From 80a65450bd92bd7d24c8e5087856053bbacfe9d9 Mon Sep 17 00:00:00 2001
From: Yoann Vandoorselaere <yoann@mandriva.com>
Date: Wed, 22 Mar 2000 17:39:12 +0000
Subject: *** empty log message ***

---
 ChangeLog         |   3 ++
 README            |  22 ++------
 init-sh/custom.sh | 156 +++++++++++++++++++++++++++++++++++++++++++++++++++---
 init-sh/level5.sh |  18 ++++++-
 init-sh/lib.sh    |   6 +++
 5 files changed, 178 insertions(+), 27 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index cab6bba..5c31b53 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+2000-03-22 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+	* Added many of the proposed feature from Bryan Paxton.
+
 2000-03-19 Yoann Vandoorselaere <yoann@mandrakesoft.com>
 	* security.sh : added patch from Thomas Poindessous.
 	* find.c : many modification :)
diff --git a/README b/README
index 3852e7d..acd2946 100644
--- a/README
+++ b/README
@@ -1,23 +1,9 @@
-This is really basic stuff at the moment...
-
-init-sh : 
-	this is where all script / library to switch security level are,
-	use init.sh only.
-
-cron-sh : 
-	Here are all security script that will be used in crontab.
-
-src:
-	C program for security check.
-
-Note : i know my Makefile are dirty, 
-		so if someone wish to clean them :-)
-
-
+******************
+Configurations files in /etc/security/msec/
+Shell scripts in /usr/share/msec.
 ******************
 
-All stuff are installed in /etc/security/msec/
-use init.sh to change security level
+Many thanks to Bryan Paxton for a good bunch of idea & contribution.
 
 Suggest & Comment :
 yoann@mandrakesoft.com
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index 253d9d9..3018f75 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -1,10 +1,23 @@
 #!/bin/bash
 
+
 #
 # Security level implementation...
 # Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
 #
 
+###
+clear
+echo  "This script allows you to customize the security on your system."
+echo  "If you feel at all you don't know what you're doing abort now!!!"
+# can't use ctrl-c, we trap all signal.
+echo -n "continue [yes/no] : "
+read answer;
+
+if [[ ${answer} != yes ]]; then
+    exit 1
+fi
+
 if [[ -f /usr/share/msec/lib.sh ]]; then
     . /usr/share/msec/lib.sh
 else
@@ -17,13 +30,7 @@ clear
 WRITE_CRON="false"
 
 ###
-echo "Do you want all system events to be logged on tty12 ?"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
-    AddRules "*.* /dev/tty12" /etc/syslog.conf
-fi
 
-###
 echo "Do you want to only allow ctrl-alt-del if root is logged locally ?"
 echo "( or if an user present in /etc/shutdown.allow is logged locally )"
 WaitAnswer; clear
@@ -186,7 +193,8 @@ LiloUpdate;
 /sbin/lilo >& /dev/null
 
 ###
-echo "Do you want to disable your running server ( except important one )"
+clear
+echo "Do you want to disable your running server ( except those specified in /etc/security/msec/server.4 )"
 echo "This is only valuable for server installed with rpm."
 WaitAnswer; clear
 if [[ ${answer} == yes ]]; then
@@ -229,7 +237,7 @@ echo "paranoid ( 077 ) = user = rwx, group = , other ="
 answer="nothing"
 while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != "restricted" && "${answer}" != "paranoid"  ]]; do
 	echo -n "easy/normal/restricted/paranoid : "
-    read answer
+	read answer
 done
 case "${answer}" in
 	"easy")
@@ -246,6 +254,129 @@ case "${answer}" in
 	;;
 esac
 
