diff options
| author | Frederic Lepied <flepied@mandriva.com> | 2001-08-09 08:10:59 +0000 |
|---|---|---|
| committer | Frederic Lepied <flepied@mandriva.com> | 2001-08-09 08:10:59 +0000 |
| commit | 7c4523ed3de1cb0e5ea25d8e452c946232449ed4 (patch) | |
| tree | a6c690d0e4382b47f92173d3f5821bf560951e6b | |
| parent | 2672f03b09c111a536856390cb5430b0fb4a6579 (diff) | |
| download | msec-7c4523ed3de1cb0e5ea25d8e452c946232449ed4.tar msec-7c4523ed3de1cb0e5ea25d8e452c946232449ed4.tar.gz msec-7c4523ed3de1cb0e5ea25d8e452c946232449ed4.tar.bz2 msec-7c4523ed3de1cb0e5ea25d8e452c946232449ed4.tar.xz msec-7c4523ed3de1cb0e5ea25d8e452c946232449ed4.zip | |
merge back 0.15-17mdk in CVS
| -rw-r--r-- | ChangeLog | 32 | ||||
| -rw-r--r-- | Makefile | 2 | ||||
| -rw-r--r-- | TODO | 561 | ||||
| -rw-r--r-- | conf/perm.0 | 3 | ||||
| -rw-r--r-- | conf/perm.1 | 1 | ||||
| -rw-r--r-- | conf/perm.2 | 1 | ||||
| -rw-r--r-- | conf/perm.3 | 1 | ||||
| -rw-r--r-- | conf/perm.4 | 1 | ||||
| -rw-r--r-- | conf/perm.5 | 3 | ||||
| -rw-r--r-- | conf/server.4 | 1 | ||||
| -rw-r--r-- | conf/server.5 | 1 | ||||
| -rwxr-xr-x | cron-sh/security.sh | 13 | ||||
| -rwxr-xr-x | cron-sh/security_check.sh | 10 | ||||
| -rwxr-xr-x | init-sh/custom.sh | 1 | ||||
| -rwxr-xr-x | init-sh/level0.sh | 14 | ||||
| -rwxr-xr-x | init-sh/level1.sh | 15 | ||||
| -rwxr-xr-x | init-sh/level2.sh | 17 | ||||
| -rwxr-xr-x | init-sh/level3.sh | 12 | ||||
| -rwxr-xr-x | init-sh/level4.sh | 13 | ||||
| -rwxr-xr-x | init-sh/level5.sh | 13 | ||||
| -rw-r--r-- | init-sh/lib.sh | 88 | ||||
| -rw-r--r-- | init-sh/lib.sh.usermode | 385 | ||||
| -rw-r--r-- | msec.spec | 131 |
23 files changed, 1221 insertions, 98 deletions
@@ -1,3 +1,35 @@ +2000-10-10 Yoann Vandoorselaere <yoann@mandrakesoft.com> + * Applied Warly patch to fix user list problem under kdm. + * User list option for gdm to. + * Restart init after inittab change + +2000-10-09 Yoann Vandoorselaere <yoann@mandrakesoft.com> + * conf/perm.0 : fix a typo + * fix for #760 (kdm should not display the list of users for high security + levels) + * conf/server.[45]: add pcmcia + +2000-10-03 Yoann Vandoorselaere <yoann@mandrakesoft.com> + * init-sh/*.sh : instead of modifying Xsession, + create the /etc/X11/xinit.d/msec file which can contain eventual + rules appended by msec. + +2000-10-02 Yoann Vandoorselaere <yoann@mandrakesoft.com> + + * init-sh/*.sh : modify /etc/X11/Xsession, not /etc/X11/xdm/Xsession + nor /etc/X11/xinit/xinitrc anymore, as they all load + /etc/X11/Xsession. + +2000-07-18 Yoann Vandoorselaere <yoann@mandrakesoft.com> + + * cron-sh/security_check.sh : use -L in ls, + to dereference symbolic link Chris Green <cmg@dok.org> + * conf/perm.*: /var/log/squid must be owned by squid.squid. + * cron-sh/security.sh: + * init-sh/custom.sh: added patch from AG <darkimage@bigfoot.com>, + if no user to mail security report to is availlable, send to root. + + 2000-05-03 Yoann Vandoorselaere <yoann@mandrakesoft.com> LoaderUpdate() make a difference between an empty variable, and a non existing one. @@ -1,4 +1,4 @@ -VERSION = 0.14 +VERSION = 0.15 NAME = msec all: promisc_check msec_find @@ -0,0 +1,561 @@ + Some new stuff I thought should be implemented as well... And yes they keep +on a coming!!!!!!!!! : ) + + ######## Begin new stuff ############## +#!/bin/bash + +#Logging + +echo "Would you like set to up addtional logging ?" +echo "Logging will still go to its respected places in /var/log as well." +WaitAnswer;clear +if [[ ${answer} == yes ]]; then +echo "Would you like for auth and warnings to be logged to tty11 ?" +WaitAnswer;clear +if [[ ${answer} == yes ]]; then +AddRules "authpriv.* /dev/tty11" /etc/syslog.conf +echo "Would you like kernel logging to go tty10 ?" +WaitAnswer;clear +if [[ ${answer} == yes ]]; then +AddRules "kern.* /dev/tty10" /etc/syslog.conf +echo "Would you like mail logging to go tty9 ?" +echo "This is only useful if you're running a mail server(sendmail)." +WaitAnswer;clear +if [[ ${answer} == yes ]]; then +AddRules "mail.* /dev/tty9" /etc/syslog.conf +/etc/rc.d/init.d/syslog restart > /dev/null +fi + fi + fi +#End of logging + +Is BSD style process accounting on by default in Mandrake ? +echo "We can setup your system to log who does what commands and when..." +echo "May we set up proccess accounting ?" +echo "The log file will get filled up VERY quickly +WaitAnswer;clear +if [[ ${answer} == yes ]]; then +AddRules "/sbin/accton /var/log/pacct" /etc/rc.d/rc.local #This probablly needs +it's own script though +echo "/var/log/pacct { " >> /etc/logrotate.conf +echo " postrotate" >> /etc/logrotate.conf +echo " /usr/sbin/accton /var/log/pacct" >> /etc/logrotate.conf +echo >> /etc/logrotate.conf +echo >> "}" /etc/logrotate.conf +#Got a be a cleaner way to do this : ) +fi +#End BSD style process accounting + +#PAM stuff +#default file size limit +dfsize=40000 +echo "We help prevent certain types of DoS attacks through the use of +PAM(Pluggable Authentication Modules.)" +echo "By setting a limit on how big user files may get and how many processes a +user may run." +echo "Would you like to set up some PAM configuration ?" +WaitAnswer;clear +if [[ ${answer} == yes ]]; then +AddRules "# Limit user processes" /etc/security/limits.conf +AddRules "* soft nproc 100" /etc/security/limits.conf +AddRules "* hard nproc 150" /etc/security/limits.conf +echo "Would you like to set a maximum file size a user is allowed ?" +WaitAnswer;clear +if [[ ${answer} == yes ]]; then +echo "What shall be the maximum file size(default it 40000 = 40MB)" +echo -n "Size[40000]: " +read fsize +if [[ -z ${fsize} ]]; then +AddRules "# limits size of any one of users' files" /etc/security/limits.conf +AddRules "* hard $dfsize" /etc/security/limits.conf +else +AddRules "# limits size of any one of users' files" /etc/security/limits.conf +AddRules "* hard $fsize" /etc/security/limits.conf +fi + fi + fi +#End PAM stuff + + + +********************************** + + ###########Begin modified custom.sh###################### +#!