diff options
| author | Yoann Vandoorselaere <yoann@mandriva.com> | 2000-03-22 17:39:12 +0000 |
|---|---|---|
| committer | Yoann Vandoorselaere <yoann@mandriva.com> | 2000-03-22 17:39:12 +0000 |
| commit | 80a65450bd92bd7d24c8e5087856053bbacfe9d9 (patch) | |
| tree | 5e8858584f8e33a80645e9284b7616741d142fbf | |
| parent | ee50375647abff0b29c25673938835cbac434eb7 (diff) | |
| download | msec-80a65450bd92bd7d24c8e5087856053bbacfe9d9.tar msec-80a65450bd92bd7d24c8e5087856053bbacfe9d9.tar.gz msec-80a65450bd92bd7d24c8e5087856053bbacfe9d9.tar.bz2 msec-80a65450bd92bd7d24c8e5087856053bbacfe9d9.tar.xz msec-80a65450bd92bd7d24c8e5087856053bbacfe9d9.zip | |
*** empty log message ***
| -rw-r--r-- | ChangeLog | 3 | ||||
| -rw-r--r-- | README | 22 | ||||
| -rwxr-xr-x | init-sh/custom.sh | 156 | ||||
| -rwxr-xr-x | init-sh/level5.sh | 18 | ||||
| -rw-r--r-- | init-sh/lib.sh | 6 |
5 files changed, 178 insertions, 27 deletions
@@ -1,3 +1,6 @@ +2000-03-22 Yoann Vandoorselaere <yoann@mandrakesoft.com> + * Added many of the proposed feature from Bryan Paxton. + 2000-03-19 Yoann Vandoorselaere <yoann@mandrakesoft.com> * security.sh : added patch from Thomas Poindessous. * find.c : many modification :) @@ -1,23 +1,9 @@ -This is really basic stuff at the moment... - -init-sh : - this is where all script / library to switch security level are, - use init.sh only. - -cron-sh : - Here are all security script that will be used in crontab. - -src: - C program for security check. - -Note : i know my Makefile are dirty, - so if someone wish to clean them :-) - - +****************** +Configurations files in /etc/security/msec/ +Shell scripts in /usr/share/msec. ****************** -All stuff are installed in /etc/security/msec/ -use init.sh to change security level +Many thanks to Bryan Paxton for a good bunch of idea & contribution. Suggest & Comment : yoann@mandrakesoft.com diff --git a/init-sh/custom.sh b/init-sh/custom.sh index 253d9d9..3018f75 100755 --- a/init-sh/custom.sh +++ b/init-sh/custom.sh @@ -1,10 +1,23 @@ #!/bin/bash + # # Security level implementation... # Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> # +### +clear +echo "This script allows you to customize the security on your system." +echo "If you feel at all you don't know what you're doing abort now!!!" +# can't use ctrl-c, we trap all signal. +echo -n "continue [yes/no] : " +read answer; + +if [[ ${answer} != yes ]]; then + exit 1 +fi + if [[ -f /usr/share/msec/lib.sh ]]; then . /usr/share/msec/lib.sh else @@ -17,13 +30,7 @@ clear WRITE_CRON="false" ### -echo "Do you want all system events to be logged on tty12 ?" -WaitAnswer; clear -if [[ ${answer} == yes ]]; then - AddRules "*.* /dev/tty12" /etc/syslog.conf -fi -### echo "Do you want to only allow ctrl-alt-del if root is logged locally ?" echo "( or if an user present in /etc/shutdown.allow is logged locally )" WaitAnswer; clear @@ -186,7 +193,8 @@ LiloUpdate; /sbin/lilo >& /dev/null ### -echo "Do you want to disable your running server ( except important one )" +clear +echo "Do you want to disable your running server ( except those specified in /etc/security/msec/server.4 )" echo "This is only valuable for server installed with rpm." WaitAnswer; clear if [[ ${answer} == yes ]]; then @@ -229,7 +237,7 @@ echo "paranoid ( 077 ) = user = rwx, group = , other =" answer="nothing" while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != "restricted" && "${answer}" != "paranoid" ]]; do echo -n "easy/normal/restricted/paranoid : " - read answer + read answer done case "${answer}" in "easy") @@ -247,6 +255,129 @@ case "${answer}" in esac ### + +echo "Do you want easy, normal, restricted, or paranoid permission ?" +answer="nothing" +while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != "restricted" && "${answer}" != "paranoid" ]]; do + echo -n "easy/normal/restricted/paranoid : " + read answer +done +case "${answer}" in + "easy") + /usr/share/msec/file_perm.sh /etc/security/msec/perm.2 + ;; + "normal") + /usr/share/msec/file_perm.sh /etc/security/msec/perm.3 + ;; + "restricted") + /usr/share/msec/file_perm.sh /etc/security/msec/perm.4 + ;; + "paranoid") + /usr/share/msec/file_perm.sh /etc/security/msec/perm.5 + ;; +esac + +#Logging +clear +echo "Would you like set to up additional logging ?" +echo "Logging will still go to its respected places in /var/log as well." +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + echo "Would you like all system events to be logged on a specific tty ?" + echo "please answer by \"no\" or the tty number." + echo -n "no/ttynumber :" + read answer + if [[ ${answer} != no && ${anwer} != yes ]]; then + AddRules "*.* /dev/tty${answer}" /etc/syslog.conf + fi + + echo + echo "Would you like for auth and warnings to a specific tty ?" + echo "please answer by \"no\" or the tty number." + echo -n "no/ttynumber :" + read answer + if [[ ${answer} != no && ${anwer} != yes ]]; then + AddRules "authpriv.