diff options
author | Eugeni Dodonov <eugeni@mandriva.org> | 2009-01-06 21:31:46 +0000 |
---|---|---|
committer | Eugeni Dodonov <eugeni@mandriva.org> | 2009-01-06 21:31:46 +0000 |
commit | ff31c9236b1fd7465ea9687fc735e8af882e780e (patch) | |
tree | eec89033b4ad0b2459fbb91fa6dd39077eeaf407 /man | |
parent | ab984707253940bf5ced3a379699e8d0dc757fa6 (diff) | |
download | msec-ff31c9236b1fd7465ea9687fc735e8af882e780e.tar msec-ff31c9236b1fd7465ea9687fc735e8af882e780e.tar.gz msec-ff31c9236b1fd7465ea9687fc735e8af882e780e.tar.bz2 msec-ff31c9236b1fd7465ea9687fc735e8af882e780e.tar.xz msec-ff31c9236b1fd7465ea9687fc735e8af882e780e.zip |
Updated to working version of new msec.
Conflicts:
Makefile
cron-sh/security_check.sh
share/msec.py
Diffstat (limited to 'man')
-rw-r--r-- | man/C/msec.8 | 635 | ||||
-rw-r--r-- | man/C/mseclib.3 | 228 |
2 files changed, 579 insertions, 284 deletions
diff --git a/man/C/msec.8 b/man/C/msec.8 index 16768ad..8a0c098 100644 --- a/man/C/msec.8 +++ b/man/C/msec.8 @@ -1,69 +1,592 @@ -.TH msec 8 "29 Sep 2001" "Mandriva" "Mandriva Linux" -.IX msec +.ds q \N'34' +.TH msec 0.60.1 msec "Mandriva Linux" .SH NAME msec \- Mandriva Linux security tools .SH SYNOPSIS -.B msec -([-o <option>=<value>...]) ([0-5]) +.nf +.B msec [options] +.B msecperms [options] +.B msecgui [options] +.fi .SH DESCRIPTION -\fPmsec\fP is the main script of the msec package. It enables the -system administrator to change the security level for that system. -msec is provided with six preconfigured security levels. These levels -range from poor security and ease of use, to paranoid config, suitable -for very sensitive server applications. -.PP -You must be root to run \fPmsec\fP. -.br -Launch "msec x" to set you security level to x (x=[0-5]). It'll modify -your system according to security level x features. Called without -argument, it will enforce the current security level without lowering -security. -.br -All the changes are logged to syslog(8) at the AUTH facility when called -non interactivelly (by cron for example) or at the LOCAL1 facility -when called interactivelly (on the command line or from Mandriva Linux -Control Center for example). -.br -For a fine description of each security level, consult the -documentation under /usr/share/doc/msec-*/security.txt. -.PP -If you want to make changes to the current level, use -/etc/security/msec/perm.local to override the -permissions/owners/groups (use the same syntax as /usr/share/msec/perm.* -or use the drakperm graphical utility) and /etc/security/msec/level.local to -override the rules (see mseclib(3) for details or use the draksec graphical utility). -.PP -Available options: +.B msec +is responsible to maintain system security in Mandriva. It supports different security +configurations, which can be organized into several security levels. Currently, three +preconfigured security levels are provided: + .TP -\fB\-o all-local-files=<value>\fR -if <value> is 1, consider that all the files are local. +\fBnone\fR +this level aims to provide the most basic security. It should be used when you want to +manage all aspects of system security on your own. + .TP -\fB\-o log=<value>\fR -if <value> is different of syslog do not log to syslog but to the standard error output. +\fBdefault\fR +this is the default security level, which configures a reasonably safe set of security +features. It activates several periodic system checks, and sends the results of their +execution by email (by default, the local 'root' account is used). + .TP -\fB\-o nolocal=<path>\fR -do not load the /etc/security/msec/level.local rules. +\fBsecure\fR +this level is configured to provide maximum system security, even at the cost of limiting +the remote access to the system, and local user permissions. It also runs a wider set of +periodic checks, enforces the local password settings, and periodically checks if the +system security settings, configured by msec, were modified directly or by some other +application. + +.PP + +The security settings are stored in \fB/etc/security/msec/security.conf\fR +file, and default settings for each predefined level are stored in +\fB/etc/security/msec/level.LEVEL\fR. Permissions for files and directories +that should be enforced or checked for changes are stored in +\fB/etc/security/msec/perms.conf\fR, and default permissions for each +predefined level are stored in \fB/etc/security/msec/perm.LEVEL\fR. Note +that user-modified parameters take precedence over default level settings. For +example, when default level configuration forbids direct root logins, this +setting can be overridden by the user. + +.PP + +The following options are supported by msec applications: + .TP -\fB\-o non-local-fstypes=<value>\fR -<value> is a list of non local file system types separated by spaces. +\fBmsec\fR: +.PP + +This is the console version of msec. It is responsible for system security configuration +and checking and transitions between security levels. + +When executed without parameters, msec will read the system configuration file +(/etc/security/msec/security.conf), and enforce the specified security +settings. The operations are logged to \fB/var/log/msec.log\fP file, and also +to syslog, using \fBLOG_AUTHPRIV\fR facility. Please note that msec should +by run as root. + +\fB\-h, --help\fR + This option will display the list of supported command line options. + +\fB\-l, --level <level>\fR + List the default configuration for given security level. + +\fB\-f, --force <level>\fR + Apply the specified security level to the system, overwritting all +local changes. This is necessary to initialize a security level, either on first +install, on when a change to a different level is required. + +\fB\-d\fR + Enable debugging messages. + +\fB\-p, --pretend\fR + Verify the actions that will be performed by msec, without actually +doing anything to the system. In this mode of operation, msec performs all the +required tasks, except effectively writting data back to disk. + .TP -\fB\-o print=<value>\fR -if <value> is equal to 1, output the default values of the rules. +\fBmsecperms\fR: +.PP + +This application is responsible for system permission checking and enforcements. + +When executed without parameters, msecperms will read the permissions +configuration file (/etc/security/msec/perms.conf), and enforce the specified +security settings. The operations are logged to \fB/var/log/msec.log\fP file, +and also to syslog, using \fBLOG_AUTHPRIV\fR facility. Please note that msecperms +should by run as root. + +\fB\-h, --help\fR + This option will display the list of supported command line options. + +\fB\-l, --level <level>\fR + List the default configuration for given security level. + +\fB\-f, --force <level>\fR + Apply the specified security level to the system, overwritting all +local changes. This is necessary to initialize a security level, either on first +install, on when a change to a different level is required. + +\fB\-e, --enforce\fR + Enforce the default permissions on all files. + +\fB\-d\fR + Enable debugging messages. + +\fB\-p, --pretend\fR + Verify the actions that will be performed by msec, without actually +doing anything to the system. In this mode of operation, msec performs all the +required tasks, except effectively writting data back to disk. + .TP -\fB\-o root=<path>\fR -use <path> as the root of the file system. -.SH FILES -/usr/sbin/msec -.br -The \fPmsec\fP executable (sh script) +\fBmsecgui\fR: .PP -/var/lib/msec/security.conf -.br -Contains the configuration of the current active security level. These -settings can be overridden in /etc/security/msec/security.conf. -.SH "SEE ALSO" -mseclib(3), draksec, drakperm +This is the GTK version of msec. It acts as frontend to all msec functionalities. + +\fB\-h, --help\fR + This option will display the list of supported command line options. + +\fB\-d\fR + Enable debugging messages. + +.SH "SECURITY OPTIONS" + +The following security options are supported by msec: + + + +.TP 4 +.B \fIenable_dns_spoofing_protection\fP +Enable/Disable name resolution spoofing protection. If \fIalert\fP is true, also reports to syslog. + +MSEC parameter: \fIENABLE_IP_SPOOFING_PROTECTION\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fImail_empty_content\fP +Enables sending of