/bin/bash + +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +if [[ -f /usr/share/lsec/lib.sh ]]; then + . /usr/share/lsec/lib.sh +else + echo "Can't find /usr/share/lsec/lib.sh, exiting." + exit 1 +fi + +clear + +WRITE_CRON="false" + +### +echo "This script allows you to customize the security on your system. " +echo "If you feel at all you don't know what you're doing abort now!!! " +echo "'ctrl-c' to abort" +echo -n "Otherwise, please press [enter] to continue " +read FOO +clear + +### +echo "Do you want all system events to be logged on tty12 ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "*.* /dev/tty12" /etc/syslog.conf +fi + +### +echo "Do you want to be notified by mail of _all_ root logins ?" +echo "(This is strongle recommended)" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then +if [[ -s /root/.bashrc ]]; then +cp /root/.bashrc /tmp/bashrc +sed '/root login/d' /tmp/bashrc > /root/.bashrc +AddRules 'echo "root login Check your syslog /var/log/messages" | /bin/mail -s +"Root Login" root' /root/.bashrc +rm -f /tmp/bashrc +echo "Done" +fi +fi + + +### +echo "Do you want to only allow ctrl-alt-del if root is logged locally ?" +echo "( or if a user present in /etc/shutdown.allow is logged locally )" +WaitAnswer; clear +tmpfile=`mktemp /tmp/secure.XXXXXX` +cp /etc/inittab ${tmpfile} +if [[ ${answer} == yes ]]; then + cat ${tmpfile} | \ + sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r +now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab +else + cat ${tmpfile} | \ + sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r +now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab +fi +rm -f ${tmpfile} + +#Compile tools +#More needs to be added and this is very sloppy but you get the idea : ) +mgtools() +{ +mgcon=mgcon1 +echo "Do you want only root to have access to the system compiler(gcc/g++) ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then +chmod 0700 /usr/bin/gcc +chmod 0700 /usr/bin/g++ +fi +} +gtools() +{ +gcon=gcon0 +dgrp=devel +echo "Do you want to setup compiling tools(gcc,g++,etc..) so that they may" +echo "be used by a certain group ?" +echo -n "yes/no: " +read answer +if [[ ${answer} == yes ]]; then +gcon=gcon1 +echo +echo -n "What shall the name of this group be [devel]: " +read grp +if [[ -z ${grp} ]]; then +groupadd ${dgrp} +.. /etc/security/lsec/perm.ctoolsd +else +groupadd ${grp} +.. /etc/security/lsec/perm.ctools +fi +fi +} +gtools +#if [[ ${gcon} = gcon1 ]]; then +#ntools +#else +#mgtools +#fi + +#network tools +mntools() +{ +echo "Do you want to disable 'ping' to all users except root ?" +WaitAnswer; clear +if [[ $answer} == yes ]]; then +chmod 0700 /bin/ping +fi + +echo "Do you want to disable 'traceroute' to all users except root ?" +WaitAnswer; clear +if [[ $answer == yes ]]; then +chmod 0700 /usr/sbin/traceroute +fi + +echo "Do you want to disable 'who' to all users except root ?" +WaitAnswer; clear +if [[ $answer == yes ]]; then +chmod 0700 /usr/bin/who +fi + +echo "Do you want to disable 'w' to all users except root ?" +WaitAnswer; clear +if [[ $answer == yes ]]; then +chmod 0700 /usr/bin/w +fi + +echo "Do you want to disable 'finger' to all users except root ?" +WaitAnswer; clear +if [[ $answer == yes ]]; then +chmod 0700 /usr/bin/finger +fi + +echo "Do you want to disable telnet client to all users except root ?" +WaitAnswer; clear +if [[ $answer == yes ]]; then +chmod 0700 /usr/bin/telnet +fi + +echo "Do you want to disable ssh client to all users except root ?" +WaitAnswer; clear +if [[ $answer == yes ]]; then +chmod 0700 /usr/bin/ssh +fi +} +ntools() +{ +ncon=ncon0 +ngrpd=netsys +echo "Do you want to set up network tools so that they may be used only" +echo "by users of a certain group ?" +echo -n "yes/no: " +read answer +if [[ ${answer} == yes ]]; then +ncon=ncon1 +echo +echo -n "What shall the name of this group be [netsys]: " +read ngrp +if [[ -z ${ngrp} ]]; then +groupadd ${ngrpd} +.. /etc/security/lsec/perm.netsysd +else +groupadd ${ngrp} +.. /etc/security/lsec/perm.netsysd +fi +fi +} +if [[ ${gcon} = gcon1 ]]; then +ntools +else +mgtools +fi + +if [[ ${mgcon} = mgcon1 ]]; then +ntools +else +mntools +fi + +if [[ $ncon = ncon1 ]]; then +echo "Done" +else +mntools +fi + +### +echo "Do you want to deny any machine to connect to yours ?" +WaitAnswer +if [[ ${answer} == yes ]]; then + echo "Do you want only localhost to be allowed ?" + WaitAnswer; clear + if [[ ${answer} == yes ]]; then + AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny + else + AddRules "ALL:ALL:DENY" /etc/hosts.deny + fi +fi + +### +echo "Do you want root console login to be allowed ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "tty1" /etc/securetty quiet + AddRules "tty2" /etc/securetty quiet + AddRules "tty3" /etc/securetty quiet + AddRules "tty4" /etc/securetty quiet + AddRules "tty5" /etc/securetty quiet + AddRules "tty6" /etc/securetty +fi +### + +if [[ -f /usr/lib/libsafe.so.1.2 ]]; then +echo "Do you want to enable the libsafe stack