Some new stuff I thought should be implemented as well... And yes they keep on a coming!!!!!!!!! : ) ######## Begin new stuff ############## #!/bin/bash #Logging echo "Would you like set to up addtional logging ?" echo "Logging will still go to its respected places in /var/log as well." WaitAnswer;clear if [[ ${answer} == yes ]]; then echo "Would you like for auth and warnings to be logged to tty11 ?" WaitAnswer;clear if [[ ${answer} == yes ]]; then AddRules "authpriv.* /dev/tty11" /etc/syslog.conf echo "Would you like kernel logging to go tty10 ?" WaitAnswer;clear if [[ ${answer} == yes ]]; then AddRules "kern.* /dev/tty10" /etc/syslog.conf echo "Would you like mail logging to go tty9 ?" echo "This is only useful if you're running a mail server(sendmail)." WaitAnswer;clear if [[ ${answer} == yes ]]; then AddRules "mail.* /dev/tty9" /etc/syslog.conf /etc/rc.d/init.d/syslog restart > /dev/null fi fi fi #End of logging Is BSD style process accounting on by default in Mandrake ? echo "We can setup your system to log who does what commands and when..." echo "May we set up proccess accounting ?" echo "The log file will get filled up VERY quickly WaitAnswer;clear if [[ ${answer} == yes ]]; then AddRules "/sbin/accton /var/log/pacct" /etc/rc.d/rc.local #This probablly needs it's own script though echo "/var/log/pacct { " >> /etc/logrotate.conf echo " postrotate" >> /etc/logrotate.conf echo " /usr/sbin/accton /var/log/pacct" >> /etc/logrotate.conf echo >> /etc/logrotate.conf echo >> "}" /etc/logrotate.conf #Got a be a cleaner way to do this : ) fi #End BSD style process accounting #PAM stuff #default file size limit dfsize=40000 echo "We help prevent certain types of DoS attacks through the use of PAM(Pluggable Authentication Modules.)" echo "By setting a limit on how big user files may get and how many processes a user may run." echo "Would you like to set up some PAM configuration ?" WaitAnswer;clear if [[ ${answer} == yes ]]; then AddRules "# Limit user processes" /etc/security/limits.conf AddRules "* soft nproc 100" /etc/security/limits.conf AddRules "* hard nproc 150" /etc/security/limits.conf echo "Would you like to set a maximum file size a user is allowed ?" WaitAnswer;clear if [[ ${answer} == yes ]]; then echo "What shall be the maximum file size(default it 40000 = 40MB)" echo -n "Size[40000]: " read fsize if [[ -z ${fsize} ]]; then AddRules "# limits size of any one of users' files" /etc/security/limits.conf AddRules "* hard $dfsize" /etc/security/limits.conf else AddRules "# limits size of any one of users' files" /etc/security/limits.conf AddRules "* hard $fsize" /etc/security/limits.conf fi fi fi #End PAM stuff ********************************** ###########Begin modified custom.sh###################### #!/bin/bash # # Security level implementation... # Writen by Vandoorselaere Yoann # if [[ -f /usr/share/lsec/lib.sh ]]; then . /usr/share/lsec/lib.sh else echo "Can't find /usr/share/lsec/lib.sh, exiting." exit 1 fi clear WRITE_CRON="false" ### echo "This script allows you to customize the security on your system. " echo "If you feel at all you don't know what you're doing abort now!!! " echo "'ctrl-c' to abort" echo -n "Otherwise, please press [enter] to continue " read FOO clear ### echo "Do you want all system events to be logged on tty12 ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "*.* /dev/tty12" /etc/syslog.conf fi ### echo "Do you want to be notified by mail of _all_ root logins ?" echo "(This is strongle recommended)" WaitAnswer; clear if [[ ${answer} == yes ]]; then if [[ -s /root/.bashrc ]]; then cp /root/.bashrc /tmp/bashrc sed '/root login/d' /tmp/bashrc > /root/.bashrc AddRules 'echo "root login Check your syslog /var/log/messages" | /bin/mail -s "Root Login" root' /root/.bashrc rm -f /tmp/bashrc echo "Done" fi fi ### echo "Do you want to only allow ctrl-alt-del if root is logged locally ?" echo "( or if a user present in /etc/shutdown.allow is logged locally )" WaitAnswer; clear tmpfile=`mktemp /tmp/secure.XXXXXX` cp /etc/inittab ${tmpfile} if [[ ${answer} == yes ]]; then cat ${tmpfile} | \ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab else cat ${tmpfile} | \ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab fi rm -f ${tmpfile} #Compile tools #More needs to be added and this is very sloppy but you get the idea : ) mgtools() { mgcon=mgcon1 echo "Do you want only root to have access to the system compiler(gcc/g++) ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then chmod 0700 /usr/bin/gcc chmod 0700 /usr/bin/g++ fi } gtools() { gcon=gcon0 dgrp=devel echo "Do you want to setup compiling tools(gcc,g++,etc..) so that they may" echo "be used by a certain group ?" echo -n "yes/no: " read answer if [[ ${answer} == yes ]]; then gcon=gcon1 echo echo -n "What shall the name of this group be [devel]: " read grp if [[ -z ${grp} ]]; then groupadd ${dgrp} .. /etc/security/lsec/perm.ctoolsd else groupadd ${grp} .. /etc/security/lsec/perm.ctools fi fi } gtools #if [[ ${gcon} = gcon1 ]]; then #ntools #else #mgtools #fi #network tools mntools() { echo "Do you want to disable 'ping' to all users except root ?" WaitAnswer; clear if [[ $answer} == yes ]]; then chmod 0700 /bin/ping fi echo "Do you want to disable 'traceroute' to all users except root ?" WaitAnswer; clear if [[ $answer == yes ]]; then chmod 0700 /usr/sbin/traceroute fi echo "Do you want to disable 'who' to all users except root ?" WaitAnswer; clear if [[ $answer == yes ]]; then chmod 0700 /usr/bin/who fi echo "Do you want to disable 'w' to all users except root ?" WaitAnswer; clear if [[ $answer == yes ]]; then chmod 0700 /usr/bin/w fi echo "Do you want to disable 'finger' to all users except root ?" WaitAnswer; clear if [[ $answer == yes ]]; then chmod 0700 /usr/bin/finger fi echo "Do you want to disable telnet client to all users except root ?" WaitAnswer; clear if [[ $answer == yes ]]; then chmod 0700 /usr/bin/telnet fi echo "Do you want to disable ssh client to all users except root ?" WaitAnswer; clear if [[ $answer == yes ]]; then chmod 0700 /usr/bin/ssh fi } ntools() { ncon=ncon0 ngrpd=netsys echo "Do you want to set up network tools so that they may be used only" echo "by users of a certain group ?" echo -n "yes/no: " read answer if [[ ${answer} == yes ]]; then ncon=ncon1 echo echo -n "What shall the name of this group be [netsys]: " read ngrp if [[ -z ${ngrp} ]]; then groupadd ${ngrpd} .. /etc/security/lsec/perm.netsysd else groupadd ${ngrp} .. /etc/security/lsec/perm.netsysd fi fi } if [[ ${gcon} = gcon1 ]]; then ntools else mgtools fi if [[ ${mgcon} = mgcon1 ]]; then ntools else mntools fi if [[ $ncon = ncon1 ]]; then echo "Done" else mntools fi ### echo "Do you want to deny any machine to connect to yours ?" WaitAnswer if [[ ${answer} == yes ]]; then echo "Do you want only localhost to be allowed ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny else AddRules "ALL:ALL:DENY" /etc/hosts.deny fi fi ### echo "Do you want root console login to be allowed ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "tty1" /etc/securetty quiet AddRules "tty2" /etc/securetty quiet AddRules "tty3" /etc/securetty quiet AddRules "tty4" /etc/securetty quiet AddRules "tty5" /etc/securetty quiet AddRules "tty6" /etc/securetty fi ### if [[ -f /usr/lib/libsafe.so.1.2 ]]; then echo "Do you want to enable the libsafe stack overflow protection ?" echo "This stack overflow protection work by catching dangerous function call" echo "like strcpy, strcat, getwd, gets, [vf]scanf, realpath, [v]sprintf" echo "and verify the address & the size of the destination buffer in the stack" echo "this is done by searching in the stack frame the one which contain the" echo "destination address, and by substracting the frame address to the destination buffer one" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "export LD_PRELOAD=/usr/lib/libsafe.so.1.2" /etc/profile fi fi ### echo "Do you want your system to daily check important security problem ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_SECURITY=yes" /etc/security/lsec/security.conf WRITE_CRON="true" fi ### echo "Do you want your system to daily check new open port listening ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_OPEN_PORT=yes" /etc/security/lsec/security.conf WRITE_CRON="true" fi ### echo "Do you want your system to check for grave permission problem on sensibles files ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_PERMS=yes" /etc/security/lsec/security.conf WRITE_CRON="true" fi ### echo "Do you want your system to daily check SUID Root file change ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_SUID_ROOT=yes" /etc/security/lsec/security.conf WRITE_CRON="true" fi ### echo "Do you want your system to daily check suid files md5 checksum changes ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_SUID_MD5=yes" /etc/security/lsec/security.conf WRITE_CRON="true" fi ### echo "Do you want your system to daily check SUID Group file change ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_SUID_GROUP=yes" /etc/security/lsec/security.conf WRITE_CRON="true" fi ### echo "Do you want your system to daily check Writeable file change ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_WRITEABLE=yes" /etc/security/lsec/security.conf WRITE_CRON="true" fi ### echo "Do you want your system to daily check Unowned file change ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_UNOWNED=yes" /etc/security/lsec/security.conf WRITE_CRON="true" fi ### echo "Do you want your system to verify every minutes if a network interface" echo "is in promiscuous state (which mean someone is probably running a sniffer on your machine ) ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_PROMISC=yes" /etc/security/lsec/security.conf AddRules "*/1 * * * * root nice --adjustment=+19 /usr/share/lsec/promisc_check.sh" /etc/crontab fi ### ### echo "Do you want security report to be done in syslog ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "SYSLOG_WARN=yes" /etc/security/lsec/security.conf else AddRules "SYSLOG_WARN=no" /etc/security/lsec/security.conf fi ### echo "Do you want security report to be done by mail ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "MAIL_WARN=yes" /etc/security/lsec/security.conf else AddRules "MAIL_WARN=no" /etc/security/lsec/security.conf fi ### if [[ ${WRITE_CRON} == "true" ]]; then AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/lsec/security.sh" /etc/crontab fi LiloUpdate; /sbin/lilo >& /dev/null ### echo "Do you want to disable all services except(gpm,xfs,keytable," echo "network,crond, and syslogd ?" echo "This is _highly_ recommended if you have not configured other" echo "said services." WaitAnswer; clear if [[ ${answer} == yes ]]; then echo -n "Disabling all service, except : {" chkconfig --list | awk '{print $1}' | while read service; do if grep -qx ${service} /etc/security/lsec/server.4; then echo -n " ${service}" fi done echo " } : " chkconfig --list | awk '{print $1}' | while read service; do chkconfig --del "${service}" if ! chkconfig --add "${service}"; then echo -e "\t- Services ${service} is now disabled." fi done chkconfig --add gpm chkconfig --add xfs chkconfig --add network chkconfig --add keytable chkconfig --add syslog chkconfig --add crond echo -e "done.\n"; fi ### echo "Do you want an easy, normal, restricted, or paranoid umask ?" echo "easy ( 002 ) = user = rwx, group = rwx, other = rx" echo "normal ( 022 ) = user = rwx, group = rx, other = rx" echo "restricted ( for users ) ( 077 ) = user = rwx, group =, other =" echo "restricted ( for root ) ( 022 ) = user = rwx, = group = rx, other = rx" echo "paranoid ( 077 ) = user = rwx, group = , other =" answer="nothing" while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != "restricted" && "${answer}" != "paranoid" ]]; do echo -n "easy/normal/restricted/paranoid : " read answer done case "${answer}" in "easy") AddRules "umask 002" /etc/profile ;; "normal") AddRules "umask 022" /etc/profile ;; "restricted") AddRules "if [[ \${UID} == 0 ]]; then umask 022; else umask 077; fi" /etc/profile ;; "paranoid") AddRules "umask 077" /etc/profile ;; esac ### echo "Do you want a "." in your PATH variable ?" echo "This permit you to not use ./progname & to just type progname" echo "However this is a *high* security risk." WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games:." /etc/profile quiet else AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/profile quiet fi AddRules "export PATH SECURE_LEVEL" /etc/profile echo "Do you want normal, restricted, or paranoid file permissions ?" while [[ "${answer}" != "normal" && "${answer}" != "strict" && "${answer}" != "paranoid" ]]; do echo -n "normal/restricted/paranoid : " read answer done case "${answer}" in "normal") /usr/share/lsec/file_perm.sh /etc/security/lsec/perm.3 ;; "strict") /usr/share/lsec/file_perm.sh /etc/security/lsec/perm.4 ;; "paranoid")#!/bin/bash /usr/share/lsec/file_perm.sh /etc/security/lsec/perm.5 ;; esac #EOF # /etc/security/msec/perm.ctools chown root.$grp /usr/bin/gcc chmod 750 /usr/bin/gcc chown root.$grp /usr/bin/cc chmod 750 /usr/bin/cc chown root.$grp /usr/bin/g++ chmod 750 /usr/bin/g++ # /etc/security/msec/perm.ctoolsd chown root.$dgrp /usr/bin/gcc chmod 750 /usr/bin/gcc chown root.$dgrp /usr/bin/cc chmod 750 /usr/bin/cc chown root.$dgrp /usr/bin/g++ chmod 750 /usr/bin/g++ # /etc/security/msec/perm.netsys chown root.$ngrp /usr/bin/ping chmod 750 /usr/bin/gcc chown root.$ngrp /usr/bin/w chmod 750 /usr/bin/w chown root.$ngrp /usr/bin/w chmod 750 /usr/bin/who chown root.$ngrp /usr/bin/telnet chmod 750 /usr/bin/telnet chown root.$ngrp /usr/bin/ssh chmod 750 /usr/bin/ssh chown root.$ngrp /usr/sbin/traceroute chmod 750 /usr/sbin/traceoute chown root.$ngrp /usr/bin/finger chmod 750 /usr/bin/finger # /etc/security/msec/perm.netsys.d chown root.$ngrpd /bin/ping chmod 750 /usr/bin/gcc chown root.$ngrpd /usr/bin/w chmod 750 /usr/bin/w chown root.$ngrpd /usr/bin/w chmod 750 /usr/bin/who chown root.$ngrpd /usr/bin/telnet chmod 750 /usr/bin/telnet chown root.$ngrpd /usr/bin/ssh chmod 750 /usr/bin/ssh chown root.$ngrpd /usr/sbin/traceroute chmod 750 /usr/sbin/traceroute chown root.$ngrpd /usr/bin/finger chmod 750 /usr/bin/finger ######## END