Summary: Security Level & Program for the Mandrake Linux distribution Name: msec Version: 0.18 Release: 5mdk Url: http://www.linux-mandrake.com/ Source0: %{name}-%{version}.tar.bz2 Source1: msec.logrotate Source2: msec.sh Source3: msec.csh License: GPL Group: System/Base BuildRoot: %_tmppath/%name-%version-%release-root Requires: /bin/bash /bin/touch perl-base diffutils textutils /usr/bin/python /usr/bin/chage gawk Requires: setup >= 2.2.0-21mdk Requires: chkconfig >= 1.2.24-3mdk Requires: iproute2 %description The Mandrake-Security package is designed to provide generic secure level to the Mandrake Linux users... It will permit you to choose between level 0 to 5 for a less -> more secured distribution. This packages includes several program that will be run periodically in order to test the security of your system and alert you if needed. %prep %setup -q %build make CFLAGS="$RPM_OPT_FLAGS" cd share; make %install rm -rf $RPM_BUILD_ROOT #make install RPM_BUILD_ROOT=$RPM_BUILD_ROOT install -d $RPM_BUILD_ROOT/etc/security/msec install -d $RPM_BUILD_ROOT/etc/sysconfig install -d $RPM_BUILD_ROOT/usr/share/msec install -d $RPM_BUILD_ROOT/usr/sbin $RPM_BUILD_ROOT/usr/bin install -d $RPM_BUILD_ROOT/var/log/security install -d $RPM_BUILD_ROOT%{_mandir}/man{3,8} cp -p init-sh/cleanold.sh share/*.py share/*.pyo cron-sh/*.sh $RPM_BUILD_ROOT/usr/share/msec install -m 755 share/msec $RPM_BUILD_ROOT/usr/sbin install -m 644 conf/perm.* conf/server.* $RPM_BUILD_ROOT/etc/security/msec install -m 755 src/promisc_check/promisc_check src/msec_find/msec_find $RPM_BUILD_ROOT/usr/bin install -m644 man/C/*8 $RPM_BUILD_ROOT%{_mandir}/man8/ install -m644 share/mseclib.man $RPM_BUILD_ROOT%{_mandir}/man3/mseclib.3 # # for i in man/??* ; do \ # install -d $RPM_BUILD_ROOT%{_mandir}/`basename $i`/man8; \ # install -m 644 $i/*.8 $RPM_BUILD_ROOT%{_mandir}/`basename $i`/man8; \ # bzip2 -9f $RPM_BUILD_ROOT%{_mandir}/`basename $i`/man8/*8 ; \ # done; touch $RPM_BUILD_ROOT/etc/security/msec/security.conf $RPM_BUILD_ROOT/var/log/security.log $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/%{name} mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/{logrotate.d,profile.d} install -m 644 %{SOURCE1} $RPM_BUILD_ROOT/etc/logrotate.d/msec install -m 755 %{SOURCE2} $RPM_BUILD_ROOT/etc/profile.d install -m 755 %{SOURCE3} $RPM_BUILD_ROOT/etc/profile.d touch $RPM_BUILD_ROOT/var/log/security.log %post touch /var/log/security.log if [ $1 != 1 -a -f /etc/security/msec/security.conf ]; then if grep -q "# Mandrake-Security : if you remove this comment" /etc/security/msec/security.conf; then SL= [ ! -r /etc/sysconfig/msec ] || SL=`sed -n 's/SECURE_LEVEL=//p' < /etc/sysconfig/msec` || : [ -z "$SL" -a -r /etc/profile.d/msec.sh ] && SL=`sed -n 's/.*SECURE_LEVEL=//p' < /etc/profile.d/msec.sh` || : /usr/share/msec/cleanold.sh || : [ -n "$SL" ] && msec $SL < /dev/null || : else msec < /dev/null || : fi # remove the old way of doing the daily cron rm -f /etc/cron.d/msec fi %postun if [ $1 = 0 ]; then # cleanup crontabs on package removal rm -f /etc/cron.d/msec /etc/cron.hourly/msec /etc/cron.daily/msec fi %clean rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) %doc AUTHORS COPYING Makefile share/README share/CHANGES %doc doc/*txt ChangeLog doc/*ps %_bindir/promisc_check %_bindir/msec_find %_sbindir/msec %_datadir/msec %_mandir/*/* %dir /var/log/security %dir /etc/security/msec %config(noreplace) /etc/security/msec/* %config(noreplace) /etc/logrotate.d/msec %config(noreplace) /etc/profile.d/msec* %config(noreplace) %{_sysconfdir}/sysconfig/%{name} %ghost /var/log/security.log # MAKE THE CHANGES IN CVS: NO PATCH OR SOURCE ALLOWED %changelog * Wed Feb 13 2002 Frederic Lepied 0.18-5mdk - perm.5: /etc/sendmail.cf 640 for sendmail to work. - set umask and . in path according to the secure level - use the ip command to detect promiscuous mode with 2.4 kernel * Tue Feb 5 2002 Frederic Lepied 0.18-4mdk - password aging also enable delay to change - correct gdm.conf modifications * Mon Feb 4 2002 Frederic Lepied 0.18-3mdk - in level > 2 X server doesn't listen on tcp connection. - in level > 3 /etc/hosts.{allow,deny,equiv} readable by daemon group. - don't report /tmp and /var/tmp as bogus world writable directories. - security_check.sh: added .ssh/id_dsa .ssh/id_rsa to the list of files to check. - corrected /etc/issue* moving. - permissions settings part processes options like the rules part. - add a man page for the mseclib python library. * Mon Jan 28 2002 Frederic Lepied 0.18-2mdk - do the daily cron through /etc/cron.daily to avoid heavy loads - clean crontabs when removing the package (Dadou) - 644 for /etc/rc.d/init.d/mandrake_consmap (Andrej) - fix sendmail perms (Florin) - symlink /etc/security/msec/server. to /etc/security/msec/server for secure levels > 3 (used by chkconfig). - password aging for the root account too. * Sat Jan 26 2002 Frederic Lepied 0.18-1mdk - corrected upgrade from 0.16 and older versions - allow customization of level through /etc/security/msec/level.local * Tue Jan 22 2002 Frederic Lepied 0.17-15mdk - change Requires: from perl to perl-base. - perm.*: corrected errors reported by Pierre Fortin's script. * Mon Jan 21 2002 Frederic Lepied 0.17-14mdk - perm.*: make mandrake_consmap 755 because it needs to be readable by everyone * Sun Jan 20 2002 Frederic Lepied 0.17-13mdk - diff_check.sh: mail even if the report is empty to show that the check was fine. - the string "current" signifies to not change the permissions. - perm.*: corrected mandrake_consmap permissions and ping path/permissions. - /home is 711 in level 3. * Thu Jan 17 2002 Frederic Lepied 0.17-12mdk - report cron log to tty only on root ttys. - better layout of rpm modified files report. * Wed Jan 9 2002 Frederic Lepied 0.17-11mdk - added hostname to the subject of the mail report for better information when you receive multiple reports - really added rpm-va check to the mail report - fix handling of the owner/group of subdirectories of /var/log in a generic manner. - oops put back periodic filesystems check * Mon Jan 7 2002 Frederic Lepied 0.17-10mdk - corrected first invocation. * Sun Jan 6 2002 Frederic Lepied 0.17-9mdk - oops: corrected broken security.sh script * Fri Jan 4 2002 Frederic Lepied 0.17-8mdk - TMOUT is now a read only variable - allow/forbid reboot/shutdown by [kg]dm * Thu Jan 3 2002 Frederic Lepied 0.17-7mdk - rpm -qa check now logs install time too - corrected the way we install the byte compiled python files to avoid false rpm -V warnings. - added a CHANGES file to document what has changed between 0.16 and 0.17 - send complete rpm -va check to the main mail - perm.