-rw-r--r-- | src/msec/README | 712 |
1 files changed, 625 insertions, 87 deletions
diff --git a/src/msec/README b/src/msec/README index 4bb3846..d2e86b3 100644 --- a/src/msec/README +++ b/src/msec/README 
@@ -1,87 +1,625 @@ -****************** -Configurations files in /etc/security/msec/ -Shell scripts in /usr/share/msec. -****************** - -Suggestions & comments: -flepied@mandriva.com - -****************** -Doc of the rewritting in python: - - 0 1 2 3 4 5 -root umask 022 022 022 022 022 077 -shell timeout 0 0 0 0 3600 900 -deny services none none none none local all -su only for wheel grp no no no no no yes -user umask 022 022 022 022 077 077 -shell history size default default default default 10 10 -direct root login yes yes yes yes no no -remote root login yes yes yes yes no no -sulogin for single user no no no no yes yes -user list in [kg]dm yes yes yes yes no no -promisc check no no no no yes yes -ignore icmp echo no no no no yes yes -ignore broadcasted icmp echo no no no no yes yes -ignore bogus error responses no no no no yes yes -enable libsafe no no no no yes yes -allow reboot by user yes yes yes yes no no -allow crontab/at yes yes yes yes no no -password aging no no no no 60 30 -allow autologin yes yes yes no no no -console log no no no yes yes yes -issues yes yes yes local local no -ip spoofing protection no no no yes yes yes -dns spoofing protection no no no yes yes yes -log stange ip packets no no no yes yes yes -periodic security check no yes yes yes yes yes -allow X connections yes local local no no no -allow xauth from root yes yes yes yes no no -X server listen to tcp tcp tcp tcp local local -run msec by cron yes yes yes yes yes yes - -Periodic security checks by level: - - 0 1 2 3 4 5 -CHECK_SECURITY no yes yes yes yes yes -CHECK_PERMS no no no yes yes yes -CHECK_SUID_ROOT no no yes yes yes yes -CHECK_SUID_MD5 no no yes yes yes yes -CHECK_SGID no no yes yes yes yes -CHECK_WRITABLE no no yes yes yes yes -CHECK_UNOWNED no no no no yes yes -CHECK_PROMISC no no no no yes yes -CHECK_OPEN_PORT no no no yes yes yes -CHECK_PASSWD no no no yes yes yes -CHECK_SHADOW no no no yes yes yes -TTY_WARN no no no no yes yes -MAIL_WARN no no no yes yes yes 
-SYSLOG_WARN no no yes yes yes yes -RPM_CHECK no no no yes yes yes -CHKROOTKIT_CHECK no no no yes yes yes - -These variables are configured by the user: - -MAIL_USER the user to send the dayly reports. If not set, the email is -sent to root. - -PERM_LEVEL is used to determine which file to use to fix -permissions/owners/groups (from /usr/share/msec/perm.$PERM_LEVEL). If -not set, the SECURE_LEVEL is used instead. If the file -/etc/security/msec/perm.local exists, it's used too. The syntax for -each line if the following: - -<file specification> <owner> <permission> [force] - -<file specification> can be any glob to specify one or multiple -files/diretories. - -<owner> must be in the form <user>.<group> or <user>. (force only -user) or .<group> (force only group) or current (keep current user and -group). - -<permission> is an octal number representing the access rights or -current to keep the current permissions. - -If force is present as a 4th argument, it means that msec will enforce -the permission even if the previous permission was lower. +msec(0.60.1) msec(0.60.1) + + + +NAME + msec - Mandriva Linux security tools + +SYNOPSIS + msec [options] + msecperms [options] + msecgui [options] + +DESCRIPTION + msec is responsible to maintain system security in Mandriva. It sup‐ + ports different security configurations, which can be organized into + several security levels. Currently, three preconfigured security levels + are provided: + + + none this level aims to provide the most basic security. It should be + used when you want to manage all aspects of system security on + your own. + + + default + this is the default security level, which configures a reason‐ + ably safe set of security features. It activates several peri‐ + odic system checks, and sends the results of their execution by + email (by default, the local 'root' account is used). 
