-rwxr-xr-xinit-sh/custom.sh395
-rwxr-xr-xinit-sh/file_perm.sh18
-rwxr-xr-xinit-sh/grpuser.sh195
-rwxr-xr-xinit-sh/level0.sh100
-rwxr-xr-xinit-sh/level1.sh101
-rwxr-xr-xinit-sh/level2.sh102
-rwxr-xr-xinit-sh/level3.sh103
-rwxr-xr-xinit-sh/level4.sh155
-rwxr-xr-xinit-sh/level5.sh178
-rwxr-xr-xinit-sh/levelsnf.sh160
-rw-r--r--init-sh/lib.sh410
-rw-r--r--init-sh/lib.sh.usermode355
-rwxr-xr-xinit-sh/msec47
13 files changed, 0 insertions, 2319 deletions
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
deleted file mode 100755
index b22f96f..0000000
--- a/init-sh/custom.sh
+++ /dev/null
@@ -1,395 +0,0 @@
-#!/bin/bash
-
-#
-# Security level implementation...
-# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
-#
-# Thanks to :
-# - Bryan Paxton.
-# - Thomas Poindessous.
-# for their contributions.
-#
-
-###
-clear
-echo "This script allows you to customize the security on your system."
-echo "If you feel at all you don't know what you're doing abort now!!!"
-# can't use ctrl-c, we trap all signal.
-echo -n "continue [yes/no] : "
-read answer;
-
-if [[ ${answer} != yes ]]; then
- exit 1
-fi
-
-if [[ -f /usr/share/msec/lib.sh ]]; then
- . /usr/share/msec/lib.sh
-else
- echo "Can't find /usr/share/msec/lib.sh, exiting."
- exit 1
-fi
-
-clear
-
-WRITE_CRON="false"
-
-###
-
-echo "Do you want to only allow ctrl-alt-del if root is logged locally ?"
-echo "( or if an user present in /etc/shutdown.allow is logged locally )"
-WaitAnswer; clear
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-if [[ ${answer} == yes ]]; then
- cat ${tmpfile} | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
-else
- cat ${tmpfile} | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
-fi
-rm -f ${tmpfile}
-
-###
-echo "Do you want to deny any machine to connect to yours ?"
-WaitAnswer
-if [[ ${answer} == yes ]]; then
- echo "Do you want only localhost to be allowed ?"
- WaitAnswer; clear
- if [[ ${answer} == yes ]]; then
- AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny
- else
- AddRules "ALL:ALL:DENY" /etc/hosts.deny
- fi
-fi
-
-###
-echo "Do you want root console login to be allowed ?"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- AddRules "tty1" /etc/securetty quiet
- AddRules "tty2" /etc/securetty quiet
- AddRules "tty3" /etc/securetty quiet
- AddRules "tty4" /etc/securetty quiet
- AddRules "tty5" /etc/securetty quiet
- AddRules "tty6" /etc/securetty
- AddRules "vc/1" /etc/securetty quiet
- AddRules "vc/2" /etc/securetty quiet
- AddRules "vc/3" /etc/securetty quiet
- AddRules "vc/4" /etc/securetty quiet
- AddRules "vc/5" /etc/securetty quiet
- AddRules "vc/6" /etc/securetty
-fi
-###
-
-if [[ -f /lib/libsafe.so.2 ]]; then
-echo "Do you want to enable the libsafe stack overflow protection ?"
-echo "This stack overflow protection work by catching dangerous function call"
-echo "like strcpy, strcat, getwd, gets, [vf]scanf, realpath, [v]sprintf"
-echo "and verify the address & the size of the destination buffer in the stack"
-echo "this is done by searching in the stack frame the one which contain the"
-echo "destination address, and by substracting the frame address to the destination buffer one"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- AddRules "/lib/libsafe.so.2" /etc/ld.so.preload
-fi
-fi
-
-###
-echo "Do you want your system to daily check important security problem ?"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf
- WRITE_CRON="true"
-fi
-
-###
-echo "Do you want your system to daily check new open port listening ?"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf
- WRITE_CRON="true"
-fi
-
-###
-echo "Do you want your system to check for grave permission problem on sensibles files ?"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf
- WRITE_CRON="true"
-fi
-
-###
-echo "Do you want your system to daily check SUID Root file change ?"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
- WRITE_CRON="true"
-fi
-
-###
-echo "Do you want your system to daily check suid files md5 checksum changes ?"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf
- WRITE_CRON="true"
-fi
-
-###
-echo "Do you want your system to daily check SUID Group file change ?"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
- WRITE_CRON="true"
-fi
-
-###
-echo "Do you want your system to daily check Writable file change ?"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf
- WRITE_CRON="true"
-fi
-
-###
-echo "Do you want your system to daily check Unowned file change ?"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
- WRITE_CRON="true"
-fi
-
-###
-echo "Do you want your system to verify every minutes if a network interface"
-echo "is in promiscuous state (which mean someone is probably running a sniffer on your machine ) ?"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf
- AddRules "*/1 * * * * root nice --adjustment=+19 /usr/share/msec/promisc_check.sh" /etc/crontab
-fi
-###
-
-echo "Do you want security report to be done directly on the console ?"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- AddRules "TTY_WARN=yes" /etc/security/msec/security.conf
-else
- AddRules "TTY_WARN=no" /etc/security/msec/security.conf
-fi
-###
-
-echo "Do you want security report to be done in syslog ?"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
-else
- AddRules "SYSLOG_WARN=no" /etc/security/msec/security.conf
-fi
-###
-
-echo "Do you want security report to be done by mail ?"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf
- AddRules "MAIL_USER=root" /etc/security/msec/security.conf
-else
- AddRules "MAIL_WARN=no" /etc/security/msec/security.conf
-fi
-###
-
-if [[ ${WRITE_CRON} == "true" ]]; then
- AddRules "0 4 * * * root /usr/share/msec/security.sh" /etc/crontab
-fi
-
-LoaderUpdate;
-
-###
-clear
-echo "Do you want to disable your running server ( except those specified in /etc/security/msec/server.4 )"
-echo "This is only valuable for server installed with rpm."
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- echo -n "Disabling all service, except : {"
- chkconfig --list | awk '{print $1}' | while read service; do
- if grep -qx ${service} /etc/security/msec/server.4; then
- echo -n " ${service}"
- fi
- done
- echo " } : "
-
- chkconfig --list | awk '{print $1}' | while read service; do
- chkconfig --del "${service}"
- if ! chkconfig --msec --add "${service}"; then
- echo -e "\t- Services ${service} is now disabled."
- fi
- done
- echo -e "done.\n";
-fi
-
-###
-echo "Do you want to disallow rpm to automatically enable a new installed server for run on next reboot ?"
-echo "yes = you will need to chkconfig (--add ) servername for the server to run on boot."
-echo "no = rpm will do it for you, but you have less control of what is running on your machine."
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- export SECURE_LEVEL=4
- echo "Setting secure level variable to 4 :"
- AddRules "SECURE_LEVEL=4" /etc/sysconfig/msec
-else
- AddRules "SECURE_LEVEL=3" /etc/sysconfig/msec
-fi
-
-###
-echo "Do you want an easy, normal, restricted, or paranoid umask ?"
-echo "easy ( 002 ) = user = rwx, group = rwx, other = rx"
-echo "normal ( 022 ) = user = rwx, group = rx, other = rx"
-echo "restricted ( for users ) ( 077 ) = user = rwx, group =, other ="
-echo "restricted ( for root ) ( 022 ) = user = rwx, = group = rx, other = rx"
-echo "paranoid ( 077 ) = user = rwx, group = , other ="
-answer="nothing"
-while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != "restricted" && "${answer}" != "paranoid" ]]; do
- echo -n "easy/normal/restricted/paranoid : "
- read answer
-done
-case "${answer}" in
- "easy")
- echo "Setting umask to 022 (u=rw,g=r,o=r) :"
- AddRules "UMASK_ROOT=022" /etc/sysconfig/msec
- AddRules "UMASK_USER=022" /etc/sysconfig/msec
-
- ;;
- "normal")
- echo "Setting umask to 022 (u=rw,g=r,o=r) :"
- AddRules "UMASK_ROOT=022" /etc/sysconfig/msec
- AddRules "UMASK_USER=022" /etc/sysconfig/msec
- ;;
- "restricted")
- echo "Setting umask to 022 (u=rw,g=rx) for root, 077 (u=rw) for user :"
- AddRules "UMASK_ROOT=022" /etc/sysconfig/msec
- AddRules "UMASK_USER=077" /etc/sysconfig/msec
- ;;
- "paranoid")
- AddRules "UMASK_ROOT=077" /etc/sysconfig/msec
- AddRules "UMASK_USER=077" /etc/sysconfig/msec
- ;;
-esac
-
-###
-
-echo "Do you want easy, normal, restricted, or paranoid permission ?"
-answer="nothing"
-while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != "restricted" && "${answer}" != "paranoid" ]]; do
- echo -n "easy/normal/restricted/paranoid : "
- read answer
-done
-case "${answer}" in
- "easy")
- /usr/share/msec/file_perm.sh /etc/security/msec/perm.2
- ;;
- "normal")
- /usr/share/msec/file_perm.sh /etc/security/msec/perm.3
- ;;
- "restricted")
- /usr/share/msec/file_perm.sh /etc/security/msec/perm.4
- ;;
- "paranoid")
- /usr/share/msec/file_perm.sh /etc/security/msec/perm.5
- ;;
-esac
-
-#Logging
-clear
-echo "Would you like set to up additional logging ?"