+###
+
+echo "Do you want easy, normal, restricted, or paranoid permission ?"
+answer="nothing"
+while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != "restricted" && "${answer}" != "paranoid"  ]]; do
+	echo -n "easy/normal/restricted/paranoid : "
+	read answer
+done
+case "${answer}" in
+	"easy")
+	/usr/share/msec/file_perm.sh /etc/security/msec/perm.2
+	;;
+	"normal")
+	/usr/share/msec/file_perm.sh /etc/security/msec/perm.3
+	;;
+	"restricted")
+	/usr/share/msec/file_perm.sh /etc/security/msec/perm.4
+	;;
+	"paranoid")
+	/usr/share/msec/file_perm.sh /etc/security/msec/perm.5
+	;;
+esac
+
+#Logging
+clear
+echo "Would you like set to up additional logging ?"
+echo "Logging will still go to its respected places in /var/log as well."
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+    echo "Would you like all system events to be logged on a specific tty ?"
+    echo "please answer by \"no\" or the tty number."
+    echo -n "no/ttynumber :"
+    read answer
+    if [[ ${answer} != no && ${anwer} != yes ]]; then
+	AddRules "*.* /dev/tty${answer}" /etc/syslog.conf
+    fi
+
+    echo
+    echo "Would you like for auth and warnings to a specific tty ?"
+    echo "please answer by \"no\" or the tty number."
+    echo -n "no/ttynumber :"
+    read answer
+    if [[ ${answer} != no && ${anwer} != yes ]]; then
+	AddRules "authpriv.* /dev/tty${answer}" /etc/syslog.conf
+    fi
+
+    echo
+    echo "Would you like kernel logging to go on a specific tty ?"
+    echo "please answer by \"no\" or the tty number."
+    echo -n "no/ttynumber :"
+    read answer
+    if [[ ${answer} != no && ${anwer} != yes ]]; then
+	AddRules "kern.* /dev/tty${answer}" /etc/syslog.conf
+    fi
+
+    echo
+    echo "Would you like mail logging to a specific tty ?"
+    echo "This is only useful if you're running a mail server."
+    echo "please answer by \"no\" or the tty number."
+    echo -n "no/ttynumber :"
+    read answer
+    if [[ ${answer} != no && ${anwer} != yes ]]; then
+	AddRules "mail.* /dev/tty${answer}" /etc/syslog.conf
+    fi
+    
+    /etc/rc.d/init.d/syslog restart >& /dev/null
+fi
+
+clear
+
+###
+clear
+echo "We can setup your system to log who does what commands and when..."
+echo "May we set up proccess accounting ?"
+echo "The log file (/var/log/security/psacct.log) will get filled up VERY quickly..."
+echo "You need the psacct package."
+WaitAnswer;
+
+if [[ ${answer} == yes ]]; then
+    AddRules "touch /var/log/security/pacct.log" /etc/rc.d/rc.local
+    AddRules "/sbin/accton /var/log/security/pacct.log" /etc/rc.d/rc.local
+    AddRules "/var/log/security/pacct.log {" /etc/logrotate.conf
+    AddRules "    postrotate" /etc/logrotate.conf
+    AddRules "    /sbin/accton /var/log/security/pacct.log" /etc/logrotate.conf
+    AddRules "   }" /etc/logrotate.conf
+    touch /var/log/security/pacct.log
+    chown root.root /var/log/security/pacct.log
+    chmod 600 /var/log/security/pacct.log
+    /sbin/accton /var/log/security/pacct.log
+fi
+
+### Pam
+clear
+
+dfsize=40000
+echo "We help prevent certain types of DoS attacks through the use of PAM(Pluggable Authentication Modules.)"
+echo "By setting a limit on how big user files may get and how many processes a user may run."
+
+echo "Would you like to set up some PAM configuration ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+    AddRules "# Limit user processes" /etc/security/limits.conf
+    AddRules "*   soft    nproc   100" /etc/security/limits.conf
+    AddRules "*   hard    nproc   150" /etc/security/limits.conf
+    
+    echo "Would you like to set a maximum file size a user is allowed ?"
+    WaitAnswer; clear
+    if [[ ${answer} == yes ]]; then
+	echo "What shall be the maximum file size(default is $(dfsize))"
+	echo -n "Size : "
+	read fsize
+	if [[ -z ${fsize} ]]; then
+	    AddRules "# limits size of any one of users' files" /etc/security/limits.conf
+	    AddRules "*     hard    $dfsize" /etc/security/limits.conf
+	else
+	    AddRules "# limits size of any one of users' files" /etc/security/limits.conf
+	    AddRules "*     hard    $fsize" /etc/security/limits.conf
+	fi
+    fi
+fi
+
+
+
 ###
 echo "Do you want a "." in your PATH variable ?"
 echo "This permit you to not use ./progname & to just type progname"
@@ -269,6 +400,15 @@ AddRules "export PATH SECURE_LEVEL" /etc/profile
 
 
 
+
+
+
+
+
+
+
+
+
 
 
 
diff --git a/init-sh/level5.sh b/init-sh/level5.sh
index 0e458b7..0d9b58c 100755
--- a/init-sh/level5.sh
+++ b/init-sh/level5.sh
@@ -70,7 +70,23 @@ AddRules "0 0 * * *    root    /usr/share/msec/security.sh" /etc/crontab
 
 ###################################################
 
-# Wanna a password ?
+# setup BSD accounting.
+
+echo "Setting up BSD process accounting..." 
+if [[ -f /sbin/accton ]]; then
+    AddRules "touch /var/log/security/pacct.log" /etc/rc.d/rc.local
+    AddRules "/sbin/accton /var/log/security/pacct.log" /etc/rc.d/rc.local
+    AddRules "/var/log/security/pacct.log {" /etc/logrotate.conf
+    AddRules "    postrotate" /etc/logrotate.conf
+    AddRules "    /sbin/accton /var/log/security/pacct.log" /etc/logrotate.conf
+    AddRules "   }" /etc/logrotate.conf
+    touch /var/log/security/pacct.log
+    chown root.root /var/log/security/pacct.log
+    chmod 600 /var/log/security/pacct.log
+    /sbin/accton /var/log/security/pacct.log
+fi
+
+# Wanna password ?
 LiloUpdate;
 
 echo -n "Running lilo to record new config : "
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
index 7f55c7c..7b395a7 100644
--- a/init-sh/lib.sh
+++ b/init-sh/lib.sh
@@ -181,6 +181,8 @@ CleanRules /etc/security/msec/security.conf
 CommentUserRules /etc/security/msec/security.conf
 CleanRules /etc/profile
 CleanRules /etc/lilo.conf
+CleanRules /etc/logrotate.conf
+CleanRules /etc/rc.d/rc.local
 CleanRules /etc/rc.d/rc.firewall
 CleanRules /etc/crontab
 CleanRules /etc/X11/xdm/Xsession
@@ -192,9 +194,13 @@ echo "Setting spoofing protection : "
 AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall
 
 # default group which must exist on the system
+# groupadd already check for their existance...
 groupadd nogroup >& /dev/null
 groupadd audio >& /dev/null
 groupadd xgrp >& /dev/null
+groupadd ntools >& /dev/null
+groupadd ctools >& /dev/null
+
 usermod -G xgrp xfs
 
 /usr/share/msec/grpuser.sh --clean
-- 
cgit v1.2.1