diff options
author | Frederic Lepied <flepied@mandriva.com> | 2001-08-09 08:10:59 +0000 |
---|---|---|
committer | Frederic Lepied <flepied@mandriva.com> | 2001-08-09 08:10:59 +0000 |
commit | 7c4523ed3de1cb0e5ea25d8e452c946232449ed4 (patch) | |
tree | a6c690d0e4382b47f92173d3f5821bf560951e6b /TODO | |
parent | 2672f03b09c111a536856390cb5430b0fb4a6579 (diff) | |
download | msec-7c4523ed3de1cb0e5ea25d8e452c946232449ed4.tar msec-7c4523ed3de1cb0e5ea25d8e452c946232449ed4.tar.gz msec-7c4523ed3de1cb0e5ea25d8e452c946232449ed4.tar.bz2 msec-7c4523ed3de1cb0e5ea25d8e452c946232449ed4.tar.xz msec-7c4523ed3de1cb0e5ea25d8e452c946232449ed4.zip |
merge back 0.15-17mdk in CVS
Diffstat (limited to 'TODO')
-rw-r--r-- | TODO | 561 |
1 files changed, 561 insertions, 0 deletions
@@ -0,0 +1,561 @@ + Some new stuff I thought should be implemented as well... And yes they keep +on a coming!!!!!!!!! : ) + + ######## Begin new stuff ############## +#!/bin/bash + +#Logging + +echo "Would you like set to up addtional logging ?" +echo "Logging will still go to its respected places in /var/log as well." +WaitAnswer;clear +if [[ ${answer} == yes ]]; then +echo "Would you like for auth and warnings to be logged to tty11 ?" +WaitAnswer;clear +if [[ ${answer} == yes ]]; then +AddRules "authpriv.* /dev/tty11" /etc/syslog.conf +echo "Would you like kernel logging to go tty10 ?" +WaitAnswer;clear +if [[ ${answer} == yes ]]; then +AddRules "kern.* /dev/tty10" /etc/syslog.conf +echo "Would you like mail logging to go tty9 ?" +echo "This is only useful if you're running a mail server(sendmail)." +WaitAnswer;clear +if [[ ${answer} == yes ]]; then +AddRules "mail.* /dev/tty9" /etc/syslog.conf +/etc/rc.d/init.d/syslog restart > /dev/null +fi + fi + fi +#End of logging + +Is BSD style process accounting on by default in Mandrake ? +echo "We can setup your system to log who does what commands and when..." +echo "May we set up proccess accounting ?" +echo "The log file will get filled up VERY quickly +WaitAnswer;clear +if [[ ${answer} == yes ]]; then +AddRules "/sbin/accton /var/log/pacct" /etc/rc.d/rc.local #This probablly needs +it's own script though +echo "/var/log/pacct { " >> /etc/logrotate.conf +echo " postrotate" >> /etc/logrotate.conf +echo " /usr/sbin/accton /var/log/pacct" >> /etc/logrotate.conf +echo >> /etc/logrotate.conf +echo >> "}" /etc/logrotate.conf +#Got a be a cleaner way to do this : ) +fi +#End BSD style process accounting + +#PAM stuff +#default file size limit +dfsize=40000 +echo "We help prevent certain types of DoS attacks through the use of +PAM(Pluggable Authentication Modules.)" +echo "By setting a limit on how big user files may get and how many processes a +user may run." +echo "Would you like to set up some PAM configuration ?" +WaitAnswer;clear +if [[ ${answer} == yes ]]; then +AddRules "# Limit user processes" /etc/security/limits.conf +AddRules "* soft nproc 100" /etc/security/limits.conf +AddRules "* hard nproc 150" /etc/security/limits.conf +echo "Would you like to set a maximum file size a user is allowed ?" +WaitAnswer;clear +if [[ ${answer} == yes ]]; then +echo "What shall be the maximum file size(default it 40000 = 40MB)" +echo -n "Size[40000]: " +read fsize +if [[ -z ${fsize} ]]; then +AddRules "# limits size of any one of users' files" /etc/security/limits.conf +AddRules "* hard $dfsize" /etc/security/limits.conf +else +AddRules "# limits size of any one of users' files" /etc/security/limits.conf +AddRules "* hard $fsize" /etc/security/limits.conf +fi + fi + fi +#End PAM stuff + + + +********************************** + + ###########Begin modified custom.sh###################### +#!/bin/bash + +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +if [[ -f /usr/share/lsec/lib.sh ]]; then + . /usr/share/lsec/lib.sh +else + echo "Can't find /usr/share/lsec/lib.sh, exiting." + exit 1 +fi + +clear + +WRITE_CRON="false" + +### +echo "This script allows you to customize the security on your system. " +echo "If you feel at all you don't know what you're doing abort now!!! " +echo "'ctrl-c' to abort" +echo -n "Otherwise, please press [enter] to continue " +read FOO +clear + +### +echo "Do you want all system events to be logged on tty12 ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "*.