-echo "Logging will still go to its respected places in /var/log as well."
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- echo "Would you like all system events to be logged on a specific tty ?"
- echo "please answer by \"no\" or the tty number."
- echo -n "no/ttynumber :"
- read answer
- if [[ ${answer} != no && ${anwer} != yes ]]; then
- AddRules "*.* /dev/tty${answer}" /etc/syslog.conf
- fi
-
- echo
- echo "Would you like for auth and warnings to a specific tty ?"
- echo "please answer by \"no\" or the tty number."
- echo -n "no/ttynumber :"
- read answer
- if [[ ${answer} != no && ${anwer} != yes ]]; then
- AddRules "authpriv.* /dev/tty${answer}" /etc/syslog.conf
- fi
-
- echo
- echo "Would you like kernel logging to go on a specific tty ?"
- echo "please answer by \"no\" or the tty number."
- echo -n "no/ttynumber :"
- read answer
- if [[ ${answer} != no && ${anwer} != yes ]]; then
- AddRules "kern.* /dev/tty${answer}" /etc/syslog.conf
- fi
-
- echo
- echo "Would you like mail logging to a specific tty ?"
- echo "This is only useful if you're running a mail server."
- echo "please answer by \"no\" or the tty number."
- echo -n "no/ttynumber :"
- read answer
- if [[ ${answer} != no && ${anwer} != yes ]]; then
- AddRules "mail.* /dev/tty${answer}" /etc/syslog.conf
- fi
-
- /etc/rc.d/init.d/syslog restart >& /dev/null
-fi
-
-clear
-
-###
-clear
-echo "We can setup your system to log who does what commands and when..."
-echo "May we set up proccess accounting ?"
-echo "The log file (/var/log/security/psacct.log) will get filled up VERY quickly..."
-echo "You need the psacct package."
-WaitAnswer;
-
-if [[ ${answer} == yes ]]; then
- AddRules "touch /var/log/security/pacct.log" /etc/rc.d/rc.local
- AddRules "/sbin/accton /var/log/security/pacct.log" /etc/rc.d/rc.local
- AddRules "/var/log/security/pacct.log {" /etc/logrotate.conf
- AddRules " postrotate" /etc/logrotate.conf
- AddRules " /sbin/accton /var/log/security/pacct.log" /etc/logrotate.conf
- AddRules " }" /etc/logrotate.conf
- touch /var/log/security/pacct.log
- chown root.root /var/log/security/pacct.log
- chmod 600 /var/log/security/pacct.log
- /sbin/accton /var/log/security/pacct.log
-fi
-
-### Pam
-clear
-
-dfsize=40000
-echo "We help prevent certain types of DoS attacks through the use of PAM(Pluggable Authentication Modules.)"
-echo "By setting a limit on how big user files may get and how many processes a user may run."
-
-echo "Would you like to set up some PAM configuration ?"
-WaitAnswer; clear
-if [[ ${answer} == yes ]]; then
- AddRules "# Limit user processes" /etc/security/limits.conf
- AddRules "* soft nproc 100" /etc/security/limits.conf
- AddRules "* hard nproc 150" /etc/security/limits.conf
-
- echo "Would you like to set a maximum file size a user is allowed ?"
- WaitAnswer; clear
- if [[ ${answer} == yes ]]; then
- echo "What shall be the maximum file size(default is $(dfsize))"
- echo -n "Size : "
- read fsize
- if [[ -z ${fsize} ]]; then
- AddRules "# limits size of any one of users' files" /etc/security/limits.conf
- AddRules "* hard $dfsize" /etc/security/limits.conf
- else
- AddRules "# limits size of any one of users' files" /etc/security/limits.conf
- AddRules "* hard $fsize" /etc/security/limits.conf
- fi
- fi
-fi
diff --git a/init-sh/file_perm.sh b/init-sh/file_perm.sh
deleted file mode 100755
index f69b222..0000000
--- a/init-sh/file_perm.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-
-if [[ ! -s $1 ]]; then
- echo "I need a msec permfile in argument".
- exit 1
-fi
-
-echo -n "Setting files permissions : "
-
-grep -v "^#" $1 | while read file owner perm; do
- if [[ ${owner} != current ]]; then
- chown ${owner} ${file} >& /dev/null
- fi
- chmod ${perm} ${file} >& /dev/null
-done
-
-echo "done."
-
diff --git a/init-sh/grpuser.sh b/init-sh/grpuser.sh
deleted file mode 100755
index 31b6996..0000000
--- a/init-sh/grpuser.sh
+++ /dev/null
@@ -1,195 +0,0 @@
-#!/bin/bash
-
-#
-# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
-# Thanks to Francis Galiegue.
-#
-
-file="group"
-group_line=""
-new_group_line=""
-group_name=$2
-user_name=$3
-
-Usage() {
- echo "Usage :"
- echo " --clean ---> Remove all group change."
- echo " --refresh ---> Read group name in /etc/security/msec/group.conf"
- echo " and add each user in /etc/security/msec/user.conf"
- echo " in these groups ( if security level is <= 2 )"
-}
-
-ModifyFile() {
- tmpfile=`mktemp /tmp/grpuser.XXXXXX`
- cp /etc/${file} ${tmpfile}
-
- head -$((group_line_number - 1)) ${tmpfile} > /etc/${file}
- echo "${new_group_line}" >> /etc/${file}
- tail +$((group_line_number + 1)) ${tmpfile} >> /etc/${file}
-
- rm -f ${tmpfile}
-}
-
-RemoveUserFromGroup() {
- new_group_line=${group}`echo ${group_users} |
- sed -e s/,${user_name}$//g -e s/${user_name},//g -e s/${user_name}$//g`
-}
-
-AppendUserToGroup() {
- if [[ -z ${group_users} ]]; then
- new_group_line=${group_line}${user_name}
- else
- new_group_line=${group_line}",${user_name}"
- fi
-}
-
-IsUserAlreadyInGroup() {
- if echo ${group_users} | grep -qw "${user_name}"; then
- return 0
- fi
-
- return 1
-}
-
-IsGroupExisting() {
- group_line=""
- group_line_number=""
-
- # We get some group infos as well, will be used later
- tmp=`grep -n "^${group_name}:" /etc/${file} | tr -d " "`
-
- group_line_number=`echo ${tmp} | awk -F: '{print $1}'`
- group=`echo ${tmp} | awk -F: '{print $2":"$3":"$4":"}'`
- group_users=`echo ${tmp} | awk -F: '{print $5}'`
- group_line=`echo ${tmp} | awk -F: '{print $2":"$3":"$4":"$5}'`
-
- [ -z "${tmp}" ] && return 1
-
- return 0
-}
-
-IsUserExisting() {
- grep -qn "^${user_name}:" /etc/passwd
- if [[ $? == 0 ]]; then
- return 0;
- fi
-
- return 1;
-}
-
-RefreshAdd() {
- if [[ ${SECURE_LEVEL} == 3 || ${SECURE_LEVEL} == 4 || ${SECURE_LEVEL} == 5 || ${SECURE_LEVEL} == snf ]]; then
- echo "You are in a secure level > 2, in this level you need to add group user by yourself."
- echo "Use the command : usermod -G group_name user_name"
- exit 1;
- fi
-
- cat /etc/security/msec/group.conf | grep -v "^$" | while read group_name; do
- IsGroupExisting;
- if [[ $? != 0 ]]; then
- echo "Group \"${group_name}\" doesn't exist. skiping it."
- else
- cat /etc/security/msec/user.conf | grep -v "^$" | while read user_name; do
- IsUserExisting;
- if [[ $? != 0 ]]; then
- # user doesn't exist
- echo "Can't add user \"${user_name}\" to group \"${group_name}\" user doesn't exist. skiping."
- IsUserAlreadyInGroup;
- if [[ $? == 0 ]]; then
- #User doesn't exist but is in a group... delete user from this group.
- IsGroupExisting;
- RemoveUserFromGroup;
- ModifyFile;
- fi
- else
- echo "Adding user \"${user_name}\" to group \"${group_name}\"."
- IsGroupExisting;
- IsUserAlreadyInGroup;
- if [[ $? == 1 ]]; then
- AppendUserToGroup;
- ModifyFile;
- fi
- fi
- done
- fi
- done
-}
-
-RefreshDel() {
- cat /etc/security/msec/group.conf | grep -v "^$" | while read group_name; do
- IsGroupExisting;
- if [[ $? != 0 ]]; then
- echo "Group \"${group_name}\" doesn't exist. skiping it."
- else
- cat /etc/security/msec/user.conf | grep -v "^$" | while read user_name; do
- IsGroupExisting; # We need some variable at each turn.
- IsUserAlreadyInGroup;
- if [[ $? == 0 ]]; then
- echo "Removing \"${user_name}\" from group \"${group_name}\"."
- RemoveUserFromGroup;
- ModifyFile;
- fi
- done
- fi
- done
-}
-
-
-
-Perm() {
- if [[ ${UID} != 0 ]]; then
- echo "You need root access to use this tool."
- echo "And this script shouldn't be used by users."
