#
# Security level implementation...
# Written by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#
# Everything below rewrites root-owned system files, so stop early when the
# caller is not root.
if (( UID != 0 )); then
  printf '%s\n' "You need to be root in order to change secure level."
  exit 1
fi

# Marker line written in front of every rule msec appends. It is exported
# because CleanRules reads it from the environment of its perl child process.
COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too."
export COMMENT
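#######################################
# Append a rule line to a config file unless the file already contains it.
# Each appended rule is preceded by the ${COMMENT} marker line so that
# CleanRules can later remove the pair again.
# Globals:   COMMENT (read)
# Arguments: $1 - rule text; the function does nothing when it is empty
#            $2 - file to modify
#            $3 - any non-empty value suppresses the progress messages
# Outputs:   progress messages on stdout unless $3 is set
#######################################
AddRules() {
  local string=$1
  local file=$2
  local quiet=$3

  if [[ -z ${string} ]]; then
    return
  fi

  if [[ -z ${quiet} ]]; then
    echo "Modifying config in ${file}..."
  fi

  # Match the rule as a fixed string against whole lines. Treating it as a
  # regular expression lets metacharacters in a rule (".", "*", "[") match
  # unrelated lines, so a hardening rule could be skipped although it is
  # not actually present in the file.
  # NOTE(review): the rule is written with "echo -e", so a rule containing
  # backslash escapes is stored in expanded form and will not compare equal
  # on the next run -- confirm whether callers pass such rules.
  if ! grep -qFx -- "${string}" "${file}"; then
    echo -e "${COMMENT}" >> "${file}"
    echo -e "${string}" >> "${file}"
  fi

  if [[ -z ${quiet} ]]; then
    echo -e "done.\n"
  fi
}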
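#######################################
# Remove every msec-appended rule from a file, editing it in place.
# For each line equal to the ${COMMENT} marker, that line and the single
# line following it are dropped; all other lines are kept. The line after
# a marker is removed whatever it contains, which is why the marker text
# asks administrators to delete both lines together.
# Globals:   COMMENT (read by perl through the environment; must be exported)
# Arguments: $1 - file to clean
# Outputs:   progress message on stdout
#######################################
CleanRules() {
  local file=$1

  echo -en "\t- Cleaning msec appended line in ${file} : "
  # Quote the path so a name containing whitespace or glob characters is
  # passed to perl as one argument instead of being split or expanded.
  perl -ni -e '$_ eq "$ENV{COMMENT}\n" ... // or print' "${file}"
  echo "done."
}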
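#######################################
# Comment out every line of a file that is not already a comment.
# The file is copied to a temporary file and rewritten in place from that
# copy, so its inode, owner and mode are kept.
# Arguments: $1 - file to process; nothing is done when it is not a
#                 regular file
# Outputs:   progress message on stdout, failures on stderr
# Returns:   0 on success or when the file is missing, 1 when the
#            temporary copy cannot be made
#######################################
CommentUserRules() {
  local file=$1
  local tmpfile line
  local -r commented='^[[:space:]]*#'

  if [[ ! -f ${file} ]]; then
    return 0
  fi

  echo -en "\t- Cleaning user appended line in ${file} : "

  tmpfile=$(mktemp /tmp/secure.XXXXXX) || {
    echo "cannot create a temporary file" >&2
    return 1
  }

  # Stop before the rewrite when the snapshot could not be taken: the loop
  # below truncates ${file}, so an empty or partial copy would wipe the
  # configuration it is meant to preserve.
  if ! cp -f -- "${file}" "${tmpfile}"; then
    rm -f -- "${tmpfile}"
    echo "cannot copy ${file} to ${tmpfile}" >&2
    return 1
  fi

  # IFS= and -r keep whitespace and backslashes exactly as written, and the
  # extra -n test keeps a final line that has no trailing newline.
  while IFS= read -r line || [[ -n ${line} ]]; do
    if [[ ${line} =~ ${commented} ]]; then
      printf '%s\n' "${line}"
    else
      printf '%s\n' "# ${line}"
    fi
  done < "${tmpfile}" > "${file}"

  rm -f -- "${tmpfile}"
  echo "done."
}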
#######################################
# Put the saved login banners back in place.
# For /etc/issue.net and then /etc/issue: when the banner is not a regular
# file but its ".msec" copy is, the copy is moved back to the banner path.
# Arguments: none
#######################################
RestoreIssues() {
  local banner

  for banner in /etc/issue.net /etc/issue; do
    if [[ ! -f ${banner} && -f ${banner}.msec ]]; then
      mv -f "${banner}.msec" "${banner}"
    fi
  done
}
# During a DrakX installation the user is not asked anything: DrakX makes
# the choices and hands them over as variables in security.conf.
# NOTE(review): sourcing runs the file's contents as root, so the file and
# its parent directories need to be writable by root only -- confirm the
# packaged permissions.
if [[ -f /etc/security/msec/security.conf ]]; then
  source /etc/security/msec/security.conf
fi

# Strip the rules a previous msec run appended to each managed file.
for msec_managed in \
  /etc/syslog.conf \
  /etc/hosts.deny \
  /etc/hosts.allow \
  /etc/securetty \
  /etc/security/msec/security.conf \
  /etc/ld.so.preload \
  /etc/host.conf \
  /etc/sysctl.conf \
  /etc/logrotate.conf \
  /etc/rc.d/rc.local \
  /etc/rc.d/rc.firewall \
  /etc/crontab \
  /etc/profile \
  /etc/zprofile
do
  CleanRules "${msec_managed}"
done
unset msec_managed

RestoreIssues

# The X session hook is created empty and executable when it is missing,
# and cleaned otherwise.
if [[ ! -f /etc/X11/xinit.d/msec ]]; then
  touch /etc/X11/xinit.d/msec
  chmod 755 /etc/X11/xinit.d/msec
else
  CleanRules /etc/X11/xinit.d/msec
fi

if [[ -f /etc/sysconfig/msec ]]; then
  CleanRules /etc/sysconfig/msec
fi

# NOTE(review): when either profile script is missing, only chmod runs and
# nothing creates the file first (unlike the xinit.d hook above), so chmod
# fails on the missing one -- confirm both are shipped by the package.
if [[ ! -f /etc/profile.d/msec.sh || ! -f /etc/profile.d/msec.csh ]]; then
  chmod 755 /etc/profile.d/msec.sh
  chmod 755 /etc/profile.d/msec.csh
else
  CleanRules /etc/profile.d/msec.sh
  CleanRules /etc/profile.d/msec.csh
fi
# Groups that must exist on the system. groupadd itself refuses to create
# a group that already exists, so no check is made here.
# NOTE(review): all groupadd output, errors included, is discarded, so a
# failure for another reason (for instance a GID already held by a
# different group) goes unnoticed -- confirm that is acceptable.
groupadd nogroup &> /dev/null
for msec_group in 26:xgrp 33:ntools 34:ctools 81:audio; do
  groupadd -g "${msec_group%%:*}" "${msec_group#*:}" &> /dev/null
done
unset msec_group

# NOTE(review): without -a, -G replaces the supplementary group list of xfs
# instead of adding to it -- confirm that is intended.
usermod -G xgrp xfs