*: added handling of /etc/rc.d/init.d/* - changed the way /etc/security/msec/perm.local is used to avoid flip/flap changes - reworked output in diff rpm check to be more coherent * Sat Dec 29 2001 Frederic Lepied 0.17-6mdk - added doc of the features of the msec utility - corrected enable_at_crontab - password_aging only takes care of /etc/shadow users and avoid the users with a deactivated password. * Fri Dec 28 2001 Frederic Lepied 0.17-5mdk - added rpm database checks - added check of accounts with the 0 id that aren't root. * Thu Dec 27 2001 Frederic Lepied 0.17-4mdk - disable root login in xdm,kdm,gdm the same way as in Bastille (via pam). - manage password aging. - manage crontab and at authorization. * Thu Dec 27 2001 Frederic Lepied 0.17-3mdk - avoid changing permissions twice in the same run (to avoid unneeded logging). - when run in non-interactive mode, the output goes to the auth facility. * Fri Dec 14 2001 Frederic Lepied 0.17-2mdk - fixed sysctl.conf handling * Thu Dec 13 2001 Frederic Lepied 0.17-1mdk - rewritten file modifications part in python * Wed Dec 05 2001 Florin 0.16-4mdk - oups, use %{_sysconfdir}/sysconfig/%{name} instead of %{_sysconfdir}/%{name} - fix the msec.csh file (thks again to Konrad Bernlohr) * Thu Nov 29 2001 Florin 0.16-3mdk - remove the redundance related to umask and /etc/bashrc - add the %{_sysconfdir}/%{name} file - allow the ssh connexions in the snf security level - sort of update the ChangeLog - updated msec.csh to read %{_sysconfdir}/%{name} with sed black magic (Fred) - added console timeout support (Fred) - added command history disabling (Fred) - added sysctl settings (Fred) - changed perms of rpm progs in high security levels to prevent exposing what is installed (and access to /usr/share/doc too). (Fred) - spoof protection for name resoluton (Fred) - remove /etc/issue and /etc/issue.net according to level (Fred) * Thu Nov 08 2001 Florin 0.16-2mdk - oups forgot to create the needed links in post: - create the /etc/security/msec/server - the /usr/share/msec/current-level.sh and - /etc/security/msec/current.perm files * Thu Nov 08 2001 Florin 0.16-1mdk - 0.16 - add requires on chkconfig >= 1.2.24-3mdk - add the new link /etc/security/msec/server - fix permissions for monitoring in snf level - deny root ssh access in snf level * Wed Nov 07 2001 Florin 0.15-31mdk - bring back the squid.squid permissions - add some permissions for the naat servers - add some authorized servers for naat-snf, cooker version - add the snf security level - make rpmlint happy with the distribution name - add Url tag * Wed Oct 03 2001 Florin 0.15-30mdk - more things from /etc/profile to /etc/profile.d/msec.{sh|csh} - update the doc path in the man pages - add the msec*sh sources - libsafe.so.2 in levels 4/5 * Thu Sep 20 2001 Florin 0.15-29mdk - fix the /etc/profile.d/msec.{sh|csh} entries - get rid of /etc/profile entries * Thu Sep 20 2001 Florin 0.15-28mdk - authorize the usb service in the 4/5 levels of security * Wed Sep 19 2001 Yoann Vandoorselaere 0.15-27mdk - Require /bin/touch. * Wed Sep 19 2001 Yoann Vandoorselaere 0.15-26mdk - Output in /etc/profile.d/msec.sh as only .sh extenssion files are read. - Keep the output of the SECURE_LEVEL in /etc/profile and /etc/zprofile. * Wed Sep 19 2001 florin 0.15-25mdk - RootSshLogin in levels 4/5 - squidGuard entries * Wed Sep 19 2001 Yoann Vandoorselaere 0.15-24mdk - Fix manpages installation. - Fix logrotate config installation. - Fix issue with SECURE_LEVEL not updated if not exiting the console (this is a workaround for problems in several terminal programs). * Mon Sep 17 2001 Daouda LO 0.15-23mdk - Resync with cvs (yoann sucks) - real fix for kdm is in lib.sh (msec sux) * Fri Sep 14 2001 Florin 0.15-21mdk - conf/perm.