Re-created README from man.

1 files changed, 625 insertions, 87 deletions

diff --git a/src/msec/README b/src/msec/README
index 4bb3846..d2e86b3 100644
--- a/src/msec/README
+++ b/src/msec/README
@@ -1,87 +1,625 @@
-******************
-Configurations files in /etc/security/msec/
-Shell scripts in /usr/share/msec.
-******************
-
-Suggestions & comments:
-flepied@mandriva.com
-
-******************
-Doc of the rewritting in python:
-
-                        	0	1	2	3	4	5
-root umask			022	022	022	022	022	077
-shell timeout			0	0	0	0	3600	900
-deny services			none	none	none	none	local	all
-su only for wheel grp		no	no	no	no	no	yes
-user umask			022	022	022	022	077	077
-shell history size		default	default	default	default	10	10
-direct root login		yes	yes	yes	yes	no	no
-remote root login		yes	yes	yes	yes	no	no
-sulogin for single user		no	no	no	no	yes	yes
-user list in [kg]dm		yes	yes	yes	yes	no	no
-promisc check			no	no	no	no	yes	yes
-ignore icmp echo		no	no	no	no	yes	yes
-ignore broadcasted icmp echo	no	no	no	no	yes	yes
-ignore bogus error responses	no	no	no	no	yes	yes
-enable libsafe			no	no	no	no	yes	yes
-allow reboot by user		yes	yes	yes	yes	no	no
-allow crontab/at		yes	yes	yes	yes	no	no
-password aging			no	no	no	no	60	30
-allow autologin			yes	yes	yes	no	no	no
-console log			no	no	no	yes	yes	yes
-issues				yes	yes	yes	local	local	no
-ip spoofing protection		no	no	no	yes	yes	yes
-dns spoofing protection		no	no	no	yes	yes	yes
-log stange ip packets		no	no	no	yes	yes	yes
-periodic security check		no	yes	yes	yes	yes	yes
-allow X connections		yes	local	local	no	no	no
-allow xauth from root		yes	yes	yes	yes	no	no
-X server listen to		tcp	tcp	tcp	tcp	local	local
-run msec by cron		yes	yes	yes	yes	yes	yes
-
-Periodic security checks by level:
-
-                  0   1   2   3    4    5
-CHECK_SECURITY    no  yes yes yes  yes  yes  
-CHECK_PERMS       no  no  no  yes  yes  yes  
-CHECK_SUID_ROOT   no  no  yes yes  yes  yes  
-CHECK_SUID_MD5    no  no  yes yes  yes  yes  
-CHECK_SGID        no  no  yes yes  yes  yes  
-CHECK_WRITABLE    no  no  yes yes  yes  yes  
-CHECK_UNOWNED     no  no  no  no   yes  yes  
-CHECK_PROMISC     no  no  no  no   yes  yes  
-CHECK_OPEN_PORT   no  no  no  yes  yes  yes  
-CHECK_PASSWD      no  no  no  yes  yes  yes  
-CHECK_SHADOW      no  no  no  yes  yes  yes  
-TTY_WARN          no  no  no  no   yes  yes  
-MAIL_WARN         no  no  no  yes  yes  yes  
-SYSLOG_WARN       no  no  yes yes  yes  yes  
-RPM_CHECK         no  no  no  yes  yes  yes
-CHKROOTKIT_CHECK  no  no  no  yes  yes  yes
-
-These variables are configured by the user:
-
-MAIL_USER the user to send the dayly reports. If not set, the email is
-sent to root.
-
-PERM_LEVEL is used to determine which file to use to fix
-permissions/owners/groups (from /usr/share/msec/perm.$PERM_LEVEL). If
-not set, the SECURE_LEVEL is used instead. If the file
-/etc/security/msec/perm.local exists, it's used too. The syntax for
-each line if the following:
-
-<file specification>	<owner>	<permission>	[force]
-
-<file specification> can be any glob to specify one or multiple
-files/diretories.