+ + + secure this level is configured to provide maximum system security, + even at the cost of limiting the remote access to the system, + and local user permissions. It also runs a wider set of periodic + checks, enforces the local password settings, and periodically + checks if the system security settings, configured by msec, were + modified directly or by some other application. + + + + The security settings are stored in /etc/security/msec/security.conf + file, and default settings for each predefined level are stored in + /etc/security/msec/level.LEVEL. Permissions for files and directories + that should be enforced or checked for changes are stored in /etc/secu‐ + rity/msec/perms.conf, and default permissions for each predefined level + are stored in /etc/security/msec/perm.LEVEL. Note that user-modified + parameters take precedence over default level settings. For example, + when default level configuration forbids direct root logins, this set‐ + ting can be overridden by the user. + + + + The following options are supported by msec applications: + + + msec: + + + This is the console version of msec. It is responsible for system secu‐ + rity configuration and checking and transitions between security lev‐ + els. + + When executed without parameters, msec will read the system configura‐ + tion file (/etc/security/msec/security.conf), and enforce the specified + security settings. The operations are logged to /var/log/msec.log file, + and also to syslog, using LOG_AUTHPRIV facility. Please note that msec + should by run as root. + + -h, --help + This option will display the list of supported command line + options. + + -l, --level <level> + List the default configuration for given security level. + + -f, --force <level> + Apply the specified security level to the system, overwritting all + local changes. This is necessary to initialize a security level, either + on first install, on when a change to a different level is required. 
+ + -d + Enable debugging messages. + + -p, --pretend + Verify the actions that will be performed by msec, without actually + doing anything to the system. In this mode of operation, msec performs + all the required tasks, except effectively writting data back to disk. + + + msecperms: + + + This application is responsible for system permission checking and + enforcements. + + When executed without parameters, msecperms will read the permissions + configuration file (/etc/security/msec/perms.conf), and enforce the + specified security settings. The operations are logged to + /var/log/msec.log file, and also to syslog, using LOG_AUTHPRIV facil‐ + ity. Please note that msecperms should by run as root. + + -h, --help + This option will display the list of supported command line + options. + + -l, --level <level> + List the default configuration for given security level. + + -f, --force <level> + Apply the specified security level to the system, overwritting all + local changes. This is necessary to initialize a security level, either + on first install, on when a change to a different level is required. + + -e, --enforce + Enforce the default permissions on all files. + + -d + Enable debugging messages. + + -p, --pretend + Verify the actions that will be performed by msec, without actually + doing anything to the system. In this mode of operation, msec performs + all the required tasks, except effectively writting data back to disk. + + + msecgui: + + + This is the GTK version of msec. It acts as frontend to all msec func‐ + tionalities. + + -h, --help + This option will display the list of supported command line + options. + + -d + Enable debugging messages. + + +SECURITY OPTIONS + The following security options are supported by msec: + + + + + enable_dns_spoofing_protection + Enable/Disable name resolution spoofing protection. If alert is + true, also reports to syslog. 
