-rwxr-xr-x | init-sh/custom.sh | 395 | ||||
-rwxr-xr-x | init-sh/file_perm.sh | 18 | ||||
-rwxr-xr-x | init-sh/grpuser.sh | 195 | ||||
-rwxr-xr-x | init-sh/level0.sh | 100 | ||||
-rwxr-xr-x | init-sh/level1.sh | 101 | ||||
-rwxr-xr-x | init-sh/level2.sh | 102 | ||||
-rwxr-xr-x | init-sh/level3.sh | 103 | ||||
-rwxr-xr-x | init-sh/level4.sh | 155 | ||||
-rwxr-xr-x | init-sh/level5.sh | 178 | ||||
-rwxr-xr-x | init-sh/levelsnf.sh | 160 | ||||
-rw-r--r-- | init-sh/lib.sh | 410 | ||||
-rw-r--r-- | init-sh/lib.sh.usermode | 355 | ||||
-rwxr-xr-x | init-sh/msec | 47 |
13 files changed, 0 insertions, 2319 deletions
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
deleted file mode 100755
index b22f96f..0000000
--- a/init-sh/custom.sh
+++ /dev/null
@@ -1,395 +0,0 @@ -#!/bin/bash - -# -# Security level implementation... -# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> -# -# Thanks to : -# - Bryan Paxton. -# - Thomas Poindessous. -# for their contributions. -# - -### -clear -echo "This script allows you to customize the security on your system." -echo "If you feel at all you don't know what you're doing abort now!!!" -# can't use ctrl-c, we trap all signal. -echo -n "continue [yes/no] : " -read answer; - -if [[ ${answer} != yes ]]; then - exit 1 -fi - -if [[ -f /usr/share/msec/lib.sh ]]; then - . /usr/share/msec/lib.sh -else - echo "Can't find /usr/share/msec/lib.sh, exiting." - exit 1 -fi - -clear - -WRITE_CRON="false" - -### - -echo "Do you want to only allow ctrl-alt-del if root is logged locally ?" -echo "( or if an user present in /etc/shutdown.allow is logged locally )" -WaitAnswer; clear -tmpfile=`mktemp /tmp/secure.XXXXXX` -cp /etc/inittab ${tmpfile} -if [[ ${answer} == yes ]]; then - cat ${tmpfile} | \ - sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab -else - cat ${tmpfile} | \ - sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab -fi -rm -f ${tmpfile} - -### -echo "Do you want to deny any machine to connect to yours ?" -WaitAnswer -if [[ ${answer} == yes ]]; then - echo "Do you want only localhost to be allowed ?" - WaitAnswer; clear - if [[ ${answer} == yes ]]; then - AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny - else - AddRules "ALL:ALL:DENY" /etc/hosts.deny - fi -fi - -### -echo "Do you want root console login to be allowed ?" 
-WaitAnswer; clear -if [[ ${answer} == yes ]]; then - AddRules "tty1" /etc/securetty quiet - AddRules "tty2" /etc/securetty quiet - AddRules "tty3" /etc/securetty quiet - AddRules "tty4" /etc/securetty quiet - AddRules "tty5" /etc/securetty quiet - AddRules "tty6" /etc/securetty - AddRules "vc/1" /etc/securetty quiet - AddRules "vc/2" /etc/securetty quiet - AddRules "vc/3" /etc/securetty quiet - AddRules "vc/4" /etc/securetty quiet - AddRules "vc/5" /etc/securetty quiet - AddRules "vc/6" /etc/securetty -fi -### - -if [[ -f /lib/libsafe.so.2 ]]; then -echo "Do you want to enable the libsafe stack overflow protection ?" -echo "This stack overflow protection work by catching dangerous function call" -echo "like strcpy, strcat, getwd, gets, [vf]scanf, realpath, [v]sprintf" -echo "and verify the address & the size of the destination buffer in the stack" -echo "this is done by searching in the stack frame the one which contain the" -echo "destination address, and by substracting the frame address to the destination buffer one" -WaitAnswer; clear -if [[ ${answer} == yes ]]; then - AddRules "/lib/libsafe.so.2" /etc/ld.so.preload -fi -fi - -### -echo "Do you want your system to daily check important security problem ?" -WaitAnswer; clear -if [[ ${answer} == yes ]]; then - AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf - WRITE_CRON="true" -fi - -### -echo "Do you want your system to daily check new open port listening ?" -WaitAnswer; clear -if [[ ${answer} == yes ]]; then - AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf - WRITE_CRON="true" -fi - -### -echo "Do you want your system to check for grave permission problem on sensibles files ?" -WaitAnswer; clear -if [[ ${answer} == yes ]]; then - AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf - WRITE_CRON="true" -fi - -### -echo "Do you want your system to daily check SUID Root file change ?" 
