aboutsummaryrefslogtreecommitdiffstats
path: root/msec.spec
blob: e563cf548c108e71c36dd5f192a3961721e77c84 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
Summary:	Security Level & Program for the Linux Mandrake distribution
Name:		msec
Version:	0.15
Release:	24mdk

Source:		%{name}-%{version}.tar.bz2
Source2:    	msec

License:	GPL
Group:		System/Base
BuildRoot:	%_tmppath/%name-%version-%release-root
Requires:	/bin/bash setup chkconfig >= 0.9-6

%description
The Mandrake-Security package is designed to provide generic 
secure level to the Mandrake-Linux users...
It will permit you to choose between level 1 to 5 & custom
for a less -> more secured distribution.
This packages includes several program that will be run periodically
in order to test the security of your system and alert you if needed.

%prep

%setup -q

%build
make CFLAGS="$RPM_OPT_FLAGS"

%install
#make install RPM_BUILD_ROOT=$RPM_BUILD_ROOT

install -d $RPM_BUILD_ROOT/etc/security/msec
install -d $RPM_BUILD_ROOT/usr/share/msec
install -d $RPM_BUILD_ROOT/usr/sbin $RPM_BUILD_ROOT/usr/bin
install -d $RPM_BUILD_ROOT/var/log/security
install -d $RPM_BUILD_ROOT%{_mandir}/man8

install -m 755 init-sh/*.sh cron-sh/*.sh $RPM_BUILD_ROOT/usr/share/msec
install -m 755 init-sh/msec $RPM_BUILD_ROOT/usr/sbin
install -m 644 conf/perm.* conf/server.* $RPM_BUILD_ROOT/etc/security/msec
install -m 755 src/promisc_check/promisc_check src/msec_find/msec_find $RPM_BUILD_ROOT/usr/bin

install -m644 man/C/*8 $RPM_BUILD_ROOT%{_mandir}/man8/
bzip2 -9f $RPM_BUILD_ROOT%{_mandir}/man8/*8

for i in man/??* ; do \
	install -d $RPM_BUILD_ROOT%{_mandir}/`basename $i`/man8; \
    install -m 644 $i/*.8 $RPM_BUILD_ROOT%{_mandir}/`basename $i`/man8; \
    bzip2 -9f $RPM_BUILD_ROOT%{_mandir}/`basename $i`/man8/*8 ; \
done;


touch $RPM_BUILD_ROOT/etc/security/msec/security.conf $RPM_BUILD_ROOT/var/log/security.log

mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/etc/logrotate.d/msec
touch $RPM_BUILD_ROOT/var/log/security.log

%post 
touch /var/log/security.log

%clean
rm -rf $RPM_BUILD_ROOT

%files
%defattr(-,root,root)
%doc AUTHORS COPYING Makefile README 
%doc doc/*txt ChangeLog doc/*ps
%_bindir/promisc_check
%_bindir/msec_find
%_sbindir/msec
%_datadir/msec
%_mandir/*/*

%config(noreplace) /var/log/security
%config(noreplace) /etc/security/msec
%config(noreplace) /etc/logrotate.d/msec

%ghost /var/log/security.log


# MAKE THE CHANGES IN CVS: NO PATCH OR SOURCE ALLOWED
%changelog
* Wed Sep 19 2001 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-24mdk
- Fix manpages installation.
- Fix logrotate config installation.
- Fix issue with SECURE_LEVEL not updated if not exiting the console
  (this is a workaround for problems in several terminal programs).

