diff options
Diffstat (limited to 'docs/docs/stable/mcc-help/hi/msecgui.xml')
| -rw-r--r-- | docs/docs/stable/mcc-help/hi/msecgui.xml | 358 |
1 files changed, 358 insertions, 0 deletions
diff --git a/docs/docs/stable/mcc-help/hi/msecgui.xml b/docs/docs/stable/mcc-help/hi/msecgui.xml new file mode 100644 index 00000000..07b56343 --- /dev/null +++ b/docs/docs/stable/mcc-help/hi/msecgui.xml @@ -0,0 +1,358 @@ +<?xml version='1.0' encoding='utf-8'?><section xmlns="http://docbook.org/ns/docbook" xmlns:ns5="http://www.w3.org/1998/Math/MathML" xmlns:ns4="http://www.w3.org/2000/svg" xmlns:ns3="http://www.w3.org/1999/xhtml" xmlns:ns2="http://www.w3.org/1999/xlink" xmlns:ns="http://docbook.org/ns/docbook" version="5.0" xml:lang="hi" xml:id="msecgui"> + <info> + <title xml:id="msecgui-ti1">MSEC: System Security and Audit</title> + + <subtitle>msecgui</subtitle> + </info> + + + + + <mediaobject> + <!-- written by Lebarhon 2014/01/03 To be checked--> +<imageobject> + <imagedata xml:id="msecgui-im1" revision="1" fileref="msecgui.png" align="center" format="PNG"/> + </imageobject> + </mediaobject> + + + <section> + <title>Presentation</title> + + <para>msecgui<footnote><para>You can start this tool from the command line, by typing <emphasis +role="bold">msecgui</emphasis> as root.</para> + </footnote> is a graphic user interface for +msec that allows to configure your system security according to two +approaches:</para> + + <itemizedlist> + <listitem> + <para>It sets the system behaviour, msec imposes modifications to the system to +make it more secure.</para> + </listitem> + + <listitem> + <para>It carries on periodic checks automatically on the system in order to warn +you if something seems dangerous.</para> + </listitem> + </itemizedlist> + + <para>msec uses the concept of "security levels" which are intended to configure a +set of system permissions, which can be audited for changes or +enforcement. Several of them are proposed by Mageia, but you can define your +own customised security levels.</para> + </section> + + <section> + <title>Overview tab</title> + + <para>See the screenshot above</para> + + <para>The first tab takes up the list of the different security tools with a +button on the right side to configure them:</para> + + <itemizedlist> + <listitem> + <para>Firewall, also found in the MCC / Security / Set up your personal firewall</para> + </listitem> + + <listitem> + <para>Updates, also found in MCC / Software Management / Update your system</para> + </listitem> + + <listitem> + <para>msec itself with some information:</para> + + <itemizedlist> + <listitem> + <para>enabled or not</para> + </listitem> + + <listitem> + <para>the configured Base security level</para> + </listitem> + + <listitem> + <para>the date of the last Periodic checks and a button to see a detailed report +and another button to execute the checks just now.</para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + </section> + + <section> + <title>Security settings tab</title> + + <para>A click on the second tab or on the Security +<guibutton>Configure</guibutton> button leads to the same screen shown +below.</para> + + <mediaobject> + <imageobject> + <imagedata fileref="msecgui2.png"/> + </imageobject> + </mediaobject> + + + <section> + <title>Basic security tab</title> + + <para role="underline"> + <emphasis role="underline">Security levels:</emphasis> + </para> + + <para>After having checked the box <guilabel>Enable MSEC tool</guilabel>, this tab +allows you by a double click to choose the security level that appears then +in bold. If the box is not checked, the level « none » is applied. The +following levels are available:</para> + + <orderedlist numeration="arabic"> + <listitem> + <para>Level <emphasis role="bold">none</emphasis>. This level is intended if you +do not want to use msec to control system security, and prefer tuning it on +your own. It disables all security checks and puts no restrictions or +constraints on system configuration and settings. Please use this level only +if you are knowing what you are doing, as it would leave your system +vulnerable to attack.</para> + </listitem> + + <listitem> + <para>Level <emphasis role="bold">standard</emphasis>. This is the default +configuration when installed and is intended for casual users. It +constrains several system settings and executes daily security checks which +detect changes in system files, system accounts, and vulnerable directory +permissions. (This level is similar to levels 2 and 3 from past msec +versions).