-
-<owner> must be in the form <user>.<group> or <user>. (force only
-user) or .<group> (force only group) or current (keep current user and
-group).
-
-<permission> is an octal number representing the access rights or
-current to keep the current permissions.
-
-If force is present as a 4th argument, it means that msec will enforce
-the permission even if the previous permission was lower.
+msec(0.60.1)                                                      msec(0.60.1)
+
+
+
+NAME
+       msec - Mandriva Linux security tools
+
+SYNOPSIS
+       msec [options]
+       msecperms [options]
+       msecgui [options]
+
+DESCRIPTION
+       msec  is  responsible  to maintain system security in Mandriva. It sup‐
+       ports different security configurations, which can  be  organized  into
+       several security levels. Currently, three preconfigured security levels
+       are provided:
+
+
+       none   this level aims to provide the most basic security. It should be
+              used  when  you want to manage all aspects of system security on
+              your own.
+
+
+       default
+              this is the default security level, which configures  a  reason‐
+              ably  safe  set of security features. It activates several peri‐
+              odic system checks, and sends the results of their execution  by
+              email (by default, the local 'root' account is used).
+
+
+       secure this  level  is  configured  to provide maximum system security,
+              even at the cost of limiting the remote access  to  the  system,
+              and local user permissions. It also runs a wider set of periodic
+              checks, enforces the local password settings,  and  periodically
+              checks if the system security settings, configured by msec, were
+              modified directly or by some other application.
+
+
+
+       The security settings are  stored  in  /etc/security/msec/security.conf
+       file,  and  default  settings  for  each predefined level are stored in
+       /etc/security/msec/level.LEVEL.  Permissions for files and  directories
+       that should be enforced or checked for changes are stored in /etc/secu‐
+       rity/msec/perms.conf, and default permissions for each predefined level
+       are  stored  in /etc/security/msec/perm.LEVEL.  Note that user-modified
+       parameters take precedence over default level  settings.  For  example,
+       when  default level configuration forbids direct root logins, this set‐
+       ting can be overridden by the user.
+
+
+
+       The following options are supported by msec applications:
+
+
+       msec:
+
+
+       This is the console version of msec. It is responsible for system secu‐
+       rity  configuration  and checking and transitions between security lev‐
+       els.
+
+       When executed without parameters, msec will read the system  configura‐
+       tion file (/etc/security/msec/security.conf), and enforce the specified
+       security settings. The operations are logged to /var/log/msec.log file,
+       and also to syslog, using LOG_AUTHPRIV facility.  Please note that msec
+       should by run as root.
+
+       -h, --help
+           This option  will  display  the  list  of  supported  command  line
+       options.
+
+       -l, --level <level>
+           List the default configuration for given security level.
+
+       -f, --force <level>
+           Apply  the specified security level to the system, overwritting all
+       local changes. This is necessary to initialize a security level, either
+       on first install, on when a change to a different level is required.
+
+       -d
+           Enable debugging messages.
+
+       -p, --pretend
+           Verify the actions that will be performed by msec, without actually
+       doing anything to the system. In this mode of operation, msec  performs
+       all  the required tasks, except effectively writting data back to disk.
+
+
+       msecperms:
+
+
+       This application is responsible  for  system  permission  checking  and
+       enforcements.
+
+       When  executed  without parameters, msecperms will read the permissions
+       configuration file  (/etc/security/msec/perms.conf),  and  enforce  the
+       specified   security   settings.   The   operations   are   logged   to
+       /var/log/msec.log file, and also to syslog, using  LOG_AUTHPRIV  facil‐
+       ity.  Please note that msecperms should by run as root.
+
+       -h, --help
+           This  option  will  display  the  list  of  supported  command line
+       options.
+
+       -l, --level <level>
+           List the default configuration for given security level.
+
+       -f, --force <level>
+           Apply the specified security level to the system, overwritting  all
+       local changes. This is necessary to initialize a security level, either
+       on first install, on when a change to a different level is required.