* /dev/tty${answer}" /etc/syslog.conf + fi + + echo + echo "Would you like kernel logging to go on a specific tty ?" + echo "please answer by \"no\" or the tty number." + echo -n "no/ttynumber :" + read answer + if [[ ${answer} != no && ${anwer} != yes ]]; then + AddRules "kern.* /dev/tty${answer}" /etc/syslog.conf + fi + + echo + echo "Would you like mail logging to a specific tty ?" + echo "This is only useful if you're running a mail server." + echo "please answer by \"no\" or the tty number." + echo -n "no/ttynumber :" + read answer + if [[ ${answer} != no && ${anwer} != yes ]]; then + AddRules "mail.* /dev/tty${answer}" /etc/syslog.conf + fi + + /etc/rc.d/init.d/syslog restart >& /dev/null +fi + +clear + +### +clear +echo "We can setup your system to log who does what commands and when..." +echo "May we set up proccess accounting ?" +echo "The log file (/var/log/security/psacct.log) will get filled up VERY quickly..." +echo "You need the psacct package." +WaitAnswer; + +if [[ ${answer} == yes ]]; then + AddRules "touch /var/log/security/pacct.log" /etc/rc.d/rc.local + AddRules "/sbin/accton /var/log/security/pacct.log" /etc/rc.d/rc.local + AddRules "/var/log/security/pacct.log {" /etc/logrotate.conf + AddRules " postrotate" /etc/logrotate.conf + AddRules " /sbin/accton /var/log/security/pacct.log" /etc/logrotate.conf + AddRules " }" /etc/logrotate.conf + touch /var/log/security/pacct.log + chown root.root /var/log/security/pacct.log + chmod 600 /var/log/security/pacct.log + /sbin/accton /var/log/security/pacct.log +fi + +### Pam +clear + +dfsize=40000 +echo "We help prevent certain types of DoS attacks through the use of PAM(Pluggable Authentication Modules.)" +echo "By setting a limit on how big user files may get and how many processes a user may run." + +echo "Would you like to set up some PAM configuration ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "# Limit user processes" /etc/security/limits.conf + AddRules "* soft nproc 100" /etc/security/limits.conf + AddRules "* hard nproc 150" /etc/security/limits.conf + + echo "Would you like to set a maximum file size a user is allowed ?" + WaitAnswer; clear + if [[ ${answer} == yes ]]; then + echo "What shall be the maximum file size(default is $(dfsize))" + echo -n "Size : " + read fsize + if [[ -z ${fsize} ]]; then + AddRules "# limits size of any one of users' files" /etc/security/limits.conf + AddRules "* hard $dfsize" /etc/security/limits.conf + else + AddRules "# limits size of any one of users' files" /etc/security/limits.conf + AddRules "* hard $fsize" /etc/security/limits.conf + fi + fi +fi + + + +### echo "Do you want a "." in your PATH variable ?" echo "This permit you to not use ./progname & to just type progname" echo "However this is a *high* security risk." @@ -273,3 +404,12 @@ AddRules "export PATH SECURE_LEVEL" /etc/profile + + + + + + + + + diff --git a/init-sh/level5.sh b/init-sh/level5.sh index 0e458b7..0d9b58c 100755 --- a/init-sh/level5.sh +++ b/init-sh/level5.sh @@ -70,7 +70,23 @@ AddRules "0 0 * * * root /usr/share/msec/security.sh" /etc/crontab ################################################### -# Wanna a password ? +# setup BSD accounting. + +echo "Setting up BSD process accounting..." +if [[ -f /sbin/accton ]]; then + AddRules "touch /var/log/security/pacct.log" /etc/rc.d/rc.local + AddRules "/sbin/accton /var/log/security/pacct.log" /etc/rc.d/rc.local + AddRules "/var/log/security/pacct.log {" /etc/logrotate.conf + AddRules " postrotate" /etc/logrotate.conf + AddRules " /sbin/accton /var/log/security/pacct.log" /etc/logrotate.conf + AddRules " }" /etc/logrotate.conf + touch /var/log/security/pacct.log + chown root.root /var/log/security/pacct.log + chmod 600 /var/log/security/pacct.log + /sbin/accton /var/log/security/pacct.log +fi + +# Wanna password ? LiloUpdate; echo -n "Running lilo to record new config : " diff --git a/init-sh/lib.sh b/init-sh/lib.sh index 7f55c7c..7b395a7 100644 --- a/init-sh/lib.sh +++ b/init-sh/lib.sh @@ -181,6 +181,8 @@ CleanRules /etc/security/msec/security.conf CommentUserRules /etc/security/msec/security.conf CleanRules /etc/profile CleanRules /etc/lilo.conf +CleanRules /etc/logrotate.conf +CleanRules /etc/rc.d/rc.local CleanRules /etc/rc.d/rc.firewall CleanRules /etc/crontab CleanRules /etc/X11/xdm/Xsession @@ -192,9 +194,13 @@ echo "Setting spoofing protection : " AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall # default group which must exist on the system +# groupadd already check for their existance... groupadd nogroup >& /dev/null groupadd audio >& /dev/null groupadd xgrp >& /dev/null +groupadd ntools >& /dev/null +groupadd ctools >& /dev/null + usermod -G xgrp xfs /usr/share/msec/grpuser.sh --clean |