* /dev/tty12" /etc/syslog.conf +fi + +### +echo "Do you want to be notified by mail of _all_ root logins ?" +echo "(This is strongle recommended)" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then +if [[ -s /root/.bashrc ]]; then +cp /root/.bashrc /tmp/bashrc +sed '/root login/d' /tmp/bashrc > /root/.bashrc +AddRules 'echo "root login Check your syslog /var/log/messages" | /bin/mail -s +"Root Login" root' /root/.bashrc +rm -f /tmp/bashrc +echo "Done" +fi +fi + + +### +echo "Do you want to only allow ctrl-alt-del if root is logged locally ?" +echo "( or if a user present in /etc/shutdown.allow is logged locally )" +WaitAnswer; clear +tmpfile=`mktemp /tmp/secure.XXXXXX` +cp /etc/inittab ${tmpfile} +if [[ ${answer} == yes ]]; then + cat ${tmpfile} | \ + sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r +now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab +else + cat ${tmpfile} | \ + sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r +now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab +fi +rm -f ${tmpfile} + +#Compile tools +#More needs to be added and this is very sloppy but you get the idea : ) +mgtools() +{ +mgcon=mgcon1 +echo "Do you want only root to have access to the system compiler(gcc/g++) ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then +chmod 0700 /usr/bin/gcc +chmod 0700 /usr/bin/g++ +fi +} +gtools() +{ +gcon=gcon0 +dgrp=devel +echo "Do you want to setup compiling tools(gcc,g++,etc..) so that they may" +echo "be used by a certain group ?" +echo -n "yes/no: " +read answer +if [[ ${answer} == yes ]]; then +gcon=gcon1 +echo +echo -n "What shall the name of this group be [devel]: " +read grp +if [[ -z ${grp} ]]; then +groupadd ${dgrp} +.. /etc/security/lsec/perm.ctoolsd +else +groupadd ${grp} +.. /etc/security/lsec/perm.ctools +fi +fi +} +gtools +#if [[ ${gcon} = gcon1 ]]; then +#ntools +#else +#mgtools +#fi + +#network tools +mntools() +{ +echo "Do you want to disable 'ping' to all users except root ?" +WaitAnswer; clear +if [[ $answer} == yes ]]; then +chmod 0700 /bin/ping +fi + +echo "Do you want to disable 'traceroute' to all users except root ?" +WaitAnswer; clear +if [[ $answer == yes ]]; then +chmod 0700 /usr/sbin/traceroute +fi + +echo "Do you want to disable 'who' to all users except root ?" +WaitAnswer; clear +if [[ $answer == yes ]]; then +chmod 0700 /usr/bin/who +fi + +echo "Do you want to disable 'w' to all users except root ?" +WaitAnswer; clear +if [[ $answer == yes ]]; then +chmod 0700 /usr/bin/w +fi + +echo "Do you want to disable 'finger' to all users except root ?" +WaitAnswer; clear +if [[ $answer == yes ]]; then +chmod 0700 /usr/bin/finger +fi + +echo "Do you want to disable telnet client to all users except root ?" +WaitAnswer; clear +if [[ $answer == yes ]]; then +chmod 0700 /usr/bin/telnet +fi + +echo "Do you want to disable ssh client to all users except root ?" +WaitAnswer; clear +if [[ $answer == yes ]]; then +chmod 0700 /usr/bin/ssh +fi +} +ntools() +{ +ncon=ncon0 +ngrpd=netsys +echo "Do you want to set up network tools so that they may be used only" +echo "by users of a certain group ?" +echo -n "yes/no: " +read answer +if [[ ${answer} == yes ]]; then +ncon=ncon1 +echo +echo -n "What shall the name of this group be [netsys]: " +read ngrp +if [[ -z ${ngrp} ]]; then +groupadd ${ngrpd} +.. /etc/security/lsec/perm.netsysd +else +groupadd ${ngrp} +.. /etc/security/lsec/perm.netsysd +fi +fi +} +if [[ ${gcon} = gcon1 ]]; then +ntools +else +mgtools +fi + +if [[ ${mgcon} = mgcon1 ]]; then +ntools +else +mntools +fi + +if [[ $ncon = ncon1 ]]; then +echo "Done" +else +mntools +fi + +### +echo "Do you want to deny any machine to connect to yours ?" +WaitAnswer +if [[ ${answer} == yes ]]; then + echo "Do you want only localhost to be allowed ?" + WaitAnswer; clear + if [[ ${answer} == yes ]]; then + AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny + else + AddRules "ALL:ALL:DENY" /etc/hosts.deny + fi +fi + +### +echo "Do you want root console login to be allowed ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "tty1" /etc/securetty quiet + AddRules "tty2" /etc/securetty quiet + AddRules "tty3" /etc/securetty quiet + AddRules "tty4" /etc/securetty quiet + AddRules "tty5" /etc/securetty quiet + AddRules "tty6" /etc/securetty +fi +### + +if [[ -f /usr/lib/libsafe.so.1.2 ]]; then +echo "Do you want to enable the libsafe stack overflow protection ?" +echo "This stack overflow protection work by catching dangerous function call" +echo "like strcpy, strcat, getwd, gets, [vf]scanf, realpath, [v]sprintf" +echo "and verify the address & the size of the destination buffer in the stack" +echo "this is done by searching in the stack frame the one which contain the" +echo "destination address, and by substracting the frame address to the +destination buffer one" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "export LD_PRELOAD=/usr/lib/libsafe.so.1.2" /etc/profile +fi +fi + +### +echo "Do you want your system to daily check important security problem ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_SECURITY=yes" /etc/security/lsec/security.conf + WRITE_CRON="true" +fi + +### +echo "Do you want your system to daily check new open port listening ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_OPEN_PORT=yes" /etc/security/lsec/security.conf + WRITE_CRON="true" +fi + +### +echo "Do you want your system to check for grave permission problem on +sensibles files ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_PERMS=yes" /etc/security/lsec/security.conf + WRITE_CRON="true" +fi + +### +echo "Do you want your system to daily check SUID Root file change ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_SUID_ROOT=yes" /etc/security/lsec/security.conf + WRITE_CRON="true" +fi + +### +echo "Do you want your system to daily check suid files md5 checksum changes ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_SUID_MD5=yes" /etc/security/lsec/security.conf + WRITE_CRON="true" +fi + +### +echo "Do you want your system to daily check SUID Group file change ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_SUID_GROUP=yes" /etc/security/lsec/security.conf + WRITE_CRON="true" +fi + +### +echo "Do you want your system to daily check Writeable file change ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_WRITEABLE=yes" /etc/security/lsec/security.conf + WRITE_CRON="true" +fi + +### +echo "Do you want your system to daily check Unowned file change ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_UNOWNED=yes" /etc/security/lsec/security.conf + WRITE_CRON="true" +fi + +### +echo "Do you want your system to verify every minutes if a network interface" +echo "is in promiscuous state (which mean someone is probably running a sniffer +on your machine ) ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "CHECK_PROMISC=yes" /etc/security/lsec/security.conf + AddRules "*/1 * * * * root nice --adjustment=+19 +/usr/share/lsec/promisc_check.sh" /etc/crontab +fi +### + +### +echo "Do you want security report to be done in syslog ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "SYSLOG_WARN=yes" /etc/security/lsec/security.conf +else + AddRules "SYSLOG_WARN=no" /etc/security/lsec/security.conf +fi +### + +echo "Do you want security report to be done by mail ?" +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "MAIL_WARN=yes" /etc/security/lsec/security.conf +else + AddRules "MAIL_WARN=no" /etc/security/lsec/security.conf +fi +### + +if [[ ${WRITE_CRON} == "true" ]]; then + AddRules "0 0-23 * * * root nice --adjustment=+19 +/usr/share/lsec/security.sh" /etc/crontab +fi + +LiloUpdate; +/sbin/lilo >& /dev/null + +### +echo "Do you want