overflow protection ?" +echo "This stack overflow protection work by catching dangerous function call" +echo "like strcpy, strcat, getwd, gets, [vf]scanf, realpath, [v]sprintf" +echo "and verify the address & the size of the destination buffer in the stack" +echo "this is done by searching in the stack frame the one which contain the" +echo "destination address, and by substracting the frame address to the +destination buffer one" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "export LD_PRELOAD=/usr/lib/libsafe.so.1.2" /etc/profile +fi +fi + +### +echo "Do you want your system to daily check important security problem ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_SECURITY=yes" /etc/security/lsec/security.conf + WRITE_CRON="true" +fi + +### +echo "Do you want your system to daily check new open port listening ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_OPEN_PORT=yes" /etc/security/lsec/security.conf + WRITE_CRON="true" +fi + +### +echo "Do you want your system to check for grave permission problem on +sensibles files ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_PERMS=yes" /etc/security/lsec/security.conf + WRITE_CRON="true" +fi + +### +echo "Do you want your system to daily check SUID Root file change ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_SUID_ROOT=yes" /etc/security/lsec/security.conf + WRITE_CRON="true" +fi + +### +echo "Do you want your system to daily check suid files md5 checksum changes ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_SUID_MD5=yes" /etc/security/lsec/security.conf + WRITE_CRON="true" +fi + +### +echo "Do you want your system to daily check SUID Group file change ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_SUID_GROUP=yes" /etc/security/lsec/security.conf + WRITE_CRON="true" +fi + +### +echo "Do you want your system to daily check Writeable file change ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_WRITEABLE=yes" /etc/security/lsec/security.conf + WRITE_CRON="true" +fi + +### +echo "Do you want your system to daily check Unowned file change ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_UNOWNED=yes" /etc/security/lsec/security.conf + WRITE_CRON="true" +fi + +### +echo "Do you want your system to verify every minutes if a network interface" +echo "is in promiscuous state (which mean someone is probably running a sniffer +on your machine ) ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_PROMISC=yes" /etc/security/lsec/security.conf + AddRules "*/1 * * * * root nice --adjustment=+19 +/usr/share/lsec/promisc_check.sh" /etc/crontab +fi +### + +### +echo "Do you want security report to be done in syslog ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "SYSLOG_WARN=yes" /etc/security/lsec/security.conf +else + AddRules "SYSLOG_WARN=no" /etc/security/lsec/security.conf +fi +### + +echo "Do you want security report to be done by mail ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "MAIL_WARN=yes" /etc/security/lsec/security.conf +else + AddRules "MAIL_WARN=no" /etc/security/lsec/security.conf +fi +### + +if [[ ${WRITE_CRON} == "true" ]]; then + AddRules "0 0-23 * * * root nice --adjustment=+19 +/usr/share/lsec/security.sh" /etc/crontab +fi + +LiloUpdate; +/sbin/lilo >& /dev/null + +### +echo "Do you want to disable all services except(gpm,xfs,keytable," +echo "network,crond, and syslogd ?" +echo "This is _highly_ recommended if you have not configured other" +echo "said services." +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + echo -n "Disabling all service, except : {" + chkconfig --list | awk '{print $1}' | while read service; do + if grep -qx ${service} /etc/security/lsec/server.4; then + echo -n " ${service}" + fi + done + echo " } : " + + chkconfig --list | awk '{print $1}' | while read service; do + chkconfig --del "${service}" + if ! chkconfig --add "${service}"; then + echo -e "\t- Services ${service} is now disabled." + fi + done + chkconfig --add gpm + chkconfig --add xfs + chkconfig --add network + chkconfig --add keytable + chkconfig --add syslog + chkconfig --add crond + echo -e "done.\n"; +fi + +### +echo "Do you want an easy, normal, restricted, or paranoid umask ?" +echo "easy ( 002 ) = user = rwx, group = rwx, other = rx" +echo "normal ( 022 ) = user = rwx, group = rx, other = rx" +echo "restricted ( for users ) ( 077 ) = user = rwx, group =, other =" +echo "restricted ( for root ) ( 022 ) = user = rwx, = group = rx, other = rx" +echo "paranoid ( 077 ) = user = rwx, group = , other =" +answer="nothing" +while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != +"restricted" && "${answer}" != "paranoid" ]]; do + echo -n "easy/normal/restricted/paranoid : " + read answer +done +case "${answer}" in + "easy") + AddRules "umask 002" /etc/profile + ;; + "normal") + AddRules "umask 022" /etc/profile + ;; + "restricted") + AddRules "if [[ \${UID} == 0 ]]; then umask 022; else umask 077; fi" +/etc/profile + ;; + "paranoid") + AddRules "umask 077" /etc/profile + ;; +esac + +### +echo "Do you want a "." in your PATH variable ?" +echo "This permit you to not use ./progname & to just type progname" +echo "However this is a *high* security risk." +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games:." /etc/profile quiet +else + AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/profile quiet +fi + +AddRules "export PATH SECURE_LEVEL" /etc/profile + +echo "Do you want normal, restricted, or paranoid file permissions ?" +while [[ "${answer}" != "normal" && "${answer}" != "strict" && "${answer}" != +"paranoid" ]]; do +echo -n "normal/restricted/paranoid : " + read answer +done +case "${answer}" in + "normal") + /usr/share/lsec/file_perm.sh /etc/security/lsec/perm.3 + ;; + "strict") + /usr/share/lsec/file_perm.sh /etc/security/lsec/perm.4 + ;; + "paranoid")#!