* Mon Sep 17 2001 Daouda LO <daouda@mandrakesoft.com> 0.15-23mdk
- Resync with cvs (yoann sucks)
- real fix for kdm is in lib.sh (msec sux)

* Fri Sep 14 2001 Florin <florin@mandrakesoft.com> 0.15-21mdk
- conf/perm.*: /var/log/squid must be owned by nobody.nobody.
- add the %post section for the ghost file

* Mon Sep 03 2001 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-20mdk
- logrotate entry in %install, not %post

* Mon Sep 03 2001 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-19mdk
- add logrotate entry

* Thu Aug  9 2001 Frederic Lepied <flepied@mandrakesoft.com> 0.15-18mdk
- added vc/[1-6] to securetty (devfs)
- merged back in cvs

* Mon Jul  9 2001 Frederic Crozat <fcrozat@mandrakesoft.com> 0.15-17mdk
- Patch 0: add suppport for usermode halt/reboot

* Thu May 10 2001 Stew Benedict <sbendict@mandrakesoft.com> 0.15-16mdk
- Check for drakx install environment before running "telinit u" - PPC hang

* Tue May 01 2001 David BAUDENS <baudens@mandrakesoft.com> 0.15-15mdk
- Use %%_tmppath for BuildRoot

* Tue Oct 10 2000 Yoann Vandoorselaere  <yoann@mandrakesoft.com> 0.15-14mdk
- call telinit after modifying inittab

* Tue Oct 10 2000 Yoann Vandoorselaere  <yoann@mandrakesoft.com> 0.15-13mdk
- Applied Warly patch to fix user list problem under kdm.
- User list option for gdm too.

* Tue Oct 10 2000 Warly <warly@mandrakesoft.com> 0.15-12mdk
- change the UserList method to not append at the end of kdmrc (in the wrong section)

* Mon Oct  9 2000 Pixel <pixel@mandrakesoft.com> 0.15-11mdk
- remove the fix for #760 (it needs real fixing!)

* Mon Oct 09 2000 Yoann Vandoorselaere  <yoann@mandrakesoft.com> 0.15-10mdk
- conf/server.[45]: add pcmcia

* Mon Oct 09 2000 Yoann Vandoorselaere  <yoann@mandrakesoft.com> 0.15-9mdk
- fix for #760 (kdm should not display the list of users for high security
  levels)

* Mon Oct 09 2000 Yoann Vandoorselaere  <yoann@mandrakesoft.com> 0.15-8mdk
- fix a typo in conf/perm.0

* Fri Oct 04 2000 Yoann Vandoorselaere  <yoann@mandrakesoft.com> 0.15-7mdk
- Autologin allowed in level 0, 1, 2.... I'm against this... but...

* Fri Oct 04 2000 Yoann Vandoorselaere  <yoann@mandrakesoft.com> 0.15-6mdk
- fix some entry in perm.*
- Autologin will only work in level 0

* Tue Oct 03 2000 Yoann Vandoorselaere  <yoann@mandrakesoft.com> 0.15-5mdk
    * init-sh/*.sh : instead of modifying Xsession,
    create the /etc/X11/xinit.d/msec file which can contain eventual
    rules appended by msec.

* Mon Oct 02 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-4mdk
- some fix.

* Mon Oct 02 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-3mdk
- init-sh/*.sh : modify /etc/X11/Xsession, not /etc/X11/xdm/Xsession
                 nor /etc/X11/xinit/xinitrc anymore, as they all load
                 /etc/X11/Xsession.

* Fri Sep 01 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-2mdk
- install manually
- use %{_mandir} macros
- use %config(noreplace) for /etc/msec and for logfile

* Tue Jul 18 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-1mdk
- cron-sh/security_check.sh : use -L in ls, 
  to dereference symbolic link  Chris Green <cmg@dok.org>
- conf/perm.*: /var/log/squid must be owned by squid.squid.
- cron-sh/security.sh: 
- init-sh/custom.sh: added patch from AG <darkimage@bigfoot.com>,
  if no user to mail security report to is availlable, send to root.
	
* Wed May 17 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.14-6mdk
- Handle new libsafe path.

* Wed May 17 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.14-5mdk
- corrected a wrong path.

* Wed May 03 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.14-4mdk
- LoaderUpdate() make a difference between an empty
  variable, and a non existing one.