</para> + </listitem> + + <listitem> + <para>Level <emphasis role="bold">secure</emphasis>. This level is intended when +you want to ensure your system is secure, yet usable. It further restricts +system permissions and executes more periodic checks. Moreover, access to +the system is more restricted. (This level is similar to levels 4 (High) and +5 (Paranoid) from old msec versions).</para> + </listitem> + + <listitem> + <para>Besides those levels, different task-oriented security are also provided, +such as the <emphasis role="bold">fileserver </emphasis>, <emphasis +role="bold">webserver</emphasis> and <emphasis +role="bold">netbook</emphasis> levels. Such levels attempt to pre-configure +system security according to the most common use cases.</para> + </listitem> + + <listitem> + <para>The last two levels called <emphasis role="bold">audit_daily </emphasis> and +<emphasis role="bold">audit_weekly</emphasis> are not really security levels +but rather tools for periodic checks only.</para> + </listitem> + </orderedlist> + + <para>These levels are saved in +<filename>/etc/security/msec/level.<levelname></filename>. You can define +your own customised security levels, saving them into specific files called +<filename>level.<levelname></filename>, placed into the folder +<filename>/etc/security/msec/.</filename> This function is intended for +power users which require a customised or more secure system configuration.</para> + + <caution> + <para>Keep in mind that user-modified parameters take precedence over default +level settings.</para> + </caution> + + <para> + <emphasis role="underline">Security alerts:</emphasis> + </para> + + <para>If you check the box <guibutton>Send security alerts by email +to:</guibutton>, the security alerts generated by msec are going to be sent +by local e-mail to the security administrator named in the nearby field. You +can fill either a local user or a complete e-mail address (the local e-mail +and the e-mail manager must be set accordingly). At last, you can receive +the security alerts directly on your desktop. Check the relevant box to +enable it.</para> + + <important> + <para>It is strongly advisable to enable the security alerts option in order to +immediately inform the security administrator of possible security +problems. If not, the administrator will have to regularly check the logs +files available in <filename>/var/log/security.</filename></para></important> + + <para><emphasis role="underline">Security options:</emphasis></para> + + <para>Creating a customised level is not the only way to customise the computer +security, it is also possible to use the tabs presented here after to change +any option you want. Current configuration for msec is stored in +<filename>/etc/security/msec/security.conf</filename>. This file contains +the current security level name and the list of all the modifications done +to the options.</para> + </section> + + <section> + <title>System security tab</title> + + <para>This tab displays all the security options on the left side column, a +description in the centre column, and their current values on the right side +column.</para> + + <mediaobject> + <imageobject> + <imagedata fileref="msecgui3.png"/> + </imageobject> + </mediaobject> + + <para>To modify an option, double click on it and a new window appears (see +screenshot below). It displays the option name, a short description, the +actual and default values, and a drop down list where the new value can be +selected. Click on the <guibutton>OK</guibutton> button to validate the +choice.</para> + + <mediaobject> + <imageobject> + <imagedata fileref="msecgui11.png"/> + </imageobject> + </mediaobject> + + <caution> + <para>Do not forget when leaving msecgui to save definitively your configuration +using the menu <guimenu>File -> Save the configuration</guimenu>. If you +have changed the settings, msecgui allows you to preview the changes before +saving them.</para> + </caution> + + <mediaobject> + <imageobject> + <imagedata fileref="msecgui10.png"/> + </imageobject> + </mediaobject> + </section> + + <section> + <title>Network security</title> + + <para>This tab displays all the network options and works like the previous tab</para> + + <mediaobject> + <imageobject> + <imagedata fileref="msecgui4.png"/> + </imageobject> + </mediaobject> + </section> + + <section> + <title>Periodic checks tab</title> + + <para>Periodic checks aim to inform the security administrator by means of +security alerts of all situations msec thinks potentially dangerous.</para> + + <para>This tab displays all the periodic checks done by msec and their frequency +if the box <guibutton>Enable periodic security checks</guibutton> is +checked. Changes are done like in the previous tabs.