msec(0.60.1)                                                      msec(0.60.1)



NAME
       msec - Mandriva Linux security tools

SYNOPSIS
       msec [options]
       msecperms [options]
       msecgui [options]

DESCRIPTION
       msec  is  responsible  to maintain system security in Mandriva. It sup‐
       ports different security configurations, which can  be  organized  into
       several security levels. Currently, three preconfigured security levels
       are provided:


       none   this level aims to provide the most basic security. It should be
              used  when  you want to manage all aspects of system security on
              your own.


       default
              this is the default security level, which configures  a  reason‐
              ably  safe  set of security features. It activates several peri‐
              odic system checks, and sends the results of their execution  by
              email (by default, the local 'root' account is used).


       secure this  level  is  configured  to provide maximum system security,
              even at the cost of limiting the remote access  to  the  system,
              and local user permissions. It also runs a wider set of periodic
              checks, enforces the local password settings,  and  periodically
              checks if the system security settings, configured by msec, were
              modified directly or by some other application.



       The security settings are  stored  in  /etc/security/msec/security.conf
       file,  and  default  settings  for  each predefined level are stored in
       /etc/security/msec/level.LEVEL.  Permissions for files and  directories
       that should be enforced or checked for changes are stored in /etc/secu‐
       rity/msec/perms.conf, and default permissions for each predefined level
       are  stored  in /etc/security/msec/perm.LEVEL.  Note that user-modified
       parameters take precedence over default level  settings.  For  example,
       when  default level configuration forbids direct root logins, this set‐
       ting can be overridden by the user.



       The following options are supported by msec applications:


       msec:


       This is the console version of msec. It is responsible for system secu‐
       rity  configuration  and checking and transitions between security lev‐
       els.

       When executed without parameters, msec will read the system  configura‐
       tion file (/etc/security/msec/security.conf), and enforce the specified
       security settings. The operations are logged to /var/log/msec.log file,
       and also to syslog, using LOG_AUTHPRIV facility.  Please note that msec
       should by run as root.

       -h, --help
           This option  will  display  the  list  of  supported  command  line
       options.

       -l, --level <level>
           List the default configuration for given security level.

       -f, --force <level>
           Apply  the specified security level to the system, overwritting all
       local changes. This is necessary to initialize a security level, either
       on first install, on when a change to a different level is required.

       -d
           Enable debugging messages.

       -p, --pretend
           Verify the actions that will be performed by msec, without actually
       doing anything to the system. In this mode of operation, msec  performs
       all  the required tasks, except effectively writting data back to disk.


       msecperms:


       This application is responsible  for  system  permission  checking  and
       enforcements.

       When  executed  without parameters, msecperms will read the permissions
       configuration file  (/etc/security/msec/perms.conf),  and  enforce  the
       specified   security   settings.   The   operations   are   logged   to
       /var/log/msec.log file, and also to syslog, using  LOG_AUTHPRIV  facil‐
       ity.  Please note that msecperms should by run as root.

       -h, --help
           This  option  will  display  the  list  of  supported  command line
       options.

       -l, --level <level>
           List the default configuration for given security level.

       -f, --force <level>
           Apply the specified security level to the system, overwritting  all
       local changes. This is necessary to initialize a security level, either
       on first install, on when a change to a different level is required.

       -e, --enforce
           Enforce the default permissions on all files.

       -d
           Enable debugging messages.

       -p, --pretend
           Verify the actions that will be performed by msec, without actually
       doing  anything to the system. In this mode of operation, msec performs
       all the required tasks, except effectively writting data back to  disk.


       msecgui:


       This  is the GTK version of msec. It acts as frontend to all msec func‐
       tionalities.

       -h, --help
           This option  will  display  the  list  of  supported  command  line
       options.

       -d
           Enable debugging messages.


SECURITY OPTIONS
       The following security options are supported by msec:




       mail_empty_content
           Enables sending of empty mail reports.

           MSEC parameter: MAIL_EMPTY_CONTENT

           Accepted values: yes, no



       accept_broadcasted_icmp_echo
           Accept/Refuse broadcasted icmp echo.

           MSEC parameter: ACCEPT_BROADCASTED_ICMP_ECHO

           Accepted values: yes, no



       allow_xserver_to_listen
           The argument specifies if clients are authorized to connect to  the
           X server on the tcp port 6000 or not.