*: /var/log/squid must be owned by nobody.nobody. - add the %post section for the ghost file * Mon Sep 03 2001 Yoann Vandoorselaere 0.15-20mdk - logrotate entry in %install, not %post * Mon Sep 03 2001 Yoann Vandoorselaere 0.15-19mdk - add logrotate entry * Thu Aug 9 2001 Frederic Lepied 0.15-18mdk - added vc/[1-6] to securetty (devfs) - merged back in cvs * Mon Jul 9 2001 Frederic Crozat 0.15-17mdk - Patch 0: add suppport for usermode halt/reboot * Thu May 10 2001 Stew Benedict 0.15-16mdk - Check for drakx install environment before running "telinit u" - PPC hang * Tue May 01 2001 David BAUDENS 0.15-15mdk - Use %%_tmppath for BuildRoot * Tue Oct 10 2000 Yoann Vandoorselaere 0.15-14mdk - call telinit after modifying inittab * Tue Oct 10 2000 Yoann Vandoorselaere 0.15-13mdk - Applied Warly patch to fix user list problem under kdm. - User list option for gdm too. * Tue Oct 10 2000 Warly 0.15-12mdk - change the UserList method to not append at the end of kdmrc (in the wrong section) * Mon Oct 9 2000 Pixel 0.15-11mdk - remove the fix for #760 (it needs real fixing!) * Mon Oct 09 2000 Yoann Vandoorselaere 0.15-10mdk - conf/server.[45]: add pcmcia * Mon Oct 09 2000 Yoann Vandoorselaere 0.15-9mdk - fix for #760 (kdm should not display the list of users for high security levels) * Mon Oct 09 2000 Yoann Vandoorselaere 0.15-8mdk - fix a typo in conf/perm.0 * Fri Oct 04 2000 Yoann Vandoorselaere 0.15-7mdk - Autologin allowed in level 0, 1, 2.... I'm against this... but... * Fri Oct 04 2000 Yoann Vandoorselaere 0.15-6mdk - fix some entry in perm.* - Autologin will only work in level 0 * Tue Oct 03 2000 Yoann Vandoorselaere 0.15-5mdk * init-sh/*.sh : instead of modifying Xsession, create the /etc/X11/xinit.d/msec file which can contain eventual rules appended by msec. * Mon Oct 02 2000 Yoann Vandoorselaere 0.15-4mdk - some fix. * Mon Oct 02 2000 Yoann Vandoorselaere 0.15-3mdk - init-sh/*.sh : modify /etc/X11/Xsession, not /etc/X11/xdm/Xsession nor /etc/X11/xinit/xinitrc anymore, as they all load /etc/X11/Xsession. * Fri Sep 01 2000 Yoann Vandoorselaere 0.15-2mdk - install manually - use %{_mandir} macros - use %config(noreplace) for /etc/msec and for logfile * Tue Jul 18 2000 Yoann Vandoorselaere 0.15-1mdk - cron-sh/security_check.sh : use -L in ls, to dereference symbolic link Chris Green - conf/perm.*: /var/log/squid must be owned by squid.squid. - cron-sh/security.sh: - init-sh/custom.sh: added patch from AG , if no user to mail security report to is availlable, send to root. * Wed May 17 2000 Yoann Vandoorselaere 0.14-6mdk - Handle new libsafe path. * Wed May 17 2000 Yoann Vandoorselaere 0.14-5mdk - corrected a wrong path. * Wed May 03 2000 Yoann Vandoorselaere 0.14-4mdk - LoaderUpdate() make a difference between an empty variable, and a non existing one. * Fri Apr 25 2000 Yoann Vandoorselaere 0.14-3mdk - Fix a bug with comment removed pointed out by Konrad Bernloehr. * Mon Apr 24 2000 Pixel 0.14-2mdk - conf/perm.[0-4]: fix ugly disgusting fucking bloody buggy bug! (remove bloody /usr/{bin,sbin}/* entries) * Wed Apr 19 2000 Yoann Vandoorselaere 0.14-1mdk - Bug fix. - Support Grub as well as Lilo. * Tue Apr 18 2000 Yoann Vandoorselaere 0.12-5mdk - cron job at 4:00am, msec_find fix. * Mon Apr 17 2000 Yoann Vandoorselaere 0.12-4mdk - perm.5 : -e s'/ntool/ntools/' -e s'/ctool/ctools/' - updated documentation. - file_perm.sh : bug fix + output to /dev/null. - include /var/tmp in perm.