From 78b13ca5f0677f9e6e5a07a18473a2d7724b51d0 Mon Sep 17 00:00:00 2001
From: Yoann Vandoorselaere
Date: Thu, 25 Nov 1999 19:44:10 +0000
Subject: Initial revision
---
init-sh/level5.sh | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 96 insertions(+)
create mode 100755 init-sh/level5.sh
(limited to 'init-sh/level5.sh')
diff --git a/init-sh/level5.sh b/init-sh/level5.sh
new file mode 100755
index 0000000..f2b7a55
--- /dev/null
+++ b/init-sh/level5.sh
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann
+#
+
+if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+ . /etc/security/msec/init-sh/lib.sh
+fi
+
+chattr +a /var/log/*
+
+# All events logged on tty12
+AddRules "*.* /dev/tty12" /etc/syslog.conf
+
+# Prevent all kind of connection
+AddRules "ALL:ALL:DENY" /etc/hosts.deny
+
+# No login as root
+AddRules "" /etc/securetty
+
+# Suid check
+AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
+AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
+AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf
+AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
+AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf
+AddRules "TTY_WARN=yes" /etc/security/msec/security.conf
+AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
+
+# Check every 1 minutes for promisc problem
+AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab
+AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+
+
+# Wanna a password ?
+LiloUpdate;
+/sbin/lilo
+
+# Disable all server :
+IFS="
+"
+
+for service in `chkconfig --list | awk '{print $1}'`; do
+ if [ "${service}" == "xfs" ]; then
+ if [ ${HAVE_X}==1 ]; then
+ continue;
+ fi
+ fi
+
+ if [ "${service}" == "network" ]; then continue; fi
+ if [ "${service}" == "keytable" ]; then continue; fi
+ if [ "${service}" == "crond" ]; then continue; fi
+ if [ "${service}" == "gpm" ]; then continue; fi
+ if [ "${service}" == "syslog" ]; then continue; fi
+
+
+ chkconfig --del "${service}"
+done
+
+# Permissions
+AddRules "umask 077" /etc/profile
+
+# Path
+if [ ${HAVE_X}==1 ]; then
+ AddRules "PATH=$PATH:/usr/X11R6/bin" /etc/profile
+fi
+
+echo
+echo "You are now running your system in security level 5,"
+echo "All services are disabled : try the chkconfig to enable one..."
+echo "If you're on a senssible machine, ( which is probably the case )"
+echo "you should compile the server from the sources".
+echo
+echo "Good luck. :-)"
+echo
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-- cgit v1.2.1
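Review bot: Both `[ ${HAVE_X}==1 ]` tests (the `xfs` branch of the service loop and the `# Path` block) are always true, because `${HAVE_X}==1` reaches `[` as a single non-empty word instead of a comparison. As a result `xfs` is skipped by `chkconfig --del` on every machine, so a level that prints "All services are disabled" leaves the font server registered even where X is absent, and the X11R6 path is appended unconditionally. Write both as `if [ "${HAVE_X}" = 1 ]; then`. In the same `# Path` block, the double quotes around `"PATH=$PATH:/usr/X11R6/bin"` expand the installing shell's `PATH` before `AddRules` receives it; assuming `AddRules` (defined in lib.sh, outside this patch) writes its first argument verbatim, that freezes the installer's search path into /etc/profile for every user, and single quotes would keep `$PATH` literal.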