* Fri Apr 25 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.14-3mdk
- Fix a bug with comment removed pointed out by Konrad Bernloehr.

* Mon Apr 24 2000 Pixel <pixel@mandrakesoft.com> 0.14-2mdk
- conf/perm.[0-4]: fix ugly disgusting fucking bloody buggy bug!
(remove bloody /usr/{bin,sbin}/* entries)

* Wed Apr 19 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.14-1mdk
- Bug fix.
- Support Grub as well as Lilo.

* Tue Apr 18 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.12-5mdk
- cron job at 4:00am, msec_find fix.

* Mon Apr 17 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.12-4mdk
- perm.5 : -e s'/ntool/ntools/' -e s'/ctool/ctools/'
- updated documentation.
- file_perm.sh : bug fix + output to /dev/null.
- include /var/tmp in perm.[0-5].
- Patch to msec_find from Thomas Poindessous.

* Fri Apr 14 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.12-1mdk
- Modify zprofile.
- use libsafe-1.3

* Thu Mar 16 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- security.sh : export *_TODAY variable to be used by msec_find.
- find.c      : removed a debuging printf.

* Tue Mar 09 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.10-1mdk
- custom.sh : added a patch from Havard Bell.
- custom.sh : check if libsafe is installed before asking if the user want to use it.
- Heavily modified msec_find.
- Added msec_find utility, written by Thierry Vignaud which will avoid us to
  find / 5 times :)
- Added support for libsafe stack overflow protection in level 4 / 5 /
  custom
- trap the sigint signal.
- use %config for config file ( thanks to Frederic Lepied ).
- use /etc/security/msec for config file only.
- Renamed init.sh to msec, and install it in /usr/sbin.
- The other shell scripts are located in /usr/share/msec
- Included patch from Stefan Siegel.

* Tue Jan 18 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- custom.sh : fix a nasty typo.

* Tue Jan 06 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- security.sh : find are niced to (+19)
- Camille updated the documentation.
- Removed the "spawn a shell on boot" feature of level0 cause of a tty problem.
- shutdown.allow is 600 in level 4/5; 644 else.
- updated doc/security.txt
- updated init-sh/custom.sh
- level 0-3 -> ctrl-alt-del allowed for any local user.
- level 4-5 -> ctrl-alt-del allowed for root.

* Wed Dec 29 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Removing grpuser manpage, because : 
  1 - grpuser is not to be used by any user, ( and should not have a manpage so ).
  2 - manpage is obsolete

* Tue Dec 28 1999 Chmouel Boudjnah <chmouel@mandrakesoft.com>
- add man-pages from camille.

* Fri Dec 24 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Use the mail user variable.
- level[35]: also do a mail report.
- moved Syslog(), Ttylog(), Maillog() to security.sh
- security_check.sh & diff_check.sh now sourced from security.sh
- Typo / bug fix
- init-sh/perm[15]: files should be constant in their content.
  all entry should be in each perm file

* Tue Dec 21 1999 Pixel <pixel@mandrakesoft.com>
- init-sh/lib.sh (LiloUpdate): replace the -z ${LILO_PASSWORD} by
${LILO_PASSWORD+set} != set 
- init-sh/lib.sh (LiloUpdate): replace the call to AddRules to
AddBegRules (password= must in the beginning of lilo.conf)
- init-sh/lib.sh (AddBegRules): 1 \n instead of 2

* Mon Dec 20 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Use grpconv after modifying /etc/group.
- Add a message for level 5 saying that user who want X access
  should be in the xgrp group.

* Mon Dec 20 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- fixed a typo / variable pb.