+
+       -e, --enforce
+           Enforce the default permissions on all files.
+
+       -d
+           Enable debugging messages.
+
+       -p, --pretend
+           Verify the actions that will be performed by msec, without actually
+       doing  anything to the system. In this mode of operation, msec performs
+       all the required tasks, except effectively writting data back to  disk.
+
+
+       msecgui:
+
+
+       This  is the GTK version of msec. It acts as frontend to all msec func‐
+       tionalities.
+
+       -h, --help
+           This option  will  display  the  list  of  supported  command  line
+       options.
+
+       -d
+           Enable debugging messages.
+
+
+SECURITY OPTIONS
+       The following security options are supported by msec:
+
+
+
+
+       enable_dns_spoofing_protection
+           Enable/Disable  name  resolution  spoofing protection.  If alert is
+           true, also reports to syslog.
+
+           MSEC parameter: ENABLE_IP_SPOOFING_PROTECTION
+
+           Accepted values: yes, no
+
+
+
+       mail_empty_content
+           Enables sending of empty mail reports.
+
+           MSEC parameter: MAIL_EMPTY_CONTENT
+
+           Accepted values: yes, no
+
+
+
+       accept_broadcasted_icmp_echo
+           Accept/Refuse broadcasted icmp echo.
+
+           MSEC parameter: ACCEPT_BROADCASTED_ICMP_ECHO
+
+           Accepted values: yes, no
+
+
+
+       allow_xserver_to_listen
+           The argument specifies if clients are authorized to connect to  the
+           X server on the tcp port 6000 or not.
+
+           MSEC parameter: ALLOW_XSERVER_TO_LISTEN
+
+           Accepted values: yes, no
+
+
+
+       check_chkrootkit
+           Enables checking for known rootkits using chkrootkit.
+
+           MSEC parameter: CHECK_CHKROOTKIT
+
+           Accepted values: yes, no
+
+
+
+       check_suid_root
+           Enables checking for additions/removals of suid root files.
+
+           MSEC parameter: CHECK_SUID_ROOT
+
+           Accepted values: yes, no
+
+
+
+       enable_at_crontab
+           Enable/Disable  crontab  and  at  for  users.  Put allowed users in
+           /etc/cron.allow and /etc/at.allow (see man at(1) and crontab(1)).
+
+           MSEC parameter: ENABLE_AT_CRONTAB
+
+           Accepted values: yes, no
+
+
+
+       accept_bogus_error_responses
+           Accept/Refuse bogus IPv4 error messages.
+
+           MSEC parameter: ACCEPT_BOGUS_ERROR_RESPONSES
+
+           Accepted values: yes, no
+
+
+
+       check_suid_md5
+           Enables checksum verification for suid files.
+
+           MSEC parameter: CHECK_SUID_MD5
+
+           Accepted values: yes, no
+
+
+
+       mail_user
+           Defines email to receive security notifications.
+
+           MSEC parameter: MAIL_USER
+
+           Accepted values: *
+
+
+
+       allow_autologin
+           Allow/Forbid autologin.
+
+           MSEC parameter: ALLOW_AUTOLOGIN
+
+           Accepted values: yes, no
+
+
+
+       enable_pam_wheel_for_su
+           Enabling su only from members of the wheel group or allow  su  from
+           any user.
+
+           MSEC parameter: ENABLE_PAM_WHEEL_FOR_SU
+
+           Accepted values: yes, no
+
+
+
+       create_server_link
+           Creates   the   symlink   /etc/security/msec/server   to  point  to
+           /etc/security/msec/server.<SERVER_LEVEL>.      The       /etc/secu‐
+           rity/msec/server is used by chkconfig --add to decide to add a ser‐
+           vice if it is present in the file during the installation of  pack‐
+           ages.
+
+           MSEC parameter: CREATE_SERVER_LINK
+
+           Accepted values: no, default, secure
+
+
+
+       set_shell_timeout
+           Set the shell timeout. A value of zero means no timeout.