           MSEC parameter: ALLOW_XSERVER_TO_LISTEN

           Accepted values: yes, no



       check_chkrootkit
           Enables checking for known rootkits using chkrootkit.

           MSEC parameter: CHECK_CHKROOTKIT

           Accepted values: yes, no



       check_suid_root
           Enables checking for additions/removals of suid root files.

           MSEC parameter: CHECK_SUID_ROOT

           Accepted values: yes, no



       enable_at_crontab
           Enable/Disable  crontab  and  at  for  users.  Put allowed users in
           /etc/cron.allow and /etc/at.allow (see man at(1) and crontab(1)).

           MSEC parameter: ENABLE_AT_CRONTAB

           Accepted values: yes, no



       accept_bogus_error_responses
           Accept/Refuse bogus IPv4 error messages.

           MSEC parameter: ACCEPT_BOGUS_ERROR_RESPONSES

           Accepted values: yes, no



       check_suid_md5
           Enables checksum verification for suid files.

           MSEC parameter: CHECK_SUID_MD5

           Accepted values: yes, no



       mail_user
           Defines email to receive security notifications.

           MSEC parameter: MAIL_USER

           Accepted values: *



       allow_autologin
           Allow/Forbid autologin.

           MSEC parameter: ALLOW_AUTOLOGIN

           Accepted values: yes, no



       enable_pam_wheel_for_su
           Enabling su only from members of the wheel group or allow  su  from
           any user.

           MSEC parameter: ENABLE_PAM_WHEEL_FOR_SU

           Accepted values: yes, no



       create_server_link
           Creates   the   symlink   /etc/security/msec/server   to  point  to
           /etc/security/msec/server.<SERVER_LEVEL>.      The       /etc/secu‐
           rity/msec/server is used by chkconfig --add to decide to add a ser‐
           vice if it is present in the file during the installation of  pack‐
           ages.

           MSEC parameter: CREATE_SERVER_LINK

           Accepted values: no, default, secure



       set_shell_timeout
           Set the shell timeout. A value of zero means no timeout.

           MSEC parameter: SHELL_TIMEOUT

           Accepted values: *



       check_shadow
           Enables checking for empty passwords.

           MSEC parameter: CHECK_SHADOW

           Accepted values: yes, no



       enable_password
           Use  password  to authenticate users. Take EXTREMELY care when dis‐
           abling passwords, as it will leave the machine COMPLETELY  vulnera‐
           ble.

           MSEC parameter: ENABLE_PASSWORD

           Accepted values: yes, no



       set_win_parts_umask
           Set  umask option for mounting vfat and ntfs partitions. A value of
           None means default umask.

           MSEC parameter: WIN_PARTS_UMASK

           Accepted values: no, *



       check_open_port
           Enables checking for open network ports.

           MSEC parameter: CHECK_OPEN_PORT

           Accepted values: yes, no



       enable_log_strange_packets
           Enable/Disable the logging of IPv4 strange packets.

           MSEC parameter: ENABLE_LOG_STRANGE_PACKETS

           Accepted values: yes, no



       check_rpm
           Enables verification of installed packages.

           MSEC parameter: CHECK_RPM

           Accepted values: yes, no



       enable_pam_root_from_wheel
           Allow root access without password for the  members  of  the  wheel
           group.

           MSEC parameter: ENABLE_PAM_ROOT_FROM_WHEEL

           Accepted values: yes, no



       mail_warn
           Enables security results submission by email.

           MSEC parameter: MAIL_WARN

           Accepted values: yes, no



       password_length
           Set  the  password  minimum  length and minimum number of digit and
           minimum number of capitalized letters.

           MSEC parameter: PASSWORD_LENGTH

           Accepted values: *



       set_root_umask
           Set the root umask.

           MSEC parameter: ROOT_UMASK

           Accepted values: *



       check_sgid
           Enables checking for additions/removals of sgid files.

           MSEC parameter: CHECK_SGID

           Accepted values: yes, no



       check_promisc
           Activate/Disable ethernet cards promiscuity check.

           MSEC parameter: CHECK_PROMISC

           Accepted values: yes, no



       allow_x_connections
           Allow/Forbid X connections. Accepted arguments:  yes  (all  connec‐
           tions  are  allowed), local (only local connection), no (no connec‐
           tion).