- exit 1
- fi
-
- if [[ ! -w /etc/${file} ]]; then
- echo "You're not allowed to write to /etc/group..."
- exit 1
- fi
-
- if [[ ! -f /etc/security/msec/group.conf ]]; then
- echo "/etc/security/msec/group.conf doesn't exist..."
- exit 1
- fi
-
- if [[ ! -f /etc/security/msec/user.conf ]]; then
- echo "/etc/security/msec/user.conf doesn't exist..."
- exit 1
- fi
-}
-
-if [[ $# == 1 ]]; then
- case $1 in
- "--refresh")
- Perm;
- RefreshAdd;
- exit 0
- ;;
- "--clean")
- Perm;
- RefreshDel;
- exit 0
- ;;
- esac
- Usage;
- exit 0
-else
- Usage;
-fi
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/init-sh/level0.sh b/init-sh/level0.sh
deleted file mode 100755
index b893546..0000000
--- a/init-sh/level0.sh
+++ /dev/null
@@ -1,100 +0,0 @@
-#!/bin/bash
-
-#
-# Security level implementation...
-# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
-#
-
-
-if [[ -f /usr/share/msec/lib.sh ]]; then
- . /usr/share/msec/lib.sh
-else
- echo "Can't find /usr/share/msec/lib.sh, exiting."
- exit 1
-fi
-
-# login as root on console granted...
-echo "Login as root is granted :"
-AddRules "tty1" /etc/securetty quiet
-AddRules "tty2" /etc/securetty quiet
-AddRules "tty3" /etc/securetty quiet
-AddRules "tty4" /etc/securetty quiet
-AddRules "tty5" /etc/securetty quiet
-AddRules "tty6" /etc/securetty
-AddRules "vc/1" /etc/securetty quiet
-AddRules "vc/2" /etc/securetty quiet
-AddRules "vc/3" /etc/securetty quiet
-AddRules "vc/4" /etc/securetty quiet
-AddRules "vc/5" /etc/securetty quiet
-AddRules "vc/6" /etc/securetty
-
-# Security check
-echo "Updating file check variable : "
-echo -e "\t- Check security : no."
- AddRules "CHECK_SECURITY=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check important permissions : no."
- AddRules "CHECK_PERMS=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid root file : no."
- AddRules "CHECK_SUID_ROOT=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid root file integrity (backdoor check) : no."
- AddRules "CHECK_SUID_MD5=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid group file : no."
- AddRules "CHECK_SUID_GROUP=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check world writable file : no."
- AddRules "CHECK_WRITEABLE=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check unowned file : no."
- AddRules "CHECK_UNOWNED=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check promiscuous mode : no."
- AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check listening port : no."
- AddRules "CHECK_OPEN_PORT=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check passwd file integrity : no."
- AddRules "CHECK_PASSWD=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check shadow file integrity : no."
- AddRules "CHECK_SHADOW=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning on tty : no."
- AddRules "TTY_WARN=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning by mail : no."
- AddRules "MAIL_WARN=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning in syslog : no."
- AddRules "SYSLOG_WARN=no" /etc/security/msec/security.conf
-# end security check
-
-export SECURE_LEVEL=0
-echo "Setting secure level variable to 0 :"
-AddRules "SECURE_LEVEL=0" /etc/sysconfig/msec
-
-echo "Setting umask to 022 (u=rw,g=r,o=r) :"
-AddRules "UMASK_ROOT=022" /etc/sysconfig/msec
-AddRules "UMASK_USER=022" /etc/sysconfig/msec
-
-# Xserver
-echo "Allowing users to connect X server from everywhere :"
-AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xinit.d/msec quiet
-
-# Group
-echo "Adding system users to specific groups :"
-/usr/share/msec/grpuser.sh --refresh
-echo -e "done.\n"
-
-# icmp echo
-echo "Enabling icmp echo :"
-AddRules "net.ipv4.icmp_echo_ignore_all=0" /etc/sysctl.conf
-AddRules "net.ipv4.icmp_echo_ignore_broadcasts=0" /etc/sysctl.conf
-
-# bad error
-echo "Disabling bad error message Protection :"
-AddRules "net.ipv4.icmp_ignore_bogus_error_responses=0" /etc/sysctl.conf
-
-# log strange packets
-echo "Disabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :"
-AddRules "net.ipv4.conf.all.log_martians=0" /etc/sysctl.conf
-
-LoadSysctl
-
-AllowAutologin
-
-# Boot on a shell / authorize ctrl-alt-del
-AllowReboot
-AllowUserList
-RootSshLogin 0
diff --git a/init-sh/level1.sh b/init-sh/level1.sh
deleted file mode 100755
index ce6b2d7..0000000
--- a/init-sh/level1.sh
+++ /dev/null
@@ -1,101 +0,0 @@
-#!/bin/bash
-
-#
-# Security level implementation...
-# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
-#
-
-
-if [[ -f /usr/share/msec/lib.sh ]]; then
- . /usr/share/msec/lib.sh
-else
- echo "Can't find /usr/share/msec/lib.sh, exiting."
- exit 1
-fi
-
-# login as root on console granted...
-echo "Login as root is granted :"
-AddRules "tty1" /etc/securetty quiet
-AddRules "tty2" /etc/securetty quiet
-AddRules "tty3" /etc/securetty quiet
-AddRules "tty4" /etc/securetty quiet
-AddRules "tty5" /etc/securetty quiet
-AddRules "tty6" /etc/securetty
-AddRules "vc/1" /etc/securetty quiet
-AddRules "vc/2" /etc/securetty quiet
-AddRules "vc/3" /etc/securetty quiet
-AddRules "vc/4" /etc/securetty quiet
-AddRules "vc/5" /etc/securetty quiet
-AddRules "vc/6" /etc/securetty
-
-# Security check
-echo "Updating file check variable : "
-echo -e "\t- Check security : yes."
- AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check important permissions : no."
- AddRules "CHECK_PERMS=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid root file : no."
- AddRules "CHECK_SUID_ROOT=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid root file integrity (backdoor check) : no."
- AddRules "CHECK_SUID_MD5=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid group file : no."
- AddRules "CHECK_SUID_GROUP=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check world writable file : no."
- AddRules "CHECK_WRITABLE=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check unowned file : no."
- AddRules "CHECK_UNOWNED=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check promiscuous mode : no."
- AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check listening port : no."
- AddRules "CHECK_OPEN_PORT=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check passwd file integrity : no."
- AddRules "CHECK_PASSWD=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check shadow file integrity : no."
- AddRules "CHECK_SHADOW=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning on tty : no."
- AddRules "TTY_WARN=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning by mail : no."
- AddRules "MAIL_WARN=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning in syslog : no."
- AddRules "SYSLOG_WARN=no" /etc/security/msec/security.conf
-# end security check
-
-export SECURE_LEVEL=1
-echo "Setting secure level variable to 1 :"
-AddRules "SECURE_LEVEL=1" /etc/sysconfig/msec
-
-echo "Setting umask to 022 (u=rw,g=r,o=r) :"
-AddRules "UMASK_ROOT=022" /etc/sysconfig/msec
-AddRules "UMASK_USER=022" /etc/sysconfig/msec
-
-# Xserver
-echo "Allowing users to connect X server from localhost :"
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit.d/msec
-
-# Group
-echo "Adding system users to specific groups :"
-/usr/share/msec/grpuser.sh --refresh
-grpconv
-echo -e "done.\n"
-
-# icmp echo
-echo "Enabling icmp echo :"
-AddRules "net.ipv4.icmp_echo_ignore_all=0" /etc/sysctl.conf
-AddRules "net.ipv4.icmp_echo_ignore_broadcasts=0" /etc/sysctl.conf
-
-# bad error
-echo "Disabling bad error message Protection :"
-AddRules "net.ipv4.icmp_ignore_bogus_error_responses=0" /etc/sysctl.conf
-
-# log strange packets
-echo "Disabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :"
-AddRules "net.ipv4.conf.all.log_martians=0" /etc/sysctl.conf
-
-LoadSysctl
-
-AllowAutologin
-
-# Do not boot on a shell
-AllowReboot
-AllowUserList
-RootSshLogin 1
diff --git a/init-sh/level2.sh b/init-sh/level2.sh
deleted file mode 100755
index 8a82518..0000000
--- a/init-sh/level2.sh
+++ /dev/null
@@ -1,102 +0,0 @@
-#!/bin/bash
-
-#
-# Security level implementation...
-# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
-#
-
-
-
-if [[ -f /usr/share/msec/lib.sh ]]; then
- . /usr/share/msec/lib.sh
-else
- echo "Can't find /usr/share/msec/lib.sh, exiting."
- exit 1
-fi
-
-# login as root on console granted...
-echo "Login as root is granted :"
-AddRules "tty1" /etc/securetty quiet
-AddRules "tty2" /etc/securetty quiet
-AddRules "tty3" /etc/securetty quiet
-AddRules "tty4" /etc/securetty quiet
-AddRules "tty5" /etc/securetty quiet
-AddRules "tty6" /etc/securetty
-AddRules "vc/1" /etc/securetty quiet
-AddRules "vc/2" /etc/securetty quiet
-AddRules "vc/3" /etc/securetty quiet
-AddRules "vc/4" /etc/securetty quiet
-AddRules "vc/5" /etc/securetty quiet
-AddRules "vc/6" /etc/securetty
-
-# Security check
-echo "Updating file check variable : "
-echo -e "\t- Check security : yes."
- AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check important permissions : no."
- AddRules "CHECK_PERMS=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid root file : yes."
- AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid root file integrity (backdoor check) : yes."
- AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid group file : yes."
- AddRules "CHECK_SUID_GROUP=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check world writable file : yes."
- AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check unowned file : no."
- AddRules "CHECK_UNOWNED=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check promiscuous mode : no."
- AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check listening port : no."
- AddRules "CHECK_OPEN_PORT=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check passwd file integrity : no."
- AddRules "CHECK_PASSWD=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check shadow file integrity : no."
- AddRules "CHECK_SHADOW=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning on tty : no."
- AddRules "TTY_WARN=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning by mail : no."
- AddRules "MAIL_WARN=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning in syslog : yes."
- AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
-# end security check
-
-export SECURE_LEVEL=2
-echo "Setting secure level variable to 2 :"
-AddRules "SECURE_LEVEL=2" /etc/sysconfig/msec
-
-echo "Setting umask to 022 (u=rw,g=r,o=r) :"
-AddRules "UMASK_ROOT=022" /etc/sysconfig/msec
-AddRules "UMASK_USER=022" /etc/sysconfig/msec
-
-# Xserver
-echo "Allowing users to connect X server from localhost :"
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit.d/msec
-
-# group
-echo "Adding system users to specifics groups :"
-/usr/share/msec/grpuser.sh --refresh
-grpconv
-echo -e "done.\n"
-
-# icmp echo
-echo "Enabling icmp echo :"
-AddRules "net.ipv4.icmp_echo_ignore_all=0" /etc/sysctl.conf
-AddRules "net.ipv4.icmp_echo_ignore_broadcasts=0" /etc/sysctl.conf
-
-# bad error
-echo "Disabling bad error message Protection :"
-AddRules "net.ipv4.icmp_ignore_bogus_error_responses=0" /etc/sysctl.conf
-
-# log strange packets
-echo "Disabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :"
-AddRules "net.ipv4.conf.all.log_martians=0" /etc/sysctl.conf
-
-LoadSysctl
-
-AllowAutologin
-
-# Do not boot on a shell
-AllowReboot
-AllowUserList
-RootSshLogin 2
diff --git a/init-sh/level3.sh b/init-sh/level3.sh
deleted file mode 100755
index 83fccf8..0000000
--- a/init-sh/level3.sh
+++ /dev/null
@@ -1,103 +0,0 @@
-#!/bin/bash
-
-#
-# Security level implementation...
-# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
-#
-
-
-if [[ -f /usr/share/msec/lib.sh ]]; then
- . /usr/share/msec/lib.sh
-else
- echo "Can't find /usr/share/msec/lib.sh, exiting."
- exit 1
-fi
-
-echo "Loging all messages on tty12 : "
-AddRules "*.* /dev/tty12" /etc/syslog.conf
-
-# login as root from the console allowed
-echo "Login as root is allowed (on the console) : "
-AddRules "tty1" /etc/securetty quiet
-AddRules "tty2" /etc/securetty quiet
-AddRules "tty3" /etc/securetty quiet
-AddRules "tty4" /etc/securetty quiet
-AddRules "tty5" /etc/securetty quiet
-AddRules "tty6" /etc/securetty
-AddRules "vc/1" /etc/securetty quiet
-AddRules "vc/2" /etc/securetty quiet
-AddRules "vc/3" /etc/securetty quiet
-AddRules "vc/4" /etc/securetty quiet
-AddRules "vc/5" /etc/securetty quiet
-AddRules "vc/6" /etc/securetty
-
-# Security check
-echo "Updating file check variable : "
-echo -e "\t- Check security : yes."
- AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check important permissions : yes."
- AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid root file : yes."
- AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid root file integrity (backdoor check) : yes."
- AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid group file : yes."
- AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check world writable file : yes."
- AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check unowned file : no."
- AddRules "CHECK_UNOWNED=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check promiscuous mode : no."
- AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check listening port : yes."
- AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check passwd file integrity : yes."
- AddRules "CHECK_PASSWD=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check shadow file integrity : yes."
- AddRules "CHECK_SHADOW=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning on tty : yes."
- AddRules "TTY_WARN=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning by mail : yes."
- AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf quiet
- AddRules "MAIL_USER=root" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning in syslog : yes."
- AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
-# end security check
-
-# Crontab
-echo "Adding permission check in crontab (scheduled every midnight) :"
-AddRules "0 4 * * * root /usr/share/msec/security.sh" /etc/crontab
-
-export SECURE_LEVEL=3
-echo "Setting secure level variable to 3 :"
-AddRules "SECURE_LEVEL=3" /etc/sysconfig/msec
-
-echo "Setting umask to 022 (u=rw,g=r,o=r) :"
-AddRules "UMASK_ROOT=022" /etc/sysconfig/msec
-AddRules "UMASK_USER=022" /etc/sysconfig/msec
-
-# icmp echo
-echo "Enabling icmp echo :"
-AddRules "net.ipv4.icmp_echo_ignore_all=0" /etc/sysctl.conf
-AddRules "net.ipv4.icmp_echo_ignore_broadcasts=1" /etc/sysctl.conf
-
-# bad error
-echo "Enabling bad error message Protection :"
-AddRules "net.ipv4.icmp_ignore_bogus_error_responses=1" /etc/sysctl.conf
-
-# log strange packets
-echo "Enabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :"
-AddRules "net.ipv4.conf.all.log_martians=1" /etc/sysctl.conf
-
-LoadSysctl
-
-# Do not boot on a shell
-AllowReboot
-
-ForbidAutologin
-
-# Group were modified in lib.sh...
-grpconv
-
-AllowUserList
-RootSshLogin 3
diff --git a/init-sh/level4.sh b/init-sh/level4.sh
deleted file mode 100755
index b4d3d7a..0000000
--- a/init-sh/level4.sh
+++ /dev/null
@@ -1,155 +0,0 @@
-#!/bin/bash
-
-
-#
-# Security level implementation...
-# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
-#
-
-if [[ -f /usr/share/msec/lib.sh ]]; then
- . /usr/share/msec/lib.sh
-else
- echo "Can't find /usr/share/msec/lib.sh, exiting."
- exit 1
-fi
-
-# Log in append only mode
-echo -e "Changing attribute of /var/log/* to append only...\n"
-
-# All events logged on tty12
-echo "Loging all messages on tty12 : "
-AddRules "*.* /dev/tty12" /etc/syslog.conf
-
-# Prevent all kind of connection except from localhost
-echo "Denying all kind of connection except localhost : "
-AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny
-
-# Login as root on the console allowed :
-echo "Denying login as root (except on the console) :"
-AddRules "tty1" /etc/securetty quiet
-AddRules "tty2" /etc/securetty quiet
-AddRules "tty3" /etc/securetty quiet
-AddRules "tty4" /etc/securetty quiet
-AddRules "tty5" /etc/securetty quiet
-AddRules "tty6" /etc/securetty
-AddRules "vc/1" /etc/securetty quiet
-AddRules "vc/2" /etc/securetty quiet
-AddRules "vc/3" /etc/securetty quiet
-AddRules "vc/4" /etc/securetty quiet
-AddRules "vc/5" /etc/securetty quiet
-AddRules "vc/6" /etc/securetty
-
-# Security check
-echo "Updating file check variable : "
-echo -e "\t- Check security : yes."
- AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check important permissions : yes."
- AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid root file : yes."
- AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid root file integrity (backdoor check) : yes."
- AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid group file : yes."
- AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check world writable file : yes."
- AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check unowned file : yes."
- AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check promiscuous mode : yes."
- AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check listening port : yes."
- AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check passwd file integrity : yes."
- AddRules "CHECK_PASSWD=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check shadow file integrity : yes."
- AddRules "CHECK_SHADOW=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning on tty : yes."
- AddRules "TTY_WARN=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning by mail : yes."
- AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf quiet
- AddRules "MAIL_USER=root" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning in syslog : yes."
- AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
-# end security check
-
-# Check every 1 minutes for promisc problem
-echo "Adding promisc check in crontab (scheduled every minutes) :"
-AddRules "*/1 * * * * root /usr/share/msec/promisc_check.sh" /etc/crontab
-
-echo "Adding \"diff\" & \"global\" security check in crontab (scheduled every midnight) :"
-AddRules "0 4 * * * root /usr/share/msec/security.sh" /etc/crontab
-
-# Server update
-export SECURE_LEVEL=4
-echo "Setting secure level variable to 4 :"
-AddRules "SECURE_LEVEL=4" /etc/sysconfig/msec
-
-IFS="
-"
-echo -n "Disabling all service, except : {"
-for service in `chkconfig --list | awk '{print $1}'`; do
- if grep -qx ${service} /etc/security/msec/server.4; then
- echo -n " ${service}"
- fi
-done
-echo " } : "
-
-for service in `chkconfig --list | awk '{print $1}'`; do
- chkconfig --del "${service}"
- if ! chkconfig --msec --add "${service}"; then
- echo -e "\t- Services ${service} scheduled to be disabled at next boot."