+
+           MSEC parameter: SHELL_TIMEOUT
+
+           Accepted values: *
+
+
+
+       check_shadow
+           Enables checking for empty passwords.
+
+           MSEC parameter: CHECK_SHADOW
+
+           Accepted values: yes, no
+
+
+
+       enable_password
+           Use  password  to authenticate users. Take EXTREMELY care when dis‐
+           abling passwords, as it will leave the machine COMPLETELY  vulnera‐
+           ble.
+
+           MSEC parameter: ENABLE_PASSWORD
+
+           Accepted values: yes, no
+
+
+
+       set_win_parts_umask
+           Set  umask option for mounting vfat and ntfs partitions. A value of
+           None means default umask.
+
+           MSEC parameter: WIN_PARTS_UMASK
+
+           Accepted values: no, *
+
+
+
+       check_open_port
+           Enables checking for open network ports.
+
+           MSEC parameter: CHECK_OPEN_PORT
+
+           Accepted values: yes, no
+
+
+
+       enable_log_strange_packets
+           Enable/Disable the logging of IPv4 strange packets.
+
+           MSEC parameter: ENABLE_LOG_STRANGE_PACKETS
+
+           Accepted values: yes, no
+
+
+
+       check_rpm
+           Enables verification of installed packages.
+
+           MSEC parameter: CHECK_RPM
+
+           Accepted values: yes, no
+
+
+
+       enable_pam_root_from_wheel
+           Allow root access without password for the  members  of  the  wheel
+           group.
+
+           MSEC parameter: ENABLE_PAM_ROOT_FROM_WHEEL
+
+           Accepted values: yes, no
+
+
+
+       mail_warn
+           Enables security results submission by email.
+
+           MSEC parameter: MAIL_WARN
+
+           Accepted values: yes, no
+
+
+
+       password_length
+           Set  the  password  minimum  length and minimum number of digit and
+           minimum number of capitalized letters.
+
+           MSEC parameter: PASSWORD_LENGTH
+
+           Accepted values: *
+
+
+
+       set_root_umask
+           Set the root umask.
+
+           MSEC parameter: ROOT_UMASK
+
+           Accepted values: *
+
+
+
+       check_sgid
+           Enables checking for additions/removals of sgid files.
+
+           MSEC parameter: CHECK_SGID
+
+           Accepted values: yes, no
+
+
+
+       check_promisc
+           Activate/Disable ethernet cards promiscuity check.
+
+           MSEC parameter: CHECK_PROMISC
+
+           Accepted values: yes, no
+
+
+
+       allow_x_connections
+           Allow/Forbid X connections. Accepted arguments:  yes  (all  connec‐
+           tions  are  allowed), local (only local connection), no (no connec‐
+           tion).
+
+           MSEC parameter: ALLOW_X_CONNECTIONS
+
+           Accepted values: yes, no, local
+
+
+
+       check_writable
+           Enables checking for files/directories writable by everybody.
+
+           MSEC parameter: CHECK_WRITABLE
+
+           Accepted values: yes, no
+
+
+
+       enable_console_log
+           Enable/Disable syslog reports to console 12. expr is the expression
+           describing  what  to  log (see syslog.conf(5) for more details) and
+           dev the device to report the log.
+
+           MSEC parameter: ENABLE_CONSOLE_LOG
+
+           Accepted values: yes, no
+
+
+
+       enable_ip_spoofing_protection
+           Enable/Disable IP spoofing protection.
+
+           MSEC parameter: ENABLE_DNS_SPOOFING_PROTECTION
+
+           Accepted values: yes, no
+
+
+
+       check_perms
+           Enables permission checking in users' home.
+
+           MSEC parameter: CHECK_PERMS
+
+           Accepted values: yes, no
+
+
+
+       set_shell_history_size
+           Set shell commands history size. A value of -1 means unlimited.
+
+           MSEC parameter: SHELL_HISTORY_SIZE
+
+           Accepted values: *
+
+
+
+       allow_reboot
+           Allow/Forbid system reboot and shutdown to local users.