/bin/bash +/usr/share/lsec/file_perm.sh /etc/security/lsec/perm.5 + ;; +esac +#EOF +# /etc/security/msec/perm.ctools +chown root.$grp /usr/bin/gcc +chmod 750 /usr/bin/gcc +chown root.$grp /usr/bin/cc +chmod 750 /usr/bin/cc +chown root.$grp /usr/bin/g++ +chmod 750 /usr/bin/g++ + +# /etc/security/msec/perm.ctoolsd +chown root.$dgrp /usr/bin/gcc +chmod 750 /usr/bin/gcc +chown root.$dgrp /usr/bin/cc +chmod 750 /usr/bin/cc +chown root.$dgrp /usr/bin/g++ +chmod 750 /usr/bin/g++ + + +# /etc/security/msec/perm.netsys +chown root.$ngrp /usr/bin/ping +chmod 750 /usr/bin/gcc +chown root.$ngrp /usr/bin/w +chmod 750 /usr/bin/w +chown root.$ngrp /usr/bin/w +chmod 750 /usr/bin/who +chown root.$ngrp /usr/bin/telnet +chmod 750 /usr/bin/telnet +chown root.$ngrp /usr/bin/ssh +chmod 750 /usr/bin/ssh +chown root.$ngrp /usr/sbin/traceroute +chmod 750 /usr/sbin/traceoute +chown root.$ngrp /usr/bin/finger +chmod 750 /usr/bin/finger + +# /etc/security/msec/perm.netsys.d +chown root.$ngrpd /bin/ping +chmod 750 /usr/bin/gcc +chown root.$ngrpd /usr/bin/w +chmod 750 /usr/bin/w +chown root.$ngrpd /usr/bin/w +chmod 750 /usr/bin/who +chown root.$ngrpd /usr/bin/telnet +chmod 750 /usr/bin/telnet +chown root.$ngrpd /usr/bin/ssh +chmod 750 /usr/bin/ssh +chown root.$ngrpd /usr/sbin/traceroute +chmod 750 /usr/sbin/traceroute +chown root.$ngrpd /usr/bin/finger +chmod 750 /usr/bin/finger + +######## END + + diff --git a/conf/perm.0 b/conf/perm.0 index 1be6dce..88deeda 100644 --- a/conf/perm.0 +++ b/conf/perm.0 @@ -57,9 +57,10 @@ /usr/bin/ root.root 755 /usr/sbin/ root.root 755 /var/ root.root 755 -/var/tmp root.roo 1777 +/var/tmp root.root 1777 /var/log/ root.root 755 /var/log/* root.adm 644 +/var/log/squid squid.squid 755 /var/log/security/ root.root 700 /var/log/security/* root.root 600 /var/spool/mail/ root.mail 771 diff --git a/conf/perm.1 b/conf/perm.1 index f0f4acb..b397e99 100644 --- a/conf/perm.1 +++ b/conf/perm.1 @@ -58,6 +58,7 @@ /var/ root.root 755 /var/log/ root.root 755 /var/log/* root.adm 644 +/var/log/squid squid.squid 755 /var/log/security/ root.root 700 /var/log/security/* root.root 600 /var/spool/mail/ root.mail 2775 diff --git a/conf/perm.2 b/conf/perm.2 index 634a096..4f6f355 100644 --- a/conf/perm.2 +++ b/conf/perm.2 @@ -59,6 +59,7 @@ /var/ root.root 755 /var/log/ root.root 755 /var/log/* root.adm 640 +/var/log/squid squid.squid 755 /var/log/security/ root.root 700 /var/log/security/* root.root 600 /var/spool/mail/ root.mail 2775 diff --git a/conf/perm.3 b/conf/perm.3 index a4a6e12..8fb5e41 100644 --- a/conf/perm.3 +++ b/conf/perm.3 @@ -59,6 +59,7 @@ /var/ root.root 755 /var/log/ root.root 755 /var/log/* root.root 600 +/var/log/squid squid.squid 755 /var/log/security/ root.root 700 /var/log/security/* root.root 600 /var/spool/mail/ root.mail 2775 diff --git a/conf/perm.4 b/conf/perm.4 index 1ae8811..d34b49f 100644 --- a/conf/perm.4 +++ b/conf/perm.4 @@ -59,6 +59,7 @@ /var/ root.root 755 /var/log/ root.root 711 /var/log/* root.root 600 +/var/log/squid squid.squid 711 /var/log/security/ root.root 700 /var/log/security/* root.root 600 /var/spool/mail/ root.mail 771 diff --git a/conf/perm.5 b/conf/perm.5 index b3b2b24..3cc42b5 100644 --- a/conf/perm.5 +++ b/conf/perm.5 @@ -55,7 +55,6 @@ /usr/* root.root 711 /usr/X11R6/ root.xgrp 710 /usr/bin/ root.root 711 -/usr/bin/* root.root 755 /usr/bin/cc root.ctools 750 /usr/bin/finger root.ntools 750 /usr/bin/gcc root.ctools 750 @@ -66,12 +65,12 @@ /usr/bin/who root.ntools 750 /usr/bin/ssh root.ntools 750 /usr/sbin/ root.root 711 -/usr/sbin/* root.root 700 /usr/sbin/sendmail root.root 755 /usr/sbin/traceroute root.ntools 750 /var/ root.root 755 /var/log/ root.root 711 /var/log/* root.root 600 +/var/log/squid squid.squid 711 /var/log/security/ root.root 700 /var/log/security/* root.root 600 /var/spool/mail/ root.mail 771 diff --git a/conf/server.4 b/conf/server.4 index 044f0bf..b275405 100644 --- a/conf/server.4 +++ b/conf/server.4 @@ -4,3 +4,4 @@ keytable network gpm xfs +pcmcia diff --git a/conf/server.5 b/conf/server.5 index 044f0bf..b275405 100644 --- a/conf/server.5 +++ b/conf/server.5 @@ -4,3 +4,4 @@ keytable network gpm xfs +pcmcia diff --git a/cron-sh/security.sh b/cron-sh/security.sh index b6636b5..01d3e4c 100755 --- a/cron-sh/security.sh +++ b/cron-sh/security.sh @@ -7,6 +7,8 @@ fi . /etc/security/msec/security.conf +[[ ${MAIL_WARN} == yes ]] && [ -z ${MAIL_USER} ] && MAIL_USER="root" + export SUID_ROOT_TODAY="/var/log/security/suid_root.today" SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday" SUID_ROOT_DIFF="/var/log/security/suid_root.diff" @@ -130,12 +132,13 @@ Maillog() { text=${2} if [[ ${MAIL_WARN} == yes ]]; then - if [[ ! -z ${MAIL_USER} ]]; then - if [[ -x /bin/mail ]]; then - cat ${text} | /bin/mail -s "${subject}" "${MAIL_USER}" - fi - fi + if [[ -z ${MAIL_USER} ]]; then + MAIL_USER="root" + fi + if [[ -x /bin/mail ]]; then + cat ${text} | /bin/mail -s "${subject}" "${MAIL_USER}" fi + fi } ################## diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh index a5ad71c..5055b52 100755 --- a/cron-sh/security_check.sh +++ b/cron-sh/security_check.sh @@ -62,7 +62,7 @@ while read username uid homedir; do for f in ${list} ; do file="${homedir}/${f}" if [[ -f ${file} ]] ; then - printf "${uid} ${username} ${file} `ls -ldcgn ${file}`\n" + printf "${uid} ${username} ${file} `ls -Lldcgn ${file}`\n" fi done done | awk '$1 != $6 && $6 != "0" \ @@ -91,7 +91,7 @@ while read username uid homedir; do for f in ${list} ; do file=${homedir}/${f} if [[ -f ${file} ]] ; then - printf "${uid} ${username} ${file} `ls -ldcgn ${file}`\n" + printf "${uid} ${username} ${file} `ls -Lldcgn ${file}`\n" fi done done | awk '$1 != $6 && $6 != "0" \ @@ -110,9 +110,9 @@ fi awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | \ while read username uid homedir; do if [[ -d ${homedir} ]] ; then - realuid=`ls -ldgn ${homedir}| awk '{ print $3 }'` - realuser=`ls -ldg ${homedir}| awk '{ print $3 }'` - permissions=`ls -ldg ${homedir}| awk '{ print $1 }'` + realuid=`ls -Lldgn ${homedir}| awk '{ print $3 }'` + realuser=`ls -Lldg ${homedir}| awk '{ print $3 }'` + permissions=`ls -Lldg ${homedir}| awk '{ print $1 }'` printf "${permissions} ${username} (${uid}) ${realuser} (${realuid})\n" fi done | awk '$3 != $5 && $5 != "(0)" \ diff --git a/init-sh/custom.sh b/init-sh/custom.sh index d597255..aed9d57 100755 --- a/init-sh/custom.sh +++ b/init-sh/custom.sh @@ -184,6 +184,7 @@ echo "Do you want security report to be done by mail ?" WaitAnswer; clear if [[ ${answer} == yes ]]; then AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf + AddRules "MAIL_USER=root" /etc/security/msec/security.conf else AddRules "MAIL_WARN=no" /etc/security/msec/security.conf fi diff --git a/init-sh/level0.sh b/init-sh/level0.sh index 9f4f4ee..4329773 100755 --- a/init-sh/level0.sh +++ b/init-sh/level0.sh @@ -72,19 +72,15 @@ AddRules "export PATH SECURE_LEVEL" /etc/zprofile # Xserver echo "Allowing users to connect X server from everywhere :" -AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xdm/Xsession quiet -AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xinit/xinitrc +AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xinit.d/msec quiet # Group echo "Adding system users to specific groups :" /usr/share/msec/grpuser.sh --refresh echo -e "done.\n" +AllowAutologin + # Boot on a shell / authorize ctrl-alt-del -echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : " -tmpfile=`mktemp /tmp/secure.XXXXXX` -cp /etc/inittab ${tmpfile} -cat ${tmpfile} | \ - sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab -rm -f ${tmpfile} -echo "done." +AllowReboot +AllowUserList diff --git a/init-sh/level1.sh b/init-sh/level1.sh index 172c29b..ac72a91 100755 --- a/init-sh/level1.sh +++ b/init-sh/level1.sh @@ -72,8 +72,7 @@ AddRules "export PATH SECURE_LEVEL" /etc/zprofile # Xserver echo "Allowing users to connect X server from localhost :" -AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession -AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc +AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit.d/msec # Group echo "Adding system users to specific groups :" @@ -81,12 +80,8 @@ echo "Adding system users to specific groups :" grpconv echo -e "done.\n" +AllowAutologin + # Do not boot on a shell -echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : " -tmpfile=`mktemp /tmp/secure.XXXXXX` -cp /etc/inittab ${tmpfile} -cat ${tmpfile} | \ - sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \ - sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab -rm -f ${tmpfile} -echo "done." +AllowReboot +AllowUserList diff --git a/init-sh/level2.sh b/init-sh/level2.sh index eb2641a..3ffe407 100755 --- a/init-sh/level2.sh +++ b/init-sh/level2.sh @@ -73,8 +73,7 @@ AddRules "export PATH SECURE_LEVEL" /etc/zprofile # Xserver echo "Allowing users to connect X server from localhost :" -AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession -AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc +AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit.d/msec # group echo "Adding system users to specifics groups :" @@ -82,14 +81,8 @@ echo "Adding system users to specifics groups :" grpconv echo -e "done.\n" -# Do not boot on a shell -echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : " -tmpfile=`mktemp /tmp/secure.XXXXXX` -cp /etc/inittab ${tmpfile} -cat ${tmpfile} | \ - sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \ - sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab -rm -f ${tmpfile} -echo "done." - +AllowAutologin +# Do not boot on a shell +AllowReboot +AllowUserList diff --git a/init-sh/level3.sh b/init-sh/level3.sh index 74f72a6..e2808f9 100755 --- a/init-sh/level3.sh +++ b/init-sh/level3.sh @@ -79,15 +79,11 @@ AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/zprofile quiet AddRules "export PATH SECURE_LEVEL" /etc/zprofile # Do not boot on a shell -echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : " -tmpfile=`mktemp /tmp/secure.XXXXXX` -cp /etc/inittab ${tmpfile} -cat ${tmpfile} | \ - sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \ - sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab -rm -f ${tmpfile} -echo "done." +AllowReboot +ForbidAutologin # Group were modified in lib.sh... grpconv + +AllowUserList diff --git a/init-sh/level4.sh b/init-sh/level4.sh index c23d576..b0dded8 100755 --- a/init-sh/level4.sh +++ b/init-sh/level4.sh @@ -115,14 +115,9 @@ if [[ -f /lib/libsafe.so.1.3 ]]; then fi # Do not boot on a shell -echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : " -tmpfile=`mktemp /tmp/secure.XXXXXX` -cp /etc/inittab ${tmpfile} -cat ${tmpfile} | \ - sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \ - sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab -rm -f ${tmpfile} -echo "done." +ForbidReboot + +ForbidAutologin # Group were modified in lib.sh... grpconv @@ -132,3 +127,5 @@ grpconv + +ForbidUserList diff --git a/init-sh/level5.sh b/init-sh/level5.sh index a58f2df..13b02bb 100755 --- a/init-sh/level5.sh +++ b/init-sh/level5.sh @@ -132,15 +132,8 @@ if [[ -f /lib/libsafe.so.1.3 ]]; then fi # Do not boot on a shell -echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : " -tmpfile=`mktemp /tmp/secure.XXXXXX` -cp /etc/inittab ${tmpfile} -cat ${tmpfile} | \ - sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \ - sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab -rm -f ${tmpfile} -echo "done." - +ForbidReboot +ForbidAutologin echo echo "You are now running your system in security level 5," @@ -171,3 +164,5 @@ grpconv + +ForbidUserList diff --git a/init-sh/lib.sh b/init-sh/lib.sh index 2c7009c..1be738a 100644 --- a/init-sh/lib.sh +++ b/init-sh/lib.sh @@ -222,6 +222,81 @@ CleanLoaderRules() { fi } +AllowAutologin() { + file=/etc/sysconfig/autologin + if [[ -f ${file} ]]; then + grep -v AUTOLOGIN < ${file} > ${file}.new + echo "AUTOLOGIN=yes" >> ${file}.new + mv -f ${file}.new ${file} + fi +} + +ForbidAutologin() { + file=/etc/sysconfig/autologin + if [[ -f ${file} ]]; then + cat ${file} | grep -v AUTOLOGIN > ${file}.new + echo "AUTOLOGIN=no" >> ${file}.new + mv -f ${file}.new ${file} + fi +} + +ForbidUserList() { + file=/usr/share/config/kdmrc + if [[ -f ${file} ]]; then + perl -pi -e 's/^UserView=.*$/UserView=false/' ${file} + fi + + file=/etc/X11/gdm/gdm.conf + if [[ -f ${file} ]]; then + perl -pi -e 's/^Browser=.*$/Browser=0/' ${file} + fi +} + +AllowUserList() { + file=/usr/share/config/kdmrc + if [[ -f ${file} ]]; then + perl -pi -e 's/^UserView=.*$/UserView=true/' ${file} + fi + + file=/etc/X11/gdm/gdm.conf + if [[ -f ${file} ]]; then + perl -pi -e 's/^Browser=.*$/Browser=1/' ${file} + fi +} + +ForbidReboot() { + echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : " + tmpfile=`mktemp /tmp/secure.XXXXXX` + cp /etc/inittab ${tmpfile} + cat ${tmpfile} | \ + sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \ + sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab + rm -f ${tmpfile} + [ -z "$DURING_INSTALL" ] && telinit u + echo "done." + echo -n "Forbid console users to reboot/shutdown : " + for pamfile in /etc/security/console.apps/{shutdown,poweroff,reboot,halt} ; do + rm -f ${pamfile} 2>&1 > /dev/null + done + echo "done." +} + +AllowReboot() { + echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : " + tmpfile=`mktemp /tmp/secure.XXXXXX` + cp /etc/inittab ${tmpfile} + cat ${tmpfile} | \ + sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab + rm -f ${tmpfile} + [ -z "$DURING_INSTALL" ] && telinit u + echo "done." + echo -n "Allow console users to reboot/shutdown : " + for pamfile in /etc/security/console.apps/{shutdown,poweroff,reboot,halt} ; do + touch -f ${pamfile} + done + echo "done." +} + # If we are currently installing our # system with DrakX, we don't ask anything to the user... # Instead, DrakX do it and give us a file with some variable. @@ -250,8 +325,13 @@ CleanRules /etc/logrotate.conf CleanRules /etc/rc.d/rc.local CleanRules /etc/rc.d/rc.firewall CleanRules /etc/crontab -CleanRules /etc/X11/xdm/Xsession -CleanRules /etc/X11/xinit/xinitrc + +if [[ -f /etc/X11/xinit.d/msec ]]; then + CleanRules /etc/X11/xinit.d/msec +else + touch /etc/X11/xinit.d/msec + chmod 755 /etc/X11/xinit.d/msec +fi echo -e "\nStarting to reconfigure the system : " # For all secure level @@ -266,10 +346,6 @@ groupadd xgrp >& /dev/null groupadd ntools >& /dev/null groupadd ctools >& /dev/null -#Fix the big security hole introduced in cooker -userdel mandrake >& /dev/null -groupdel mandrake >& /dev/null - usermod -G xgrp xfs /usr/share/msec/grpuser.sh --clean diff --git a/init-sh/lib.sh.usermode b/init-sh/lib.sh.usermode new file mode 100644 index 0000000..6f1f65e --- /dev/null +++ b/init-sh/lib.sh.usermode @@ -0,0 +1,385 @@ +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +# Need root access +if [[ ${UID} != 0 ]]; then + echo "You need to be root in order to change secure level." + exit 1 +fi + +export COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too." + +WaitAnswer() { + answer="nothing" + + while [[ ${answer} != yes && ${answer} != no ]]; do + echo -n "yes/no : " + read answer + done +} + +AddRules() { + string=$1 + file=$2 + quiet=$3 + + if [[ -z ${string} ]]; then + return; + fi + + if [[ -z ${quiet} ]]; then + echo "Modifying config in ${file}..." + fi + + if ! grep -Eqx "^${string}" ${file}; then + echo -e "${COMMENT}" >> ${file}; + echo -e "${string}" >> ${file}; + fi + + if [[ -z ${3} ]]; then + echo -e "done.\n" + fi +} + +AddBegRules() { + echo "Modifying config in ${2}..." + + if [[ ! -f ${file} ]]; then + return; + fi + + export VAL=$1 + perl -pi -e '/^#/ or /^$/ or $m++ or print "$ENV{COMMENT}\n$ENV{VAL}\n"' $2 + + echo -e "done.