aboutsummaryrefslogtreecommitdiffstats
path: root/TODO
diff options
context:
space:
mode:
authorFrederic Lepied <flepied@mandriva.com>2001-08-09 08:10:59 +0000
committerFrederic Lepied <flepied@mandriva.com>2001-08-09 08:10:59 +0000
commit7c4523ed3de1cb0e5ea25d8e452c946232449ed4 (patch)
treea6c690d0e4382b47f92173d3f5821bf560951e6b /TODO
parent2672f03b09c111a536856390cb5430b0fb4a6579 (diff)
downloadmsec-7c4523ed3de1cb0e5ea25d8e452c946232449ed4.tar
msec-7c4523ed3de1cb0e5ea25d8e452c946232449ed4.tar.gz
msec-7c4523ed3de1cb0e5ea25d8e452c946232449ed4.tar.bz2
msec-7c4523ed3de1cb0e5ea25d8e452c946232449ed4.tar.xz
msec-7c4523ed3de1cb0e5ea25d8e452c946232449ed4.zip
merge back 0.15-17mdk in CVS
Diffstat (limited to 'TODO')
-rw-r--r--TODO561
1 files changed, 561 insertions, 0 deletions
diff --git a/TODO b/TODO
new file mode 100644
index 0000000..983327d
--- /dev/null
+++ b/TODO
@@ -0,0 +1,561 @@
+ Some new stuff I thought should be implemented as well... And yes they keep
+on a coming!!!!!!!!! : )
+
+ ######## Begin new stuff ##############
+#!/bin/bash
+
+#Logging
+
+echo "Would you like set to up addtional logging ?"
+echo "Logging will still go to its respected places in /var/log as well."
+WaitAnswer;clear
+if [[ ${answer} == yes ]]; then
+echo "Would you like for auth and warnings to be logged to tty11 ?"
+WaitAnswer;clear
+if [[ ${answer} == yes ]]; then
+AddRules "authpriv.* /dev/tty11" /etc/syslog.conf
+echo "Would you like kernel logging to go tty10 ?"
+WaitAnswer;clear
+if [[ ${answer} == yes ]]; then
+AddRules "kern.* /dev/tty10" /etc/syslog.conf
+echo "Would you like mail logging to go tty9 ?"
+echo "This is only useful if you're running a mail server(sendmail)."
+WaitAnswer;clear
+if [[ ${answer} == yes ]]; then
+AddRules "mail.* /dev/tty9" /etc/syslog.conf
+/etc/rc.d/init.d/syslog restart > /dev/null
+fi
+ fi
+ fi
+#End of logging
+
+Is BSD style process accounting on by default in Mandrake ?
+echo "We can setup your system to log who does what commands and when..."
+echo "May we set up proccess accounting ?"
+echo "The log file will get filled up VERY quickly
+WaitAnswer;clear
+if [[ ${answer} == yes ]]; then
+AddRules "/sbin/accton /var/log/pacct" /etc/rc.d/rc.local #This probablly needs
+it's own script though
+echo "/var/log/pacct { " >> /etc/logrotate.conf
+echo " postrotate" >> /etc/logrotate.conf
+echo " /usr/sbin/accton /var/log/pacct" >> /etc/logrotate.conf
+echo >> /etc/logrotate.conf
+echo >> "}" /etc/logrotate.conf
+#Got a be a cleaner way to do this : )
+fi
+#End BSD style process accounting
+
+#PAM stuff
+#default file size limit
+dfsize=40000
+echo "We help prevent certain types of DoS attacks through the use of
+PAM(Pluggable Authentication Modules.)"
+echo "By setting a limit on how big user files may get and how many processes a
+user may run."
+echo "Would you like to set up some PAM configuration ?"
+WaitAnswer;clear
+if [[ ${answer} == yes ]]; then
+AddRules "# Limit user processes" /etc/security/limits.conf
+AddRules "* soft nproc 100" /etc/security/limits.conf
+AddRules "* hard nproc 150" /etc/security/limits.conf
+echo "Would you like to set a maximum file size a user is allowed ?"
+WaitAnswer;clear
+if [[ ${answer} == yes ]]; then
+echo "What shall be the maximum file size(default it 40000 = 40MB)"
+echo -n "Size[40000]: "
+read fsize
+if [[ -z ${fsize} ]]; then
+AddRules "# limits size of any one of users' files" /etc/security/limits.conf
+AddRules "* hard $dfsize" /etc/security/limits.conf
+else
+AddRules "# limits size of any one of users' files" /etc/security/limits.conf
+AddRules "* hard $fsize" /etc/security/limits.conf
+fi
+ fi
+ fi
+#End PAM stuff
+
+
+
+**********************************
+
+ ###########Begin modified custom.sh######################
+#!/bin/bash
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+if [[ -f /usr/share/lsec/lib.sh ]]; then
+ . /usr/share/lsec/lib.sh
+else
+ echo "Can't find /usr/share/lsec/lib.sh, exiting."