</para> + + <mediaobject> + <imageobject> + <imagedata fileref="msecgui5.png"/> + </imageobject> + </mediaobject> + </section> + + <section> + <title>Exceptions tab</title> + + <para>Sometimes alert messages are due to well known and wanted situations. In +these cases they are useless and wasted time for the administrator. This tab +allows you to create as many exceptions as you want to avoid unwanted alert +messages. It is obviously empty at the first msec start. The screenshot +below shows four exceptions.</para> + + <mediaobject> + <imageobject> + <imagedata fileref="msecgui6.png"/> + </imageobject> + </mediaobject> + + <para>To create an exception, click on the <guibutton>Add a rule</guibutton> +button</para> + + <mediaobject> + <imageobject> + <imagedata fileref="msecgui7.png"/> + </imageobject> + </mediaobject> + + <para>Select the wanted periodic check in the drop down list called +<guilabel>Check</guilabel> and then, enter the +<guilabel>Exception</guilabel> in the text area. Adding an exception is +obviously not definitive, you can either delete it using the +<guibutton>Delete</guibutton> button of the <guilabel>Exceptions</guilabel> +tab or modify it with a double clicK.</para> + </section> + + <section> + <title>अनुमतियां</title> + <para>This tab is intended for file and directory permissions checking and +enforcement.</para> + <para>Like for the security, msec owns different permissions levels (standard, +secure, ..), they are enabled accordingly with the chosen security +level. You can create your own customised permissions levels, saving them +into specific files called <filename>perm.<levelname> </filename> placed +into the folder <filename>/etc/security/msec/</filename> . This function is +intended for power users which require a customised configuration. It is +also possible to use the tab presented here after to change any permission +you want. Current configuration is stored in +<filename>/etc/security/msec/perms.conf.</filename> This file contains the +list of all the modifications done to the permissions.</para> + <mediaobject> + <imageobject> + <imagedata fileref="msecgui8.png"/> + </imageobject> + </mediaobject> + <para>Default permissions are visible as a list of rules (a rule per line). You +can see on the left side, the file or folder concerned by the rule, then the +owner, then the group and then the permissions given by the rule. If, for a +given rule:</para> + <itemizedlist> + <listitem> + <para>the box <guilabel>Enforce</guilabel> is not checked, msec only checks if the +defined permissions for this rule are respected and sends an alert message +if not, but does not change anything.</para> + </listitem> + + <listitem> + <para>the box <guilabel>Enforce</guilabel> is checked, then msec will rule the +permissions respect at the first periodic check and overwrite the +permissions.</para></listitem> + </itemizedlist> + <important><para>For this to work, the option CHECK_PERMS in the <emphasis +role="bold">Periodic check tab</emphasis> must be configured accordingly.</para></important><para>To create a new rule, click on the <guibutton> Add a rule</guibutton> button +and fill the fields as shown in the example below. The joker * is allowed in +the <guilabel>File</guilabel> field. “current” means no modification.</para> + <mediaobject> + <imageobject> + <imagedata fileref="msecgui9.png"/> + </imageobject> + </mediaobject> + <para>Click on the <guibutton>OK</guibutton> button to validate the choice and do +not forget when leaving to save definitively your configuration using the +menu <guimenu>File -> Save the configuration</guimenu>. If you have changed +the settings, msecgui allows you to preview the changes before saving them. </para> + <note><para>It is also possible to create or modify the rules by editing the +configuration file <filename>/etc/security/msec/perms.conf</filename>. + </para></note> + <caution><para>Changes in the <emphasis role="bold">Permission tab</emphasis> (or directly +in the configuration file) are taken into account at the first periodic +check (see the option CHECK_PERMS in the <emphasis role="bold">Periodic +checks tab</emphasis>). If you want them to be taken immediately into +account, use the msecperms command in a console with root rights. You can +use before, the msecperms -p command to know the permissions that will be +changed by msecperms.</para></caution> + <caution><para>Do not forget that if you modify the permissions in a console or in a file +manager, for a file where the box <guilabel>Enforce </guilabel> is checked +in the <emphasis role="bold">Permissions tab </emphasis>, msecgui will write +the old permissions back after a while, accordingly to the configuration of +the options CHECK_PERMS and CHECK_PERMS_ENFORCE in the <emphasis +role="bold">Periodic Checks tab </emphasis>.</para></caution> + </section> + </section> +</section> |