+ + MSEC parameter: ENABLE_IP_SPOOFING_PROTECTION + + Accepted values: yes, no + + + + mail_empty_content + Enables sending of empty mail reports. + + MSEC parameter: MAIL_EMPTY_CONTENT + + Accepted values: yes, no + + + + accept_broadcasted_icmp_echo + Accept/Refuse broadcasted icmp echo. + + MSEC parameter: ACCEPT_BROADCASTED_ICMP_ECHO + + Accepted values: yes, no + + + + allow_xserver_to_listen + The argument specifies if clients are authorized to connect to the + X server on the tcp port 6000 or not. + + MSEC parameter: ALLOW_XSERVER_TO_LISTEN + + Accepted values: yes, no + + + + check_chkrootkit + Enables checking for known rootkits using chkrootkit. + + MSEC parameter: CHECK_CHKROOTKIT + + Accepted values: yes, no + + + + check_suid_root + Enables checking for additions/removals of suid root files. + + MSEC parameter: CHECK_SUID_ROOT + + Accepted values: yes, no + + + + enable_at_crontab + Enable/Disable crontab and at for users. Put allowed users in + /etc/cron.allow and /etc/at.allow (see man at(1) and crontab(1)). + + MSEC parameter: ENABLE_AT_CRONTAB + + Accepted values: yes, no + + + + accept_bogus_error_responses + Accept/Refuse bogus IPv4 error messages. + + MSEC parameter: ACCEPT_BOGUS_ERROR_RESPONSES + + Accepted values: yes, no + + + + check_suid_md5 + Enables checksum verification for suid files. + + MSEC parameter: CHECK_SUID_MD5 + + Accepted values: yes, no + + + + mail_user + Defines email to receive security notifications. + + MSEC parameter: MAIL_USER + + Accepted values: * + + + + allow_autologin + Allow/Forbid autologin. + + MSEC parameter: ALLOW_AUTOLOGIN + + Accepted values: yes, no + + + + enable_pam_wheel_for_su + Enabling su only from members of the wheel group or allow su from + any user. + + MSEC parameter: ENABLE_PAM_WHEEL_FOR_SU + + Accepted values: yes, no + + + + create_server_link + Creates the symlink /etc/security/msec/server to point to + /etc/security/msec/server.<SERVER_LEVEL>. 
The /etc/secu‐ + rity/msec/server is used by chkconfig --add to decide to add a ser‐ + vice if it is present in the file during the installation of pack‐ + ages. + + MSEC parameter: CREATE_SERVER_LINK + + Accepted values: no, default, secure + + + + set_shell_timeout + Set the shell timeout. A value of zero means no timeout. + + MSEC parameter: SHELL_TIMEOUT + + Accepted values: * + + + + check_shadow + Enables checking for empty passwords. + + MSEC parameter: CHECK_SHADOW + + Accepted values: yes, no + + + + enable_password + Use password to authenticate users. Take EXTREMELY care when dis‐ + abling passwords, as it will leave the machine COMPLETELY vulnera‐ + ble. + + MSEC parameter: ENABLE_PASSWORD + + Accepted values: yes, no + + + + set_win_parts_umask + Set umask option for mounting vfat and ntfs partitions. A value of + None means default umask. + + MSEC parameter: WIN_PARTS_UMASK + + Accepted values: no, * + + + + check_open_port + Enables checking for open network ports. + + MSEC parameter: CHECK_OPEN_PORT + + Accepted values: yes, no + + + + enable_log_strange_packets + Enable/Disable the logging of IPv4 strange packets. + + MSEC parameter: ENABLE_LOG_STRANGE_PACKETS + + Accepted values: yes, no + + + + check_rpm + Enables verification of installed packages. + + MSEC parameter: CHECK_RPM + + Accepted values: yes, no + + + + enable_pam_root_from_wheel + Allow root access without password for the members of the wheel + group. + + MSEC parameter: ENABLE_PAM_ROOT_FROM_WHEEL + + Accepted values: yes, no + + + + mail_warn + Enables security results submission by email. + + MSEC parameter: MAIL_WARN + + Accepted values: yes, no + + + + password_length + Set the password minimum length and minimum number of digit and + minimum number of capitalized letters. + + MSEC parameter: PASSWORD_LENGTH + + Accepted values: * + + + + set_root_umask + Set the root umask. 