+ exit 1
+fi
+
+clear
+
+WRITE_CRON="false"
+
+###
+echo "This script allows you to customize the security on your system. "
+echo "If you feel at all you don't know what you're doing abort now!!! "
+echo "'ctrl-c' to abort"
+echo -n "Otherwise, please press [enter] to continue "
+read FOO
+clear
+
+###
+echo "Do you want all system events to be logged on tty12 ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "*.* /dev/tty12" /etc/syslog.conf
+fi
+
+###
+echo "Do you want to be notified by mail of _all_ root logins ?"
+echo "(This is strongle recommended)"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+if [[ -s /root/.bashrc ]]; then
+cp /root/.bashrc /tmp/bashrc
+sed '/root login/d' /tmp/bashrc > /root/.bashrc
+AddRules 'echo "root login Check your syslog /var/log/messages" | /bin/mail -s
+"Root Login" root' /root/.bashrc
+rm -f /tmp/bashrc
+echo "Done"
+fi
+fi
+
+
+###
+echo "Do you want to only allow ctrl-alt-del if root is logged locally ?"
+echo "( or if a user present in /etc/shutdown.allow is logged locally )"
+WaitAnswer; clear
+tmpfile=`mktemp /tmp/secure.XXXXXX`
+cp /etc/inittab ${tmpfile}
+if [[ ${answer} == yes ]]; then
+ cat ${tmpfile} | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r
+now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
+else
+ cat ${tmpfile} | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r
+now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
+fi
+rm -f ${tmpfile}
+
+#Compile tools
+#More needs to be added and this is very sloppy but you get the idea : )
+mgtools()
+{
+mgcon=mgcon1
+echo "Do you want only root to have access to the system compiler(gcc/g++) ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+chmod 0700 /usr/bin/gcc
+chmod 0700 /usr/bin/g++
+fi
+}
+gtools()
+{
+gcon=gcon0
+dgrp=devel
+echo "Do you want to setup compiling tools(gcc,g++,etc..) so that they may"
+echo "be used by a certain group ?"
+echo -n "yes/no: "
+read answer
+if [[ ${answer} == yes ]]; then
+gcon=gcon1
+echo
+echo -n "What shall the name of this group be [devel]: "
+read grp
+if [[ -z ${grp} ]]; then
+groupadd ${dgrp}
+.. /etc/security/lsec/perm.ctoolsd
+else
+groupadd ${grp}
+.. /etc/security/lsec/perm.ctools
+fi
+fi
+}
+gtools
+#if [[ ${gcon} = gcon1 ]]; then
+#ntools
+#else
+#mgtools
+#fi
+
+#network tools
+mntools()
+{
+echo "Do you want to disable 'ping' to all users except root ?"
+WaitAnswer; clear
+if [[ $answer} == yes ]]; then
+chmod 0700 /bin/ping
+fi
+
+echo "Do you want to disable 'traceroute' to all users except root ?"
+WaitAnswer; clear
+if [[ $answer == yes ]]; then
+chmod 0700 /usr/sbin/traceroute
+fi
+
+echo "Do you want to disable 'who' to all users except root ?"
+WaitAnswer; clear
+if [[ $answer == yes ]]; then
+chmod 0700 /usr/bin/who
+fi
+
+echo "Do you want to disable 'w' to all users except root ?"
+WaitAnswer; clear
+if [[ $answer == yes ]]; then
+chmod 0700 /usr/bin/w
+fi
+
+echo "Do you want to disable 'finger' to all users except root ?"
+WaitAnswer; clear
+if [[ $answer == yes ]]; then
+chmod 0700 /usr/bin/finger
+fi
+
+echo "Do you want to disable telnet client to all users except root ?"
+WaitAnswer; clear
+if [[ $answer == yes ]]; then
+chmod 0700 /usr/bin/telnet
+fi
+
+echo "Do you want to disable ssh client to all users except root ?"
+WaitAnswer; clear
+if [[ $answer == yes ]]; then
+chmod 0700 /usr/bin/ssh
+fi
+}
+ntools()
+{
+ncon=ncon0
+ngrpd=netsys
+echo "Do you want to set up network tools so that they may be used only"
+echo "by users of a certain group ?"
+echo -n "yes/no: "
+read answer
+if [[ ${answer} == yes ]]; then
+ncon=ncon1
+echo
+echo -n "What shall the name of this group be [netsys]: "
+read ngrp
+if [[ -z ${ngrp} ]]; then
+groupadd ${ngrpd}
+.. /etc/security/lsec/perm.netsysd
+else
+groupadd ${ngrp}
+.. /etc/security/lsec/perm.netsysd
+fi
+fi
+}
+if [[ ${gcon} = gcon1 ]]; then
+ntools
+else
+mgtools
+fi
+
+if [[ ${mgcon} = mgcon1 ]]; then
+ntools
+else
+mntools
+fi
+
+if [[ $ncon = ncon1 ]]; then
+echo "Done"
+else
+mntools
+fi
+
+###
+echo "Do you want to deny any machine to connect to yours ?"