-WaitAnswer; clear -if [[ ${answer} == yes ]]; then - AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf - WRITE_CRON="true" -fi - -### -echo "Do you want your system to daily check suid files md5 checksum changes ?" -WaitAnswer; clear -if [[ ${answer} == yes ]]; then - AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf - WRITE_CRON="true" -fi - -### -echo "Do you want your system to daily check SUID Group file change ?" -WaitAnswer; clear -if [[ ${answer} == yes ]]; then - AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf - WRITE_CRON="true" -fi - -### -echo "Do you want your system to daily check Writable file change ?" -WaitAnswer; clear -if [[ ${answer} == yes ]]; then - AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf - WRITE_CRON="true" -fi - -### -echo "Do you want your system to daily check Unowned file change ?" -WaitAnswer; clear -if [[ ${answer} == yes ]]; then - AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf - WRITE_CRON="true" -fi - -### -echo "Do you want your system to verify every minutes if a network interface" -echo "is in promiscuous state (which mean someone is probably running a sniffer on your machine ) ?" -WaitAnswer; clear -if [[ ${answer} == yes ]]; then - AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf - AddRules "*/1 * * * * root nice --adjustment=+19 /usr/share/msec/promisc_check.sh" /etc/crontab -fi -### - -echo "Do you want security report to be done directly on the console ?" -WaitAnswer; clear -if [[ ${answer} == yes ]]; then - AddRules "TTY_WARN=yes" /etc/security/msec/security.conf -else - AddRules "TTY_WARN=no" /etc/security/msec/security.conf -fi -### - -echo "Do you want security report to be done in syslog ?" 
-WaitAnswer; clear -if [[ ${answer} == yes ]]; then - AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf -else - AddRules "SYSLOG_WARN=no" /etc/security/msec/security.conf -fi -### - -echo "Do you want security report to be done by mail ?" -WaitAnswer; clear -if [[ ${answer} == yes ]]; then - AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf - AddRules "MAIL_USER=root" /etc/security/msec/security.conf -else - AddRules "MAIL_WARN=no" /etc/security/msec/security.conf -fi -### - -if [[ ${WRITE_CRON} == "true" ]]; then - AddRules "0 4 * * * root /usr/share/msec/security.sh" /etc/crontab -fi - -LoaderUpdate; - -### -clear -echo "Do you want to disable your running server ( except those specified in /etc/security/msec/server.4 )" -echo "This is only valuable for server installed with rpm." -WaitAnswer; clear -if [[ ${answer} == yes ]]; then - echo -n "Disabling all service, except : {" - chkconfig --list | awk '{print $1}' | while read service; do - if grep -qx ${service} /etc/security/msec/server.4; then - echo -n " ${service}" - fi - done - echo " } : " - - chkconfig --list | awk '{print $1}' | while read service; do - chkconfig --del "${service}" - if ! chkconfig --msec --add "${service}"; then - echo -e "\t- Services ${service} is now disabled." - fi - done - echo -e "done.\n"; -fi - -### -echo "Do you want to disallow rpm to automatically enable a new installed server for run on next reboot ?" -echo "yes = you will need to chkconfig (--add ) servername for the server to run on boot." -echo "no = rpm will do it for you, but you have less control of what is running on your machine." -WaitAnswer; clear -if [[ ${answer} == yes ]]; then - export SECURE_LEVEL=4 - echo "Setting secure level variable to 4 :" - AddRules "SECURE_LEVEL=4" /etc/sysconfig/msec -else - AddRules "SECURE_LEVEL=3" /etc/sysconfig/msec -fi - -### -echo "Do you want an easy, normal, restricted, or paranoid umask ?" 