- fi
-done
-echo -e "done.\n";
-
-echo "Setting umask to 022 (u=rw,g=rx) for root, 077 (u=rw) for user :"
-AddRules "UMASK_ROOT=022" /etc/sysconfig/msec
-AddRules "UMASK_USER=077" /etc/sysconfig/msec
-
-if [[ -f /lib/libsafe.so.2 ]]; then
- echo "Enabling stack overflow protection :"
- AddRules "/lib/libsafe.so.2" /etc/ld.so.preload
-fi
-
-# Console timeout
-echo "Setting console timeout :"
-AddRules "TMOUT=7200" /etc/sysconfig/msec
-
-# No history file
-echo "No history file :"
-AddRules "HISTFILESIZE=0" /etc/sysconfig/msec
-
-# Ip spoofing protection
-echo "IP spoofing protection :"
-AddRules "nospoof on" /etc/host.conf
-AddRules "spoofalert on" /etc/host.conf
-
-# icmp echo
-echo "Ignoring icmp echo :"
-AddRules "net.ipv4.icmp_echo_ignore_all=1" /etc/sysctl.conf
-AddRules "net.ipv4.icmp_echo_ignore_broadcasts=1" /etc/sysctl.conf
-
-# bad error
-echo "Enabling bad error message Protection :"
-AddRules "net.ipv4.icmp_ignore_bogus_error_responses=1" /etc/sysctl.conf
-
-# log strange packets
-echo "Enabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :"
-AddRules "net.ipv4.conf.all.log_martians=1" /etc/sysctl.conf
-
-LoadSysctl
-
-# issues
-echo "Removing /etc/issue.net :"
-RemoveIssueNet
-
-# Do not boot on a shell
-ForbidReboot
-
-ForbidAutologin
-
-# Group were modified in lib.sh...
-grpconv
-
-ForbidUserList
-RootSshLogin 4
diff --git a/init-sh/level5.sh b/init-sh/level5.sh
deleted file mode 100755
index 070c770..0000000
--- a/init-sh/level5.sh
+++ /dev/null
@@ -1,178 +0,0 @@
-#!/bin/bash
-
-#
-# Security level implementation...
-# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
-#
-
-if [[ -f /usr/share/msec/lib.sh ]]; then
- . /usr/share/msec/lib.sh
-else
- echo "Can't find /usr/share/msec/lib.sh, exiting."
- exit 1
-fi
-
-echo -e "Changing attribute of /var/log/* to append only...\n"
-
-# All events logged on tty12
-echo "Loging all messages on tty12 : "
-AddRules "*.* /dev/tty12" /etc/syslog.conf
-
-# Prevent all kind of connection
-echo "Denying all kind of connection : "
-AddRules "ALL:ALL:DENY" /etc/hosts.deny
-
-# No login as root
-echo "Login as root is denied : "
-echo "Modified file : /etc/securetty..."
-echo -e "done.\n\n"
-
-# Security check
-echo "Updating file check variable : "
-echo -e "\t- Check security : yes."
- AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check important permissions : yes."
- AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid root file : yes."
- AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid root file integrity (backdoor check) : yes."
- AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid group file : yes."
- AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check world writable file : yes."
- AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check unowned file : yes."
- AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check promiscuous mode : yes."
- AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check listening port : yes."
- AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check passwd file integrity : yes."
- AddRules "CHECK_PASSWD=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check shadow file integrity : yes."
- AddRules "CHECK_SHADOW=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning on tty : yes."
- AddRules "TTY_WARN=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning by mail : yes."
- AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf quiet
- AddRules "MAIL_USER=root" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning in syslog : yes."
- AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
-# end security check
-
-################ Crontab things ###################
-# Check every 1 minutes for promisc problem
-echo "Adding promisc check in crontab (scheduled every minutes) :"
-AddRules "*/1 * * * * root /usr/share/msec/promisc_check.sh" /etc/crontab
-
-echo "Adding \"diff\" & \"global\" security check in crontab (scheduled every midnight) :"
-AddRules "0 4 * * * root /usr/share/msec/security.sh" /etc/crontab
-
-###################################################
-
-# setup BSD accounting.
-
-echo "Setting up BSD process accounting..."
-if [[ -f /sbin/accton ]]; then
- AddRules "touch /var/log/security/pacct.log" /etc/rc.d/rc.local
- AddRules "/sbin/accton /var/log/security/pacct.log" /etc/rc.d/rc.local
- AddRules "/var/log/security/pacct.log {" /etc/logrotate.conf
- AddRules " postrotate" /etc/logrotate.conf
- AddRules " /sbin/accton /var/log/security/pacct.log" /etc/logrotate.conf
- AddRules " }" /etc/logrotate.conf
- touch /var/log/security/pacct.log
- chown root.root /var/log/security/pacct.log
- chmod 600 /var/log/security/pacct.log
- /sbin/accton /var/log/security/pacct.log
-fi
-
-# Wanna password ?
-LoaderUpdate;
-
-# Disable all server :
-export SECURE_LEVEL=4
-echo "Setting secure level variable to 5 :"
-AddRules "SECURE_LEVEL=5" /etc/sysconfig/msec
-
-IFS="
-"
-
-export SECURE_LEVEL=5
-echo -n "Disabling all service, except : {"
-for service in `chkconfig --list | awk '{print $1}'`; do
- if grep -qx ${service} /etc/security/msec/server.5; then
- echo -n " ${service}"
- fi
-done
-echo " } : "
-
-for service in `chkconfig --list | awk '{print $1}'`; do
- chkconfig --del "${service}"
- if ! chkconfig --msec --add "${service}"; then
- echo -e "\t- Services ${service} scheduled to be disabled at next boot."
- fi
-done
-echo -e "done.\n";
-
-echo "Setting umask to 077 (u=rw) :"
-AddRules "UMASK_ROOT=077" /etc/sysconfig/msec
-AddRules "UMASK_USER=077" /etc/sysconfig/msec
-
-if [[ -f /lib/libsafe.so.2 ]]; then
- echo "Enabling stack overflow protection :"
- AddRules "/lib/libsafe.so.2" /etc/ld.so.preload
-fi
-
-# Console timeout
-echo "Setting console timeout :"
-AddRules "TMOUT=180" /etc/sysconfig/msec
-
-# No history file
-echo "No history file :"
-AddRules "HISTFILESIZE=0" /etc/sysconfig/msec
-
-# Ip spoofing protection
-echo "IP spoofing protection :"
-AddRules "nospoof on" /etc/host.conf
-AddRules "spoofalert on" /etc/host.conf
-
-# icmp echo
-echo "Ignoring icmp echo :"
-AddRules "net.ipv4.icmp_echo_ignore_all=1" /etc/sysctl.conf
-AddRules "net.ipv4.icmp_echo_ignore_broadcasts=1" /etc/sysctl.conf
-
-# bad error
-echo "Enabling bad error message Protection :"
-AddRules "net.ipv4.icmp_ignore_bogus_error_responses=1" /etc/sysctl.conf
-
-# log strange packets
-echo "Enabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :"
-AddRules "net.ipv4.conf.all.log_martians=1" /etc/sysctl.conf
-
-LoadSysctl
-
-# issues
-echo "Removing /etc/issue and /etc/issue.net :"
-RemoveIssue
-RemoveIssueNet
-
-# Do not boot on a shell
-ForbidReboot
-ForbidAutologin
-
-echo
-echo "You are now running your system in security level 5,"
-echo "All services are disabled : try the chkconfig to enable one..."
-echo "If you're on a senssible machine, ( which is probably the case )"
-echo "you should compile the server from the sources".
-echo
-echo "In order to launch X in this security level,"
-echo "you need to add your user to the \"xgrp\" group..."
-echo "Use : usermod -G xgrp username"
-echo
-
-# Group were modified in lib.sh...
-grpconv
-
-ForbidUserList
-RootSshLogin 5
diff --git a/init-sh/levelsnf.sh b/init-sh/levelsnf.sh
deleted file mode 100755
index 6aba191..0000000
--- a/init-sh/levelsnf.sh
+++ /dev/null
@@ -1,160 +0,0 @@
-#!/bin/bash
-
-
-#
-# Security level implementation...
-# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
-#
-
-if [[ -f /usr/share/msec/lib.sh ]]; then
- . /usr/share/msec/lib.sh
-else
- echo "Can't find /usr/share/msec/lib.sh, exiting."
- exit 1
-fi
-
-# Log in append only mode
-echo -e "Changing attribute of /var/log/* to append only...\n"
-
-# All events logged on tty12
-echo "Loging all messages on tty12 : "
-AddRules "*.* /dev/tty12" /etc/syslog.conf
-
-# Prevent all kind of connection except from localhost
-echo "Denying all kind of connection except localhost : "
-AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny
-
-# Allow all the ssh connexions from anywhere
-echo "Allowing the ssh connexions from everywhere : "
-AddRules "ALL:sshd ALL" /etc/hosts.allow
-
-# Login as root on the console allowed :
-echo "Denying login as root (except on the console) :"
-AddRules "tty1" /etc/securetty quiet
-AddRules "tty2" /etc/securetty quiet
-AddRules "tty3" /etc/securetty quiet
-AddRules "tty4" /etc/securetty quiet
-AddRules "tty5" /etc/securetty quiet
-AddRules "tty6" /etc/securetty
-AddRules "vc/1" /etc/securetty quiet
-AddRules "vc/2" /etc/securetty quiet
-AddRules "vc/3" /etc/securetty quiet
-AddRules "vc/4" /etc/securetty quiet
-AddRules "vc/5" /etc/securetty quiet
-AddRules "vc/6" /etc/securetty
-
-# Security check
-echo "Updating file check variable : "
-echo -e "\t- Check security : yes."
- AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check important permissions : yes."
- AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid root file : yes."
- AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid root file integrity (backdoor check) : yes."
- AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check suid group file : yes."
- AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check world writable file : yes."
- AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check unowned file : yes."
- AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check promiscuous mode : yes."
- AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check listening port : yes."
- AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check passwd file integrity : yes."
- AddRules "CHECK_PASSWD=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check shadow file integrity : yes."
- AddRules "CHECK_SHADOW=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning on tty : yes."
- AddRules "TTY_WARN=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning by mail : yes."
- AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf quiet
- AddRules "MAIL_USER=root" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning in syslog : yes."
- AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
-# end security check
-
-# Check every 1 minutes for promisc problem
-echo "Adding promisc check in crontab (scheduled every minutes) :"
-AddRules "*/1 * * * * root /usr/share/msec/promisc_check.sh" /etc/crontab
-
-echo "Adding \"diff\" & \"global\" security check in crontab (scheduled every midnight) :"
-AddRules "0 4 * * * root /usr/share/msec/security.sh" /etc/crontab
-
-# Server update
-echo "Setting secure level variable to snf :"
-AddRules "SECURE_LEVEL=snf" /etc/sysconfig/msec
-
-# Console timeout
-echo "Setting console timeout :"
-AddRules "TMOUT=180" /etc/sysconfig/msec
-
-# No history file
-echo "No history file :"
-AddRules "HISTFILESIZE=0" /etc/sysconfig/msec
-
-# Ip spoofing protection
-echo "IP spoofing protection :"
-AddRules "nospoof on" /etc/host.conf
-AddRules "spoofalert on" /etc/host.conf
-
-# icmp echo
-echo "Ignoring icmp echo :"
-AddRules "net.ipv4.icmp_echo_ignore_all=1" /etc/sysctl.conf
-AddRules "net.ipv4.icmp_echo_ignore_broadcasts=1" /etc/sysctl.conf
-
-# bad error
-echo "Enabling bad error message Protection :"
-AddRules "net.ipv4.icmp_ignore_bogus_error_responses=1" /etc/sysctl.conf
-
-# log strange packets
-echo "Enabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :"
-AddRules "net.ipv4.conf.all.log_martians=1" /etc/sysctl.conf
-
-LoadSysctl
-
-# issues
-echo "Removing /etc/issue.net :"
-RemoveIssueNet
-
-export SECURE_LEVEL=snf
-
-IFS="
-"
-echo -n "Disabling all service, except : {"
-for service in `chkconfig --list | awk '{print $1}'`; do
- if grep -qx ${service} /etc/security/msec/server.snf; then
- echo -n " ${service}"
- fi
-done
-echo " } : "
-
-for service in `chkconfig --list | awk '{print $1}'`; do
- chkconfig --del "${service}"
- if ! chkconfig --msec --add "${service}"; then
- echo -e "\t- Services ${service} scheduled to be disabled at next boot."
- fi
-done
-echo -e "done.\n";
-
-echo "Setting umask to 022 (u=rw,g=rx) for root, 077 (u=rw) for user :"
-AddRules "UMASK_ROOT=022" /etc/sysconfig/msec
-AddRules "UMASK_USER=077" /etc/sysconfig/msec
-
-if [[ -f /lib/libsafe.so.2 ]]; then
- echo "Enabling stack overflow protection :"
- AddRules "/lib/libsafe.so.2" /etc/ld.so.preload
-fi
-
-# Do not boot on a shell
-ForbidReboot
-
-ForbidAutologin
-
-# Group were modified in lib.sh...
-grpconv
-
-ForbidUserList
-RootSshLogin snf
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
deleted file mode 100644
index 17b007f..0000000
--- a/init-sh/lib.sh
+++ /dev/null
@@ -1,410 +0,0 @@
-#
-# Security level implementation...
-# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
-#
-
-# Need root access
-if [[ ${UID} != 0 ]]; then
- echo "You need to be root in order to change secure level."
- exit 1
-fi
-
-export COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too."
-
-WaitAnswer() {
- answer="nothing"
-
- while [[ ${answer} != yes && ${answer} != no ]]; do
- echo -n "yes/no : "
- read answer
- done
-}
-
-AddRules() {
- string=$1
- file=$2
- quiet=$3
-
- if [[ -z ${string} ]]; then
- return;
- fi
-
- if [[ -z ${quiet} ]]; then
- echo "Modifying config in ${file}..."
- fi
-
- if ! grep -qEx "^${string}" ${file}; then
- echo -e "${COMMENT}" >> ${file};
- echo -e "${string}" >> ${file};
- fi
-
- if [[ -z ${3} ]]; then
- echo -e "done.\n"
- fi
-}
-
-AddBegRules() {
- echo "Modifying config in ${2}..."
-
- if [[ ! -f ${file} ]]; then
- return;
- fi
-
- export VAL=$1
- perl -pi -e '/^#/ or /^$/ or $m++ or print "$ENV{COMMENT}\n$ENV{VAL}\n"' $2
-
- echo -e "done.\n"
-}
-
-
-OLD_CleanRules() {
- file=$1
- ctrl=0
-
- if [[ ! -f ${file} ]]; then
- echo "${file} do not exist... can not clean."
- return;
- fi
-
- echo -en "\t- Cleaning msec appended line in ${file} : "
-
- tmpfile=`mktemp /tmp/secure.XXXXXX`
- cp ${file} ${tmpfile}
-
- while read line; do
- if [[ ${ctrl} == 1 ]]; then
- ctrl=0
- continue;
- fi
-
- if echo "${line}" | grep -qx "${COMMENT}"; then
- ctrl=1
- fi
-
- if [[ ${ctrl} == 0 ]]; then
- echo "${line}"
- fi
- done < ${tmpfile} > ${file}
-
- rm -f ${tmpfile}
-
- echo "done."
-}
-
-CleanRules() {
- echo -en "\t- Cleaning msec appended line in $1 : "
-
- perl -ni -e '$_ eq "$ENV{COMMENT}\n" ... // or print' $1
-
- echo "done."
-}
-
-CommentUserRules() {
- file=$1
-
- if [[ ! -f ${file} ]]; then
- return;
- fi
-
- echo -en "\t- Cleaning user appended line in ${file} : "
-
- tmpfile=`mktemp /tmp/secure.XXXXXX`
- cp -f ${file} ${tmpfile}
-
- while read line; do
- if ! echo "${line}" | grep -qE "^#"; then
- echo "# ${line}"
- else
- echo "${line}"
- fi
- done < ${tmpfile} > ${file}
-
- rm -f ${tmpfile}
-
- echo "done."
-}
-
-Syslog() {
- if [[ ${SYSLOG_WARN} == yes ]]; then
- /sbin/initlog --string=${1}
- fi
-}
-
-Ttylog() {
- if [[ ${TTY_WARN} == yes ]]; then
- w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do
- echo -e ${1} > /dev/$i
- done
- fi
-}
-
-
-LoaderUpdate() {
-
- # Ask only if we're not inside DrakX.
- if [[ ! ${DRAKX_PASSWORD+set} ]]; then
- echo "Do you want a password authentication at boot time ?"
- echo "Be very carefull,"
- echo "this will prevent your server to reboot without an operator to enter password".
