#!/bin/bash # # Security level implementation... # Writen by Vandoorselaere Yoann # if [[ -f /usr/share/msec/lib.sh ]]; then . /usr/share/msec/lib.sh else echo "Can't find /usr/share/msec/lib.sh, exiting." exit 1 fi clear ### echo "Do you want all system events to be logged on tty12 ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "*.* /dev/tty12" /etc/syslog.conf fi ### echo "Do you want to only allow ctrl-alt-del if root is logged locally ?" echo "( or if an user present in /etc/shutdown.allow is logged locally )" WaitAnswer; clear tmpfile=`mktemp /tmp/secure.XXXXXX` cp /etc/inittab ${tmpfile} if [[ ${answer} == yes ]]; then cat ${tmpfile} | \ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab else cat ${tmpfile} | \ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab fi rm -f ${tmpfile} ### echo "Do you want to deny any machine to connect to yours ?" WaitAnswer if [[ ${answer} == yes ]]; then echo "Do you want only localhost to be allowed ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny else AddRules "ALL:ALL:DENY" /etc/hosts.deny fi fi ### echo "Do you want root console login to be allowed ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "tty1" /etc/securetty quiet AddRules "tty2" /etc/securetty quiet AddRules "tty3" /etc/securetty quiet AddRules "tty4" /etc/securetty quiet AddRules "tty5" /etc/securetty quiet AddRules "tty6" /etc/securetty fi ### echo "Do you want to enable the libsafe stack overflow protection ?" echo "This stack overflow protection work by catching dangerous function call" echo "like strcpy, strcat, getwd, gets, [vf]scanf, realpath, [v]sprintf" echo "and verify the address & the size of the destination buffer in the stack" echo "this is done by searching in the stack frame the one which contain the" echo "destination address, and by substracting the frame address to the destination buffer one" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "export LD_PRELOAD=/usr/lib/libsafe.so.1.2" /etc/profile fi ### echo "Do you want your system to daily check important security problem ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab fi ### echo "Do you want your system to daily check new open port listening ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab fi ### echo "Do you want your system to check for grave permission problem on sensibles files ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab fi ### echo "Do you want your system to daily check SUID Root file change ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab fi ### echo "Do you want your system to daily check suid files md5 checksum changes ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab fi ### echo "Do you want your system to daily check SUID Group file change ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab fi ### echo "Do you want your system to daily check Writeable file change ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab fi ### echo "Do you want your system to daily check Unowned file change ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab fi ### echo "Do you want your system to verify every minutes if a network interface" echo "is in promiscuous state (which mean someone is probably running a sniffer on your machine ) ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf AddRules "*/1 * * * * root nice --adjustment=+19 /usr/share/msec/promisc_check.sh" /etc/crontab fi ### echo "Do you want security report to be done directly on the console ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "TTY_WARN=yes" /etc/security/msec/security.conf else AddRules "TTY_WARN=no" /etc/security/msec/security.conf fi ### echo "Do you want security report to be done in syslog ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf else AddRules "SYSLOG_WARN=no" /etc/security/msec/security.conf fi ### echo "Do you want security report to be done by mail ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf else AddRules "MAIL_WARN=no" /etc/security/msec/security.conf fi ### LiloUpdate; /sbin/lilo >& /dev/null ### echo "Do you want to disable your running server ( except important one )" echo "This is only valuable for server installed with rpm." WaitAnswer; clear if [[ ${answer} == yes ]]; then echo -n "Disabling all service, except : {" chkconfig --list | awk '{print $1}' | while read service; do if grep -qx ${service} /etc/security/msec/server.4; then echo -n " ${service}" fi done echo " } : " chkconfig --list | awk '{print $1}' | while read service; do chkconfig --del "${service}" if ! chkconfig --msec --add "${service}"; then echo -e "\t- Services ${service} is now disabled." fi done echo -e "done.\n"; fi ### echo "Do you want to disallow rpm to automatically enable a new installed server for run on next reboot ?" echo "yes = you will need to chkconfig (--add ) servername for the server to run on boot." echo "no = rpm will do it for you, but you have less control of what is running on your machine." WaitAnswer; clear if [[ ${answer} == yes ]]; then export SECURE_LEVEL="4" AddRules "SECURE_LEVEL=\"4\"" /etc/profile else AddRules "SECURE_LEVEL=\"3\"" /etc/profile fi ### echo "Do you want an easy, normal, restricted, or paranoid umask ?" echo "easy ( 002 ) = user = rwx, group = rwx, other = rx" echo "normal ( 022 ) = user = rwx, group = rx, other = rx" echo "restricted ( for users ) ( 077 ) = user = rwx, group =, other =" echo "restricted ( for root ) ( 022 ) = user = rwx, = group = rx, other = rx" echo "paranoid ( 077 ) = user = rwx, group = , other =" answer="nothing" while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != "restricted" && "${answer}" != "paranoid" ]]; do echo -n "easy/normal/restricted/paranoid : " read answer done case "${answer}" in "easy") AddRules "umask 002" /etc/profile ;; "normal") AddRules "umask 022" /etc/profile ;; "restricted") AddRules "if [[ \${UID} == 0 ]]; then umask 022; else umask 077; fi" /etc/profile ;; "paranoid") AddRules "umask 077" /etc/profile ;; esac ### echo "Do you want a "." in your PATH variable ?" echo "This permit you to not use ./progname & to just type progname" echo "However this is a *high* security risk." WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games:." /etc/profile quiet else AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/profile quiet fi AddRules "export PATH SECURE_LEVEL" /etc/profile