aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYoann Vandoorselaere <yoann@mandriva.com>1999-11-29 15:06:21 +0000
committerYoann Vandoorselaere <yoann@mandriva.com>1999-11-29 15:06:21 +0000
commit7e8b185f1d5705ca80c87fa5d5b8ac3ff699c42c (patch)
tree21c7cbbd63b9d06fe2b6b93efefd4f80a00e8c0e
parentd78302ebe04bdbb0bb4f9479708bf85d96cbefef (diff)
downloadmsec-7e8b185f1d5705ca80c87fa5d5b8ac3ff699c42c.tar
msec-7e8b185f1d5705ca80c87fa5d5b8ac3ff699c42c.tar.gz
msec-7e8b185f1d5705ca80c87fa5d5b8ac3ff699c42c.tar.bz2
msec-7e8b185f1d5705ca80c87fa5d5b8ac3ff699c42c.tar.xz
msec-7e8b185f1d5705ca80c87fa5d5b8ac3ff699c42c.zip
*** empty log message ***
-rw-r--r--Makefile1
-rw-r--r--doc/msec.spec18
-rwxr-xr-xinit-sh/custom.sh110
-rwxr-xr-xinit-sh/init.sh1
-rw-r--r--init-sh/lib.sh19
5 files changed, 140 insertions, 9 deletions
diff --git a/Makefile b/Makefile
index a7e1e15..e3755ce 100644
--- a/Makefile
+++ b/Makefile
@@ -17,6 +17,7 @@ install:
(cp init-sh/grpuser /etc/security/msec/init-sh);
(cp init-sh/file_perm.sh /etc/security/msec/init-sh);
(cp init-sh/*.[1-5] /etc/security/msec/init-sh/)
+ (cp init-sh/custom.sh /etc/security/msec/init-sh);
(cp init-sh/server.* /etc/security/msec/init-sh)
(touch /etc/security/msec/security.conf)
(cd src/promisc_check; make install)
diff --git a/doc/msec.spec b/doc/msec.spec
index 45ef518..22f56ee 100644
--- a/doc/msec.spec
+++ b/doc/msec.spec
@@ -1,7 +1,7 @@
Summary: Security Level & Program for the Linux Mandrake distribution
Name: msec
-Version: 0.3
-Release: 8mdk
+Version: 0.4
+Release: 1mdk
Source: ftp://mandrakesoft.com/pub/yoann/msec-0.3.tar.gz
Copyright: GPL
Group: System Environment/Base
@@ -11,8 +11,8 @@ Requires: /bin/bash setup chkconfig
%description
The Mandrake-Security package is designed to provide generic
secure level to the Mandrake-Linux users...
-It will permit you to choose between level 1 to 5 for a
-less -> more secured distribution.
+It will permit you to choose between level 1 to 5 & custom
+for a less -> more secured distribution.
This packages includes several program that will be run periodically
in order to test the security of your system and alert you if needed.
@@ -34,6 +34,7 @@ cp init-sh/file_perm.sh $RPM_BUILD_ROOT/etc/security/msec/init-sh
cp init-sh/perm.[1-5] $RPM_BUILD_ROOT/etc/security/msec/init-sh
cp init-sh/server.* $RPM_BUILD_ROOT/etc/security/msec/init-sh
cp init-sh/grpuser $RPM_BUILD_ROOT/etc/security/msec/init-sh
+cp init-sh/custom.sh $RPM_BUILD_ROOT/etc/security/msec/init-sh
cp cron-sh/*.sh $RPM_BUILD_ROOT/etc/security/msec/cron-sh
touch $RPM_BUILD_ROOT/etc/security/msec/security.conf
cp src/promisc_check/promisc_check $RPM_BUILD_ROOT/usr/bin
@@ -47,6 +48,15 @@ rm -rf $RPM_BUILD_ROOT
/usr/bin/promisc_check
%changelog
+* Mon Nov 29 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+- Released 0.4 :
+- Now have a custom mode, just answer the question.
+- Msec print what it does.