+ + MSEC parameter: ROOT_UMASK + + Accepted values: * + + + + check_sgid + Enables checking for additions/removals of sgid files. + + MSEC parameter: CHECK_SGID + + Accepted values: yes, no + + + + check_promisc + Activate/Disable ethernet cards promiscuity check. + + MSEC parameter: CHECK_PROMISC + + Accepted values: yes, no + + + + allow_x_connections + Allow/Forbid X connections. Accepted arguments: yes (all connec‐ + tions are allowed), local (only local connection), no (no connec‐ + tion). + + MSEC parameter: ALLOW_X_CONNECTIONS + + Accepted values: yes, no, local + + + + check_writable + Enables checking for files/directories writable by everybody. + + MSEC parameter: CHECK_WRITABLE + + Accepted values: yes, no + + + + enable_console_log + Enable/Disable syslog reports to console 12. expr is the expression + describing what to log (see syslog.conf(5) for more details) and + dev the device to report the log. + + MSEC parameter: ENABLE_CONSOLE_LOG + + Accepted values: yes, no + + + + enable_ip_spoofing_protection + Enable/Disable IP spoofing protection. + + MSEC parameter: ENABLE_DNS_SPOOFING_PROTECTION + + Accepted values: yes, no + + + + check_perms + Enables permission checking in users' home. + + MSEC parameter: CHECK_PERMS + + Accepted values: yes, no + + + + set_shell_history_size + Set shell commands history size. A value of -1 means unlimited. + + MSEC parameter: SHELL_HISTORY_SIZE + + Accepted values: * + + + + allow_reboot + Allow/Forbid system reboot and shutdown to local users. + + MSEC parameter: ALLOW_REBOOT + + Accepted values: yes, no + + + + syslog_warn + Enables logging to system log. + + MSEC parameter: SYSLOG_WARN + + Accepted values: yes, no + + + + check_shosts + Enables checking for dangerous options in users' .rhosts/.shosts + files. + + MSEC parameter: CHECK_SHOSTS + + Accepted values: yes, no + + + + check_passwd + Enables password-related checks, such as empty passwords and + strange super-user accounts. 
+ + MSEC parameter: CHECK_PASSWD + + Accepted values: yes, no + + + + password_history + Set the password history length to prevent password reuse. This is + not supported by pam_tcb. + + MSEC parameter: PASSWORD_HISTORY + + Accepted values: * + + + + check_security + Enables daily security checks. + + MSEC parameter: CHECK_SECURITY + + Accepted values: yes, no + + + + allow_root_login + Allow/Forbid direct root login. + + MSEC parameter: ALLOW_ROOT_LOGIN + + Accepted values: yes, no + + + + check_unowned + Enables checking for unowned files. + + MSEC parameter: CHECK_UNOWNED + + Accepted values: yes, no + + + + allow_user_list + Allow/Forbid the list of users on the system on display managers + (kdm and gdm). + + MSEC parameter: ALLOW_USER_LIST + + Accepted values: yes, no + + + + allow_remote_root_login + Allow/Forbid remote root login via sshd. You can specify yes, no + and without-password. See sshd_config(5) man page for more informa‐ + tion. + + MSEC parameter: ALLOW_REMOTE_ROOT_LOGIN + + Accepted values: yes, no, without_password + + + + enable_msec_cron + Enable/Disable msec hourly security check. + + MSEC parameter: ENABLE_MSEC_CRON + + Accepted values: yes, no + + + + enable_sulogin + Enable/Disable sulogin(8) in single user level. + + MSEC parameter: ENABLE_SULOGIN + + Accepted values: yes, no + + + + allow_xauth_from_root + Allow/forbid to export display when passing from the root account + to the other users. See pam_xauth(8) for more details. + + MSEC parameter: ALLOW_XAUTH_FROM_ROOT + + Accepted values: yes, no + + + + set_user_umask + Set the user umask. + + MSEC parameter: USER_UMASK + + Accepted values: * + + + + accept_icmp_echo + Accept/Refuse icmp echo. + + MSEC parameter: ACCEPT_ICMP_ECHO + + Accepted values: yes, no + + + + authorize_services + Configure access to tcp_wrappers services (see hosts.deny(5)). If + arg = yes, all services are authorized. If arg = local, only local + ones are, and if arg = no, no services are authorized. 
In this + case, To authorize the services you need, use /etc/hosts.allow (see + hosts.allow(5)). + + MSEC parameter: AUTHORIZE_SERVICES + + Accepted values: yes, no, local + + + + tty_warn + Enables periodic security check results to terminal. + + MSEC parameter: TTY_WARN + + Accepted values: yes, no + + +NOTES + Msec applications must be run by root. + +AUTHORS + Frederic Lepied <flepied@mandriva.com> + + Eugeni Dodonov <eugeni@mandriva.com> + + + + +Mandriva Linux msec msec(0.60.1) |