diff options
author | Yoann Vandoorselaere <yoann@mandriva.com> | 1999-11-25 19:44:10 +0000 |
---|---|---|
committer | Yoann Vandoorselaere <yoann@mandriva.com> | 1999-11-25 19:44:10 +0000 |
commit | 78b13ca5f0677f9e6e5a07a18473a2d7724b51d0 (patch) | |
tree | 1aa278480009928f545f8668bc87c4eaafbc7e7b | |
parent | 7f3bfad3df657529ee81b741c6fb10d847315c85 (diff) | |
download | msec-78b13ca5f0677f9e6e5a07a18473a2d7724b51d0.tar msec-78b13ca5f0677f9e6e5a07a18473a2d7724b51d0.tar.gz msec-78b13ca5f0677f9e6e5a07a18473a2d7724b51d0.tar.bz2 msec-78b13ca5f0677f9e6e5a07a18473a2d7724b51d0.tar.xz msec-78b13ca5f0677f9e6e5a07a18473a2d7724b51d0.zip |
Initial revision
-rw-r--r-- | AUTHORS | 1 | ||||
-rw-r--r-- | COPYING | 339 | ||||
-rw-r--r-- | Makefile | 36 | ||||
-rw-r--r-- | README | 23 | ||||
-rw-r--r-- | cron-sh/Makefile | 5 | ||||
-rwxr-xr-x | cron-sh/file_check.sh | 191 | ||||
-rwxr-xr-x | cron-sh/promisc_check.sh | 40 | ||||
-rw-r--r-- | doc/msec.spec | 76 | ||||
-rw-r--r-- | doc/security.txt | 94 | ||||
-rwxr-xr-x | init-sh/file_perm.sh | 19 | ||||
-rwxr-xr-x | init-sh/grpuser | 152 | ||||
-rwxr-xr-x | init-sh/init.sh | 19 | ||||
-rwxr-xr-x | init-sh/level1.sh | 49 | ||||
-rwxr-xr-x | init-sh/level2.sh | 57 | ||||
-rwxr-xr-x | init-sh/level3.sh | 60 | ||||
-rwxr-xr-x | init-sh/level4.sh | 67 | ||||
-rwxr-xr-x | init-sh/level5.sh | 96 | ||||
-rw-r--r-- | init-sh/lib.sh | 175 | ||||
-rw-r--r-- | init-sh/perm.1 | 71 | ||||
-rw-r--r-- | init-sh/perm.2 | 72 | ||||
-rw-r--r-- | init-sh/perm.3 | 68 | ||||
-rw-r--r-- | init-sh/perm.4 | 72 | ||||
-rw-r--r-- | init-sh/perm.5 | 67 | ||||
-rw-r--r-- | init-sh/server.4 | 6 | ||||
-rw-r--r-- | init-sh/server.5 | 6 | ||||
-rw-r--r-- | src/promisc_check/Makefile | 13 | ||||
-rw-r--r-- | src/promisc_check/promisc_check.c | 137 |
27 files changed, 2011 insertions, 0 deletions
@@ -0,0 +1 @@ +Vandoorselaere Yoann <yoann@mandrakesoft.com> @@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + Appendix: How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + <one line to give the program's name and a brief idea of what it does.> + Copyright (C) 19yy <name of author> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) 19yy name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + <signature of Ty Coon>, 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..a7e1e15 --- /dev/null +++ b/Makefile @@ -0,0 +1,36 @@ +all: promisc_check + +clean: + find . -name *.o -exec rm -f {} \; + find . -name *~ -exec rm -f {} \; + rm -f src/promisc_check/promisc_check + +promisc_check: + (cd src/promisc_check; make) + +install: + (rm -rf /etc/security/msec) + (mkdir -p /etc/security/msec/init-sh) + (cp init-sh/level* /etc/security/msec/init-sh) + (cp init-sh/init.sh /etc/security/msec/init.sh); + (cp init-sh/lib.sh /etc/security/msec/init-sh); + (cp init-sh/grpuser /etc/security/msec/init-sh); + (cp init-sh/file_perm.sh /etc/security/msec/init-sh); + (cp init-sh/*.[1-5] /etc/security/msec/init-sh/) + (cp init-sh/server.* /etc/security/msec/init-sh) + (touch /etc/security/msec/security.conf) + (cd src/promisc_check; make install) + (cd cron-sh; make install) + + @echo + @echo + @echo "BE CAREFULL !!!" + @echo "This is *alpha* release & it does not contains all planned features..." + @echo "Please help debuging it..." + @echo "See security.txt to know what is done & all :-)" + @echo + @echo + @echo "To switch between runlevel, just launch init.sh ( in init-sh dir )" + @echo + @echo + @@ -0,0 +1,23 @@ +This is really basic stuff at the moment... + +init-sh : + this is where all script / library to switch security level are, + use init.sh only. + +cron-sh : + Here are all security script that will be used in crontab. + +src: + C program for security check. + +Note : i know my Makefile are dirty, + so if someone wish to clean them :-) + + +****************** + +All stuff are installed in /etc/security/msec/ +use init.sh to change security level + +Suggest & Comment : +yoann@mandrakesoft.com diff --git a/cron-sh/Makefile b/cron-sh/Makefile new file mode 100644 index 0000000..d2993db --- /dev/null +++ b/cron-sh/Makefile @@ -0,0 +1,5 @@ +all: + +install: + mkdir -p /etc/security/msec/cron-sh + cp *.sh /etc/security/msec/cron-sh diff --git a/cron-sh/file_check.sh b/cron-sh/file_check.sh new file mode 100755 index 0000000..5118ebc --- /dev/null +++ b/cron-sh/file_check.sh @@ -0,0 +1,191 @@ +#!/bin/bash + +# +# Basic security checking for suid files. +# Written by Vandoorselaere Yoann, <yoann@mandrakesoft.com> +# + +if [ -f /etc/security/msec/security.conf ]; then + . /etc/security/msec/security.conf +else + exit 1 +fi + +if [ SECURITY_CHECK == "no" ]; then + exit 0 +fi + +# Modified filters coming from debian security scripts. +CS_NFSAFS='(nfs|afs|xfs|coda)' +CS_TYPES=' type (devpts|auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|'$CS_NFSAFS')' +CS_DEVS='^/dev/fd' +CS_DIRS='on /mnt' +FILTERS="$CS_TYPES|$CS_DEVS|$CS_DIRS" +DIR=`mount | grep -vE "$FILTERS" | cut -d ' ' -f3` +### + +SUID_ROOT_TODAY="/var/log/security/suid_root.today" +SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday" +SUID_ROOT_DIFF="/var/log/security/suid_root.diff" +SUID_GROUP_TODAY="/var/log/security/suid_group.today" +SUID_GROUP_YESTERDAY="/var/log/security/suid_group.yesterday" +SUID_GROUP_DIFF="/var/log/security/suid_group.diff" +WRITABLE_TODAY=/var/log/security/writable.today +WRITABLE_YESTERDAY=/var/log/security/writable.yesterday +WRITABLE_DIFF=/var/log/security/writable.diff +UNOWNED_TODAY=/var/log/security/unowned.today +UNOWNED_YESTERDAY=/var/log/security/unowned.yesterday +UNOWNED_DIFF=/var/log/security/unowned.diff + + +if [ ! -d /var/log/security ]; then + mkdir /var/log/security +fi + +chattr -a /var/log/security + +### Functions ### + +Syslog() { + if [ $SYS_LOG=="yes" ]; then + /sbin/initlog --string=$1 + fi +} + +Ttylog() { + if [ $TTY_LOG=="yes" ]; then + for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do + echo -e $1 > /dev/$i + done + fi +} + +################## + + +### New Suid root file detection ### +if [ $CHECK_SUID_ROOT=="yes" ]; then + if [ -f $SUID_ROOT_TODAY ]; then + mv $SUID_ROOT_TODAY $SUID_ROOT_YESTERDAY + fi + + find $DIR -xdev -type f -perm +04000 -user root \ + -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_ROOT_TODAY + + if [ -f $SUID_ROOT_YESTERDAY ]; then + if ! diff $SUID_ROOT_YESTERDAY $SUID_ROOT_TODAY > $SUID_ROOT_DIFF; then + Syslog "Change in Suid Root file found, please consult $SUID_ROOT_DIFF" + Ttylog "\\033[1;31mChange in Suid Root file found !\\033[0;39m" + Ttylog "\\033[1;31mPlease consult $SUID_ROOT_DIFF\\033[0;39m" + fi + fi +fi +############################# + + +### New Suid group file detection ### +if [ $CHECK_SUID_GROUP ]; then + if [ -f $SUID_GROUP_TODAY ]; then + mv $SUID_GROUP_TODAY $SUID_GROUP_YESTERDAY + fi + + find $DIR -xdev -type f -perm +02000 \ + -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | sort > $SUID_GROUP_TODAY + + if [ -f $SUID_GROUP_YESTERDAY ]; then + if ! diff $SUID_GROUP_YESTERDAY $SUID_GROUP_TODAY > $SUID_GROUP_DIFF; then + Syslog "Change in Suid Group file found, please consult $SUID_GROUP_DIFF" + Ttylog "\\033[1;31mChange in Suid Group file found !\\033[0;39m" + Ttylog "\\033[1;31mPlease consult $SUID_GROUP_DIFF\\033[0;39m" + fi + fi +fi +############################# + +### Writable file detection ### + +if [ $CHECK_WRITABLE=="yes" ]; then + if [ -f $WRITABLE_TODAY ]; then + mv $WRITABLE_TODAY $WRITABLE_YESTERDAY + fi + + find $DIR -xdev -type f -perm -2 \ + -ls -print | sort > $WRITABLE_TODAY + + if [ -f $WRITABLE_YESTERDAY ]; then + if ! diff $WRITABLE_YESTERDAY $WRITABLE_TODAY > $WRITABLE_DIFF; then + Syslog "Change in World Writable File found, please consult $WRITABLE_DIFF" + Ttylog "\\033[1;31mChange in World Writable File found !\\033[0;39m" + Ttylog "\\033[1;31mPlease consult $WRITABLE_DIFF\\033[0;39m" + fi + fi +fi +################################# + +### Search Un Owned file ### +if [ $CHECK_UNOWNED=="yes" ]; then + if [ -f $UNOWNED_TODAY ]; then + mv $UNOWNED_TODAY $UNOWNED_YESTERDAY + fi + + find $DIR -xdev -nouser -o -nogroup -print \ + -ls | sort > $UNOWNED_TODAY + + if [ -f $UNOWNED_YESTERDAY ]; then + if ! diff $UNOWNED_YESTERDAY $UNOWNED_TODAY; then + Syslog "Change in Un-Owned file user/group, please consult $UNOWNED_DIFF" + Ttylog "\\033[1;31mChange in Un-Owned file user/group found !\\033[0;39m" + Ttylog "\\033[1;31mPlease consult $UNOWNED_DIFF\\033[0;39m" + fi + fi +fi + + +chattr +a /var/log/security + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/cron-sh/promisc_check.sh b/cron-sh/promisc_check.sh new file mode 100755 index 0000000..fa5b538 --- /dev/null +++ b/cron-sh/promisc_check.sh @@ -0,0 +1,40 @@ +#!/bin/bash + +if [ -f /etc/security/msec/security.conf ]; then + . /etc/security/msec/security.conf +else + exit 1 +fi + +PROMISC_CHECK="/usr/bin/promisc_check -q" +# +# Check if a network interface is in promisc check... +# Written by Vandoorselaere Yoann, <yoann@mandrakesoft.com> +# + +LogPromisc() { + Syslog "Security warning : $1 is in promiscuous mode. (sniffer running ?)" + Ttylog "\\033[1;31mSecurity warning : $1 is in promiscuous mode.\\033[0;39m" + Ttylog "\\033[1;31mA sniffer is probably running on your system.\\033[0;39m +} + +if [ -f /etc/security/msec/security.conf ]; then + . /etc/security/msec/security.conf +else + exit 1 +fi + +if [ CHECK_PROMISC == "no" ]; then + exit 0; +fi + +for INTERFACE in `$PROMISC_CHECK`; do + LogPromisc $INTERFACE +done + + + + + + + diff --git a/doc/msec.spec b/doc/msec.spec new file mode 100644 index 0000000..5324cbf --- /dev/null +++ b/doc/msec.spec @@ -0,0 +1,76 @@ +Summary: Security Level & Program for the Linux Mandrake distribution +Name: msec +Version: 0.3 +Release: 5mdk +Source: ftp://mandrakesoft.com/pub/yoann/msec-0.3.tar.gz +Copyright: GPL +Group: System Environment/Base +BuildRoot: /var/tmp/msec +Requires: /bin/bash setup chkconfig + +%description +The Mandrake-Security package is designed to provide generic +secure level to the Mandrake-Linux users... +It will permit you to choose between level 1 to 5 for a +less -> more secured distribution. +This packages includes several program that will be run periodically +in order to test the security of your system and alert you if needed. + +%prep +%setup + +%build +make CFLAGS="$RPM_OPT_FLAGS" + +%install +mkdir -p $RPM_BUILD_ROOT/etc/security/msec/init-sh +mkdir -p $RPM_BUILD_ROOT/etc/security/msec/cron-sh +mkdir -p $RPM_BUILD_ROOT/usr/bin + +cp init-sh/level*.sh $RPM_BUILD_ROOT/etc/security/msec/init-sh +cp init-sh/lib.sh $RPM_BUILD_ROOT/etc/security/msec/init-sh +cp init-sh/init.sh $RPM_BUILD_ROOT/etc/security/msec +cp init-sh/file_perm.sh $RPM_BUILD_ROOT/etc/security/msec/init-sh +cp init-sh/perm.[1-5] $RPM_BUILD_ROOT/etc/security/msec/init-sh +cp init-sh/server.