-echo "easy ( 002 ) = user = rwx, group = rwx, other = rx" -echo "normal ( 022 ) = user = rwx, group = rx, other = rx" -echo "restricted ( for users ) ( 077 ) = user = rwx, group =, other =" -echo "restricted ( for root ) ( 022 ) = user = rwx, = group = rx, other = rx" -echo "paranoid ( 077 ) = user = rwx, group = , other =" -answer="nothing" -while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != "restricted" && "${answer}" != "paranoid" ]]; do - echo -n "easy/normal/restricted/paranoid : " - read answer -done -case "${answer}" in - "easy") - echo "Setting umask to 022 (u=rw,g=r,o=r) :" - AddRules "UMASK_ROOT=022" /etc/sysconfig/msec - AddRules "UMASK_USER=022" /etc/sysconfig/msec - - ;; - "normal") - echo "Setting umask to 022 (u=rw,g=r,o=r) :" - AddRules "UMASK_ROOT=022" /etc/sysconfig/msec - AddRules "UMASK_USER=022" /etc/sysconfig/msec - ;; - "restricted") - echo "Setting umask to 022 (u=rw,g=rx) for root, 077 (u=rw) for user :" - AddRules "UMASK_ROOT=022" /etc/sysconfig/msec - AddRules "UMASK_USER=077" /etc/sysconfig/msec - ;; - "paranoid") - AddRules "UMASK_ROOT=077" /etc/sysconfig/msec - AddRules "UMASK_USER=077" /etc/sysconfig/msec - ;; -esac - -### - -echo "Do you want easy, normal, restricted, or paranoid permission ?" -answer="nothing" -while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != "restricted" && "${answer}" != "paranoid" ]]; do - echo -n "easy/normal/restricted/paranoid : " - read answer -done -case "${answer}" in - "easy") - /usr/share/msec/file_perm.sh /etc/security/msec/perm.2 - ;; - "normal") - /usr/share/msec/file_perm.sh /etc/security/msec/perm.3 - ;; - "restricted") - /usr/share/msec/file_perm.sh /etc/security/msec/perm.4 - ;; - "paranoid") - /usr/share/msec/file_perm.sh /etc/security/msec/perm.5 - ;; -esac - -#Logging -clear -echo "Would you like set to up additional logging ?" -echo "Logging will still go to its respected places in /var/log as well." 
-WaitAnswer; clear -if [[ ${answer} == yes ]]; then - echo "Would you like all system events to be logged on a specific tty ?" - echo "please answer by \"no\" or the tty number." - echo -n "no/ttynumber :" - read answer - if [[ ${answer} != no && ${anwer} != yes ]]; then - AddRules "*.* /dev/tty${answer}" /etc/syslog.conf - fi - - echo - echo "Would you like for auth and warnings to a specific tty ?" - echo "please answer by \"no\" or the tty number." - echo -n "no/ttynumber :" - read answer - if [[ ${answer} != no && ${anwer} != yes ]]; then - AddRules "authpriv.* /dev/tty${answer}" /etc/syslog.conf - fi - - echo - echo "Would you like kernel logging to go on a specific tty ?" - echo "please answer by \"no\" or the tty number." - echo -n "no/ttynumber :" - read answer - if [[ ${answer} != no && ${anwer} != yes ]]; then - AddRules "kern.* /dev/tty${answer}" /etc/syslog.conf - fi - - echo - echo "Would you like mail logging to a specific tty ?" - echo "This is only useful if you're running a mail server." - echo "please answer by \"no\" or the tty number." - echo -n "no/ttynumber :" - read answer - if [[ ${answer} != no && ${anwer} != yes ]]; then - AddRules "mail.* /dev/tty${answer}" /etc/syslog.conf - fi - - /etc/rc.d/init.d/syslog restart >& /dev/null -fi - -clear - -### -clear -echo "We can setup your system to log who does what commands and when..." -echo "May we set up proccess accounting ?" -echo "The log file (/var/log/security/psacct.log) will get filled up VERY quickly..." -echo "You need the psacct package." 