- WaitAnswer;
- if [[ ${answer} == yes ]]; then
- echo -n "Please enter the password which will be used at boot time : "
- read password
- else
- password=""
- fi
-
- if [[ ! -z ${password} ]]; then
- if [[ -f /etc/lilo.conf ]]; then
- AddBegRules "password=$password" /etc/lilo.conf
- chmod 600 /etc/lilo.conf
- fi
- if [[ -f /boot/grub/menu.lst ]]; then
- AddBegRules "password $password" /boot/grub/menu.lst
- chmod 600 /boot/grub/menu.lst
- fi
-
- loader=`/usr/sbin/detectloader`
- case "${loader}" in
- "LILO")
- /sbin/lilo
- ;;
- "GRUB")
- ;;
- esac
- fi
- fi
-}
-
-# Do something only if DRAKX_PASSWORD set ( we're in DrakX )
-LoaderDrakX() {
- if [[ -n "${DRAKX_PASSWORD}" ]]; then
- if [[ -f /etc/lilo.conf ]]; then
- AddBegRules "password=$DRAKX_PASSWORD" /etc/lilo.conf
- chmod 600 /etc/lilo.conf
- fi
- if [[ -f /boot/grub/menu.lst ]]; then
- AddBegRules "password $DRAKX_PASSWORD" /boot/grub/menu.lst
- chmod 600 /boot/grub/menu.lst
- fi
-
- loader=`/usr/sbin/detectloader`
- case "${loader}" in
- "LILO")
- /sbin/lilo
- ;;
- "GRUB")
- ;;
- esac
- fi
-}
-
-
-CleanLoaderRules() {
- if [[ -f /etc/lilo.conf ]]; then
- CleanRules /etc/lilo.conf
- chmod 644 /etc/lilo.conf
- fi
- if [[ -f /boot/grub/menu.lst ]]; then
- CleanRules /boot/grub/menu.lst
- chmod 644 /boot/grub/menu.lst
- fi
-
- if [[ -z ${DRAKX_PASSWORD} ]]; then
- loader=`/usr/sbin/detectloader`
- case "${loader}" in
- "LILO")
- /sbin/lilo
- ;;
- "GRUB")
- ;;
- esac
- fi
-}
-
-AllowAutologin() {
- file=/etc/sysconfig/autologin
- if [[ -f ${file} ]]; then
- grep -v AUTOLOGIN < ${file} > ${file}.new
- echo "AUTOLOGIN=yes" >> ${file}.new
- mv -f ${file}.new ${file}
- fi
-}
-
-ForbidAutologin() {
- file=/etc/sysconfig/autologin
- if [[ -f ${file} ]]; then
- cat ${file} | grep -v AUTOLOGIN > ${file}.new
- echo "AUTOLOGIN=no" >> ${file}.new
- mv -f ${file}.new ${file}
- fi
-}
-
-ForbidUserList() {
- file=/usr/share/config/kdm/kdmrc
- if [[ -f ${file} ]]; then
- perl -pi -e 's/^ShowUsers=.*$/ShowUsers=None/' ${file}
- fi
-
- file=/etc/X11/gdm/gdm.conf
- if [[ -f ${file} ]]; then
- perl -pi -e 's/^Browser=.*$/Browser=0/' ${file}
- fi
-}
-
-AllowUserList() {
- file=/usr/share/config/kdm/kdmrc
- if [[ -f ${file} ]]; then
- perl -pi -e 's/^ShowUsers=.*$/ShowUsers=All/' ${file}
- fi
-
- file=/etc/X11/gdm/gdm.conf
- if [[ -f ${file} ]]; then
- perl -pi -e 's/^Browser=.*$/Browser=1/' ${file}
- fi
-}
-
-ForbidReboot() {
- echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
- tmpfile=`mktemp /tmp/secure.XXXXXX`
- cp /etc/inittab ${tmpfile}
- cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
- rm -f ${tmpfile}
- [ -z "$DURING_INSTALL" ] && telinit u
- echo "done."
- echo -n "Forbid console users to reboot/shutdown : "
- for pamfile in /etc/security/console.apps/{shutdown,poweroff,reboot,halt} ; do
- rm -f ${pamfile} 2>&1 > /dev/null
- done
- echo "done."
-}
-
-AllowReboot() {
- echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
- tmpfile=`mktemp /tmp/secure.XXXXXX`
- cp /etc/inittab ${tmpfile}
- cat ${tmpfile} | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
- rm -f ${tmpfile}
- [ -z "$DURING_INSTALL" ] && telinit u
- echo "done."
- echo -n "Allow console users to reboot/shutdown : "
- for pamfile in /etc/security/console.apps/{shutdown,poweroff,reboot,halt} ; do
- touch -f ${pamfile}
- done
- echo "done."
-}
-
-RootSshLogin () {
- echo -n "Setting up the root ssh login : "
- if [[ $1 == 4 || $1 == 5 || $1 == snf ]]; then
- /bin/sed 's/PermitRootLogin yes/PermitRootLogin no/' < /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
- mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
- chmod 0600 /etc/ssh/sshd_config
- else
- sed 's/PermitRootLogin no/PermitRootLogin yes/' < /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
- mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
- chmod 0600 /etc/ssh/sshd_config
- fi
-}
-
-LoadSysctl () {
- /sbin/sysctl -e -p /etc/sysctl.conf
- service network restart
-}
-
-RemoveIssue () {
- if [ -f /etc/issue ]; then
- mv -f /etc/issue /etc/issue.msec
- fi
-}
-
-RemoveIssueNet () {
- if [ -f /etc/issue.net ]; then
- mv -f /etc/issue.net /etc/issue.net.msec
- fi
-}
-
-RestoreIssues () {
- if [ ! -f /etc/issue.net -a -f /etc/issue.net.msec ]; then
- mv -f /etc/issue.net.msec /etc/issue.net
- fi
-
- if [ ! -f /etc/issue -a -f /etc/issue.msec ]; then
- mv -f /etc/issue.msec /etc/issue
- fi
-}
-
-# If we are currently installing our
-# system with DrakX, we don't ask anything to the user...
-# Instead, DrakX does it and gives us a file with some variables.
-if [[ -f /etc/security/msec/security.conf ]]; then
- . /etc/security/msec/security.conf
-fi
-
-clear
-echo "Preparing to run security script : "
-CleanRules /etc/syslog.conf
-CleanRules /etc/hosts.deny
-CommentUserRules /etc/hosts.deny
-CleanRules /etc/hosts.allow
-CommentUserRules /etc/hosts.allow
-CleanRules /etc/securetty
-CommentUserRules /etc/securetty
-CleanRules /etc/security/msec/security.conf
-CommentUserRules /etc/security/msec/security.conf
-touch /etc/ld.so.preload
-CleanRules /etc/ld.so.preload
-CleanRules /etc/host.conf
-CleanRules /etc/sysctl.conf
-
-CleanLoaderRules
-LoaderDrakX
-
-CleanRules /etc/logrotate.conf
-CleanRules /etc/rc.d/rc.local
-CleanRules /etc/rc.d/rc.firewall
-CleanRules /etc/crontab
-CleanRules /etc/profile
-CleanRules /etc/zprofile
-
-RestoreIssues
-
-if [[ -f /etc/X11/xinit.d/msec ]]; then
- CleanRules /etc/X11/xinit.d/msec
-else
- touch /etc/X11/xinit.d/msec
- chmod 755 /etc/X11/xinit.d/msec
-fi
-
-if [[ -f /etc/sysconfig/msec ]]; then
- CleanRules /etc/sysconfig/msec
-fi
-
-if [[ -f /etc/profile.d/msec.sh && -f /etc/profile.d/msec.csh ]]; then
- CleanRules /etc/profile.d/msec.sh
- CleanRules /etc/profile.d/msec.csh
-else
- chmod 755 /etc/profile.d/msec.sh
- chmod 755 /etc/profile.d/msec.csh
-fi
-
-echo -e "\nStarting to reconfigure the system : "
-# For all secure level
-echo "Setting spoofing protection : "
-AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall
-
-# default groups which must exist on the system
-# groupadd already checks for their existance...
-groupadd nogroup >& /dev/null
-groupadd -g 26 xgrp >& /dev/null
-groupadd -g 33 ntools >& /dev/null
-groupadd -g 34 ctools >& /dev/null
-groupadd -g 81 audio >& /dev/null
-
-usermod -G xgrp xfs
-
-/usr/share/msec/grpuser.sh --clean
-echo
diff --git a/init-sh/lib.sh.usermode b/init-sh/lib.sh.usermode
deleted file mode 100644
index 0458704..0000000
--- a/init-sh/lib.sh.usermode
+++ /dev/null
@@ -1,355 +0,0 @@
-#
-# Security level implementation...
-# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
-#
-
-# Need root access
-if [[ ${UID} != 0 ]]; then
- echo "You need to be root in order to change secure level."
- exit 1
-fi
-
-export COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too."
-
-WaitAnswer() {
- answer="nothing"
-
- while [[ ${answer} != yes && ${answer} != no ]]; do
- echo -n "yes/no : "
- read answer
- done
-}
-
-AddRules() {
- string=$1
- file=$2
- quiet=$3
-
- if [[ -z ${string} ]]; then
- return;
- fi
-
- if [[ -z ${quiet} ]]; then
- echo "Modifying config in ${file}..."
- fi
-
- if ! grep -Eqx "^${string}" ${file}; then
- echo -e "${COMMENT}" >> ${file};
- echo -e "${string}" >> ${file};
- fi
-
- if [[ -z ${3} ]]; then
- echo -e "done.\n"
- fi
-}
-
-AddBegRules() {
- echo "Modifying config in ${2}..."
-
- if [[ ! -f ${file} ]]; then
- return;
- fi
-
- export VAL=$1
- perl -pi -e '/^#/ or /^$/ or $m++ or print "$ENV{COMMENT}\n$ENV{VAL}\n"' $2
-
- echo -e "done.\n"
-}
-
-
-OLD_CleanRules() {
- file=$1
- ctrl=0
-
- if [[ ! -f ${file} ]]; then
- echo "${file} do not exist... can not clean."
- return;
- fi
-
- echo -en "\t- Cleaning msec appended line in ${file} : "
-
- tmpfile=`mktemp /tmp/secure.XXXXXX`
- cp ${file} ${tmpfile}
-
- while read line; do
- if [[ ${ctrl} == 1 ]]; then
- ctrl=0
- continue;
- fi
-
- if echo "${line}" | grep -qx "${COMMENT}"; then
- ctrl=1
- fi
-
- if [[ ${ctrl} == 0 ]]; then
- echo "${line}"
- fi
- done < ${tmpfile} > ${file}
-
- rm -f ${tmpfile}
-
- echo "done."
-}
-
-CleanRules() {
- echo -en "\t- Cleaning msec appended line in $1 : "
-
- perl -ni -e '$_ eq "$ENV{COMMENT}\n" ... // or print' $1
-
- echo "done."