empty mail reports. + +MSEC parameter: \fIMAIL_EMPTY_CONTENT\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIaccept_broadcasted_icmp_echo\fP +Accept/Refuse broadcasted icmp echo. + +MSEC parameter: \fIACCEPT_BROADCASTED_ICMP_ECHO\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIallow_xserver_to_listen\fP +The argument specifies if clients are authorized to connect to the X server on the tcp port 6000 or not. + +MSEC parameter: \fIALLOW_XSERVER_TO_LISTEN\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIcheck_chkrootkit\fP +Enables checking for known rootkits using chkrootkit. + +MSEC parameter: \fICHECK_CHKROOTKIT\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIcheck_suid_root\fP +Enables checking for additions/removals of suid root files. + +MSEC parameter: \fICHECK_SUID_ROOT\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIenable_at_crontab\fP +Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow (see man at(1) and crontab(1)). + +MSEC parameter: \fIENABLE_AT_CRONTAB\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIaccept_bogus_error_responses\fP +Accept/Refuse bogus IPv4 error messages. + +MSEC parameter: \fIACCEPT_BOGUS_ERROR_RESPONSES\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIcheck_suid_md5\fP +Enables checksum verification for suid files. + +MSEC parameter: \fICHECK_SUID_MD5\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fImail_user\fP +Defines email to receive security notifications. + +MSEC parameter: \fIMAIL_USER\fP + +Accepted values: \fI*\fP + + +.TP 4 +.B \fIallow_autologin\fP +Allow/Forbid autologin. + +MSEC parameter: \fIALLOW_AUTOLOGIN\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIenable_pam_wheel_for_su\fP +Enabling su only from members of the wheel group or allow su from any user. + +MSEC parameter: \fIENABLE_PAM_WHEEL_FOR_SU\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIcreate_server_link\fP +Creates the symlink /etc/security/msec/server to point to /etc/security/msec/server.<SERVER_LEVEL>. The /etc/security/msec/server is used by chkconfig --add to decide to add a service if it is present in the file during the installation of packages. + +MSEC parameter: \fICREATE_SERVER_LINK\fP + +Accepted values: \fIno, default, secure\fP + + +.TP 4 +.B \fIset_shell_timeout\fP +Set the shell timeout. A value of zero means no timeout. + +MSEC parameter: \fISHELL_TIMEOUT\fP + +Accepted values: \fI*\fP + + +.TP 4 +.B \fIcheck_user_files\fP +Enables permission checking on users' files that should not be owned by someone else, or writable. + +MSEC parameter: \fICHECK_USER_FILES\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIcheck_shadow\fP +Enables checking for empty passwords. + +MSEC parameter: \fICHECK_SHADOW\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIenable_password\fP +Use password to authenticate users. Take EXTREMELY care when disabling passwords, as it will leave the machine COMPLETELY vulnerable. + +MSEC parameter: \fIENABLE_PASSWORD\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIset_win_parts_umask\fP +Set umask option for mounting vfat and ntfs partitions. A value of None means default umask. + +MSEC parameter: \fIWIN_PARTS_UMASK\fP + +Accepted values: \fIno, *\fP + + +.TP 4 +.B \fIcheck_open_port\fP +Enables checking for open network ports. + +MSEC parameter: \fICHECK_OPEN_PORT\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIenable_log_strange_packets\fP +Enable/Disable the logging of IPv4 strange packets. + +MSEC parameter: \fIENABLE_LOG_STRANGE_PACKETS\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIcheck_rpm\fP +Enables verification of installed packages. + +MSEC parameter: \fICHECK_RPM\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIenable_pam_root_from_wheel\fP +Allow root access without password for the members of the wheel group. + +MSEC parameter: \fIENABLE_PAM_ROOT_FROM_WHEEL\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fImail_warn\fP +Enables security results submission by email. + +MSEC parameter: \fIMAIL_WARN\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIpassword_length\fP +Set the password minimum length and minimum number