* $RPM_BUILD_ROOT/etc/security/msec/init-sh +cp cron-sh/*.sh $RPM_BUILD_ROOT/etc/security/msec/cron-sh +touch $RPM_BUILD_ROOT/etc/security/msec/security.conf +cp src/promisc_check/promisc_check $RPM_BUILD_ROOT/usr/bin + +%clean +rm -rf $RPM_BUILD_ROOT + +%files +%defattr(-,root,root) +/etc/security/msec +/usr/bin/promisc_check + +%changelog +* Thu Nov 25 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com> +- Cleaned up tree. + +* Thu Nov 25 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com> +- Removed touched file /-i + +* Thu Nov 25 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com> +- Create rc.firewall to avoid error, +- Call grpuser with the good path, +- Call groupadd before usermod. + +* Tue Nov 23 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com> +- New release (0.3) : + Now each security level has it's own set of permissions. + Add "." at the end of $PATH for level 1. + Corrected some grave bug, it should work properly now. + +* Thu Nov 18 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com> +- New release (0.2) : + Fixed the path for promisc_check.sh : + now /etc/security/msec/cron-sh/promisc_check.sh + In level 1 & 2, user is now automagically added to the audio group. + +* Tue Nov 16 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com> +- First packaging attempt :-). + + + diff --git a/doc/security.txt b/doc/security.txt new file mode 100644 index 0000000..4d22ca5 --- /dev/null +++ b/doc/security.txt @@ -0,0 +1,94 @@ + +**************************** + +Security level 1 : +OK - Access to the system as a normal user. +OK - . in $PATH +OK - Login as root from the console granted. +OK - No rules check for password. +OK - Permission for /dev & /etc = 755 +OK - Permission for /home = 755 +OK - Device are accessible by group. ( ie: the user is automagically added to the audio group, video group & all... ). +OK - xhost + localhost + +**************************** + +Security level 2 : +OK - Access to the system as a normal user. +OK - Login as root from the console granted. + + - No rules check for password. + ---> Waiting for Chmouel to verify password... + +OK - Device are accessible by group. ( ie: the user is automagically added to the audio group, video group & all... ). +OK - Permission for /dev & /etc = 755 +OK - Permission for /home = 755 +OK xhost + localhost + +**************************** + +Security level 3 : +OK - Access to the system as a normal user. +OK - Login as root from the console denied. + + - Low level rules check on password. + ---> Waiting for Chmouel to verify password... + +OK - Permission for /dev & /etc = 755 +OK - Permission for /home/* = 750 +OK - Detection of interface in promiscuous mode ( one time a minute ) + + +**************************** + +Security level 4 : +OK - lilo pass -> only if the user want it . +- kernel patch -> Secure linux ? +OK - Access to the system as a normal user. +OK - Login as root from the console denied. + + - Medium level rules check on password. + ---> Waiting for Chmouel to verify password... + +OK - Keep track of the suid file, warn when new suid file are detected, in a suid log file. +OK - Device only accessible by root as a default. +OK - Deny all kind of connection except from local network. +OK - Permission for /dev & /etc directories = 755 +OK - Permission for /home = 711 +OK - Permission for /home/* = 750 +OK - Detection of interface in promiscuous mode ( one time a minute ) + +***************************** + +Security level 5 : *Server Only* + +OK - lilo pass -> only if the user want it . +- kernel patch -> Secure linux +OK - Access to the system as a normal user. +OK - Login as root from the console denied. + + - High level rules check on password. + ---> Waiting for Chmouel to verify password... + +OK - Keep track of the suid file, warn when new suid file are detected, in a suid log file. +OK - Device only accessible by root as a default. +OK - No server installed by default. ( except maybe the crontab ) +OK - Deny all kind of connection ( hosts.deny -> ALL:ALL:DENY ) +OK - Permission for /dev & /etc directories = 711 +OK - Permission for /home = 711 +OK - Permission for /home/* = 700 +OK - Permission for /tmp = 700 +OK - Detection of interface in promiscuous mode ( one time a minute ) + + + + + +*** Future Release : *** +- Automatic tty locking ( unlock by passwd ) after X time of inactivity. + + + + + + diff --git a/init-sh/file_perm.sh b/init-sh/file_perm.sh new file mode 100755 index 0000000..9f76791 --- /dev/null +++ b/init-sh/file_perm.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +IFS=" +" + +for line in `cat /$1`; do + file=`echo ${line} | awk '{print $1}'` + owner=`echo ${line} | awk '{print $2}'` + perm=`echo ${line} | awk '{print $3}'` + + if [ -a "${file}" ]; then + if [ ${owner} != "current" ]; then + chown ${owner} ${file} + fi + chmod ${perm} ${file} + fi +done + + diff --git a/init-sh/grpuser b/init-sh/grpuser new file mode 100755 index 0000000..408e384 --- /dev/null +++ b/init-sh/grpuser @@ -0,0 +1,152 @@ +#!