1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
|
****************************
Security level 0 :
- no password
- umask is 002 ( user = read,write | greoup = read,write | other = read )
- easy file permission.
- everybody authorized to connect to X display.
- . in $PATH
****************************
Security level 1 :
- Global security check.
- umask is 002 ( user = read,write | greoup = read,write | other = read )
- easy file permission.
- localhost authorized to connect to X display.
- . in $PATH
- Warning in /var/log/security.log
****************************
Security level 2 ( Aka normal system ) :
- Global security check
- Suid root file check
- Suid root file md5sum check
- Writeable file check
- Warning in syslog
- Warning in /var/log/security.log
- umask is 022 ( user = read,write | group = read | other = read )
- easy file permission.
- localhost authorized to connect to X display.
****************************
Security level 3 ( Aka more secure system ) :
- Global security check
- Permissions check
- Suid root file check
- Suid root file md5sum check
- Suid group file check
- Writeable file check
- Unowned file check
- Promiscuous check
- Listening port check
- Passwd file integrity check
- Shadow file integrity check
- Warning in syslog
- Warning in /var/log/security.log
- rpm database checks
- umask is 022 ( user = read,write | group = read | other = read )
- Normal file permission.
- localhost authorized to connect to X display.
- All system events additionally logged to /dev/tty12
- Some system security check launched every midnight from the ( crontab ).
- no autologin
****************************
Security level 4 ( Aka Secured system ) :
- Global security check
- Permissions check
- Suid root file check
- Suid root file md5sum check
- Suid group file check
- Writeable file check
- Unowned file check
- Promiscuous check
- Listening port check
- Passwd file integrity check
- Shadow file integrity check
- Warning in syslog
- Warning in /var/log/security.log
- Warning directly on tty
- rpm database checks
- umask 022 ( user = read,write | group = read | other = read ) for root
- umask 077 ( user = read,write | group = | other = ) for normal users
- restricted file permissions.
- All system events additionally logged to /dev/tty12
- System security check every midnight ( crontab ).
- localhost authorized to connect to X display.
- X server doesn't listen for tcp connections
- no autologin
- sulogin in single user
- no list of users in kdm and gdm
- password aging at 60 days
- shell history limited to 10
- shell timeout 3600 seconds
- at and crontab not allowed to users not listd in /etc/at.allow and /etc/cron.allow
* - Services not contained in /etc/security/msec/server.4 are disabled during
package installation ( considered as not really secure ) ( but the user can reenable it with
chkconfig -add ).
- Connection to the system denyied for all except localhost (authorized services must be
in /etc/hosts.allow).
- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ).
*******************************
Security level 5 ( Aka Paranoid system ) :
- Global security check
- Permissions check
- Suid root file check
- Suid root file md5sum check
- Suid group file check
- Writeable file check
- Unowned file check
- Promiscuous check
- Listening port check
- Passwd file integrity check
- Shadow file integrity check
- Warning in syslog
- Warning in /var/log/security.log
- Warning directly on tty
- rpm database checks
- umask 077 ( user = read,write | group = | other = )
- Highly restricted file permission
- All system events additionally logged to /dev/tty12
- System security check every midnight ( crontab ).
- X server doesn't listen for tcp connections
- no autologin
- sulogin in single user
- no list of users in kdm and gdm
- password aging at 30 days
- shell history limited to 10
- shell timeout 900 seconds
- su to root only allowed to members of the wheel group (activated only if the wheel group
isn't empty)
* - Services not contained in /etc/security/msec/server.5 are disabled during
package installation ( considered as not really secure ) ( but the user can reenable it with
chkconfig -add ).
- Connection to the system denyied for all (authorized services must be
in /etc/hosts.allow).
- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ) .
******************
* level4/level5 : "services disabled" explanations :
- Some server aren't really considered as secure,
these one, should for example be compiled from sources.
server considered as secure are specified in /etc/security/msec/server.4/5
When enabling level4/5, all servers which aren't considered as secure are
disabled ( NOT uninstalled, just disabled ) user can reenable them using the
chkconfig utility ( server will be launched at next boot ).
In these level, we are also denying rpm to enable any server considered as insecure
( off course rpm can install the server ).
The user have the choise : chkconfig --add servername will enable the server.
Or add the server in the secured server list
*** Future Release : ***
- Automatic tty locking ( unlock by passwd ) after X time of inactivity.
***
|