**************************** Security level 1 : - Global security check. - umask is 002 ( user = read,write | greoup = read,write | other = read ) - easy file permission. - localhost authorized to connect to X display. - User in audio group. - . in $PATH - Warning in /var/log/security.log **************************** Security level 2 : - Global security check - Suid root file check - Suid root file md5sum check - Writeable file check - Warning in syslog - Warning in /var/log/security.log - umask is 022 ( user = read,write | group = read | other = read ) - easy file permission. - localhost authorized to connect to X display. - User in audio group. **************************** Security level 3 ( Aka normal system ) : - Global security check - Permissions check - Suid root file check - Suid root file md5sum check - Suid group file check - Writeable file check - Unowned file check - Promiscuous check - Listening port check - Passwd file integrity check - Shadow file integrity check - Warning in syslog - Warning in /var/log/security.log - umask is 022 ( user = read,write | group = read | other = read ) - Normal file permission. - All system events additionally logged to /dev/tty12 - Some system security check launched every midnight from the ( crontab ). **************************** Security level 4 ( Aka Secured system ) : - Global security check - Permissions check - Suid root file check - Suid root file md5sum check - Suid group file check - Writeable file check - Unowned file check - Promiscuous check - Listening port check - Passwd file integrity check - Shadow file integrity check - Warning in syslog - Warning in /var/log/security.log - Warning directly on tty - umask 022 ( user = read,write | group = read | other = read ) for root - umask 077 ( user = read,write | group = | other = ) for normal users - restricted file permissions. - All system events additionally logged to /dev/tty12 - System security check every midnight ( crontab ). * - Services not contained in /etc/security/msec/server.4 are disabled ( considered as not really secure ) ( but the user can reenable it with chkconfig ). - Ask for a boot password ( if the user want ). - Connection to the system denyied for all except localhost. - ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ). ******************************* Security level 5 ( Aka Paranoid system ) : - Global security check - Permissions check - Suid root file check - Suid root file md5sum check - Suid group file check - Writeable file check - Unowned file check - Promiscuous check - Listening port check - Passwd file integrity check - Shadow file integrity check - Warning in syslog - Warning in /var/log/security.log - Warning directly on tty - umask 077 ( user = read,write | group = | other = ) - Highly restricted file permission - All system events additionally logged to /dev/tty12 - System security check every midnight ( crontab ). - Services not contained in /etc/security/msec/server.5 are disabled ( considered as not really secure ) ( but the user can reenable it with chkconfig ). - Ask for a boot password ( if the user want ). - Connection to the system denyied for all. - ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ) . ****************** * level4/level5 : "services disabled" explanations : - Some server aren't really considered as secure, these one, should for exemple be compiled from sources. server considered as secure are specified in /etc/security/msec/server.4/5 When enabling level4/5, all server which aren't considered as secure are disabled ( NOT uninstalled, just disabled ) user can reenable them using the chkconfig utility ( server will be launched at next boot ). In these level, we are also denying rpm to enable any server considered as insecure ( off course rpm can install the server ). The user have the choise : chkconfig --add servername will enable the server. Or add the server in the secured server list *** Future Release : *** - Automatic tty locking ( unlock by passwd ) after X time of inactivity. - In high security level, only user having access to group "sugrp" can use the su command. ***