path: root/man/C/mseclib.3
blob: 82907aa558b28eddea6f126e1b4ab556f4a76713 (plain)
.ds q \N'34'
.TH mseclib 3 V0 msec "Mandriva Linux"
.SH NAME
mseclib
.SH SYNOPSIS
.nf
.B from mseclib import *
.B function1(yes)
.B function2(ignore)
.fi
.SH DESCRIPTION
.B mseclib
is a Python library giving access to the functions used by the msec program. These functions can be used
in /etc/security/msec/level.local to override the behaviour of the msec program, or in standalone
scripts. Unless specified otherwise, the first argument of each function takes a value of 1, 0 or -1
(or yes/no/ignore).

.TP 4
.B \fIaccept_bogus_error_responses(arg)\fP
Accept/Refuse bogus IPv4 error messages.

.TP 4
.B \fIaccept_broadcasted_icmp_echo(arg)\fP
Accept/Refuse broadcasted icmp echo.

.TP 4
.B \fIaccept_icmp_echo(arg)\fP
Accept/Refuse icmp echo.

.TP 4
.B \fIallow_autologin(arg)\fP
Allow/Forbid autologin.

.TP 4
.B \fIallow_issues(arg)\fP
If \fIarg\fP = ALL, both /etc/issue and /etc/issue.net are allowed to exist. If \fIarg\fP = NONE, no issue
file is allowed; otherwise only /etc/issue is allowed.

.TP 4
.B \fIallow_reboot(arg)\fP
Allow/Forbid reboot by the console user.

.TP 4
.B \fIallow_remote_root_login(arg)\fP
Allow/Forbid remote root login via sshd. You can specify
yes, no and without-password. See sshd_config(5) man page for more
information.

.TP 4
.B \fIallow_root_login(arg)\fP
Allow/Forbid direct root login.

.TP 4
.B \fIallow_user_list(arg)\fP
Allow/Forbid the list of users on the system on display managers (kdm and gdm).

.TP 4
.B \fIallow_x_connections(arg, listen_tcp=None)\fP
Allow/Forbid X connections. First arg specifies what is done
on the client side: ALL (all connections are allowed), LOCAL (only
local connection) and NONE (no connection).

.TP 4
.B \fIallow_xauth_from_root(arg)\fP
Allow/Forbid exporting the display when switching from the root account
to other users. See pam_xauth(8) for more details.

.TP 4
.B \fIallow_xserver_to_listen(arg)\fP
The argument specifies if clients are authorized to connect
to the X server on the tcp port 6000 or not.

.TP 4
.B \fIauthorize_services(arg)\fP
Authorize all services controlled by tcp_wrappers (see hosts.deny(5)) if \fIarg\fP = ALL. Only local ones
if \fIarg\fP = LOCAL and none if \fIarg\fP = NONE. To authorize the services you need, use /etc/hosts.allow
(see hosts.allow(5)).

.TP 4
.B \fIcreate_server_link()\fP
If SERVER_LEVEL (or SECURE_LEVEL if absent) is greater than 3
in /etc/security/msec/security.conf, creates the symlink /etc/security/msec/server
pointing to /etc/security/msec/server.<SERVER_LEVEL>. During package installation,
chkconfig --add consults /etc/security/msec/server and only adds a service if it is
listed in that file.

.TP 4
.B \fIenable_at_crontab(arg)\fP
Enable/Disable crontab and at for users. Put the allowed users in /etc/cron.allow and /etc/at.allow
(see at(1) and crontab(1)).

.TP 4
.B \fIenable_console_log(arg, expr='*.*', dev='tty12')\fP
Enable/Disable syslog reports to console 12. \fIexpr\fP is the
expression describing what to log (see syslog.conf(5) for more details) and
\fIdev\fP is the device the log is written to.

.TP 4
.B \fIenable_dns_spoofing_protection(arg, alert=1)\fP
Enable/Disable name resolution spoofing protection.  If
\fIalert\fP is true, also reports to syslog.

.TP 4
.B \fIenable_ip_spoofing_protection(arg, alert=1)\fP
Enable/Disable IP spoofing protection.

.TP 4
.B \fIenable_libsafe(arg)\fP
Enable/Disable libsafe if libsafe is found on the system.

.TP 4
.B \fIenable_log_strange_packets(arg)\fP
Enable/Disable logging of strange IPv4 packets.

.TP 4
.B \fIenable_msec_cron(arg)\fP
Enable/Disable msec hourly security check.

.TP 4
.B \fIenable_pam_root_from_wheel(arg)\fP
Allow root access without password for the members of the wheel group.

.TP 4
.B \fIenable_pam_wheel_for_su(arg)\fP
Restrict su to members of the wheel group, or allow su from any user.

.TP 4
.B \fIenable_password(arg)\fP
Use passwords to authenticate users.

.TP 4
.B \fIenable_promisc_check(arg)\fP
Enable/Disable the ethernet card promiscuous-mode check.

.TP 4
.B \fIenable_security_check(arg)\fP
Activate/Disable daily security check.

.TP 4
.B \fIenable_sulogin(arg)\fP
Enable/Disable sulogin(8) in single user level.

.TP 4
.B \fIno_password_aging_for(name)\fP
Add \fIname\fP as an exception to msec's handling of password aging.
The name must be enclosed in single quotes ('). msec will then no longer manage password aging for
that account, so you have to use chage(1) to manage it by hand.

.TP 4
.B \fIpassword_aging(max, inactive=-1)\fP
Set the password maximum age to \fImax\fP days and the delay allowed for changing it to \fIinactive\fP.

.TP 4
.B \fIpassword_history(arg)\fP
Set the password history length to prevent password reuse.

.TP 4
.B \fIpassword_length(length, ndigits=0, nupper=0)\fP
Set the minimum password length, the minimum number of digits and the minimum number of upper-case letters.

.TP 4
.B \fIset_root_umask(umask)\fP
Set the root umask.

.TP 4
.B \fIset_security_conf(var, value)\fP
Set the variable \fIvar\fP to the value \fIvalue\fP in /var/lib/msec/security.conf.
The best way to override the default setting is to create /etc/security/msec/security.conf
with the value you want. These settings are used to configure the daily check run each night.

The following variables are currently recognized by msec:
.RS 4
.TP 4
.B CHECK_UNOWNED
If set to yes, report unowned files.
.TP 4
.B CHECK_SHADOW
If set to yes, check for empty passwords in /etc/shadow.
.TP 4
.B CHECK_SUID_MD5
If set to yes, verify the checksums of the suid/sgid files.
.TP 4
.B CHECK_SECURITY
If set to yes, run the daily security checks.
.TP 4
.B CHECK_PASSWD
If set to yes, check for empty passwords, for accounts with no password in /etc/shadow and for users with uid 0 other than root.
.TP 4
.B SYSLOG_WARN
If set to yes, report check results to syslog.
.TP 4
.B CHECK_SUID_ROOT
If set to yes, check additions/removals of suid root files.
.TP 4
.B CHECK_PERMS
If set to yes, check the permissions of files in the users' home directories.
.TP 4
.B CHKROOTKIT_CHECK
If set to yes, run chkrootkit checks.
.TP 4
.B CHECK_PROMISC
If set to yes, check whether the network devices are in promiscuous mode.
.TP 4
.B RPM_CHECK
If set to yes, run some checks against the rpm database.
.TP 4
.B TTY_WARN
If set to yes, report check results to the tty.
.TP 4
.B CHECK_WRITABLE
If set to yes, check for files/directories writable by everybody.
.TP 4
.B MAIL_WARN
If set to yes, report check results by mail.
.TP 4
.B MAIL_USER
If set, send the mail report to this email address; otherwise send it to root.
.TP 4
.B CHECK_OPEN_PORT
If set to yes, check open ports.
.TP 4
.B CHECK_SGID
If set to yes, check additions/removals of sgid files.
.RE
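Added example, not part of mseclib or msec: a standalone Python script that applies the 1/0/-1 (yes/no/ignore) argument convention from DESCRIPTION and audits a security.conf against the variable list documented for set_security_conf, flagging unknown variable names, checks not set to yes, the CHECK_SECURITY master switch and where the mail report goes. It assumes the file consists of VAR=value lines with # comments (the page does not state the file format); the sample configuration is constructed.

```python
import re
# Variables the man page lists as recognized by msec's daily check.
RECOGNIZED = {
    "CHECK_UNOWNED", "CHECK_SHADOW", "CHECK_SUID_MD5", "CHECK_SECURITY",
    "CHECK_PASSWD", "SYSLOG_WARN", "CHECK_SUID_ROOT", "CHECK_PERMS",
    "CHKROOTKIT_CHECK", "CHECK_PROMISC", "RPM_CHECK", "TTY_WARN",
    "CHECK_WRITABLE", "MAIL_WARN", "MAIL_USER", "CHECK_OPEN_PORT", "CHECK_SGID",
}
YES_NO = RECOGNIZED - {"MAIL_USER"}  # every variable but the mail address is a flag
FLAGS = {"yes": 1, "1": 1, "no": 0, "0": 0, "ignore": -1, "-1": -1}

def to_flag(value):
    """Map the 1/0/-1 or yes/no/ignore argument convention to an int."""
    v = str(value).strip().lower()
    if v not in FLAGS:
        raise ValueError("unsupported flag value %r" % (value,))
    return FLAGS[v]

def parse_security_conf(text):
    """Parse VAR=value lines (assumed file format); '#' comments and blanks are skipped."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Z_][A-Z0-9_]*)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError("line %d is not VAR=value: %r" % (lineno, raw))
        conf[m.group(1)] = m.group(2).strip()
    return conf

def audit(conf):
    """Return unknown variables, flags not set to yes, and the mail report recipient."""
    unknown = sorted(k for k in conf if k not in RECOGNIZED)
    off = sorted(v for v in YES_NO & set(conf) if to_flag(conf[v]) != 1)
    mail_to = None
    if to_flag(conf.get("MAIL_WARN", "no")) == 1:
        mail_to = conf.get("MAIL_USER") or "root"  # unset MAIL_USER means root
    # CHECK_SECURITY is the master switch: when it is off no daily check runs.
    return {"unknown": unknown, "off": off,
            "master_off": "CHECK_SECURITY" in off, "mail_to": mail_to}

# Constructed sample configuration, not a real Mandriva file.
SAMPLE = """\
CHECK_SECURITY=yes
CHECK_OPEN_PORT=no
CHECK_PROMISC = 1
MAIL_WARN=yes
CHECK_ROOTKIT=yes   # misspelt: the recognized name is CHKROOTKIT_CHECK
"""
```

Running audit(parse_security_conf(SAMPLE)) reports CHECK_ROOTKIT as unknown, CHECK_OPEN_PORT as switched off and root as the mail recipient.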


.TP 4
.B \fIset_shell_history_size(size)\fP
Set the shell command history size. A value of -1 means unlimited.

.TP 4
.B \fIset_shell_timeout(val)\fP
Set the shell timeout. A value of zero means no timeout.

.TP 4
.B \fIset_user_umask(umask)\fP
Set the user umask.

.TP 4
.B \fIset_win_parts_umask(umask)\fP
Set umask option for mounting vfat and ntfs partitions. A value of None means default umask.
.SH "SEE ALSO"
msec(8)
.SH AUTHORS
Frederic Lepied <flepied@mandriva.com>