aboutsummaryrefslogtreecommitdiffstats
path: root/init-sh/custom.sh
blob: eac0cc80bcf7b4d8f0153af352d8393dbe7aa774 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
#!/bin/bash

#
# Security level implementation...
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#

if [ -f /etc/security/msec/init-sh/lib.sh ]; then
    . /etc/security/msec/init-sh/lib.sh
fi


clear

###
echo "Do you want your log file to be in append mode only ?"
WaitAnswer; clear
if [ ${answer} == "yes" ]; then
    find /var/log/ -type f -exec chattr +a {} \;
fi
###
echo "Do you want all system events to be logged on tty12 ?"
WaitAnswer; clear
if [ ${answer} == "yes" ]; then
    AddRules "*.* /dev/tty12" /etc/syslog.conf
fi
###
echo "Do you want to deny any machine to connect to yours ?"
WaitAnswer
if [ ${answer} == "yes" ]; then
    echo "Do you want only localhost to be allowed ?"
    WaitAnswer; clear
    if [ "${answer}" == "yes" ]; then
	AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny
    else
	AddRules "ALL:ALL:DENY" /etc/hosts.deny
    fi
fi
###
echo "Do you want root console login to be allowed ?" 
WaitAnswer; clear
if [ ${answer} == "yes" ]; then
    AddRules "tty1" /etc/securetty quiet
    AddRules "tty2" /etc/securetty quiet
    AddRules "tty3" /etc/securetty quiet
    AddRules "tty4" /etc/securetty quiet
    AddRules "tty5" /etc/securetty quiet
    AddRules "tty6" /etc/securetty 
fi
###
echo "Do you want your system to daily check SUID Root file change ?"
WaitAnswer; clear
if [ ${answer} == "yes" ]; then
    AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
    AddRules "0 0-23 * * *    root    nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
fi
###
echo "Do you want your system to daily check SUID Group file change ?"
WaitAnswer; clear
if [ ${answer} == "yes" ]; then
    AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
    AddRules "0 0-23 * * *    root    nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
fi
###
echo "Do you want your system to daily check Writable file change ?"
WaitAnswer; clear
if [ ${answer} == "yes" ]; then
    AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf
    AddRules "0 0-23 * * *    root    nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
fi
###
echo "Do you want your system to daily check Unowned file change ?"
WaitAnswer; clear
if [ ${answer} == "yes" ]; then
    AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
    AddRules "0 0-23 * * *    root    nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
fi
###
echo "Do you want your system to verify every minutes if a network interface"
echo "is in promiscuous state (which mean someone is probably running a sniffer on your machine ) ?"
WaitAnswer; clear
if [ ${answer} == "yes" ]; then
    AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf
    AddRules "*/1 * * * *    root    nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab
fi
###
LiloUpdate;
/sbin/lilo >& /dev/null
###
echo "Do you want a "." in your PATH variable ?"
echo "This permit you to not use ./progname & to just type progname"
echo "However this is a *high* security risk."
WaitAnswer; clear
if [ ${answer} == "yes" ]; then
    AddRules "PATH=\$PATH:/usr/X11R6/bin" /etc/profile
fi
###
AddRules "SECURE_LEVEL=\"custom\"" /etc/profile
export SECURE_LEVEL="custom"
###
AddRules "umask 077" /etc/profile