+WaitAnswer
+if [[ ${answer} == yes ]]; then
+ echo "Do you want only localhost to be allowed ?"
+ WaitAnswer; clear
+ if [[ ${answer} == yes ]]; then
+ AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny
+ else
+ AddRules "ALL:ALL:DENY" /etc/hosts.deny
+ fi
+fi
+
+###
+echo "Do you want root console login to be allowed ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "tty1" /etc/securetty quiet
+ AddRules "tty2" /etc/securetty quiet
+ AddRules "tty3" /etc/securetty quiet
+ AddRules "tty4" /etc/securetty quiet
+ AddRules "tty5" /etc/securetty quiet
+ AddRules "tty6" /etc/securetty
+fi
+###
+
+if [[ -f /usr/lib/libsafe.so.1.2 ]]; then
+echo "Do you want to enable the libsafe stack overflow protection ?"
+echo "This stack overflow protection work by catching dangerous function call"
+echo "like strcpy, strcat, getwd, gets, [vf]scanf, realpath, [v]sprintf"
+echo "and verify the address & the size of the destination buffer in the stack"
+echo "this is done by searching in the stack frame the one which contain the"
+echo "destination address, and by substracting the frame address to the
+destination buffer one"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "export LD_PRELOAD=/usr/lib/libsafe.so.1.2" /etc/profile
+fi
+fi
+
+###
+echo "Do you want your system to daily check important security problem ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_SECURITY=yes" /etc/security/lsec/security.conf
+ WRITE_CRON="true"
+fi
+
+###
+echo "Do you want your system to daily check new open port listening ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_OPEN_PORT=yes" /etc/security/lsec/security.conf
+ WRITE_CRON="true"
+fi
+
+###
+echo "Do you want your system to check for grave permission problem on
+sensibles files ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_PERMS=yes" /etc/security/lsec/security.conf
+ WRITE_CRON="true"
+fi
+
+###
+echo "Do you want your system to daily check SUID Root file change ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_SUID_ROOT=yes" /etc/security/lsec/security.conf
+ WRITE_CRON="true"
+fi
+
+###
+echo "Do you want your system to daily check suid files md5 checksum changes ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_SUID_MD5=yes" /etc/security/lsec/security.conf
+ WRITE_CRON="true"
+fi
+
+###
+echo "Do you want your system to daily check SUID Group file change ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_SUID_GROUP=yes" /etc/security/lsec/security.conf
+ WRITE_CRON="true"
+fi
+
+###
+echo "Do you want your system to daily check Writeable file change ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_WRITEABLE=yes" /etc/security/lsec/security.conf
+ WRITE_CRON="true"
+fi
+
+###
+echo "Do you want your system to daily check Unowned file change ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_UNOWNED=yes" /etc/security/lsec/security.conf
+ WRITE_CRON="true"
+fi
+
+###
+echo "Do you want your system to verify every minutes if a network interface"
+echo "is in promiscuous state (which mean someone is probably running a sniffer
+on your machine ) ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_PROMISC=yes" /etc/security/lsec/security.conf
+ AddRules "*/1 * * * * root nice --adjustment=+19
+/usr/share/lsec/promisc_check.sh" /etc/crontab
+fi
+###
+
+###
+echo "Do you want security report to be done in syslog ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "SYSLOG_WARN=yes" /etc/security/lsec/security.conf
+else
+ AddRules "SYSLOG_WARN=no" /etc/security/lsec/security.conf
+fi
+###
+
+echo "Do you want security report to be done by mail ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "MAIL_WARN=yes" /etc/security/lsec/security.conf
+else
+ AddRules "MAIL_WARN=no" /etc/security/lsec/security.conf
+fi
+###
+
+if [[ ${WRITE_CRON} == "true" ]]; then
+ AddRules "0 0-23 * * * root nice --adjustment=+19
+/usr/share/lsec/security.sh" /etc/crontab
+fi
+
+LiloUpdate;
+/sbin/lilo >& /dev/null
+
+###
+echo "Do you want to disable all services except(gpm,xfs,keytable,"
+echo "network,crond, and syslogd ?"
+echo "This is _highly_ recommended if you have not configured other"
+echo "said services."