/bin/sh + +# +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# Thanks to Francis Galiegue. +# + +file="group" +group_line="" +new_group_line="" +group_name=$2 +user_name=$3 + +Usage() { + echo "Usage :" + echo " --add [ groupname ] [ username ] ---> Add an user to a group." + echo " --del [ groupname ] [ username ] ---> Delete an user from a group." +} + +ModifyFile() { + mv /etc/${file} /tmp/${file}.old + + head -$((group_line_number - 1)) /tmp/${file}.old > /etc/${file} + echo "${new_group_line}" >> /etc/${file} + tail +$((group_line_number + 1)) /tmp/${file}.old >> /etc/${file} + + rm -f /tmp/${file}.old +} + +RemoveUserFromGroup() { + new_group_line=${group}`echo ${group_users} | + sed -e s/,${user_name}$//g -e s/${user_name},//g -e s/${user_name}$//g` +} + +AppendUserToGroup() { + if [ -z "${group_users}" ]; then + new_group_line=${group_line}${user_name} + else + new_group_line=${group_line}",${user_name}" + fi +} + +IsUserAlreadyInGroup() { + if echo "${group_users}" | grep -qw "${user_name}"; then + return 1 + fi + + return 0 +} + +IsGroupExisting() { + group_line="" + group_line_number="" + + # We get some group infos as well, will be used later + tmp=`grep -n "^${group_name}:" /etc/${file} | tr -d " "` + + group_line_number=`echo ${tmp} | awk -F: '{print $1}'` + group=`echo ${tmp} | awk -F: '{print $2":"$3":"$4":"}'` + group_users=`echo ${tmp} | awk -F: '{print $5}'` + group_line=`echo ${tmp} | awk -F: '{print $2":"$3":"$4":"$5}'` + + [ -z "${tmp}" ] && return 0 + return 1 +} + +IsUserExisting() { + grep -qn "^${user_name}:" /etc/passwd + if [ $? == 0 ]; then + return 0; + fi + + return 1; +} + +Add() { + IsGroupExisting; + if [ $? == 0 ]; then + echo "Sorry, group \"${group_name}\" does not exist." + echo "Please create it using the \"groupadd\" command." + exit 1 + fi + + IsUserExisting; + if [ $? == 1 ]; then + echo "Sorry, user \"${user_name}\" does not exist." + exit 1 + fi + + IsUserAlreadyInGroup; + if [ $? == 1 ]; then + echo "Sorry, user \"${user_name}\" is already in group \"${group_name}\"." + exit 1 + fi + + AppendUserToGroup; + ModifyFile; + + exit 0 +} + +Del() { + IsGroupExisting; + if [ $? == 0 ]; then + echo "Sorry, group \"${group_name}\" does not exist." + exit 1 + fi + + IsUserAlreadyInGroup; + if [ $? == 0 ]; then + echo "Sorry, user \"${user_name}\" is not in group \"${group_name}\"." + exit 1 + fi + + RemoveUserFromGroup; + ModifyFile; + + exit 0 +} + +Perm() { + if [ ! -w /etc/${file} ]; then + echo "You're not allowed to write to /etc/group..." + exit 1 + fi +} + +if [ $# == 3 ]; then + case $1 in + "--add") + Perm; + Add; + exit 0 + ;; + "--del") + Perm; + Del; + exit 0 + ;; + esac + Usage; + exit 0 +else + Usage; +fi + + + + + + + diff --git a/init-sh/init.sh b/init-sh/init.sh new file mode 100755 index 0000000..4e89cb9 --- /dev/null +++ b/init-sh/init.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +if [ -z $1 ]; then + echo "Usage : $0 [0-5]" + exit 1 +fi + + +if [ -f /etc/security/msec/init-sh/level$1.sh ]; then + /etc/security/msec/init-sh/level$1.sh + if [ -f /etc/security/msec/init-sh/perm.$1 ]; then + /etc/security/msec/init-sh/file_perm.sh /etc/security/msec/init-sh/perm.$1 + else + echo "Couldn't find the default permissions for level $1." + fi +else + echo "Security level $1 not availlable..." +fi + diff --git a/init-sh/level1.sh b/init-sh/level1.sh new file mode 100755 index 0000000..acd0622 --- /dev/null +++ b/init-sh/level1.sh @@ -0,0 +1,49 @@ +#!/bin/bash + +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +if [ -f /etc/security/msec/init-sh/lib.sh ]; then + . /etc/security/msec/init-sh/lib.sh +else + exit 1 +fi + +# login as root on console granted... +AddRules "tty1" /etc/securetty +AddRules "tty2" /etc/securetty +AddRules "tty3" /etc/securetty +AddRules "tty4" /etc/securetty +AddRules "tty5" /etc/securetty +AddRules "tty6" /etc/securetty + +# Suid Check +AddRules "CHECK_SUID=no" /etc/security/msec/security.conf +AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf +AddRules "TTY_WARN=no" /etc/security/msec/security.conf +AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf + +# umask +AddRules "umask 022" /etc/profile + +# Group +usermod -G audio "${USERNAME}" + +# For X auth : +xhost + localhost 2>&1 >& /dev/null + +# lilo update +lilo + +# Path +if [ ${HAVE_X}==1 ]; then + AddRules "PATH=$PATH:/usr/X11R6/bin:." /etc/profile +else + AddRUles "PATH=$PATH:." /etc/profile +fi + + + + diff --git a/init-sh/level2.sh b/init-sh/level2.sh new file mode 100755 index 0000000..8d20ea1 --- /dev/null +++ b/init-sh/level2.sh @@ -0,0 +1,57 @@ +#!/bin/bash + +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +if [ -f /etc/security/msec/init-sh/lib.sh ]; then + . /etc/security/msec/init-sh/lib.sh +else + exit 1 +fi + +# login as root on console granted... +AddRules "tty1" /etc/securetty +AddRules "tty2" /etc/securetty +AddRules "tty3" /etc/securetty +AddRules "tty4" /etc/securetty +AddRules "tty5" /etc/securetty +AddRules "tty6" /etc/securetty + +# Suid Check +AddRules "CHECK_SUID=yes" /etc/security/msec/security.conf +AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf +AddRules "TTY_WARN=no" /etc/security/msec/security.conf +AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf + +# Permissions +AddRules "umask 002" /etc/profile + +# Group +usermod -G audio ${USERNAME} >& /dev/null + +# For X auth : +xhost + localhost 2>&1 >& /dev/null + +# lilo update +/sbin/lilo + +# Path +if [ ${HAVE_X}==1 ]; then + AddRules "PATH=$PATH:/usr/X11R6/bin" /etc/profile +else + AddRules "PATH=$PATH" /etc/profile +fi + + + + + + + + + + + + diff --git a/init-sh/level3.sh b/init-sh/level3.sh new file mode 100755 index 0000000..400305a --- /dev/null +++ b/init-sh/level3.sh @@ -0,0 +1,60 @@ +#!