+- Bug fix in LiloUpdate().
+
+* Mon Nov 29 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+- Fixed a few bugs in msec.
+
* Fri Nov 26 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- grpuser was not installed.
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index e69de29..eac0cc8 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+ . /etc/security/msec/init-sh/lib.sh
+fi
+
+
+clear
+
+###
+echo "Do you want your log file to be in append mode only ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ find /var/log/ -type f -exec chattr +a {} \;
+fi
+###
+echo "Do you want all system events to be logged on tty12 ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "*.* /dev/tty12" /etc/syslog.conf
+fi
+###
+echo "Do you want to deny any machine to connect to yours ?"
+WaitAnswer
+if [ ${answer} == "yes" ]; then
+ echo "Do you want only localhost to be allowed ?"
+ WaitAnswer; clear
+ if [ "${answer}" == "yes" ]; then
+ AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny
+ else
+ AddRules "ALL:ALL:DENY" /etc/hosts.deny
+ fi
+fi
+###
+echo "Do you want root console login to be allowed ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "tty1" /etc/securetty quiet
+ AddRules "tty2" /etc/securetty quiet
+ AddRules "tty3" /etc/securetty quiet
+ AddRules "tty4" /etc/securetty quiet
+ AddRules "tty5" /etc/securetty quiet
+ AddRules "tty6" /etc/securetty
+fi
+###
+echo "Do you want your system to daily check SUID Root file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to daily check SUID Group file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to daily check Writable file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to daily check Unowned file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to verify every minutes if a network interface"
+echo "is in promiscuous state (which mean someone is probably running a sniffer on your machine ) ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf
+ AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab
+fi
+###
+LiloUpdate;
+/sbin/lilo >& /dev/null
+###
+echo "Do you want a "." in your PATH variable ?"
+echo "This permit you to not use ./progname & to just type progname"
+echo "However this is a *high* security risk."
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "PATH=\$PATH:/usr/X11R6/bin" /etc/profile
+fi
+###
+AddRules "SECURE_LEVEL=\"custom\"" /etc/profile
+export SECURE_LEVEL="custom"
+###
+AddRules "umask 077" /etc/profile
+
+
+
+
+
+
+
+
+
diff --git a/init-sh/init.sh b/init-sh/init.sh
index fa8e9b3..361eb1e 100755
--- a/init-sh/init.sh
+++ b/init-sh/init.sh
@@ -9,6 +9,7 @@ fi
if [ "${1}" == "custom" ]; then
/etc/security/msec/init-sh/custom.sh
+ exit 0;
fi
if [ -f /etc/security/msec/init-sh/level$1.sh ]; then
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
index 578c4e4..81c62c0 100644
--- a/init-sh/lib.sh
+++ b/init-sh/lib.sh
@@ -26,6 +26,15 @@ fi
USERNAME="blah"
COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too."
+WaitAnswer() {
+ answer="nothing"
+
+ while [[ "${answer}" != "yes" && "${answer}" != "no" ]]; do
+ echo -n "yes/no : "
+ read answer
+ done
+}
+
AddRules () {
string=$1
file=$2
@@ -113,9 +122,8 @@ LiloUpdate() {
echo "Do you want a password authentication at boot time ?"
echo "Be very carefull,"
echo "this will prevent your server to reboot without an operator to enter password".
- echo -n "[yes]/no : "
- read answer
- if [[ "${answer}" == "yes" || "${answer}" == "" ]]; then
+ WaitAnswer
+ if [ "${answer}" == "yes" ]; then
echo -n "Please enter the password which will be used at boot time : "
read password
else
@@ -131,9 +139,10 @@ LiloUpdate() {
if ! echo "${line}" | grep -q "password"; then
echo "${line}" >> /etc/lilo.conf
fi
- done < /etc/secure.tmp
+ done < /tmp/secure.tmp
- rm -f /etc/secure.tmp
+ rm -f /tmp/secure.tmp
+ clear
AddRules "password=$PASSWORD" /etc/lilo.conf
fi
}