-}
-
-CommentUserRules() {
- file=$1
-
- if [[ ! -f ${file} ]]; then
- return;
- fi
-
- echo -en "\t- Cleaning user appended line in ${file} : "
-
- tmpfile=`mktemp /tmp/secure.XXXXXX`
- cp -f ${file} ${tmpfile}
-
- while read line; do
- if ! echo "${line}" | grep -qE "^#"; then
- echo "# ${line}"
- else
- echo "${line}"
- fi
- done < ${tmpfile} > ${file}
-
- rm -f ${tmpfile}
-
- echo "done."
-}
-
-Syslog() {
- if [[ ${SYSLOG_WARN} == yes ]]; then
- /sbin/initlog --string=${1}
- fi
-}
-
-Ttylog() {
- if [[ ${TTY_WARN} == yes ]]; then
- w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do
- echo -e ${1} > /dev/$i
- done
- fi
-}
-
-
-LoaderUpdate() {
-
- # Ask only if we're not inside DrakX.
- if [[ ! ${DRAKX_PASSWORD+set} ]]; then
- echo "Do you want a password authentication at boot time ?"
- echo "Be very carefull,"
- echo "this will prevent your server to reboot without an operator to enter password".
- WaitAnswer;
- if [[ ${answer} == yes ]]; then
- echo -n "Please enter the password which will be used at boot time : "
- read password
- else
- password=""
- fi
-
- if [[ ! -z ${password} ]]; then
- if [[ -f /etc/lilo.conf ]]; then
- AddBegRules "password=$password" /etc/lilo.conf
- chmod 600 /etc/lilo.conf
- fi
- if [[ -f /boot/grub/menu.lst ]]; then
- AddBegRules "password $password" /boot/grub/menu.lst
- chmod 600 /boot/grub/menu.lst
- fi
-
- loader=`/usr/sbin/detectloader`
- case "${loader}" in
- "LILO")
- /sbin/lilo
- ;;
- "GRUB")
- ;;
- esac
- fi
- fi
-}
-
-# Do something only if DRAKX_PASSWORD set ( we're in DrakX )
-LoaderDrakX() {
- if [[ -n "${DRAKX_PASSWORD}" ]]; then
- if [[ -f /etc/lilo.conf ]]; then
- AddBegRules "password=$DRAKX_PASSWORD" /etc/lilo.conf
- chmod 600 /etc/lilo.conf
- fi
- if [[ -f /boot/grub/menu.lst ]]; then
- AddBegRules "password $DRAKX_PASSWORD" /boot/grub/menu.lst
- chmod 600 /boot/grub/menu.lst
- fi
-
- loader=`/usr/sbin/detectloader`
- case "${loader}" in
- "LILO")
- /sbin/lilo
- ;;
- "GRUB")
- ;;
- esac
- fi
-}
-
-
-CleanLoaderRules() {
- if [[ -f /etc/lilo.conf ]]; then
- CleanRules /etc/lilo.conf
- chmod 644 /etc/lilo.conf
- fi
- if [[ -f /boot/grub/menu.lst ]]; then
- CleanRules /boot/grub/menu.lst
- chmod 644 /boot/grub/menu.lst
- fi
-
- if [[ -z ${DRAKX_PASSWORD} ]]; then
- loader=`/usr/sbin/detectloader`
- case "${loader}" in
- "LILO")
- /sbin/lilo
- ;;
- "GRUB")
- ;;
- esac
- fi
-}
-
-AllowAutologin() {
- file=/etc/sysconfig/autologin
- if [[ -f ${file} ]]; then
- grep -v AUTOLOGIN < ${file} > ${file}.new
- echo "AUTOLOGIN=yes" >> ${file}.new
- mv -f ${file}.new ${file}
- fi
-}
-
-ForbidAutologin() {
- file=/etc/sysconfig/autologin
- if [[ -f ${file} ]]; then
- cat ${file} | grep -v AUTOLOGIN > ${file}.new
- echo "AUTOLOGIN=no" >> ${file}.new
- mv -f ${file}.new ${file}
- fi
-}
-
-ForbidUserList() {
- file=/usr/share/config/kdmrc
- if [[ -f ${file} ]]; then
- perl -pi -e 's/^UserView=.*$/UserView=false/' ${file}
- fi
-
- file=/etc/X11/gdm/gdm.conf
- if [[ -f ${file} ]]; then
- perl -pi -e 's/^Browser=.*$/Browser=0/' ${file}
- fi
-}
-
-AllowUserList() {
- file=/usr/share/config/kdmrc
- if [[ -f ${file} ]]; then
- perl -pi -e 's/^UserView=.*$/UserView=true/' ${file}
- fi
-
- file=/etc/X11/gdm/gdm.conf
- if [[ -f ${file} ]]; then
- perl -pi -e 's/^Browser=.*$/Browser=1/' ${file}
- fi
-}
-
-ForbidReboot() {
- echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
- tmpfile=`mktemp /tmp/secure.XXXXXX`
- cp /etc/inittab ${tmpfile}
- cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
- rm -f ${tmpfile}
- [ -z "$DURING_INSTALL" ] && telinit u
- echo "done."
-}
-
-AllowReboot() {
- echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
- tmpfile=`mktemp /tmp/secure.XXXXXX`
- cp /etc/inittab ${tmpfile}
- cat ${tmpfile} | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
- rm -f ${tmpfile}
- [ -z "$DURING_INSTALL" ] && telinit u
- echo "done."
-}
-
-RootSshLogin () {
- echo -n "Setting up the root ssh login : "
- if [[ $1 == 4 || $1 == 5 ]]; then
- /bin/sed 's/PermitRootLogin yes/PermitRootLogin no/' < /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
- mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
- chmod 0600 /etc/ssh/sshd_config
- else
- sed 's/PermitRootLogin no/PermitRootLogin yes/' < /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
- mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
- chmod 0600 /etc/ssh/sshd_config
- fi
-}
-
-
-# If we are currently installing our
-# system with DrakX, we don't ask anything to the user...
-# Instead, DrakX does it and gives us a file with some variables.
-if [[ -f /etc/security/msec/security.conf ]]; then
- . /etc/security/msec/security.conf
-fi
-
-clear
-echo "Preparing to run security script : "
-CleanRules /etc/syslog.conf
-CleanRules /etc/hosts.deny
-CommentUserRules /etc/hosts.deny
-CleanRules /etc/hosts.allow
-CommentUserRules /etc/hosts.allow
-CleanRules /etc/securetty
-CommentUserRules /etc/securetty
-CleanRules /etc/security/msec/security.conf
-CommentUserRules /etc/security/msec/security.conf
-CleanRules /etc/ld.so.preload
-
-CleanLoaderRules
-LoaderDrakX
-
-CleanRules /etc/logrotate.conf
-CleanRules /etc/rc.d/rc.local
-CleanRules /etc/rc.d/rc.firewall
-CleanRules /etc/crontab
-
-if [[ -f /etc/X11/xinit.d/msec ]]; then
- CleanRules /etc/X11/xinit.d/msec
-else
- touch /etc/X11/xinit.d/msec
- chmod 755 /etc/X11/xinit.d/msec
-fi
-
-echo -e "\nStarting to reconfigure the system : "
-# For all secure level
-echo "Setting spoofing protection : "
-AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall
-
-# default groups which must exist on the system
-# groupadd already checks for their existance...
-groupadd nogroup >& /dev/null
-groupadd -g 26 xgrp >& /dev/null
-groupadd -g 33 ntools >& /dev/null
-groupadd -g 34 ctools >& /dev/null
-groupadd -g 81 audio >& /dev/null
-
-usermod -G xgrp xfs
-
-/usr/share/msec/grpuser.sh --clean
-echo
diff --git a/init-sh/msec b/init-sh/msec
deleted file mode 100755
index 0892699..0000000
--- a/init-sh/msec
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/bash
-
-# Trap the sigint signal
-# so the msec process / subprocess can not be aborted by the user...
-# This will avoid trashing of config file while they are modified
-# if msec is interupted. ( thanks fg ).
-
-trap "" sigint
-
-if [[ -z $1 ]]; then
- echo "Usage : $0 [0-5] | snf"
- echo "Usage : $0 \"custom\""
- exit 1
-fi
-
-
-if [[ ${1} == custom ]]; then
- /usr/share/msec/custom.sh
- echo
- echo "You might logout of your session for some change to be activated."
- echo
- exit 0;
-fi
-
-if [[ -f /usr/share/msec/level$1.sh ]]; then
- if [[ $1 == 4 || $1 == 5 || $1 == snf ]]; then
- ln -sf /etc/security/msec/server.$1 /etc/security/msec/server
- else
- rm -rf /etc/security/msec/server
- chkconfig --list |awk ' {print $1}' | grep -v ":" | sort -u > /etc/security/msec/server
- fi
- ln -sf /usr/share/msec/level$1.sh /usr/share/msec/current-level.sh
- /usr/share/msec/current-level.sh
- echo
- echo "You might logout of your session for some change to be activated."
- echo
- if [[ -f /etc/security/msec/perm.$1 ]]; then
- ln -sf /etc/security/msec/perm.$1 /etc/security/msec/current.perm
- /usr/share/msec/file_perm.sh /etc/security/msec/current.perm
- else
- echo "Couldn't find the default permissions for level $1."
- fi
-else
- echo "Security level $1 not availlable..."
-fi
-
-