER_LINK': ("libmsec.create_server_link", ['no', 'standard', 'secure']), 'ENABLE_AT_CRONTAB': ("libmsec.enable_at_crontab", ['yes', 'no']), 'ENABLE_CONSOLE_LOG': ("libmsec.enable_console_log", ['yes', 'no']), 'ENABLE_DNS_SPOOFING_PROTECTION':("libmsec.enable_ip_spoofing_protection", ['yes', 'no']), diff --git a/src/msec/msecgui.py b/src/msec/msecgui.py index 105943a..a93ffb4 100755 --- a/src/msec/msecgui.py +++ b/src/msec/msecgui.py 
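Review bot: Removing the old constant outright (`-DEFAULT_LEVEL="default"`) leaves no path for configurations saved under the previous naming: a stored BASE_LEVEL or CREATE_SERVER_LINK of 'default' is no longer a known value, and the second hunk now rejects 'default' for CREATE_SERVER_LINK with no migration. Only msecgui.py and msecperms.py are updated in the diffstat, so whether any other module still reads config.DEFAULT_LEVEL is not visible here and is worth a grep before merging. Consider keeping `DEFAULT_LEVEL = STANDARD_LEVEL  # legacy name of the standard level, kept for saved configs` next to the new constant, and accepting 'default' as an alias of 'standard' wherever a level name is read from a file. The SETTINGS dict in the second hunk begins before the hunk.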
@@ -52,7 +52,7 @@ This application allows you to configure your system security. If you wish to activate it, choose the appropriate security level: """) -DEFAULT_LEVEL_DESCRIPTION=_("""This profile configures a reasonably safe set of security features. It activates several non-intrusive periodic system checks. This is the suggested level for Desktop.""") +STANDARD_LEVEL_DESCRIPTION=_("""This profile configures a reasonably safe set of security features. It activates several non-intrusive periodic system checks. This is the suggested level for Desktop.""") SECURE_LEVEL_DESCRIPTION=_("""This profile is configured to provide maximum security, even at the cost of limiting the remote access to the system. It also runs a wider set of periodic checks, enforces the local password settings, and periodically checks if the system security settings, configured here, were modified. """) @@ -105,17 +105,17 @@ class MsecGui: self.msecconfig = msecconfig self.permconfig = permconfig - # pre-defined default configurations + # pre-defined standard configurations self.msec_defaults = { config.NONE_LEVEL: config.load_defaults(log, config.NONE_LEVEL), - config.DEFAULT_LEVEL: config.load_defaults(log, config.DEFAULT_LEVEL), + config.STANDARD_LEVEL: config.load_defaults(log, config.STANDARD_LEVEL), config.SECURE_LEVEL: config.load_defaults(log, config.SECURE_LEVEL), } # pre-defined permissions self.perm_defaults = { config.NONE_LEVEL: config.load_default_perms(log, config.NONE_LEVEL), - config.DEFAULT_LEVEL: config.load_default_perms(log, config.DEFAULT_LEVEL), + config.STANDARD_LEVEL: config.load_default_perms(log, config.STANDARD_LEVEL), config.SECURE_LEVEL: config.load_default_perms(log, config.SECURE_LEVEL), } 
@@ -378,16 +378,16 @@ class MsecGui: # what level are we? level = self.msecconfig.get("BASE_LEVEL") if not level: - self.log.info(_("No base msec level specified, using '%s'") % config.DEFAULT_LEVEL) - self.base_level = config.DEFAULT_LEVEL - elif level == config.NONE_LEVEL or level == config.DEFAULT_LEVEL or level == config.SECURE_LEVEL: + self.log.info(_("No base msec level specified, using '%s'") % config.STANDARD_LEVEL) + self.base_level = config.STANDARD_LEVEL + elif level == config.NONE_LEVEL or level == config.STANDARD_LEVEL or level == config.SECURE_LEVEL: self.log.info(_("Detected base msec level '%s'") % level) self.base_level = level else: # custom level? # TODO: notify user about this - self.log.info(_("Custom base config level found. Will default to '%s'") % (level, config.DEFAULT_LEVEL)) - self.base_level = config.DEFAULT_LEVEL + self.log.info(_("Custom base config level '%s' found. Will default to '%s'") % (level, config.STANDARD_LEVEL)) + self.base_level = config.STANDARD_LEVEL def create_treeview(self, options): """Creates a treeview from given list of options""" @@ -500,13 +500,13 @@ class MsecGui: levels_vbox = gtk.VBox() self.levels_frame.add(levels_vbox) # default - self.button_default = gtk.RadioButton(group=None, label=_("Default")) - self.button_default.connect('clicked', self.force_level, config.DEFAULT_LEVEL) - if self.base_level == config.DEFAULT_LEVEL: + self.button_default = gtk.RadioButton(group=None, label=_("Standard")) + self.button_default.connect('clicked', self.force_level, config.STANDARD_LEVEL) + if self.base_level == config.STANDARD_LEVEL: self.button_default.set_active(True) levels_vbox.pack_start(self.button_default, False, False) # default level description - label = gtk.Label(DEFAULT_LEVEL_DESCRIPTION) + label = gtk.Label(STANDARD_LEVEL_DESCRIPTION) label.set_use_markup(True) label.set_property("xalign", 0.1) label.set_property("yalign", 0.0) 
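Review bot: After the rename, a saved BASE_LEVEL of 'default' — presumably what installations written by the previous version carry, and the value the new level.standard file itself still sets — no longer matches the `elif` and falls into the custom-level branch, where it is remapped to standard with only a log.info and the TODO noting that nothing tells the user. The remap picks the right level (the two names are the same profile), but the 'Custom base config level' message is misleading for it; add a dedicated case before the custom branch, `elif level == "default":  # legacy name of STANDARD_LEVEL`, logging that the legacy name was mapped. The three-way equality chain also reads better as `elif level in (config.NONE_LEVEL, config.STANDARD_LEVEL, config.SECURE_LEVEL):`. The enclosing method starts before the hunk.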
@@ -515,7 +515,7 @@ class MsecGui: label.set_justify(gtk.JUSTIFY_FILL) levels_vbox.pack_start(label, False, False) # secure - self.button_secure = gtk.RadioButton(group=self.button_default, label=_("SECURE")) + self.button_secure = gtk.RadioButton(group=self.button_default, label=_("Secure")) self.button_secure.connect('clicked', self.force_level, config.SECURE_LEVEL) if self.base_level == config.SECURE_LEVEL: self.button_secure.set_active(True) @@ -604,7 +604,7 @@ class MsecGui: else: # what level are we toggling? if self.button_default.get_active(): - level = config.DEFAULT_LEVEL + level = config.STANDARD_LEVEL else: level = config.SECURE_LEVEL self.toggle_level(level, force=True) @@ -1061,7 +1061,7 @@ class MsecGui: value = config.OPTION_DISABLED callback, params = config.SETTINGS[param] - conf_def = self.msec_defaults[config.DEFAULT_LEVEL] + conf_def = self.msec_defaults[config.STANDARD_LEVEL] conf_sec = self.msec_defaults[config.SECURE_LEVEL] # Highlighting default options @@ -1069,7 +1069,7 @@ class MsecGui: def_end="" sec_start="" sec_end="" - if self.base_level == config.DEFAULT_LEVEL: + if self.base_level == config.STANDARD_LEVEL: def_start="" def_end="" elif self.base_level == config.SECURE_LEVEL: @@ -1089,7 +1089,7 @@ class MsecGui: label.set_use_markup(True) # description dialog.vbox.pack_start(label) - label = gtk.Label(_("%s\n\n\tCurrent value:\t\t\t%s\n\t%sDefault level value:\t%s%s\n\t%sSecure level value:\t\t%s%s\n") % + label = gtk.Label(_("%s\n\n\tCurrent value:\t\t\t%s\n\t%sStandard level value:\t%s%s\n\t%sSecure level value:\t\t%s%s\n") % (descr, value, def_start, val_def, def_end, sec_start, val_sec, sec_end)) diff --git a/src/msec/msecperms.py b/src/msec/msecperms.py index 9ce1c70..f073b94 100755 --- a/src/msec/msecperms.py +++ b/src/msec/msecperms.py 
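Review bot: The widget and helper names in these hunks still say "default" for what the user now sees as the Standard level: `self.button_default` (created at @@ -500, used as the radio group anchor at @@ -515 and tested at @@ -604), and `conf_def`, `val_def`, `def_start`/`def_end` at @@ -1061 and @@ -1069. Renaming them to `self.button_standard`, `conf_std`, `val_std` and `std_start`/`std_end` would keep code and UI vocabulary aligned and stop the next reader from taking "default" to mean the fallback rather than a level. The label strings `_("Standard")`, `_("Secure")` and the "Standard level value" format string are new msgids, so the translation catalogs presumably need a matching update.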
@@ -136,14 +136,14 @@ if __name__ == "__main__": # forcing new level if force_level: # first load the default configuration for level - default_permconf = config.load_default_perms(log, level) - params = default_permconf.list_options() + standard_permconf = config.load_default_perms(log, level) + params = standard_permconf.list_options() if not params: log.error(_("Level '%s' not found, aborting.") % level) sys.exit(1) log.info(_("Switching to '%s' level.") % level) for opt in params: - permconf.set(opt, default_permconf.get(opt)) + permconf.set(opt, standard_permconf.get(opt)) else: permconf.load() -- cgit v1.2.1
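Review bot: The renamed local `standard_permconf` holds whatever `config.load_default_perms(log, level)` returned for the requested `level`, which can be the secure level as well, so the new name is less accurate than the old one; `level_permconf` would describe it, and the unchanged comment `# first load the default configuration for level` already reads that way. The `if __name__ == "__main__":` block enclosing this hunk starts outside it.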