[0-5]. - Patch to msec_find from Thomas Poindessous. * Fri Apr 14 2000 Yoann Vandoorselaere 0.12-1mdk - Modify zprofile. - use libsafe-1.3 * Thu Mar 16 2000 Yoann Vandoorselaere - security.sh : export *_TODAY variable to be used by msec_find. - find.c : removed a debuging printf. * Tue Mar 09 2000 Yoann Vandoorselaere 0.10-1mdk - custom.sh : added a patch from Havard Bell. - custom.sh : check if libsafe is installed before asking if the user want to use it. - Heavily modified msec_find. - Added msec_find utility, written by Thierry Vignaud which will avoid us to find / 5 times :) - Added support for libsafe stack overflow protection in level 4 / 5 / custom - trap the sigint signal. - use %config for config file ( thanks to Frederic Lepied ). - use /etc/security/msec for config file only. - Renamed init.sh to msec, and install it in /usr/sbin. - The other shell scripts are located in /usr/share/msec - Included patch from Stefan Siegel. * Tue Jan 18 2000 Yoann Vandoorselaere - custom.sh : fix a nasty typo. * Tue Jan 06 2000 Yoann Vandoorselaere - security.sh : find are niced to (+19) - Camille updated the documentation. - Removed the "spawn a shell on boot" feature of level0 cause of a tty problem. - shutdown.allow is 600 in level 4/5; 644 else. - updated doc/security.txt - updated init-sh/custom.sh - level 0-3 -> ctrl-alt-del allowed for any local user. - level 4-5 -> ctrl-alt-del allowed for root. * Wed Dec 29 1999 Yoann Vandoorselaere - Removing grpuser manpage, because : 1 - grpuser is not to be used by any user, ( and should not have a manpage so ). 2 - manpage is obsolete * Tue Dec 28 1999 Chmouel Boudjnah - add man-pages from camille. * Fri Dec 24 1999 Yoann Vandoorselaere - Use the mail user variable. - level[35]: also do a mail report. - moved Syslog(), Ttylog(), Maillog() to security.sh - security_check.sh & diff_check.sh now sourced from security.sh - Typo / bug fix - init-sh/perm[15]: files should be constant in their content. all entry should be in each perm file * Tue Dec 21 1999 Pixel - init-sh/lib.sh (LiloUpdate): replace the -z ${LILO_PASSWORD} by ${LILO_PASSWORD+set} != set - init-sh/lib.sh (LiloUpdate): replace the call to AddRules to AddBegRules (password= must in the beginning of lilo.conf) - init-sh/lib.sh (AddBegRules): 1 \n instead of 2 * Mon Dec 20 1999 Yoann Vandoorselaere - Use grpconv after modifying /etc/group. - Add a message for level 5 saying that user who want X access should be in the xgrp group. * Mon Dec 20 1999 Yoann Vandoorselaere - fixed a typo / variable pb. * Mon Dec 20 1999 Yoann Vandoorselaere - init-sh/perm.[05]: Oops, /var/spool/mail is 771 not 755. - init-sh/lib.sh: removed the failsafe for not a tty stdin (not efficient) - init-sh/lib.sh: rewrote the perl script (now a one-liner :) - Big cleanup. - All work properly now. - msec.spec: modify to take into account the Makefile modifying the .spec - Makefile (VERSION): make it the same as the .spec * Sat Dec 18 1999 Pixel - init-sh/lib.sh: added failsafe for not a tty stdin * Sat Dec 18 1999 Pixel - no interactive questions if not a tty * Thu Dec 16 1999 Yoann Vandoorselaere - Don't use msec parsing routine to hack inittab * Thu Dec 16 1999 Yoann Vandoorselaere - Fixed the last AddBegRules() problem. - Indentation problem