+
+           MSEC parameter: ALLOW_REBOOT
+
+           Accepted values: yes, no
+
+
+
+       syslog_warn
+           Enables logging to system log.
+
+           MSEC parameter: SYSLOG_WARN
+
+           Accepted values: yes, no
+
+
+
+       check_shosts
+           Enables checking for dangerous options  in  users'  .rhosts/.shosts
+           files.
+
+           MSEC parameter: CHECK_SHOSTS
+
+           Accepted values: yes, no
+
+
+
+       check_passwd
+           Enables  password-related  checks,  such  as  empty  passwords  and
+           strange super-user accounts.
+
+           MSEC parameter: CHECK_PASSWD
+
+           Accepted values: yes, no
+
+
+
+       password_history
+           Set the password history length to prevent password reuse. This  is
+           not supported by pam_tcb.
+
+           MSEC parameter: PASSWORD_HISTORY
+
+           Accepted values: *
+
+
+
+       check_security
+           Enables daily security checks.
+
+           MSEC parameter: CHECK_SECURITY
+
+           Accepted values: yes, no
+
+
+
+       allow_root_login
+           Allow/Forbid direct root login.
+
+           MSEC parameter: ALLOW_ROOT_LOGIN
+
+           Accepted values: yes, no
+
+
+
+       check_unowned
+           Enables checking for unowned files.
+
+           MSEC parameter: CHECK_UNOWNED
+
+           Accepted values: yes, no
+
+
+
+       allow_user_list
+           Allow/Forbid  the  list  of users on the system on display managers
+           (kdm and gdm).
+
+           MSEC parameter: ALLOW_USER_LIST
+
+           Accepted values: yes, no
+
+
+
+       allow_remote_root_login
+           Allow/Forbid remote root login via sshd. You can  specify  yes,  no
+           and without-password. See sshd_config(5) man page for more informa‐
+           tion.
+
+           MSEC parameter: ALLOW_REMOTE_ROOT_LOGIN
+
+           Accepted values: yes, no, without_password
+
+
+
+       enable_msec_cron
+           Enable/Disable msec hourly security check.
+
+           MSEC parameter: ENABLE_MSEC_CRON
+
+           Accepted values: yes, no
+
+
+
+       enable_sulogin
+           Enable/Disable sulogin(8) in single user level.
+
+           MSEC parameter: ENABLE_SULOGIN
+
+           Accepted values: yes, no
+
+
+
+       allow_xauth_from_root
+           Allow/forbid to export display when passing from the  root  account
+           to the other users. See pam_xauth(8) for more details.
+
+           MSEC parameter: ALLOW_XAUTH_FROM_ROOT
+
+           Accepted values: yes, no
+
+
+
+       set_user_umask
+           Set the user umask.
+
+           MSEC parameter: USER_UMASK
+
+           Accepted values: *
+
+
+
+       accept_icmp_echo
+           Accept/Refuse icmp echo.
+
+           MSEC parameter: ACCEPT_ICMP_ECHO
+
+           Accepted values: yes, no
+
+
+
+       authorize_services
+           Configure  access to tcp_wrappers services (see hosts.deny(5)).  If
+           arg = yes, all services are authorized. If arg = local, only  local
+           ones  are,  and  if  arg  = no, no services are authorized. In this
+           case, To authorize the services you need, use /etc/hosts.allow (see
+           hosts.allow(5)).
+
+           MSEC parameter: AUTHORIZE_SERVICES
+
+           Accepted values: yes, no, local
+
+
+
+       tty_warn
+           Enables periodic security check results to terminal.
+
+           MSEC parameter: TTY_WARN
+
+           Accepted values: yes, no
+
+
+NOTES
+       Msec applications must be run by root.
+
+AUTHORS
+       Frederic Lepied <flepied@mandriva.com>
+
+       Eugeni Dodonov <eugeni@mandriva.com>
+
+
+
+
+Mandriva Linux                       msec                         msec(0.60.1)