* Mon Dec 20 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- init-sh/perm.[05]: Oops, /var/spool/mail is 771 not 755.
- init-sh/lib.sh: removed the failsafe for not a tty stdin (not efficient)
- init-sh/lib.sh: rewrote the perl script (now a one-liner :)
- Big cleanup.
- All work properly now.
- msec.spec: modify to take into account the Makefile modifying the .spec
- Makefile (VERSION): make it the same as the .spec

* Sat Dec 18 1999 Pixel  <pixel@mandrakesoft.com>
- init-sh/lib.sh: added failsafe for not a tty stdin

* Sat Dec 18 1999 Pixel <pixel@mandrakesoft.com>
- no interactive questions if not a tty

* Thu Dec 16 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Don't use msec parsing routine to hack inittab

* Thu Dec 16 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Fixed the last AddBegRules() problem.
- Indentation problem should be fixed.
- All debug finished, changing secure.tmp to a mktemp
  allocated tmpfile for symlink security.
- DRAKX_USER variable no longer needed.
- grpuser.sh take only one opt ( --refresh ),
  take group name from /etc/security/msec/group.conf
  and add user from /etc/security/msec/user.conf if secure level > 2
- level0.sh fixed inittab entry
- fix a typo
- As requested, direct shell access for level 0
- Fixed a little problem with the DRAKX_USERS variable
- removed chattr +a because of the problem it can cause to
  other system automated system task.

* Mon Dec 13 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- diff_check.sh : fix a typo.

* Thu Dec 10 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- custom.sh : Fix a typo & forgot to export path & secure level

* Thu Dec  9 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- More bugfix.
- Many bugfix, always trying to get a bugfree release :).
- Renamed some variable, added consistencie.
- security_cjheck.sh: print header at begining of the log.
- diff_check.sh: typo.

* Wed Dec  8 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- security_check.sh: remove /tmp stuff.
- security_check.sh: typo
- level[1-3].sh: Changed crontab call to file_check.sh
  from every hour to every midnight ( bug reported by axalon ).
- diff_check.sh: clean up.
- moved file_check.sh to diff_check.sh and changed
  what is related to cron call in level[15].sh
- Added missing configurations question in level custom.
- bug fix.

* Wed Dec  8 1999 Chmouel Boudjnah <chmouel@mandrakesoft.com>
- Various (Makefile|specfiles) clean-up.
- insert doc.

* Mon Dec  6 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Released 0.5
- Divided security check into 2 files :
  security_check.sh & file_check.sh, 
  the first do normal security check, the other watch at anormal change
  on the system...
- Bug fix again & again
- Updated perm files & fix a security problem ( thanks Axalon ).

* Wed Dec  1 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- DrakX compatibility.

* Wed Dec  1 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Add & delete of userlist from audio group ( level 1 & 2 ).
- Minor fix

* Wed Dec  1 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- We now preserve config file implementation.
- Minor fix to lib.sh
- export profile variable...

* Mon Nov 30 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Many cron security check added.
- Print more infos.

* Mon Nov 29 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Released 0.4 :
- Now have a custom mode, just answer the question.
- Msec print what it does.
- Bug fix in LiloUpdate().

* Mon Nov 29 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Fixed a few bugs in msec.

* Fri Nov 26 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- grpuser was not installed.

* Fri Nov 26 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Fix a bug in level3.sh
- level[12].sh Removed some unused code

* Thu Nov 25 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Call chkconfig with the new --msec option.

* Thu Nov 25 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Cleaned up tree.

* Thu Nov 25 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Removed touched file /-i

* Thu Nov 25 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Create rc.firewall to avoid error,
- Call grpuser with the good path,
- Call groupadd before usermod.

* Tue Nov 23 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- New release (0.3) :
  Now each security level has it's own set of permissions.
  Add "." at the end of $PATH for level 1.
  Corrected some grave bug, it should work properly now.

* Thu Nov 18 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- New release (0.2) :
  Fixed the path for promisc_check.sh :
  now /etc/security/msec/cron-sh/promisc_check.sh
  In level 1 & 2, user is now automagically added to the audio group. 

* Tue Nov 16 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- First packaging attempt :-).