From 7e8b185f1d5705ca80c87fa5d5b8ac3ff699c42c Mon Sep 17 00:00:00 2001
From: Yoann Vandoorselaere
Date: Mon, 29 Nov 1999 15:06:21 +0000
Subject: *** empty log message ***
---
init-sh/custom.sh | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 110 insertions(+) (limited to 'init-sh/custom.sh')
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index e69de29..eac0cc8 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann
+#
+
+if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+ . /etc/security/msec/init-sh/lib.sh
+fi
+
+
+clear
+
+###
+echo "Do you want your log file to be in append mode only ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ find /var/log/ -type f -exec chattr +a {} \;
+fi
+###
+echo "Do you want all system events to be logged on tty12 ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "*.* /dev/tty12" /etc/syslog.conf
+fi
+###
+echo "Do you want to deny any machine to connect to yours ?"
+WaitAnswer
+if [ ${answer} == "yes" ]; then
+ echo "Do you want only localhost to be allowed ?"
+ WaitAnswer; clear
+ if [ "${answer}" == "yes" ]; then
+ AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny
+ else
+ AddRules "ALL:ALL:DENY" /etc/hosts.deny
+ fi
+fi
+###
+echo "Do you want root console login to be allowed ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "tty1" /etc/securetty quiet
+ AddRules "tty2" /etc/securetty quiet
+ AddRules "tty3" /etc/securetty quiet
+ AddRules "tty4" /etc/securetty quiet
+ AddRules "tty5" /etc/securetty quiet
+ AddRules "tty6" /etc/securetty
+fi
+###
+echo "Do you want your system to daily check SUID Root file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to daily check SUID Group file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to daily check Writable file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to daily check Unowned file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to verify every minutes if a network interface"
+echo "is in promiscuous state (which mean someone is probably running a sniffer on your machine ) ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf
+ AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab
+fi
+###
+LiloUpdate;
+/sbin/lilo >& /dev/null
+###
+echo "Do you want a "." in your PATH variable ?"
+echo "This permit you to not use ./progname & to just type progname"
+echo "However this is a *high* security risk."
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "PATH=\$PATH:/usr/X11R6/bin" /etc/profile
+fi
+###
+AddRules "SECURE_LEVEL=\"custom\"" /etc/profile
+export SECURE_LEVEL="custom"
+###
+AddRules "umask 077" /etc/profile
+
+
+
+
+
+
+
+
+
-- cgit v1.2.1
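Review bot: The "." in PATH question near the end of the hunk does not do what it asks: answering yes appends `PATH=\$PATH:/usr/X11R6/bin` to /etc/profile, which never adds "." and makes the X11 directory depend on an unrelated answer. The rule should match the prompt, e.g. `AddRules "PATH=\$PATH:/usr/X11R6/bin:." /etc/profile` on yes (with "." last so system directories are searched first) and the plain X11 path otherwise, or the prompt should be dropped. The root console login block is one-sided in the same way: a "no" answer adds nothing but also removes nothing, so tty entries already in /etc/securetty would presumably keep root console login allowed unless lib.sh cleans that file elsewhere. Separately, every test except the nested one uses unquoted `${answer}`; `[ "${answer}" == "yes" ]` avoids a test error on an empty reply, which is also what happens at each prompt if lib.sh is missing and WaitAnswer is undefined.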