Support enforcing file permissions in periodic msec runs

2 files changed, 2 insertions, 2 deletions

diff --git a/src/msec/config.py b/src/msec/config.py
index a70ca4f..2be993e 100644
--- a/src/msec/config.py
+++ b/src/msec/config.py
@@ -53,7 +53,7 @@ PLUGINS_DIR="/usr/share/msec/plugins"
 #               OPTION                           callback                            valid values
 SETTINGS =    {'BASE_LEVEL':                    ("libmsec.base_level",                      ['*']),
                'CHECK_SECURITY' :               ("libmsec.check_security",                  ['yes', 'no']),
-               'CHECK_PERMS' :                  ("libmsec.check_perms",                     ['yes', 'no']),
+               'CHECK_PERMS' :                  ("libmsec.check_perms",                     ['yes', 'no', 'enforce']),
                'CHECK_USER_FILES' :             ("libmsec.check_user_files",                ['yes', 'no']),
                'CHECK_SUID_ROOT' :              ("libmsec.check_suid_root",                 ['yes', 'no']),
                'CHECK_SUID_MD5' :               ("libmsec.check_suid_md5",                  ['yes', 'no']),
diff --git a/src/msec/libmsec.py b/src/msec/libmsec.py
index 4d9dc1b..ecd909b 100755
--- a/src/msec/libmsec.py
+++ b/src/msec/libmsec.py
@@ -1405,7 +1405,7 @@ class MSEC:
         pass
 
     def check_perms(self, param):
-        """ Enable periodic permission checking for system files."""
+        """ Enable periodic permission checking for files specified in msec policy. If set to yes, the permissions are verified on every run. If set to enforce, incorrect permissions are restored to the ones specified in msec security policy."""
         pass
 
     def check_user_files(self, param):