\n" +} + + +OLD_CleanRules() { + file=$1 + ctrl=0 + + if [[ ! -f ${file} ]]; then + echo "${file} do not exist... can not clean." + return; + fi + + echo -en "\t- Cleaning msec appended line in ${file} : " + + tmpfile=`mktemp /tmp/secure.XXXXXX` + cp ${file} ${tmpfile} + + while read line; do + if [[ ${ctrl} == 1 ]]; then + ctrl=0 + continue; + fi + + if echo "${line}" | grep -qx "${COMMENT}"; then + ctrl=1 + fi + + if [[ ${ctrl} == 0 ]]; then + echo "${line}" + fi + done < ${tmpfile} > ${file} + + rm -f ${tmpfile} + + echo "done." +} + +CleanRules() { + echo -en "\t- Cleaning msec appended line in $1 : " + + perl -ni -e '$_ eq "$ENV{COMMENT}\n" ... // or print' $1 + + echo "done." +} + +CommentUserRules() { + file=$1 + + if [[ ! -f ${file} ]]; then + return; + fi + + echo -en "\t- Cleaning user appended line in ${file} : " + + tmpfile=`mktemp /tmp/secure.XXXXXX` + cp -f ${file} ${tmpfile} + + while read line; do + if ! echo "${line}" | grep -qE "^#"; then + echo "# ${line}" + else + echo "${line}" + fi + done < ${tmpfile} > ${file} + + rm -f ${tmpfile} + + echo "done." +} + +Syslog() { + if [[ ${SYSLOG_WARN} == yes ]]; then + /sbin/initlog --string=${1} + fi +} + +Ttylog() { + if [[ ${TTY_WARN} == yes ]]; then + w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do + echo -e ${1} > /dev/$i + done + fi +} + + +LoaderUpdate() { + + # Ask only if we're not inside DrakX. + if [[ ! ${DRAKX_PASSWORD+set} ]]; then + echo "Do you want a password authentication at boot time ?" + echo "Be very carefull," + echo "this will prevent your server to reboot without an operator to enter password". + WaitAnswer; + if [[ ${answer} == yes ]]; then + echo -n "Please enter the password which will be used at boot time : " + read password + else + password="" + fi + + if [[ ! -z ${password} ]]; then + if [[ -f /etc/lilo.conf ]]; then + AddBegRules "password=$password" /etc/lilo.conf + chmod 600 /etc/lilo.conf + fi + if [[ -f /boot/grub/menu.lst ]]; then + AddBegRules "password $password" /boot/grub/menu.lst + chmod 600 /boot/grub/menu.lst + fi + + loader=`/usr/sbin/detectloader` + case "${loader}" in + "LILO") + /sbin/lilo + ;; + "GRUB") + ;; + esac + fi + fi +} + +# Do something only if DRAKX_PASSWORD set ( we're in DrakX ) +LoaderDrakX() { + if [[ -n "${DRAKX_PASSWORD}" ]]; then + if [[ -f /etc/lilo.conf ]]; then + AddBegRules "password=$DRAKX_PASSWORD" /etc/lilo.conf + chmod 600 /etc/lilo.conf + fi + if [[ -f /boot/grub/menu.lst ]]; then + AddBegRules "password $DRAKX_PASSWORD" /boot/grub/menu.lst + chmod 600 /boot/grub/menu.lst + fi + + loader=`/usr/sbin/detectloader` + case "${loader}" in + "LILO") + /sbin/lilo + ;; + "GRUB") + ;; + esac + fi +} + + +CleanLoaderRules() { + if [[ -f /etc/lilo.conf ]]; then + CleanRules /etc/lilo.conf + chmod 644 /etc/lilo.conf + fi + if [[ -f /boot/grub/menu.lst ]]; then + CleanRules /boot/grub/menu.lst + chmod 644 /boot/grub/menu.lst + fi + + if [[ -z ${DRAKX_PASSWORD} ]]; then + loader=`/usr/sbin/detectloader` + case "${loader}" in + "LILO") + /sbin/lilo + ;; + "GRUB") + ;; + esac + fi +} + +AllowAutologin() { + file=/etc/sysconfig/autologin + if [[ -f ${file} ]]; then + grep -v AUTOLOGIN < ${file} > ${file}.new + echo "AUTOLOGIN=yes" >> ${file}.new + mv -f ${file}.new ${file} + fi +} + +ForbidAutologin() { + file=/etc/sysconfig/autologin + if [[ -f ${file} ]]; then + cat ${file} | grep -v AUTOLOGIN > ${file}.new + echo "AUTOLOGIN=no" >> ${file}.new + mv -f ${file}.new ${file} + fi +} + +ForbidUserList() { + file=/usr/share/config/kdmrc + if [[ -f ${file} ]]; then + perl -pi -e 's/^UserView=.*$/UserView=false/' ${file} + fi + + file=/etc/X11/gdm/gdm.conf + if [[ -f ${file} ]]; then + perl -pi -e 's/^Browser=.*$/Browser=0/' ${file} + fi +} + +AllowUserList() { + file=/usr/share/config/kdmrc + if [[ -f ${file} ]]; then + perl -pi -e 's/^UserView=.*$/UserView=true/' ${file} + fi + + file=/etc/X11/gdm/gdm.conf + if [[ -f ${file} ]]; then + perl -pi -e 's/^Browser=.*$/Browser=1/' ${file} + fi +} + +ForbidReboot() { + echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : " + tmpfile=`mktemp /tmp/secure.XXXXXX` + cp /etc/inittab ${tmpfile} + cat ${tmpfile} | \ + sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \ + sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab + rm -f ${tmpfile} + [ -z "$DURING_INSTALL" ] && telinit u + echo "done." +} + +AllowReboot() { + echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : " + tmpfile=`mktemp /tmp/secure.XXXXXX` + cp /etc/inittab ${tmpfile} + cat ${tmpfile} | \ + sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab + rm -f ${tmpfile} + [ -z "$DURING_INSTALL" ] && telinit u + echo "done." +} + +# If we are currently installing our +# system with DrakX, we don't ask anything to the user... +# Instead, DrakX do it and give us a file with some variable. +if [[ -f /etc/security/msec/security.conf ]]; then + . /etc/security/msec/security.conf +fi + +clear +echo "Preparing to run security script : " +CleanRules /etc/syslog.conf +CleanRules /etc/hosts.deny +CommentUserRules /etc/hosts.deny +CleanRules /etc/hosts.allow +CommentUserRules /etc/hosts.allow +CleanRules /etc/securetty +CommentUserRules /etc/securetty +CleanRules /etc/security/msec/security.conf +CommentUserRules /etc/security/msec/security.conf +CleanRules /etc/profile +CleanRules /etc/ld.so.preload + +CleanLoaderRules +LoaderDrakX + +CleanRules /etc/logrotate.conf +CleanRules /etc/rc.d/rc.local +CleanRules /etc/rc.d/rc.firewall +CleanRules /etc/crontab + +if [[ -f /etc/X11/xinit.d/msec ]]; then + CleanRules /etc/X11/xinit.d/msec +else + touch /etc/X11/xinit.d/msec + chmod 755 /etc/X11/xinit.d/msec +fi + +echo -e "\nStarting to reconfigure the system : " +# For all secure level +echo "Setting spoofing protection : " +AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall + +# default group which must exist on the system +# groupadd already check for their existance... +groupadd nogroup >& /dev/null +groupadd audio >& /dev/null +groupadd xgrp >& /dev/null +groupadd ntools >& /dev/null +groupadd ctools >& /dev/null + +usermod -G xgrp xfs + +/usr/share/msec/grpuser.sh --clean +echo + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1,15 +1,15 @@ -%define version 0.14 -%define release 4mdk - -Summary: Security Level & Program for the Linux Mandrake distribution -Name: msec -Version: %{version} -Release: %{release} -Source: %{name}-%{version}.tar.bz2 -Copyright: GPL -Group: System/Base -BuildRoot: /var/tmp/msec -Requires: /bin/bash setup chkconfig >= 0.9-6 +Summary: Security Level & Program for the Linux Mandrake distribution +Name: msec +Version: 0.15 +Release: 17mdk + +Source: %{name}-%{version}.tar.bz2 +Patch0: msec-0.15-usermode.patch.bz2 + +License: GPL +Group: System/Base +BuildRoot: %_tmppath/%name-%version-%release-root +Requires: /bin/bash setup chkconfig >= 0.9-6 %description The Mandrake-Security package is designed to provide generic @@ -20,13 +20,29 @@ This packages includes several program that will be run periodically in order to test the security of your system and alert you if needed. %prep -%setup + +%setup -q +%patch0 -p1 -b .usermode %build make CFLAGS="$RPM_OPT_FLAGS" %install -make install RPM_BUILD_ROOT=$RPM_BUILD_ROOT +#make install RPM_BUILD_ROOT=$RPM_BUILD_ROOT + +install -d $RPM_BUILD_ROOT/etc/security/msec +install -d $RPM_BUILD_ROOT/usr/share/msec +install -d $RPM_BUILD_ROOT/usr/sbin $RPM_BUILD_ROOT/usr/bin +install -d $RPM_BUILD_ROOT/var/log/security +install -d $RPM_BUILD_ROOT%{_mandir}/man8 + +install -m 755 init-sh/*.sh cron-sh/*.sh $RPM_BUILD_ROOT/usr/share/msec +install -m 755 init-sh/msec $RPM_BUILD_ROOT/usr/sbin +install -m 644 conf/perm.* conf/server.* $RPM_BUILD_ROOT/etc/security/msec +install -m 755 src/promisc_check/promisc_check src/msec_find/msec_find $RPM_BUILD_ROOT/usr/bin +install -m 644 doc/*8 $RPM_BUILD_ROOT%{_mandir}/man8/ + +touch $RPM_BUILD_ROOT/etc/security/msec/security.conf $RPM_BUILD_ROOT/var/log/security.log %clean rm -rf $RPM_BUILD_ROOT @@ -35,17 +51,88 @@ rm -rf $RPM_BUILD_ROOT %defattr(-,root,root) %doc AUTHORS COPYING Makefile README %doc doc/*txt ChangeLog doc/*ps -/usr/bin/promisc_check -/usr/bin/msec_find -/usr/sbin/msec -/usr/share/msec -/var/log/security.log -/var/log/security -/usr/man/*/* +%_bindir/promisc_check +%_bindir/msec_find +%_sbindir/msec +%_datadir/msec +%_mandir/*/* -%config /etc/security/msec +%config(noreplace) /var/log/security.log +%config(noreplace) /var/log/security +%config(noreplace) /etc/security/msec %changelog +* Mon Jul 9 2001 Frederic Crozat <fcrozat@mandrakesoft.com> 0.15-17mdk +- Patch 0: add suppport for usermode halt/reboot + +* Thu May 10 2001 Stew Benedict <sbendict@mandrakesoft.com> 0.15-16mdk +- Check for drakx install environment before running "telinit u" - PPC hang + +* Tue May 01 2001 David BAUDENS <baudens@mandrakesoft.com> 0.15-15mdk +- Use %%_tmppath for BuildRoot + +* Tue Oct 10 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-14mdk +- call telinit after modifying inittab + +* Tue Oct 10 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-13mdk +- Applied Warly patch to fix user list problem under kdm. +- User list option for gdm too. + +* Tue Oct 10 2000 Warly <warly@mandrakesoft.com> 0.15-12mdk +- change the UserList method to not append at the end of kdmrc (in the wrong section) + +* Mon Oct 9 2000 Pixel <pixel@mandrakesoft.com> 0.15-11mdk +- remove the fix for #760 (it needs real fixing!) + +* Mon Oct 09 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-10mdk +- conf/server.[45]: add pcmcia + +* Mon Oct 09 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-9mdk +- fix for #760 (kdm should not display the list of users for high security + levels) + +* Mon Oct 09 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-8mdk +- fix a typo in conf/perm.0 + +* Fri Oct 04 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-7mdk +- Autologin allowed in level 0, 1, 2.... I'm against this... but... + +* Fri Oct 04 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-6mdk +- fix some entry in perm.* +- Autologin will only work in level 0 + +* Tue Oct 03 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-5mdk + * init-sh/*.sh : instead of modifying Xsession, + create the /etc/X11/xinit.d/msec file which can contain eventual + rules appended by msec. + +* Mon Oct 02 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-4mdk +- some fix. + +* Mon Oct 02 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-3mdk +- init-sh/*.sh : modify /etc/X11/Xsession, not /etc/X11/xdm/Xsession + nor /etc/X11/xinit/xinitrc anymore, as they all load + /etc/X11/Xsession. + +* Fri Sep 01 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-2mdk +- install manually +- use %{_mandir} macros +- use %config(noreplace) for /etc/msec and for logfile + +* Tue Jul 18 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-1mdk +- cron-sh/security_check.sh : use -L in ls, + to dereference symbolic link Chris Green <cmg@dok.org> +- conf/perm.*: /var/log/squid must be owned by squid.squid. +- cron-sh/security.sh: +- init-sh/custom.sh: added patch from AG <darkimage@bigfoot.com>, + if no user to mail security report to is availlable, send to root. + +* Wed May 17 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.14-6mdk +- Handle new libsafe path. + +* Wed May 17 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.14-5mdk +- corrected a wrong path. + * Wed May 03 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.14-4mdk - LoaderUpdate() make a difference between an empty variable, and a non existing one. |