of digit and minimum number of capitalized letters. + +MSEC parameter: \fIPASSWORD_LENGTH\fP + +Accepted values: \fI*\fP + + +.TP 4 +.B \fIset_root_umask\fP +Set the root umask. + +MSEC parameter: \fIROOT_UMASK\fP + +Accepted values: \fI*\fP + + +.TP 4 +.B \fIcheck_sgid\fP +Enables checking for additions/removals of sgid files. + +MSEC parameter: \fICHECK_SGID\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIcheck_promisc\fP +Activate/Disable ethernet cards promiscuity check. + +MSEC parameter: \fICHECK_PROMISC\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIallow_x_connections\fP +Allow/Forbid X connections. Accepted arguments: yes (all connections are allowed), local (only local connection), no (no connection). + +MSEC parameter: \fIALLOW_X_CONNECTIONS\fP + +Accepted values: \fIyes, no, local\fP + + +.TP 4 +.B \fIcheck_writable\fP +Enables checking for files/directories writable by everybody. + +MSEC parameter: \fICHECK_WRITABLE\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIenable_console_log\fP +Enable/Disable syslog reports to console 12. \fIexpr\fP is the expression describing what to log (see syslog.conf(5) for more details) and dev the device to report the log. + +MSEC parameter: \fIENABLE_CONSOLE_LOG\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIenable_ip_spoofing_protection\fP +Enable/Disable IP spoofing protection. + +MSEC parameter: \fIENABLE_DNS_SPOOFING_PROTECTION\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIcheck_perms\fP +Enables periodic permission checking for system files. + +MSEC parameter: \fICHECK_PERMS\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIset_shell_history_size\fP +Set shell commands history size. A value of -1 means unlimited. + +MSEC parameter: \fISHELL_HISTORY_SIZE\fP + +Accepted values: \fI*\fP + + +.TP 4 +.B \fIallow_reboot\fP +Allow/Forbid system reboot and shutdown to local users. + +MSEC parameter: \fIALLOW_REBOOT\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIsyslog_warn\fP +Enables logging to system log. + +MSEC parameter: \fISYSLOG_WARN\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIcheck_shosts\fP +Enables checking for dangerous options in users' .rhosts/.shosts files. + +MSEC parameter: \fICHECK_SHOSTS\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIcheck_passwd\fP +Enables password-related checks, such as empty passwords and strange super-user accounts. + +MSEC parameter: \fICHECK_PASSWD\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIpassword_history\fP +Set the password history length to prevent password reuse. This is not supported by pam_tcb. + +MSEC parameter: \fIPASSWORD_HISTORY\fP + +Accepted values: \fI*\fP + + +.TP 4 +.B \fIcheck_security\fP +Enables daily security checks. + +MSEC parameter: \fICHECK_SECURITY\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIallow_root_login\fP +Allow/Forbid direct root login. + +MSEC parameter: \fIALLOW_ROOT_LOGIN\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIcheck_unowned\fP +Enables checking for unowned files. + +MSEC parameter: \fICHECK_UNOWNED\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIallow_user_list\fP +Allow/Forbid the list of users on the system on display managers (kdm and gdm). + +MSEC parameter: \fIALLOW_USER_LIST\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIallow_remote_root_login\fP +Allow/Forbid remote root login via sshd. You can specify yes, no and without-password. See sshd_config(5) man page for more information. + +MSEC parameter: \fIALLOW_REMOTE_ROOT_LOGIN\fP + +Accepted values: \fIyes, no, without_password\fP + + +.TP 4 +.B \fIenable_msec_cron\fP +Enable/Disable msec hourly security check. + +MSEC parameter: \fIENABLE_MSEC_CRON\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIenable_sulogin\fP +Enable/Disable sulogin(8) in single user level. + +MSEC parameter: \fIENABLE_SULOGIN\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIallow_xauth_from_root\fP +Allow/forbid to export display when passing from the root account to the other users. See pam_xauth(8) for more details. + +MSEC parameter: \fIALLOW_XAUTH_FROM_ROOT\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIset_user_umask\fP +Set the user umask. + +MSEC parameter: \fIUSER_UMASK\fP + +Accepted values: \fI*\fP + + +.TP 4 +.B \fIaccept_icmp_echo\fP +Accept/Refuse icmp echo. + +MSEC parameter: \fIACCEPT_ICMP_ECHO\fP + +Accepted values: \fIyes, no\fP + + +.TP 4 +.B \fIauthorize_services\fP +Configure access to tcp_wrappers services (see hosts.deny(5)). If arg = yes, all services are authorized. If arg = local, only local ones are, and if arg = no, no services are authorized. In this case, To authorize the services you need, use /etc/hosts.allow (see hosts.allow(5)). + +MSEC parameter: \fIAUTHORIZE_SERVICES\fP + +Accepted values: \fIyes, no, local\fP + + +.TP 4 +.B \fItty_warn\fP +Enables periodic security check results to terminal. + +MSEC parameter: \fITTY_WARN\fP + +Accepted values: \fIyes, no\fP + +.RE +.SH NOTES +Msec applications must be run by root. +.SH AUTHORS +Frederic Lepied <flepied@mandriva.com> + +Eugeni Dodonov <eugeni@mandriva.com> -.SH AUTHOR -Vandoorselaere Yoann, Mandriva diff --git a/man/C/mseclib.3 b/man/C/mseclib.3 deleted file mode 100644 index d5999a5..0000000 --- a/man/C/mseclib.3 +++ /dev/null @@ -1,228 +0,0 @@ -.ds q \N'34' -.TH mseclib 3 V0 msec "Mandriva Linux" -.SH NAME -mseclib -.SH SYNOPSIS -.nf -.B from mseclib import * -.B function1(yes) -.B function2(ignore) -.fi -.SH DESCRIPTION -.B mseclib -is a python library to access the function used by the msec program. This functions can be used -in /etc/security/msec/level.local to override the behaviour of the msec program or in standalone -scripts. The first argument of the functions takes a value of 1 or 0 or -1 (or yes/no/ignore) -except when specified otherwise. - -.TP 4 -.B \fIaccept_bogus_error_responses(arg)\fP -Accept/Refuse bogus IPv4 error messages. - -.TP 4 -.B \fIaccept_broadcasted_icmp_echo(arg)\fP - Accept/Refuse broadcasted icmp echo. - -.TP 4 -.B \fIaccept_icmp_echo(arg)\fP - Accept/Refuse icmp echo. - -.TP 4 -.B \fIallow_autologin(arg)\fP -Allow/Forbid autologin. - -.TP 4 -.B \fIallow_issues(arg)\fP -If \fIarg\fP = ALL allow /etc/issue and /etc/issue.net to exist. If \fIarg\fP = NONE no issues are -allowed else only /etc/issue is allowed. - -.TP 4 -.B \fIallow_reboot(arg)\fP -Allow/Forbid reboot by the console user. - -.TP 4 -.B \fIallow_remote_root_login(arg)\fP -Allow/Forbid remote root login via sshd. You can specify -yes, no and without-password. See sshd_config(5) man page for more -information. - -.TP 4 -.B \fIallow_root_login(arg)\fP -Allow/Forbid direct root login. - -.TP 4 -.B \fIallow_user_list(arg)\fP -Allow/Forbid the list of users on the system on display managers (kdm and gdm). - -.TP 4 -.B \fIallow_x_connections(arg, listen_tcp=None)\fP -Allow/Forbid X connections. First arg specifies what is done -on the client side: ALL (all connections are allowed), LOCAL (only -local connection) and NONE (no connection). - -.TP 4 -.B \fIallow_xauth_from_root(arg)\fP -llow/forbid to export display when passing from the root account -to the other users. See pam_xauth(8) for more details. - -.TP 4 -.B \fIallow_xserver_to_listen(arg)\fP -The argument specifies if clients are authorized to connect -to the X server on the tcp port 6000 or not. - -.TP 4 -.B \fIauthorize_services(arg)\fP -Authorize all services controlled by tcp_wrappers (see hosts.deny(5)) if \fIarg\fP = ALL. Only local ones -if \fIarg\fP = LOCAL and none if \fIarg\fP = NONE. To authorize the services you need, use /etc/hosts.allow -(see hosts.allow(5)). - -.TP 4 -.B \fIcreate_server_link()\fP -If SERVER_LEVEL (or SECURE_LEVEL if absent) is greater than 3 -in /etc/security/msec/security.conf, creates the symlink /etc/security/msec/server -to point to /etc/security/msec/server.<SERVER_LEVEL>. The /etc/security/msec/server -is used by chkconfig --add to decide to add a service if it is present in the file -during the installation of packages. - -.TP 4 -.B \fIenable_at_crontab(arg)\fP -Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow -(see man at(1) and crontab(1)). - -.TP 4 -.B \fIenable_console_log(arg, expr='*.