authorEugeni Dodonov <eugeni@mandriva.org>2009-01-13 21:31:22 +0000
committerEugeni Dodonov <eugeni@mandriva.org>2009-01-13 21:31:22 +0000
commit17bc7899e82134e975019d30600cb690dfd379cb (patch)
tree8e7e90078251f35e96e78556885e120ac8c71dbe /conf
parent38bc9df241d315f763f8a35a3801ee130a486ce0 (diff)
Support for BASE_LEVEL and correct 'none' level, which disables all msec
checks.
Diffstat (limited to 'conf')
-rw-r--r--conf/level.default1
-rw-r--r--conf/level.none55
-rw-r--r--conf/level.secure1
-rw-r--r--conf/perm.none95
4 files changed, 5 insertions, 147 deletions
diff --git a/conf/level.default b/conf/level.default
index f9c0f7f..3c5d40e 100644
--- a/conf/level.default
+++ b/conf/level.default
@@ -1,3 +1,4 @@
+BASE_LEVEL=default
ENABLE_APPARMOR=no
ALLOW_X_CONNECTIONS=local
CHECK_WRITABLE=yes
diff --git a/conf/level.none b/conf/level.none
index 1e0f2c8..a9efe06 100644
--- a/conf/level.none
+++ b/conf/level.none
@@ -1,54 +1 @@
-ENABLE_APPARMOR=no
-ALLOW_X_CONNECTIONS=yes
-CHECK_WRITABLE=no
-ENABLE_IP_SPOOFING_PROTECTION=yes
-MAIL_EMPTY_CONTENT=no
-ACCEPT_BROADCASTED_ICMP_ECHO=yes
-CHECK_PERMS=no
-CHECK_USER_FILES=no
-ENABLE_SUDO=yes
-ALLOW_XSERVER_TO_LISTEN=yes
-CHECK_CHKROOTKIT=no
-SHELL_HISTORY_SIZE=-1
-ALLOW_REBOOT=yes
-CHECK_SUID_ROOT=no
-SYSLOG_WARN=no
-ENABLE_AT_CRONTAB=yes
-ACCEPT_BOGUS_ERROR_RESPONSES=yes
-CHECK_PASSWD=no
-PASSWORD_HISTORY=0
-CHECK_SUID_MD5=no
-CHECK_SHOSTS=no
-MAIL_USER=root
-ALLOW_AUTOLOGIN=yes
-ENABLE_PAM_WHEEL_FOR_SU=no
-CHECK_SHADOW=no
-ALLOW_ROOT_LOGIN=yes
-CHECK_UNOWNED=no
-ENABLE_CONSOLE_LOG=yes
-ALLOW_USER_LIST=yes
-ENABLE_DNS_SPOOFING_PROTECTION=yes
-CREATE_SERVER_LINK=no
-ENABLE_PASSWORD=yes
-NOTIFY_WARN=yes
-WIN_PARTS_UMASK=no
-CHECK_OPEN_PORT=no
-SHELL_TIMEOUT=0
-ALLOW_REMOTE_ROOT_LOGIN=yes
-ENABLE_LOG_STRANGE_PACKETS=no
-USER_UMASK=022
-CHECK_RPM=no
-ENABLE_SULOGIN=no
-ENABLE_PAM_ROOT_FROM_WHEEL=no
-MAIL_WARN=no
-ALLOW_XAUTH_FROM_ROOT=yes
-CHECK_SECURITY=no
-ACCEPT_ICMP_ECHO=yes
-PASSWORD_LENGTH=0,0,0
-AUTHORIZE_SERVICES=yes
-ROOT_UMASK=022
-ENABLE_MSEC_CRON=no
-TTY_WARN=no
-ENABLE_POLICYKIT=yes
-CHECK_SGID=no
-CHECK_PROMISC=no
+BASE_LEVEL=
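Review bot: The empty assignment `BASE_LEVEL=` is now the whole of conf/level.none, and nothing in the file says that an empty value means "disable all msec checks". The loader is not visible in this diff; if it treats an empty or missing BASE_LEVEL as "fall back to a default level", selecting 'none' would silently apply a different policy, so the parsing side should handle the empty string explicitly. The removed lines also used to set permissive values such as `ALLOW_REMOTE_ROOT_LOGIN=yes`, so 'none' presumably no longer changes anything a previous level applied. If level files accept `#` comments, I would add a header such as `# BASE_LEVEL empty: msec runs no checks and leaves current settings untouched`.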
diff --git a/conf/level.secure b/conf/level.secure
index 4d12b1d..bd912d0 100644
--- a/conf/level.secure
+++ b/conf/level.secure
@@ -1,3 +1,4 @@
+BASE_LEVEL=secure
ENABLE_APPARMOR=yes
ALLOW_X_CONNECTIONS=no
CHECK_WRITABLE=yes
diff --git a/conf/perm.none b/conf/perm.none
index d7388ec..c95a594 100644
--- a/conf/perm.none
+++ b/conf/perm.none
@@ -1,94 +1,3 @@
-# msec not enabled, so reset permissions to unsecure
+# msec not enabled, so let's user handle the permissions
###
-/ root.root 755
-/bin/ root.root 755
-/bin/ping root.root 4755
-/bin/rpm rpm.rpm 755
-/boot/ root.root 755
-/dev/ root.root 755
-/etc/ root.root 755
-/etc/conf.modules root.root 644
-/etc/cron.daily/ root.root 755
-/etc/cron.hourly/ root.root 755
-/etc/cron.monthly/ root.root 755
-/etc/cron.weekly/ root.root 755
-/etc/crontab root.root 644
-/etc/dhcpcd/ root.root 755
-/etc/dhcpcd/* root.root 644
-/etc/ftpaccess root.root 644
-/etc/ftpconversions root.root 644
-/etc/ftpgroups root.root 644
-/etc/ftphosts root.root 644
-/etc/ftpusers root.root 644
-/etc/gettydefs root.root 644
-/etc/hosts.allow root.root 644
-/etc/hosts.deny root.root 644
-/etc/hosts.equiv root.root 644
-/etc/httpd/modules.d/*.conf root.root 644
-/etc/httpd/conf/*.conf root.root 644
-/etc/httpd/conf/addon-modules/* root.root 644
-/etc/httpd/conf/vhosts.d/* root.root 644
-/etc/httpd/conf/webapps.d/* root.root 644
-/etc/inetd.conf root.root 644
-/etc/inittab root.root 644
-/etc/ld.so.conf root.root 644
-/etc/mandrake-release root.root 644
-/etc/modules.conf root.root 644
-/etc/motd root.root 644
-/etc/printcap root.root 644
-/etc/profile.d/* root.root 755
-/etc/rc.d/ root.root 755
-/etc/rc.d/init.d/ root.root 755
-/etc/rc.d/init.d/* root.root 744
-/etc/rc.d/init.d/functions root.root 644
-/etc/rc.d/init.d/mandrake_consmap root.root 644
-/etc/securetty root.root 644
-/etc/sendmail.cf root.mail 644
-/etc/shutdown.allow root.root 644
-/etc/ssh/ssh_config root.root 644
-/etc/ssh/ssh_host_*key root.root 600
-/etc/ssh/ssh_host_*key.pub root.root 644
-/etc/ssh/sshd_config root.root 644
-/etc/sysconfig root.root 755
-/etc/syslog.conf root.root 644
-/etc/updatedb.conf root.root 644
-/home/ root.root 755
-/home/* current.current 755
-/lib/ root.root 755
-/mnt/ root.root 755
-/proc root.root 555
-/root/ root.root 755
-/sbin/ root.root 755
-/tmp/ root.root 1777
-/usr/ root.root 755
-/usr/* root.root 755
-/usr/bin/ root.root 755
-/usr/bin/cc root.root 755
-/usr/bin/finger root.root 755
-/usr/bin/g++* root.root 755
-/usr/bin/gcc* root.root 755
-/usr/bin/ssh root.root 755
-/usr/bin/telnet root.root 755
-/usr/bin/w root.root 755
-/usr/bin/who root.root 755
-/usr/lib/rpm/rpm? rpm.rpm 755
-/usr/sbin/ root.root 755
-/usr/sbin/sendmail.postfix root.root 755
-/usr/sbin/sendmail.sendmail root.mail 2755
-/usr/sbin/traceroute root.bin 4755
-/usr/share/doc root.root 755
-/usr/share/man root.root 755
-/usr/tmp root.root 1777
-/var/ root.root 755
-/var/lib/rpm/Packages rpm.rpm 644
-/var/lock/subsys root.root 755
-/var/log/ root.root 755
-/var/log/* root.adm 644
-/var/log/lp-errs lp.lp 600
-/var/log/*/* current.current 644
-/var/log/*/*/* current.current 644
-/var/log/*/. current.current 755
-/var/log/mailman/ root.mail 2775
-/var/log/mailman/* root.mail 664
-/var/spool/mail/ root.mail 2775
-/var/tmp root.root 1777
+/ current.current current
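Review bot: The new header comment `# msec not enabled, so let's user handle the permissions` has a grammar slip and does not explain the one rule that remains. The entry `/ current.current current` appears to keep the owner, group and mode of `/` as they are, so at this level none of the old list is enforced any more, including `/etc/ssh/ssh_host_*key root.root 600`. Modes set by a stricter level presumably stay as they were rather than being reset, which an administrator switching to 'none' should know. I would reword the comment to `# msec not enabled: permissions are left to the user; nothing is checked or reset`.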