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ echo -n "Disabling all service, except : {"
+ chkconfig --list | awk '{print $1}' | while read service; do
+ if grep -qx ${service} /etc/security/lsec/server.4; then
+ echo -n " ${service}"
+ fi
+ done
+ echo " } : "
+
+ chkconfig --list | awk '{print $1}' | while read service; do
+ chkconfig --del "${service}"
+ if ! chkconfig --add "${service}"; then
+ echo -e "\t- Services ${service} is now disabled."
+ fi
+ done
+ chkconfig --add gpm
+ chkconfig --add xfs
+ chkconfig --add network
+ chkconfig --add keytable
+ chkconfig --add syslog
+ chkconfig --add crond
+ echo -e "done.\n";
+fi
+
+###
+echo "Do you want an easy, normal, restricted, or paranoid umask ?"
+echo "easy ( 002 ) = user = rwx, group = rwx, other = rx"
+echo "normal ( 022 ) = user = rwx, group = rx, other = rx"
+echo "restricted ( for users ) ( 077 ) = user = rwx, group =, other ="
+echo "restricted ( for root ) ( 022 ) = user = rwx, = group = rx, other = rx"
+echo "paranoid ( 077 ) = user = rwx, group = , other ="
+answer="nothing"
+while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" !=
+"restricted" && "${answer}" != "paranoid" ]]; do
+ echo -n "easy/normal/restricted/paranoid : "
+ read answer
+done
+case "${answer}" in
+ "easy")
+ AddRules "umask 002" /etc/profile
+ ;;
+ "normal")
+ AddRules "umask 022" /etc/profile
+ ;;
+ "restricted")
+ AddRules "if [[ \${UID} == 0 ]]; then umask 022; else umask 077; fi"
+/etc/profile
+ ;;
+ "paranoid")
+ AddRules "umask 077" /etc/profile
+ ;;
+esac
+
+###
+echo "Do you want a "." in your PATH variable ?"
+echo "This permit you to not use ./progname & to just type progname"
+echo "However this is a *high* security risk."
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games:." /etc/profile quiet
+else
+ AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/profile quiet
+fi
+
+AddRules "export PATH SECURE_LEVEL" /etc/profile
+
+echo "Do you want normal, restricted, or paranoid file permissions ?"
+while [[ "${answer}" != "normal" && "${answer}" != "strict" && "${answer}" !=
+"paranoid" ]]; do
+echo -n "normal/restricted/paranoid : "
+ read answer
+done
+case "${answer}" in
+ "normal")
+ /usr/share/lsec/file_perm.sh /etc/security/lsec/perm.3
+ ;;
+ "strict")
+ /usr/share/lsec/file_perm.sh /etc/security/lsec/perm.4
+ ;;
+ "paranoid")#!/bin/bash
+/usr/share/lsec/file_perm.sh /etc/security/lsec/perm.5
+ ;;
+esac
+#EOF
+# /etc/security/msec/perm.ctools
+chown root.$grp /usr/bin/gcc
+chmod 750 /usr/bin/gcc
+chown root.$grp /usr/bin/cc
+chmod 750 /usr/bin/cc
+chown root.$grp /usr/bin/g++
+chmod 750 /usr/bin/g++
+
+# /etc/security/msec/perm.ctoolsd
+chown root.$dgrp /usr/bin/gcc
+chmod 750 /usr/bin/gcc
+chown root.$dgrp /usr/bin/cc
+chmod 750 /usr/bin/cc
+chown root.$dgrp /usr/bin/g++
+chmod 750 /usr/bin/g++
+
+
+# /etc/security/msec/perm.netsys
+chown root.$ngrp /usr/bin/ping
+chmod 750 /usr/bin/gcc
+chown root.$ngrp /usr/bin/w
+chmod 750 /usr/bin/w
+chown root.$ngrp /usr/bin/w
+chmod 750 /usr/bin/who
+chown root.$ngrp /usr/bin/telnet
+chmod 750 /usr/bin/telnet
+chown root.$ngrp /usr/bin/ssh
+chmod 750 /usr/bin/ssh
+chown root.$ngrp /usr/sbin/traceroute
+chmod 750 /usr/sbin/traceoute
+chown root.$ngrp /usr/bin/finger
+chmod 750 /usr/bin/finger
+
+# /etc/security/msec/perm.netsys.d
+chown root.$ngrpd /bin/ping
+chmod 750 /usr/bin/gcc
+chown root.$ngrpd /usr/bin/w
+chmod 750 /usr/bin/w
+chown root.$ngrpd /usr/bin/w
+chmod 750 /usr/bin/who
+chown root.$ngrpd /usr/bin/telnet
+chmod 750 /usr/bin/telnet
+chown root.$ngrpd /usr/bin/ssh
+chmod 750 /usr/bin/ssh
+chown root.$ngrpd /usr/sbin/traceroute
+chmod 750 /usr/sbin/traceroute
+chown root.$ngrpd /usr/bin/finger
+chmod 750 /usr/bin/finger
+
+######## END
+
+