should be fixed. - All debug finished, changing secure.tmp to a mktemp allocated tmpfile for symlink security. - DRAKX_USER variable no longer needed. - grpuser.sh take only one opt ( --refresh ), take group name from /etc/security/msec/group.conf and add user from /etc/security/msec/user.conf if secure level > 2 - level0.sh fixed inittab entry - fix a typo - As requested, direct shell access for level 0 - Fixed a little problem with the DRAKX_USERS variable - removed chattr +a because of the problem it can cause to other system automated system task. * Mon Dec 13 1999 Yoann Vandoorselaere - diff_check.sh : fix a typo. * Thu Dec 10 1999 Yoann Vandoorselaere - custom.sh : Fix a typo & forgot to export path & secure level * Thu Dec 9 1999 Yoann Vandoorselaere - More bugfix. - Many bugfix, always trying to get a bugfree release :). - Renamed some variable, added consistencie. - security_cjheck.sh: print header at begining of the log. - diff_check.sh: typo. * Wed Dec 8 1999 Yoann Vandoorselaere - security_check.sh: remove /tmp stuff. - security_check.sh: typo - level[1-3].sh: Changed crontab call to file_check.sh from every hour to every midnight ( bug reported by axalon ). - diff_check.sh: clean up. - moved file_check.sh to diff_check.sh and changed what is related to cron call in level[15].sh - Added missing configurations question in level custom. - bug fix. * Wed Dec 8 1999 Chmouel Boudjnah - Various (Makefile|specfiles) clean-up. - insert doc. * Mon Dec 6 1999 Yoann Vandoorselaere - Released 0.5 - Divided security check into 2 files : security_check.sh & file_check.sh, the first do normal security check, the other watch at anormal change on the system... - Bug fix again & again - Updated perm files & fix a security problem ( thanks Axalon ). * Wed Dec 1 1999 Yoann Vandoorselaere - DrakX compatibility. * Wed Dec 1 1999 Yoann Vandoorselaere - Add & delete of userlist from audio group ( level 1 & 2 ). - Minor fix * Wed Dec 1 1999 Yoann Vandoorselaere - We now preserve config file implementation. - Minor fix to lib.sh - export profile variable... * Mon Nov 30 1999 Yoann Vandoorselaere - Many cron security check added. - Print more infos. * Mon Nov 29 1999 Yoann Vandoorselaere - Released 0.4 : - Now have a custom mode, just answer the question. - Msec print what it does. - Bug fix in LiloUpdate(). * Mon Nov 29 1999 Yoann Vandoorselaere - Fixed a few bugs in msec. * Fri Nov 26 1999 Yoann Vandoorselaere - grpuser was not installed. * Fri Nov 26 1999 Yoann Vandoorselaere - Fix a bug in level3.sh - level[12].sh Removed some unused code * Thu Nov 25 1999 Yoann Vandoorselaere - Call chkconfig with the new --msec option. * Thu Nov 25 1999 Yoann Vandoorselaere - Cleaned up tree. * Thu Nov 25 1999 Yoann Vandoorselaere - Removed touched file /-i * Thu Nov 25 1999 Yoann Vandoorselaere - Create rc.firewall to avoid error, - Call grpuser with the good path, - Call groupadd before usermod. * Tue Nov 23 1999 Yoann Vandoorselaere - New release (0.3) : Now each security level has it's own set of permissions. Add "." at the end of $PATH for level 1. Corrected some grave bug, it should work properly now. * Thu Nov 18 1999 Yoann Vandoorselaere - New release (0.2) : Fixed the path for promisc_check.sh : now /etc/security/msec/cron-sh/promisc_check.sh In level 1 & 2, user is now automagically added to the audio group. * Tue Nov 16 1999 Yoann Vandoorselaere - First packaging attempt :-).