to disable all services except(gpm,xfs,keytable," +echo "network,crond, and syslogd ?" +echo "This is _highly_ recommended if you have not configured other" +echo "said services." +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + echo -n "Disabling all service, except : {" + chkconfig --list | awk '{print $1}' | while read service; do + if grep -qx ${service} /etc/security/lsec/server.4; then + echo -n " ${service}" + fi + done + echo " } : " + + chkconfig --list | awk '{print $1}' | while read service; do + chkconfig --del "${service}" + if ! chkconfig --add "${service}"; then + echo -e "\t- Services ${service} is now disabled." + fi + done + chkconfig --add gpm + chkconfig --add xfs + chkconfig --add network + chkconfig --add keytable + chkconfig --add syslog + chkconfig --add crond + echo -e "done.\n"; +fi + +### +echo "Do you want an easy, normal, restricted, or paranoid umask ?" +echo "easy ( 002 ) = user = rwx, group = rwx, other = rx" +echo "normal ( 022 ) = user = rwx, group = rx, other = rx" +echo "restricted ( for users ) ( 077 ) = user = rwx, group =, other =" +echo "restricted ( for root ) ( 022 ) = user = rwx, = group = rx, other = rx" +echo "paranoid ( 077 ) = user = rwx, group = , other =" +answer="nothing" +while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != +"restricted" && "${answer}" != "paranoid" ]]; do + echo -n "easy/normal/restricted/paranoid : " + read answer +done +case "${answer}" in + "easy") + AddRules "umask 002" /etc/profile + ;; + "normal") + AddRules "umask 022" /etc/profile + ;; + "restricted") + AddRules "if [[ \${UID} == 0 ]]; then umask 022; else umask 077; fi" +/etc/profile + ;; + "paranoid") + AddRules "umask 077" /etc/profile + ;; +esac + +### +echo "Do you want a "." in your PATH variable ?" +echo "This permit you to not use ./progname & to just type progname" +echo "However this is a *high* security risk." +WaitAnswer; clear +if [[ ${answer} == yes ]]; then + AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games:." /etc/profile quiet +else + AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/profile quiet +fi + +AddRules "export PATH SECURE_LEVEL" /etc/profile + +echo "Do you want normal, restricted, or paranoid file permissions ?" +while [[ "${answer}" != "normal" && "${answer}" != "strict" && "${answer}" != +"paranoid" ]]; do +echo -n "normal/restricted/paranoid : " + read answer +done +case "${answer}" in + "normal") + /usr/share/lsec/file_perm.sh /etc/security/lsec/perm.3 + ;; + "strict") + /usr/share/lsec/file_perm.sh /etc/security/lsec/perm.4 + ;; + "paranoid")#!/bin/bash +/usr/share/lsec/file_perm.sh /etc/security/lsec/perm.5 + ;; +esac +#EOF +# /etc/security/msec/perm.ctools +chown root.$grp /usr/bin/gcc +chmod 750 /usr/bin/gcc +chown root.$grp /usr/bin/cc +chmod 750 /usr/bin/cc +chown root.$grp /usr/bin/g++ +chmod 750 /usr/bin/g++ + +# /etc/security/msec/perm.ctoolsd +chown root.$dgrp /usr/bin/gcc +chmod 750 /usr/bin/gcc +chown root.$dgrp /usr/bin/cc +chmod 750 /usr/bin/cc +chown root.$dgrp /usr/bin/g++ +chmod 750 /usr/bin/g++ + + +# /etc/security/msec/perm.netsys +chown root.$ngrp /usr/bin/ping +chmod 750 /usr/bin/gcc +chown root.$ngrp /usr/bin/w +chmod 750 /usr/bin/w +chown root.$ngrp /usr/bin/w +chmod 750 /usr/bin/who +chown root.$ngrp /usr/bin/telnet +chmod 750 /usr/bin/telnet +chown root.$ngrp /usr/bin/ssh +chmod 750 /usr/bin/ssh +chown root.$ngrp /usr/sbin/traceroute +chmod 750 /usr/sbin/traceoute +chown root.$ngrp /usr/bin/finger +chmod 750 /usr/bin/finger + +# /etc/security/msec/perm.netsys.d +chown root.$ngrpd /bin/ping +chmod 750 /usr/bin/gcc +chown root.$ngrpd /usr/bin/w +chmod 750 /usr/bin/w +chown root.$ngrpd /usr/bin/w +chmod 750 /usr/bin/who +chown root.$ngrpd /usr/bin/telnet +chmod 750 /usr/bin/telnet +chown root.$ngrpd /usr/bin/ssh +chmod 750 /usr/bin/ssh +chown root.$ngrpd /usr/sbin/traceroute +chmod 750 /usr/sbin/traceroute +chown root.$ngrpd /usr/bin/finger +chmod 750 /usr/bin/finger + +######## END + + |