authorYoann Vandoorselaere <yoann@mandriva.com>2000-03-22 17:39:12 +0000
committerYoann Vandoorselaere <yoann@mandriva.com>2000-03-22 17:39:12 +0000
commit80a65450bd92bd7d24c8e5087856053bbacfe9d9 (patch)
tree5e8858584f8e33a80645e9284b7616741d142fbf
parentee50375647abff0b29c25673938835cbac434eb7 (diff)
*** empty log message ***
-rw-r--r--ChangeLog3
-rw-r--r--README22
-rwxr-xr-xinit-sh/custom.sh156
-rwxr-xr-xinit-sh/level5.sh18
-rw-r--r--init-sh/lib.sh6
5 files changed, 178 insertions, 27 deletions
diff --git a/ChangeLog b/ChangeLog
index cab6bba..5c31b53 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+2000-03-22 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+ * Added many of the proposed feature from Bryan Paxton.
+
2000-03-19 Yoann Vandoorselaere <yoann@mandrakesoft.com>
* security.sh : added patch from Thomas Poindessous.
* find.c : many modification :)
diff --git a/README b/README
index 3852e7d..acd2946 100644
--- a/README
+++ b/README
@@ -1,23 +1,9 @@
-This is really basic stuff at the moment...
-
-init-sh :
- this is where all script / library to switch security level are,
- use init.sh only.
-
-cron-sh :
- Here are all security script that will be used in crontab.
-
-src:
- C program for security check.
-
-Note : i know my Makefile are dirty,
- so if someone wish to clean them :-)
-
-
+******************
+Configurations files in /etc/security/msec/
+Shell scripts in /usr/share/msec.
******************
-All stuff are installed in /etc/security/msec/
-use init.sh to change security level
+Many thanks to Bryan Paxton for a good bunch of idea & contribution.
Suggest & Comment :
yoann@mandrakesoft.com
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index 253d9d9..3018f75 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -1,10 +1,23 @@
#!/bin/bash
+
#
# Security level implementation...
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#
+###
+clear
+echo "This script allows you to customize the security on your system."
+echo "If you feel at all you don't know what you're doing abort now!!!"
+# can't use ctrl-c, we trap all signal.
+echo -n "continue [yes/no] : "
+read answer;
+
+if [[ ${answer} != yes ]]; then
+ exit 1
+fi
+
if [[ -f /usr/share/msec/lib.sh ]]; then
. /usr/share/msec/lib.sh
else
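Review bot: The comment above the new confirmation prompt says Ctrl-C cannot be used because all signals are trapped, yet the prompt and `read answer` run before /usr/share/msec/lib.sh is sourced at the bottom of this hunk, so if the trap is installed by lib.sh (not visible here) it is not yet in effect and the comment is misleading. Either move the confirmation below the `. /usr/share/msec/lib.sh` line or reword the comment to `# lib.sh is not sourced yet, so ctrl-c still aborts here.`. Use `read -r answer` as well, so a backslash in the reply is taken literally. The `if`/`else` that sources lib.sh continues past the end of the hunk.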
@@ -17,13 +30,7 @@ clear
WRITE_CRON="false"
###
-echo "Do you want all system events to be logged on tty12 ?"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- AddRules "*.* /dev/tty12" /etc/syslog.conf
-fi
-###
echo "Do you want to only allow ctrl-alt-del if root is logged locally ?"
echo "( or if an user present in /etc/shutdown.allow is logged locally )"
WaitAnswer; clear
@@ -186,7 +193,8 @@ LiloUpdate;
/sbin/lilo >& /dev/null
###
-echo "Do you want to disable your running server ( except important one )"
+clear
+echo "Do you want to disable your running server ( except those specified in /etc/security/msec/server.4 )"
echo "This is only valuable for server installed with rpm."
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
@@ -229,7 +237,7 @@ echo "paranoid ( 077 ) = user = rwx, group = , other ="
answer="nothing"
while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != "restricted" && "${answer}" != "paranoid" ]]; do
echo -n "easy/normal/restricted/paranoid : "
- read answer
+ read answer
done
case "${answer}" in
"easy")
@@ -247,6 +255,129 @@ case "${answer}" in
esac
###
+
+echo "Do you want easy, normal, restricted, or paranoid permission ?"
+answer="nothing"
+while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != "restricted" && "${answer}" != "paranoid" ]]; do
+ echo -n "easy/normal/restricted/paranoid : "
+ read answer
+done
+case "${answer}" in
+ "easy")
+ /usr/share/msec/file_perm.sh /etc/security/msec/perm.2
+ ;;
+ "normal")
+ /usr/share/msec/file_perm.sh /etc/security/msec/perm.3
+ ;;
+ "restricted")
+ /usr/share/msec/file_perm.sh /etc/security/msec/perm.4
+ ;;
+ "paranoid")
+ /usr/share/msec/file_perm.sh /etc/security/msec/perm.5
+ ;;
+esac
+
+#Logging
+clear
+echo "Would you like set to up additional logging ?"
+echo "Logging will still go to its respected places in /var/log as well."
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ echo "Would you like all system events to be logged on a specific tty ?"
+ echo "please answer by \"no\" or the tty number."
+ echo -n "no/ttynumber :"
+ read answer
+ if [[ ${answer} != no && ${anwer} != yes ]]; then
+ AddRules "*.* /dev/tty${answer}" /etc/syslog.conf
+ fi
+
+ echo
+ echo "Would you like for auth and warnings to a specific tty ?"
+ echo "please answer by \"no\" or the tty number."
+ echo -n "no/ttynumber :"
+ read answer
+ if [[ ${answer} != no && ${anwer} != yes ]]; then
+ AddRules "authpriv.* /dev/tty${answer}" /etc/syslog.conf
+ fi
+
+ echo
+ echo "Would you like kernel logging to go on a specific tty ?"
+ echo "please answer by \"no\" or the tty number."
+ echo -n "no/ttynumber :"
+ read answer
+ if [[ ${answer} != no && ${anwer} != yes ]]; then
+ AddRules "kern.* /dev/tty${answer}" /etc/syslog.conf
+ fi
+
+ echo
+ echo "Would you like mail logging to a specific tty ?"
+ echo "This is only useful if you're running a mail server."
+ echo "please answer by \"no\" or the tty number."
+ echo -n "no/ttynumber :"
+ read answer
+ if [[ ${answer} != no && ${anwer} != yes ]]; then
+ AddRules "mail.* /dev/tty${answer}" /etc/syslog.conf
+ fi
+
+ /etc/rc.d/init.d/syslog restart >& /dev/null
+fi
+
+clear
+
+###
+clear
+echo "We can setup your system to log who does what commands and when..."
+echo "May we set up proccess accounting ?"
+echo "The log file (/var/log/security/psacct.log) will get filled up VERY quickly..."
+echo "You need the psacct package."
+WaitAnswer;
+
+if [[ ${answer} == yes ]]; then
+ AddRules "touch /var/log/security/pacct.log" /etc/rc.d/rc.local
+ AddRules "/sbin/accton /var/log/security/pacct.log" /etc/rc.d/rc.local
+ AddRules "/var/log/security/pacct.log {" /etc/logrotate.conf
+ AddRules " postrotate" /etc/logrotate.conf
+ AddRules " /sbin/accton /var/log/security/pacct.log" /etc/logrotate.conf
+ AddRules " }" /etc/logrotate.conf
+ touch /var/log/security/pacct.log
+ chown root.root /var/log/security/pacct.log
+ chmod 600 /var/log/security/pacct.log
+ /sbin/accton /var/log/security/pacct.log
+fi
+
+### Pam
+clear
+
+dfsize=40000
+echo "We help prevent certain types of DoS attacks through the use of PAM(Pluggable Authentication Modules.)"
+echo "By setting a limit on how big user files may get and how many processes a user may run."
+
+echo "Would you like to set up some PAM configuration ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "# Limit user processes" /etc/security/limits.conf
+ AddRules "* soft nproc 100" /etc/security/limits.conf
+ AddRules "* hard nproc 150" /etc/security/limits.conf
+
+ echo "Would you like to set a maximum file size a user is allowed ?"
+ WaitAnswer; clear
+ if [[ ${answer} == yes ]]; then
+ echo "What shall be the maximum file size(default is $(dfsize))"
+ echo -n "Size : "
+ read fsize
+ if [[ -z ${fsize} ]]; then
+ AddRules "# limits size of any one of users' files" /etc/security/limits.conf
+ AddRules "* hard $dfsize" /etc/security/limits.conf
+ else
+ AddRules "# limits size of any one of users' files" /etc/security/limits.conf
+ AddRules "* hard $fsize" /etc/security/limits.conf
+ fi
+ fi
+fi
+
+
+
+###
echo "Do you want a "." in your PATH variable ?"
echo "This permit you to not use ./progname & to just type progname"
echo "However this is a *high* security risk."
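Review bot: The four tty prompts write whatever was typed straight into /etc/syslog.conf: the guard `[[ ${answer} != no && ${anwer} != yes ]]` misspells `answer` in its second test, so it only rejects the literal `no`, and an empty or arbitrary reply becomes a `*.* /dev/tty` or `*.* /dev/ttyfoo` rule that syslogd will then try to open as root. Each check should accept only digits, e.g. `if [[ -n ${answer} && ${answer} != *[!0-9]* ]]; then`, and every `read answer`/`read fsize` should be `read -r`. In the PAM section `$(dfsize)` is a command substitution rather than `${dfsize}`, so the default-size prompt tries to run a nonexistent command, and the generated `* hard $dfsize` / `* hard $fsize` lines lack the limits.conf item field and should read `* hard fsize ${dfsize}` (with `${fsize}` checked to be numeric before it is written). The process-accounting stanza appended to /etc/logrotate.conf also opens `postrotate` without the `endscript` logrotate requires before the closing `}`, and its prompt names psacct.log while the file actually used is pacct.log.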
@@ -273,3 +404,12 @@ AddRules "export PATH SECURE_LEVEL" /etc/profile
+
+
+
+
+
+
+
+
+
diff --git a/init-sh/level5.sh b/init-sh/level5.sh
index 0e458b7..0d9b58c 100755
--- a/init-sh/level5.sh
+++ b/init-sh/level5.sh
@@ -70,7 +70,23 @@ AddRules "0 0 * * * root /usr/share/msec/security.sh" /etc/crontab
###################################################
-# Wanna a password ?
+# setup BSD accounting.
+
+echo "Setting up BSD process accounting..."
+if [[ -f /sbin/accton ]]; then
+ AddRules "touch /var/log/security/pacct.log" /etc/rc.d/rc.local
+ AddRules "/sbin/accton /var/log/security/pacct.log" /etc/rc.d/rc.local
+ AddRules "/var/log/security/pacct.log {" /etc/logrotate.conf
+ AddRules " postrotate" /etc/logrotate.conf
+ AddRules " /sbin/accton /var/log/security/pacct.log" /etc/logrotate.conf
+ AddRules " }" /etc/logrotate.conf
+ touch /var/log/security/pacct.log
+ chown root.root /var/log/security/pacct.log
+ chmod 600 /var/log/security/pacct.log
+ /sbin/accton /var/log/security/pacct.log
+fi
+
+# Wanna password ?
LiloUpdate;
echo -n "Running lilo to record new config : "
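Review bot: The logrotate stanza appended to /etc/logrotate.conf opens a `postrotate` block but never closes it with `endscript`, so the `}` is swallowed into the script body and logrotate will reject the configuration the next time it runs; the file created after rotation would also not carry the 0600 root-only mode set on the original unless the stanza asks for it. The stanza should be rewritten as below with `endscript`, `create 0600 root root` and `missingok`, and `mkdir -p /var/log/security` is needed before the `touch` if that directory is not guaranteed to exist (its creation is not visible here). The same stanza is duplicated in init-sh/custom.sh in this commit and needs the same fix.
```shell
if [[ -f /sbin/accton ]]; then
    mkdir -p /var/log/security
    AddRules "touch /var/log/security/pacct.log" /etc/rc.d/rc.local
    AddRules "/sbin/accton /var/log/security/pacct.log" /etc/rc.d/rc.local
    AddRules "/var/log/security/pacct.log {" /etc/logrotate.conf
    AddRules "    missingok" /etc/logrotate.conf
    AddRules "    create 0600 root root" /etc/logrotate.conf
    AddRules "    postrotate" /etc/logrotate.conf
    AddRules "        /sbin/accton /var/log/security/pacct.log" /etc/logrotate.conf
    AddRules "    endscript" /etc/logrotate.conf
    AddRules "}" /etc/logrotate.conf
    # … unchanged: touch/chown/chmod/accton on the live file …
fi
```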
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
index 7f55c7c..7b395a7 100644
--- a/init-sh/lib.sh
+++ b/init-sh/lib.sh
@@ -181,6 +181,8 @@ CleanRules /etc/security/msec/security.conf
CommentUserRules /etc/security/msec/security.conf
CleanRules /etc/profile
CleanRules /etc/lilo.conf
+CleanRules /etc/logrotate.conf
+CleanRules /etc/rc.d/rc.local
CleanRules /etc/rc.d/rc.firewall
CleanRules /etc/crontab
CleanRules /etc/X11/xdm/Xsession
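Review bot: Cleaning the msec lines out of /etc/rc.d/rc.local and /etc/logrotate.conf removes the boot-time `accton` re-enable that the level scripts add, but if CleanRules only strips marked lines (its body is not visible here) it leaves process accounting running in the kernel on a system where a previous level switched it on. The cleanup path should also turn accounting off explicitly, e.g. `[[ -f /sbin/accton ]] && /sbin/accton >& /dev/null`, so that moving to a level that does not use it actually stops writing /var/log/security/pacct.log. This run of CleanRules calls begins above the hunk.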
@@ -192,9 +194,13 @@ echo "Setting spoofing protection : "
AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall
# default group which must exist on the system
+# groupadd already check for their existance...
groupadd nogroup >& /dev/null
groupadd audio >& /dev/null
groupadd xgrp >& /dev/null
+groupadd ntools >& /dev/null
+groupadd ctools >& /dev/null
+
usermod -G xgrp xfs
/usr/share/msec/grpuser.sh --clean
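Review bot: Creating `ntools` and `ctools` with `groupadd ... >& /dev/null` hides every failure, not only the "group already exists" case the new comment refers to, so a read-only or corrupt /etc/group leaves the groups missing silently before `/usr/share/msec/grpuser.sh --clean` runs. Test for existence and let a real failure surface: `getent group ntools >/dev/null || groupadd ntools` (likewise for `ctools`). The purpose of the two new groups is not stated anywhere in the hunk; a one-line comment above them saying what they are used for would help the next maintainer.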