/bin/bash + +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +if [ -f /etc/security/msec/init-sh/lib.sh ]; then + . /etc/security/msec/init-sh/lib.sh +else + exit 1 +fi + +# All events logged on tty12 +AddRules "*.* /dev/tty12" /etc/syslog.conf + +# login as root from the console allowed +AddRules "tty1" /etc/securetty +AddRules "tty2" /etc/securetty +AddRules "tty3" /etc/securetty +AddRules "tty4" /etc/securetty +AddRules "tty5" /etc/securetty +AddRules "tty6" /etc/securetty + +# Suid Check +AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf +AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf +AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf +AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf +AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf +AddRules "TTY_WARN=no" /etc/security/msec/security.conf +AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf + +# Crontab +AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab + + +# Permissions +AddRules "umask 022" /etc/profile + +/sbin/lilo + + +# Path +if [ ${HAVE_X}==1 ]; then + AddRules "PATH=$PATH:/usr/X11R6/bin" +fi + + + + + + + + + + + + + diff --git a/init-sh/level4.sh b/init-sh/level4.sh new file mode 100755 index 0000000..283817a --- /dev/null +++ b/init-sh/level4.sh @@ -0,0 +1,67 @@ +#!/bin/bash + + +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + + +if [ -f /etc/security/msec/init-sh/lib.sh ]; then + . /etc/security/msec/init-sh/lib.sh +else + exit 1 +fi + +# Log in append only mode +chattr +a /var/log/* + +# All events logged on tty12 +AddRules "*.* /dev/tty12" /etc/syslog.conf + +# Prevent all kind of connection except from localhost +AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny + +# Login as root on the console allowed : +AddRules "tty1" /etc/securetty +AddRules "tty2" /etc/securetty +AddRules "tty3" /etc/securetty +AddRules "tty4" /etc/securetty +AddRules "tty5" /etc/securetty +AddRules "tty6" /etc/securetty + +# Suid check +AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf +AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf +AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf +AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf +AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf +AddRules "TTY_WARN=yes" /etc/security/msec/security.conf +AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf + +# Check every 1 minutes for promisc problem +AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab +AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab + +# Do you want a password ? +LiloUpdate; +/sbin/lilo + +# Permissions +AddRules "umask 022" /etc/profile + +# Path + +if [ ${HAVE_X}==1 ]; then + AddRules "PATH=$PATH:/usr/X11R6/bin" /etc/profile +fi + + + + + + + + + + diff --git a/init-sh/level5.sh b/init-sh/level5.sh new file mode 100755 index 0000000..f2b7a55 --- /dev/null +++ b/init-sh/level5.sh @@ -0,0 +1,96 @@ +#!/bin/bash + +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +if [ -f /etc/security/msec/init-sh/lib.sh ]; then + . /etc/security/msec/init-sh/lib.sh +fi + +chattr +a /var/log/* + +# All events logged on tty12 +AddRules "*.* /dev/tty12" /etc/syslog.conf + +# Prevent all kind of connection +AddRules "ALL:ALL:DENY" /etc/hosts.deny + +# No login as root +AddRules "" /etc/securetty + +# Suid check +AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf +AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf +AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf +AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf +AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf +AddRules "TTY_WARN=yes" /etc/security/msec/security.conf +AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf + +# Check every 1 minutes for promisc problem +AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab +AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab + + +# Wanna a password ? +LiloUpdate; +/sbin/lilo + +# Disable all server : +IFS=" +" + +for service in `chkconfig --list | awk '{print $1}'`; do + if [ "${service}" == "xfs" ]; then + if [ ${HAVE_X}==1 ]; then + continue; + fi + fi + + if [ "${service}" == "network" ]; then continue; fi + if [ "${service}" == "keytable" ]; then continue; fi + if [ "${service}" == "crond" ]; then continue; fi + if [ "${service}" == "gpm" ]; then continue; fi + if [ "${service}" == "syslog" ]; then continue; fi + + + chkconfig --del "${service}" +done + +# Permissions +AddRules "umask 077" /etc/profile + +# Path +if [ ${HAVE_X}==1 ]; then + AddRules "PATH=$PATH:/usr/X11R6/bin" /etc/profile +fi + +echo +echo "You are now running your system in security level 5," +echo "All services are disabled : try the chkconfig to enable one..." +echo "If you're on a senssible machine, ( which is probably the case )" +echo "you should compile the server from the sources". +echo +echo "Good luck. :-)" +echo + + + + + + + + + + + + + + + + + + + diff --git a/init-sh/lib.sh b/init-sh/lib.sh new file mode 100644 index 0000000..a48c945 --- /dev/null +++ b/init-sh/lib.sh @@ -0,0 +1,175 @@ +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +# Need root access +if [ $UID != 0 ]; then + echo "You need to be root in order to change secure level." + exit 1 +fi + +# To avoid error, while new initscript package isn't released... +touch /etc/rc.d/rc.firewall + +# If we are currently installing our +# system with DrakX, we don't ask anything to the user... +# Instead, DrakX do it and give us a file with some variable. +if [ -f /tmp/secure.DrakX ]; then + . /tmp/secure.DrakX +fi + +if [ -f /etc/security/msec/security.conf ]; then + . /etc/security/msec/security.conf +fi + +if rpm -q XFree86 2>&1 > /dev/null; then + HAVE_X=1 +else + HAVE_X=0 +fi + +USERNAME="blah" +COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too." + +AddRules () { + string=$1 + file=$2 + + if [ -z "${string}" ]; then + return; + fi + + if ! grep -qx "${string}" ${file}; then + echo "${COMMENT}" >> ${file}; + echo "${string}" >> ${file}; + fi +} + +CleanRules() { + file=$1 + ctrl=0 + + mv -f ${file} /tmp/secure.tmp + touch ${file} + + while read line; do + if [ ${ctrl} == 1 ]; then + ctrl=0 + continue; + fi + + if echo "${line}" | grep -qx "${COMMENT}"; then + ctrl=1 + fi + + if [ ${ctrl} == 0 ]; then + echo "${line}" >> ${file} + fi + done < /tmp/secure.tmp + + rm -f /tmp/secure.tmp + +} + +CommentUserRules() { + file=$1 + + mv -f ${file} /tmp/secure.tmp + touch ${file} + + while read line; do + if ! echo "${line}" | grep -qE "^#"; then + echo "# ${line}" >> ${file} + fi + done < /tmp/secure.tmp + + rm -f /tmp/secure.tmp +} + +Syslog() { + if [ "${SYS_LOG}" == "yes" ]; then + /sbin/initlog --string=${1} + fi +} + +Ttylog() { + if [ "${TTY_LOG}" == "yes" ]; then + for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do + echo -e ${1} > /dev/$i + done + fi +} + + +LiloUpdate() { + if [ ! -f /tmp/secure.DrakX ]; then + echo "Do you want a password authentication at boot time ?" + echo "Be very carefull," + echo "this will prevent your server to reboot without an operator to enter password". + echo -n "[yes]/no : " + read answer + if [[ "${answer}" == "yes" || "${answer}" == "" ]]; then + echo -n "Please enter the password which will be used at boot time : " + read password + else + password="" + fi + else + password=${DRAKX_PASSWORD} + fi + + if [ ! -z "${password}" ]; then + mv /etc/lilo.conf /tmp/secure.tmp + while read line; do + if ! echo "${line}" | grep -q "password"; then + echo "${line}" >> /etc/lilo.conf + fi + done < /etc/secure.tmp + + rm -f /etc/secure.tmp + AddRules "password=$PASSWORD" /etc/lilo.conf + fi +} + + +CleanRules /etc/syslog.conf + +CleanRules /etc/hosts.deny +CommentUserRules /etc/hosts.deny + +CleanRules /etc/hosts.allow +CommentUserRules /etc/hosts.allow + +CleanRules /etc/securetty +CommentUserRules /etc/securetty + +CleanRules /etc/security/msec/security.conf +CommentUserRules /etc/security/msec/security.conf + +CleanRules /etc/profile +CleanRules /etc/lilo.conf +CleanRules /etc/rc.d/rc.firewall +CleanRules /etc/crontab + + +# For all secure level +AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall + +# default group which must exist on the system +groupadd audio >& /dev/null +groupadd xgrp >& /dev/null +usermod -G xgrp xfs + +if ! /etc/security/msec/init-sh/grpuser --del audio "${USERNAME}"; then + echo "Problem removing user \"${USERNAME}\" from group audio." +fi + + + + + + + + + diff --git a/init-sh/perm.1 b/init-sh/perm.1 new file mode 100644 index 0000000..c63483a --- /dev/null +++ b/init-sh/perm.1 @@ -0,0 +1,71 @@ +# +# +# - Group for X user +# - Group for audio user +# - Group for dialout user +# - Group for video user +# Directories / +# Welcome in Level 1 +### + +/bin root.root 755 +/boot root.root 755 +/dev root.root 755 +/dev/audio* root.audio 660 +/dev/dsp* root.audio 660 +/etc/ root.root 755 +/etc/cron.daily/ root.root 755 +/etc/cron.hourly/ root.root 755 +/etc/cron.monthly/ root.root 755 +/etc/cron.weekly/ root.root 755 +/etc/dhcpcd/ root.root 755 +/etc/init.d/ root.root 755 +/etc/profile root.root 644 +/home/ root.root 755 +/home/* current 755 +/lib root.root 755 +/mnt root.root 755 +/root root.root 755 +/sbin root.root 755 +/tmp root.root 1777 +/usr root.root 755 +/usr/* root.root 755 +/usr/X11R6/ root.root 755 +/usr/bin/ root.root 755 +/usr/bin/* root.root 755 +/usr/sbin/ root.root 755 +/var root.root 755 + +/etc/conf.modules root.root 644 +/etc/crontab root.root 644 +/etc/esd.conf root.root 644 +/etc/ftpaccess root.root 644 +/etc/ftpconversions root.root 644 +/etc/ftpgroups root.root 644 +/etc/ftphosts root.root 644 +/etc/ftpusers root.root 644 +/etc/gettydefs root.root 644 +/etc/hosts.allow root.root 644 +/etc/hosts.deny root.root 644 +/etc/hosts.equiv root.root 644 +/etc/inetd.conf root.root 644 +/etc/inittab root.root 644 +/etc/ld.so.conf root.root 644 +/etc/lilo.conf root.root 644 +/etc/modules.conf root.root 644 +/etc/motd root.root 644 +/etc/printcap root.root 644 +/etc/rc.d/ root.root 755 +/etc/securetty root.root 644 +/etc/sendmail.cf root.root 644 +/etc/ssh_config root.root 644 +/etc/ssh_host_key root.root 644 +/etc/ssh_host_key.pub root.root 644 +/etc/sshd_config root.root 644 +/etc/syslog.conf root.root 644 +/etc/updatedb.conf root.root 644 + + + + + diff --git a/init-sh/perm.2 b/init-sh/perm.2 new file mode 100644 index 0000000..dcaf293 --- /dev/null +++ b/init-sh/perm.2 @@ -0,0 +1,72 @@ +# +# +# - Group for X user +# - Group for audio user +# - Group for dialout user +# - Group for video user +# Directories / +# Welcome in Level 2 +### + +/bin root.root 755 +/boot root.root 755 +/dev root.root 755 +/dev/audio* root.audio 660 +/dev/dsp* root.audio 660 +/etc/ root.root 755 +/etc/cron.daily/ root.root 755 +/etc/cron.hourly/ root.root 755 +/etc/cron.monthly/ root.root 755 +/etc/cron.weekly/ root.root 755 +/etc/dhcpcd/ root.root 755 +/etc/init.d/ root.root 755 +/etc/profile root.root 644 +/home/ root.root 755 +/home/* current 755 +/lib root.root 755 +/mnt root.root 755 +/root root.root 700 +/sbin root.root 755 +/tmp root.root 1777 +/usr root.root 755 +/usr/* root.root 755 +/usr/X11R6/ root.root 755 +/usr/bin/ root.root 755 +/usr/bin/* root.root 755 +/usr/sbin/ root.root 755 +/var root.root 755 + +/etc/conf.modules root.root 644 +/etc/crontab root.root 644 +/etc/esd.conf root.root 644 +/etc/ftpaccess root.root 644 +/etc/ftpconversions root.root 644 +/etc/ftpgroups root.root 644 +/etc/ftphosts root.root 644 +/etc/ftpusers root.root 644 +/etc/gettydefs root.root 644 +/etc/hosts.allow root.root 644 +/etc/hosts.deny root.root 644 +/etc/hosts.equiv root.root 644 +/etc/inetd.conf root.root 644 +/etc/inittab root.root 644 +/etc/ld.so.conf root.root 644 +/etc/lilo.conf root.root 644 +/etc/modules.conf root.root 644 +/etc/motd root.root 644 +/etc/printcap root.root 644 +/etc/rc.d/ root.root 755 +/etc/securetty root.root 644 +/etc/sendmail.cf root.root 644 +/etc/ssh_config root.root 644 +/etc/ssh_host_key root.root 644 +/etc/ssh_host_key.pub root.root 644 +/etc/sshd_config root.root 644 +/etc/syslog.conf root.root 644 +/etc/updatedb.conf root.root 644 + + + + + + diff --git a/init-sh/perm.3 b/init-sh/perm.3 new file mode 100644 index 0000000..94d12e7 --- /dev/null +++ b/init-sh/perm.3 @@ -0,0 +1,68 @@ +# +# +# - Group for X user +# - Group for audio user +# - Group for dialout user +# - Group for video user +# Directories / +# Welcome in Level 3 +### + +/bin root.root 755 +/boot root.root 755 +/dev root.root 755 +/dev/audio* root.audio 660 +/dev/dsp* root.audio 660 +/etc/ root.root 755 +/etc/cron.daily/ root.root 755 +/etc/cron.hourly/ root.root 755 +/etc/cron.monthly/ root.root 755 +/etc/cron.weekly/ root.root 755 +/etc/dhcpcd/ root.root 755 +/etc/init.d/ root.root 755 +/etc/profile root.root 644 +/home/ root.root 755 +/home/* current 700 +/lib root.root 755 +/mnt root.root 755 +/root root.root 700 +/sbin root.root 755 +/tmp root.root 1777 +/usr root.root 755 +/usr/* root.root 755 +/usr/X11R6/ root.root 755 +/usr/bin/ root.root 755 +/usr/bin/* root.root 755 +/usr/sbin/ root.root 755 +/var root.root 755 + +/etc/conf.modules root.root 644 +/etc/crontab root.root 644 +/etc/esd.conf root.root 644 +/etc/ftpaccess root.root 644 +/etc/ftpconversions root.root 644 +/etc/ftpgroups root.root 644 +/etc/ftphosts root.root 644 +/etc/ftpusers root.root 644 +/etc/gettydefs root.root 644 +/etc/hosts.allow root.root 644 +/etc/hosts.deny root.root 644 +/etc/hosts.equiv root.root 644 +/etc/inetd.conf root.root 644 +/etc/inittab root.root 644 +/etc/ld.so.conf root.root 644 +/etc/lilo.conf root.root 644 +/etc/modules.conf root.root 644 +/etc/motd root.root 644 +/etc/printcap root.root 644 +/etc/rc.d/ root.root 755 +/etc/securetty root.root 644 +/etc/sendmail.cf root.root 644 +/etc/ssh_config root.root 644 +/etc/ssh_host_key root.root 644 +/etc/ssh_host_key.pub root.root 644 +/etc/sshd_config root.root 644 +/etc/syslog.conf root.root 644 +/etc/updatedb.conf root.root 644 + + diff --git a/init-sh/perm.4 b/init-sh/perm.4 new file mode 100644 index 0000000..8e422df --- /dev/null +++ b/init-sh/perm.4 @@ -0,0 +1,72 @@ +# +# +# - Group for X user +# - Group for audio user +# - Group for dialout user +# - Group for video user +# Welcome in Level 4, aka secure & usable. + +/bin root.root 711 +/boot root.root 700 +/dev root.root 711 +/dev/audio* root.audio 600 +/dev/dsp* root.audio 600 +/etc/ root.adm 711 +/etc/conf.modules root.adm 640 +/etc/cron.daily/ root.adm 750 +/etc/cron.hourly/ root.adm 750 +/etc/cron.monthly/ root.adm 750 +/etc/cron.weekly/ root.adm 750 +/etc/crontab root.adm 640 +/etc/dhcpcd/ root.adm 750 +/etc/dhcpcd/* root.adm 640 +/etc/esd.conf root.audio 640 +/etc/ftpaccess root.adm 640 +/etc/ftpconversions root.adm 640 +/etc/ftpgroups root.adm 640 +/etc/ftphosts root.adm 640 +/etc/ftpusers root.adm 640 +/etc/gettydefs root.adm 640 +/etc/hosts.allow root.adm 640 +/etc/hosts.deny root.adm 640 +/etc/hosts.equiv root.adm 640 +/etc/inetd.conf root.adm 640 +/etc/inittab root.adm 640 +/etc/ld.so.conf root.adm 640 +/etc/lilo.conf root.adm 640 +/etc/modules.conf root.adm 640 +/etc/motd root.adm 644 +/etc/printcap root.adm 640 +/etc/profile root.root 644 +/etc/rc.d/ root.adm 640 +/etc/securetty root.adm 640 +/etc/sendmail.cf root.adm 640 +/etc/ssh_config root.root 644 +/etc/ssh_host_key root.adm 640 +/etc/ssh_host_key.pub root.adm 644 +/etc/sshd_config root.adm 640 +/etc/syslog.conf root.adm 640 +/etc/updatedb.conf root.adm 640 + +/home/ root.adm 751 +/home/* current 700 +/lib root.adm 751 +/mnt root.adm 750 +/root root.root 700 +/sbin root.adm 751 +/tmp root.root 1777 +/usr root.adm 751 +/usr/* root.adm 751 +/usr/X11R6/ root.xgrp 751 +/usr/bin/ root.adm 751 +/usr/bin/* root.root 755 +/usr/sbin/ root.adm 751 +/usr/sbin/* root.root 755 +/var root.root 755 + + + + + + + diff --git a/init-sh/perm.5 b/init-sh/perm.5 new file mode 100644 index 0000000..1965860 --- /dev/null +++ b/init-sh/perm.5 @@ -0,0 +1,67 @@ +# +# +# - Group for X user +# - Group for audio user +# - Group for dialout user +# - Group for video user +# Welcome in Level 5, aka paranoid. + +/bin root.root 711 +/boot root.root 700 +/dev