*', dev='tty12')\fP -Enable/Disable syslog reports to console 12. \fIexpr\fP is the -expression describing what to log (see syslog.conf(5) for more details) and -dev the device to report the log. - -.TP 4 -.B \fIenable_dns_spoofing_protection(arg, alert=1)\fP -Enable/Disable name resolution spoofing protection. If -\fIalert\fP is true, also reports to syslog. - -.TP 4 -.B \fIenable_ip_spoofing_protection(arg, alert=1)\fP -Enable/Disable IP spoofing protection. - -.TP 4 -.B \fIenable_libsafe(arg)\fP -Enable/Disable libsafe if libsafe is found on the system. - -.TP 4 -.B \fIenable_log_strange_packets(arg)\fP -Enable/Disable the logging of IPv4 strange packets. - -.TP 4 -.B \fIenable_msec_cron(arg)\fP -Enable/Disable msec hourly security check. - -.TP 4 -.B \fIenable_pam_root_from_wheel(arg)\fP - Allow root access without password for the members of the wheel group. - -.TP 4 -.B \fIenable_pam_wheel_for_su(arg)\fP - Enabling su only from members of the wheel group or allow su from any user. - -.TP 4 -.B \fIenable_password(arg)\fP -Use password to authenticate users. - -.TP 4 -.B \fIenable_promisc_check(arg)\fP -Activate/Disable ethernet cards promiscuity check. - -.TP 4 -.B \fIenable_security_check(arg)\fP - Activate/Disable daily security check. - -.TP 4 -.B \fIenable_sulogin(arg)\fP - Enable/Disable sulogin(8) in single user level. - -.TP 4 -.B \fIno_password_aging_for(name)\fP -Add the name as an exception to the handling of password aging by msec. -Name must be put between '. Msec will then no more manage password aging for -name so you have to use chage(1) to manage it by hand. - -.TP 4 -.B \fIpassword_aging(max, inactive=-1)\fP -Set password aging to \fImax\fP days and delay to change to \fIinactive\fP. - -.TP 4 -.B \fIpassword_history(arg)\fP -Set the password history length to prevent password reuse. - -.TP 4 -.B \fIpassword_length(length, ndigits=0, nupper=0)\fP -Set the password minimum length and minimum number of digit and minimum number of capitalized letters. - -.TP 4 -.B \fIset_root_umask(umask)\fP -Set the root umask. - -.TP 4 -.B \fIset_security_conf(var, value)\fP -Set the variable \fIvar\fP to the value \fIvalue\fP in /var/lib/msec/security.conf. -The best way to override the default setting is to create /etc/security/msec/security.conf -with the value you want. These settings are used to configure the daily check run each night. - -The following variables are currentrly recognized by msec: - -CHECK_UNOWNED if set to yes, report unowned files. - -CHECK_SHADOW if set to yes, check empty password in /etc/shadow. - -CHECK_SUID_MD5 if set to yes, verify checksum of the suid/sgid files. - -CHECK_SECURITY if set to yes, run the daily security checks. - -CHECK_PASSWD if set to yes, check for empty passwords, for no password in /etc/shadow and for users with the 0 id other than root. - -SYSLOG_WARN if set to yes, report check result to syslog. - -CHECK_SUID_ROOT if set to yes, check additions/removals of suid root files. - -CHECK_PERMS if set to yes, check permissions of files in the users' home. - -CHKROOTKIT_CHECK if set to yes, run chkrootkit checks. - -CHECK_PROMISC if set to yes, check if the network devices are in promiscuous mode. - -RPM_CHECK if set to yes, run some checks against the rpm database. - -TTY_WARN if set to yes, reports check result to tty. - -CHECK_WRITABLE if set to yes, check files/directories writable by everybody. - -MAIL_WARN if set to yes, report check result by mail. - -MAIL_USER if set, send the mail report to this email address else send it to root. - -CHECK_OPEN_PORT if set to yes, check open ports. - -CHECK_SGID if set to yes, check additions/removals of sgid files. - -EXCLUDE_REGEXP is used to exclude files from consideration by msec. - -.TP 4 -.B \fIset_shell_history_size(size)\fP -Set shell commands history size. A value of -1 means unlimited. - -.TP 4 -.B \fIset_shell_timeout(val)\fP -Set the shell timeout. A value of zero means no timeout. - -.TP 4 -.B \fIset_user_umask(umask)\fP -Set the user umask. - -.TP 4 -.B \fIset_win_parts_umask(umask)\fP -Set umask option for mounting vfat and ntfs partitions. A value of None means default umask. -.RE -.SH "SEE ALSO" -msec(8) -.SH AUTHORS -Frederic Lepied <flepied@mandriva.com> |