           MSEC parameter: ALLOW_X_CONNECTIONS

           Accepted values: yes, no, local



       check_writable
           Enables checking for files/directories writable by everybody.

           MSEC parameter: CHECK_WRITABLE

           Accepted values: yes, no



       enable_console_log
           Enable/Disable syslog reports to console 12. expr is the expression
           describing  what  to  log (see syslog.conf(5) for more details) and
           dev the device to report the log.

           MSEC parameter: ENABLE_CONSOLE_LOG

           Accepted values: yes, no



       enable_ip_spoofing_protection
           Enable/Disable IP spoofing protection.

           MSEC parameter: ENABLE_IP_SPOOFING_PROTECTION

           Accepted values: yes, no



       check_perms
           Enables permission checking in users' home.

           MSEC parameter: CHECK_PERMS

           Accepted values: yes, no



       set_shell_history_size
           Set shell commands history size. A value of -1 means unlimited.

           MSEC parameter: SHELL_HISTORY_SIZE

           Accepted values: *



       allow_reboot
           Allow/Forbid system reboot and shutdown to local users.

           MSEC parameter: ALLOW_REBOOT

           Accepted values: yes, no



       syslog_warn
           Enables logging to system log.

           MSEC parameter: SYSLOG_WARN

           Accepted values: yes, no



       check_shosts
           Enables checking for dangerous options  in  users'  .rhosts/.shosts
           files.

           MSEC parameter: CHECK_SHOSTS

           Accepted values: yes, no



       check_passwd
           Enables  password-related  checks,  such  as  empty  passwords  and
           strange super-user accounts.

           MSEC parameter: CHECK_PASSWD

           Accepted values: yes, no



       password_history
           Set the password history length to prevent password reuse. This  is
           not supported by pam_tcb.

           MSEC parameter: PASSWORD_HISTORY

           Accepted values: *



       check_security
           Enables daily security checks.

           MSEC parameter: CHECK_SECURITY

           Accepted values: yes, no



       allow_root_login
           Allow/Forbid direct root login.

           MSEC parameter: ALLOW_ROOT_LOGIN

           Accepted values: yes, no



       check_unowned
           Enables checking for unowned files.

           MSEC parameter: CHECK_UNOWNED

           Accepted values: yes, no



       allow_user_list
           Allow/Forbid  the  list  of users on the system on display managers
           (sddm and gdm).

           MSEC parameter: ALLOW_USER_LIST

           Accepted values: yes, no



       allow_remote_root_login
           Allow/Forbid remote root login via sshd. You can  specify  yes,  no
           and without-password. See sshd_config(5) man page for more informa‐
           tion.

           MSEC parameter: ALLOW_REMOTE_ROOT_LOGIN

           Accepted values: yes, no, without_password



       enable_msec_cron
           Enable/Disable msec hourly security check.

           MSEC parameter: ENABLE_MSEC_CRON

           Accepted values: yes, no



       enable_sulogin
           Enable/Disable sulogin(8) in single user level.

           MSEC parameter: ENABLE_SULOGIN

           Accepted values: yes, no



       allow_xauth_from_root
           Allow/forbid to export display when passing from the  root  account
           to the other users. See pam_xauth(8) for more details.

           MSEC parameter: ALLOW_XAUTH_FROM_ROOT

           Accepted values: yes, no



       set_user_umask
           Set the user umask.

           MSEC parameter: USER_UMASK

           Accepted values: *



       accept_icmp_echo
           Accept/Refuse icmp echo.

           MSEC parameter: ACCEPT_ICMP_ECHO

           Accepted values: yes, no



       authorize_services
           Configure  access to tcp_wrappers services (see hosts.deny(5)).  If
           arg = yes, all services are authorized. If arg = local, only  local
           ones  are,  and  if  arg  = no, no services are authorized. In this
           case, To authorize the services you need, use /etc/hosts.allow (see
           hosts.allow(5)).

           MSEC parameter: AUTHORIZE_SERVICES

           Accepted values: yes, no, local



       tty_warn
           Enables periodic security check results to terminal.

           MSEC parameter: TTY_WARN

           Accepted values: yes, no


NOTES
       Msec applications must be run by root.

AUTHORS
       Frederic Lepied 

       Eugeni Dodonov <eugeni@mandriva.com>




Mandriva Linux                       msec                         msec(0.60.1)