root.root 711 +/dev/audio* root.audio 600 +/dev/dsp* root.audio 600 +/etc/ root.root 711 +/etc/conf.modules root.root 600 +/etc/cron.daily/ root.root 700 +/etc/cron.hourly/ root.root 700 +/etc/cron.monthly/ root.root 700 +/etc/cron.weekly/ root.root 700 +/etc/crontab root.root 600 +/etc/dhcpcd/ root.root 700 +/etc/dhcpcd/* root.root 600 +/etc/esd.conf root.audio 640 +/etc/ftpaccess root.root 600 +/etc/ftpconversions root.root 600 +/etc/ftpgroups root.root 600 +/etc/ftphosts root.root 600 +/etc/ftpusers root.root 600 +/etc/gettydefs root.root 600 +/etc/hosts.allow root.root 600 +/etc/hosts.deny root.root 600 +/etc/hosts.equiv root.root 600 +/etc/inetd.conf root.root 600 +/etc/inittab root.root 600 +/etc/ld.so.conf root.root 600 +/etc/lilo.conf root.root 600 +/etc/modules.conf root.root 600 +/etc/motd root.root 644 +/etc/printcap root.root 640 +/etc/profile root.root 644 +/etc/rc.d/ root.root 600 +/etc/securetty root.root 600 +/etc/sendmail.cf root.root 600 +/etc/ssh_config root.root 644 +/etc/ssh_host_key root.root 600 +/etc/ssh_host_key.pub root.root 644 +/etc/sshd_config root.root 600 +/etc/syslog.conf root.root 600 +/etc/updatedb.conf root.root 600 + +/home/ root.root 711 +/home/* current 700 +/lib root.root 711 +/mnt root.root 710 +/root root.root 700 +/sbin root.root 711 +/tmp root.root 1777 +/usr root.root 711 +/usr/* root.root 711 +/usr/X11R6/ root.xgrp 710 +/usr/bin/ root.root 711 +/usr/bin/* root.root 755 +/usr/sbin/ root.root 711 +/usr/sbin/* root.root 700 +/usr/sbin/sendmail root.root 755 +/var root.root 755 + diff --git a/init-sh/server.4 b/init-sh/server.4 new file mode 100644 index 0000000..044f0bf --- /dev/null +++ b/init-sh/server.4 @@ -0,0 +1,6 @@ +crond +syslog +keytable +network +gpm +xfs diff --git a/init-sh/server.5 b/init-sh/server.5 new file mode 100644 index 0000000..044f0bf --- /dev/null +++ b/init-sh/server.5 @@ -0,0 +1,6 @@ +crond +syslog +keytable +network +gpm +xfs diff --git a/src/promisc_check/Makefile b/src/promisc_check/Makefile new file mode 100644 index 0000000..b7bb4e9 --- /dev/null +++ b/src/promisc_check/Makefile @@ -0,0 +1,13 @@ +CC=gcc +NAME=promisc_check + +CFLAGS = -ggdb -Wall -Wmissing-prototypes -Wmissing-declarations \ +-Wpointer-arith -m486 -O2 -finline-functions -fkeep-inline-functions + +OBJ=promisc_check.o + +promisc_check: $(OBJ) + $(CC) $(OBJ) -o $(NAME) + +install: + cp $(NAME) /usr/bin diff --git a/src/promisc_check/promisc_check.c b/src/promisc_check/promisc_check.c new file mode 100644 index 0000000..411fe12 --- /dev/null +++ b/src/promisc_check/promisc_check.c @@ -0,0 +1,137 @@ +/***************************************************************************** + * Mandrake Security * + * Written by Vandoorselaere Yoann * + * (C) 1999, Mandrakesoft * + *****************************************************************************/ + +/***** +* +* Copyright (C) 1999 Mandrakesoft +* All Rights Reserved +* +* This file is part of the Mandrake Security program. +* +* This program is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2, or (at your option) +* any later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU General Public License for more details. +* +* You should have received a copy of the GNU General Public License +* along with this program; see the file COPYING. If not, write to +* the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. +* +*****/ + +/* + * This program will verify each interface on the machine to + * see if one of them is in promisc state. + * + * In this program, buf is an array containing many structure ifreq... + * this allow you to print out : + * ( BUFSIZ / sizeof(struct ifreq )) number of ether card configuration. + */ + +#include <stdio.h> +#include <unistd.h> +#include <sys/socket.h> +#include <sys/ioctl.h> +#include <net/if.h> + +static int quiet_mode = 0; + +void usage(void); +void check_args(int argc, char **argv); +void PrintResult(struct ifreq *ifr); + +int main(int argc, char **argv) +{ + struct ifconf ifc; + char buf[BUFSIZ], *ptr, *ptr_end; + int ret, sock; + + check_args(argc, argv); + + sock = socket(AF_INET, SOCK_DGRAM, 0); + if (sock < 0) { + perror("socket"); + exit(1); + } + + ifc.ifc_len = sizeof(buf); + ifc.ifc_buf = buf; + + ret = ioctl(sock, SIOCGIFCONF, (char *) &ifc); + if (ret < 0) { + perror("ioctl: SIOCGIFCONF"); + exit(1); + } + + ptr_end = buf + ifc.ifc_len; + for (ptr = ifc.ifc_buf; ptr < ptr_end; ptr += sizeof(struct ifreq)) { + struct ifreq *ifr; + + ifr = (struct ifreq *) ptr; + + ret = ioctl(sock, SIOCGIFFLAGS, (char *) ifr); + if (ret < 0) { + perror("ioctl : SIOCGIFFLAGS"); + exit(1); + } + + PrintResult(ifr); + } + + close(sock); + exit(0); +} + +void PrintResult(struct ifreq *ifr) +{ + if (quiet_mode == 0) { + if ((ifr->ifr_flags & IFF_PROMISC) != 0) + printf("%s : Promiscuous mode detected.\n", + ifr->ifr_name); + else + printf("%s : Not in promiscuous mode.\n", + ifr->ifr_name); + } else { + if ((ifr->ifr_flags & IFF_PROMISC) != 0) + printf("%s\n", ifr->ifr_name); + } +} + + + +void check_args(int argc, char **argv) +{ + while (1) { + int c; + + c = getopt(argc, argv, "qh"); + if (c == -1) + break; + + switch (c) { + case 'q': + quiet_mode = 1; + break; + case 'h': + usage(); + exit(0); + default: + exit(1); + } + } +} + +void usage(void) +{ + fprintf(stderr, "Usage:\n"); + fprintf(stderr, + "\t-q Quiet mode ( only report interface name ).\n\n"); +} |