author | Yoann Vandoorselaere <yoann@mandriva.com> | 1999-12-08 12:00:22 +0000 |
committer | Yoann Vandoorselaere <yoann@mandriva.com> | 1999-12-08 12:00:22 +0000 |
commit | 27d842aa9fa2e9fc83b49da73bb8cbaea89220e2 (patch) | |
tree | 66bc80fb5d10f8dd1024abbb99ec99984002d31c /init-sh/custom.sh | |
parent | b9b97333067488941954d9991d8dd47c9b2fb9d1 (diff) | |
*** empty log message ***
Diffstat (limited to 'init-sh/custom.sh')
-rwxr-xr-x | init-sh/custom.sh | 124 |
1 files changed, 111 insertions, 13 deletions
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index feb5fdc..367f5aa 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -18,12 +18,14 @@ WaitAnswer; clear
 if [ ${answer} == "yes" ]; then
  find /var/log/ -type f -exec chattr +a {} \;
 fi
+
 ###
 echo "Do you want all system events to be logged on tty12 ?"
 WaitAnswer; clear
 if [ ${answer} == "yes" ]; then
  AddRules "*.* /dev/tty12" /etc/syslog.conf
 fi
+
 ###
 echo "Do you want to deny any machine to connect to yours ?"
 WaitAnswer
@@ -36,6 +38,7 @@ if [ ${answer} == "yes" ]; then
  AddRules "ALL:ALL:DENY" /etc/hosts.deny
  fi
 fi
+
 ###
 echo "Do you want root console login to be allowed ?"
 WaitAnswer; clear
@@ -48,33 +51,70 @@ if [ ${answer} == "yes" ]; then
  AddRules "tty6" /etc/securetty
 fi
 ###
+echo "Do you want your system to daily check important security problem ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security_check.sh" /etc/crontab
+fi
+
+###
+echo "Do you want your system to daily check new open port listening ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security_check.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab
+fi
+
+###
+echo "Do you want your system to check for permission problem ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/security_check.sh" /etc/crontab
+fi
+
+###
 echo "Do you want your system to daily check SUID Root file change ?"
 WaitAnswer; clear
 if [ ${answer} == "yes" ]; then
  AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab
+fi
+
+###
+echo "Do you want your system to daily check suid files md5 checksum changes ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab
 fi
+
 ###
 echo "Do you want your system to daily check SUID Group file change ?"
 WaitAnswer; clear
 if [ ${answer} == "yes" ]; then
  AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab
 fi
+
 ###
-echo "Do you want your system to daily check Writable file change ?"
+echo "Do you want your system to daily check Writeable file change ?"
 WaitAnswer; clear
 if [ ${answer} == "yes" ]; then
  AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab
 fi
+
 ###
 echo "Do you want your system to daily check Unowned file change ?"
 WaitAnswer; clear
 if [ ${answer} == "yes" ]; then
  AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
- AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/diff_check.sh" /etc/crontab
 fi
+
 ###
 echo "Do you want your system to verify every minutes if a network interface"
 echo "is in promiscuous state (which mean someone is probably running a sniffer on your machine ) ?"
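Review bot: Every new prompt in this hunk says "daily", but the crontab line each one adds, `0 0-23 * * * root nice --adjustment=+19 .../security_check.sh`, fires at minute 0 of every hour, so the checks run 24 times a day; either the schedule should be `0 0 * * *` or the prompt text should say hourly. The identical security_check.sh crontab line is appended under three different answers and the diff_check.sh line under five, so unless AddRules deduplicates (not visible here) a user who answers yes to several prompts ends up with the same job scheduled repeatedly. It would be simpler to set the CHECK_* flags in security.conf per answer and add each crontab line exactly once after the prompts, e.g. guarded by `grep -q security_check.sh /etc/crontab ||`. The enclosing script continues past the end of this hunk.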
@@ -84,23 +124,81 @@ if [ ${answer} == "yes" ]; then AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab fi ### + LiloUpdate; /sbin/lilo >& /dev/null + ### -echo "Do you want a "." in your PATH variable ?" -echo "This permit you to not use ./progname & to just type progname" -echo "However this is a *high* security risk." +echo "Do you want to disable your running server ( except important one )" +echo "This is only valuable for server installed with rpm." WaitAnswer; clear if [ ${answer} == "yes" ]; then - AddRules "PATH=\$PATH:/usr/X11R6/bin" /etc/profile + echo -n "Disabling all service, except : {" + for service in `chkconfig --list | awk '{print $1}'`; do + if grep -qx ${service} /etc/security/msec/init-sh/server.5 | grep -v "^#"; + then + echo -n " ${service}" + fi + done + echo " } : " + + for service in `chkconfig --list | awk '{print $1}'`; do + chkconfig --del "${service}" + if ! chkconfig --msec --add "${service}"; then + echo -e "\t- Services ${service} is now disabled." + fi + done + echo -e "done.\n"; fi + ### -AddRules "SECURE_LEVEL=\"custom\"" /etc/profile -export SECURE_LEVEL="custom" -### -AddRules "umask 077" /etc/profile +echo "Do you want to disallow rpm to automatically enable a new installed server for run on next reboot ?" +echo "yes = you will need to chkconfig (--add ) servername for the server to run on boot." +echo "no = rpm will do it for you, but you have less control of what is running on your machine." +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + export SECURE_LEVEL="4" + AddRules "SECURE_LEVEL=\"4\"" /etc/profile +else + AddRules "SECURE_LEVEL=\"3\"" /etc/profile +fi +### +echo "Do you want an easy, normal, restricted, or paranoid umask ?" 
+echo "easy ( 002 ) = user = rwx, group = rwx, other = rx" +echo "normal ( 022 ) = user = rwx, group = rx, other = rx" +echo "restricted ( for users ) ( 077 ) = user = rwx, group =, other =" +echo "restricted ( for root ) ( 022 ) = user = rwx, = group = rx, other = rx" +echo "paranoid ( 077 ) = user = rwx, group = , other =" +answer="nothing" +while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer} != "restricted" && "${answer}" != "paranoid" ]]; do + echo -n "easy/normal/restricted/paranoid : " + read answer +done +case "${answer}" in + "easy") + AddRules "umask 002" /etc/profile + ;; + "normal") + AddRules "umask 022" /etc/profile + ;; + "restricted") + AddRules "if [ \${UID} == 0 ]; then umask 022; else umask 077; fi" /etc/profile + ;; + "paranoid") + AddRules "umask 077" /etc/profile + ;; +### +echo "Do you want a "." in your PATH variable ?" +echo "This permit you to not use ./progname & to just type progname" +echo "However this is a *high* security risk." +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games:." /etc/profile +else + AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/profile +fi |
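Review bot: The umask `case` on the new side is never closed: after the `"paranoid")` arm's `;;` the script continues straight into `###` and the PATH prompt with no `esac`, and the `while` condition just above it has an unbalanced quote in `"${answer} != "restricted"` (it should read `"${answer}" != "restricted"`), so bash will abort this section with a syntax error instead of ever writing a umask to /etc/profile. Adding `esac` after the last `;;` and fixing that quote repairs both. Separately, in the service-disabling loop the condition `grep -qx ${service} /etc/security/msec/init-sh/server.5 | grep -v "^#"` tests the exit status of the second grep, which never receives any input because `-q` silences the first one, so the "except" list is always empty; the filter has to run first, `grep -v "^#" /etc/security/msec/init-sh/server.5 | grep -qx "${service}"`. The second loop also runs `chkconfig --del` on every listed service before trying `chkconfig --msec --add`, so if that non-standard flag is unsupported everything is left disabled; it would be safer to check the `--add` result before deleting. Finally, even appended last, a `.` in PATH lets a world-writable directory such as /tmp shadow a mistyped command, which the prompt itself calls a high risk, so the default here should be no.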