-WaitAnswer; - -if [[ ${answer} == yes ]]; then - AddRules "touch /var/log/security/pacct.log" /etc/rc.d/rc.local - AddRules "/sbin/accton /var/log/security/pacct.log" /etc/rc.d/rc.local - AddRules "/var/log/security/pacct.log {" /etc/logrotate.conf - AddRules " postrotate" /etc/logrotate.conf - AddRules " /sbin/accton /var/log/security/pacct.log" /etc/logrotate.conf - AddRules " }" /etc/logrotate.conf - touch /var/log/security/pacct.log - chown root.root /var/log/security/pacct.log - chmod 600 /var/log/security/pacct.log - /sbin/accton /var/log/security/pacct.log -fi - -### Pam -clear - -dfsize=40000 -echo "We help prevent certain types of DoS attacks through the use of PAM(Pluggable Authentication Modules.)" -echo "By setting a limit on how big user files may get and how many processes a user may run." - -echo "Would you like to set up some PAM configuration ?" -WaitAnswer; clear -if [[ ${answer} == yes ]]; then - AddRules "# Limit user processes" /etc/security/limits.conf - AddRules "* soft nproc 100" /etc/security/limits.conf - AddRules "* hard nproc 150" /etc/security/limits.conf - - echo "Would you like to set a maximum file size a user is allowed ?" - WaitAnswer; clear - if [[ ${answer} == yes ]]; then - echo "What shall be the maximum file size(default is $(dfsize))" - echo -n "Size : " - read fsize - if [[ -z ${fsize} ]]; then - AddRules "# limits size of any one of users' files" /etc/security/limits.conf - AddRules "* hard $dfsize" /etc/security/limits.conf - else - AddRules "# limits size of any one of users' files" /etc/security/limits.conf - AddRules "* hard $fsize" /etc/security/limits.conf - fi - fi -fi diff --git a/init-sh/file_perm.sh b/init-sh/file_perm.sh deleted file mode 100755 index f69b222..0000000 --- a/init-sh/file_perm.sh +++ /dev/null 
@@ -1,18 +0,0 @@
-#!/bin/bash
-
-if [[ ! -s $1 ]]; then
- echo "I need a msec permfile in argument".
- exit 1
-fi
-
-echo -n "Setting files permissions : "
-
-grep -v "^#" $1 | while read file owner perm; do
- if [[ ${owner} != current ]]; then
- chown ${owner} ${file} >& /dev/null
- fi
- chmod ${perm} ${file} >& /dev/null
-done
-
-echo "done."
-
diff --git a/init-sh/grpuser.sh b/init-sh/grpuser.sh
deleted file mode 100755
index 31b6996..0000000
--- a/init-sh/grpuser.sh
+++ /dev/null
@@ -1,195 +0,0 @@ -#!/bin/bash - -# -# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> -# Thanks to Francis Galiegue. -# - -file="group" -group_line="" -new_group_line="" -group_name=$2 -user_name=$3 - -Usage() { - echo "Usage :" - echo " --clean ---> Remove all group change." - echo " --refresh ---> Read group name in /etc/security/msec/group.conf" - echo " and add each user in /etc/security/msec/user.conf" - echo " in these groups ( if security level is <= 2 )" -} - -ModifyFile() { - tmpfile=`mktemp /tmp/grpuser.XXXXXX` - cp /etc/${file} ${tmpfile} - - head -$((group_line_number - 1)) ${tmpfile} > /etc/${file} - echo "${new_group_line}" >> /etc/${file} - tail +$((group_line_number + 1)) ${tmpfile} >> /etc/${file} - - rm -f ${tmpfile} -} - -RemoveUserFromGroup() { - new_group_line=${group}`echo ${group_users} | - sed -e s/,${user_name}$//g -e s/${user_name},//g -e s/${user_name}$//g` -} - -AppendUserToGroup() { - if [[ -z ${group_users} ]]; then - new_group_line=${group_line}${user_name} - else - new_group_line=${group_line}",${user_name}" - fi -} - -IsUserAlreadyInGroup() { - if echo ${group_users} | grep -qw "${user_name}"; then - return 0 - fi - - return 1 -} - -IsGroupExisting() { - group_line="" - group_line_number="" - - # We get some group infos as well, will be used later - tmp=`grep -n "^${group_name}:" /etc/${file} | tr -d " "` - - group_line_number=`echo ${tmp} | awk -F: '{print $1}'` - group=`echo ${tmp} | awk -F: '{print $2":"$3":"$4":"}'` - group_users=`echo ${tmp} | awk -F: '{print $5}'` - group_line=`echo ${tmp} | awk -F: '{print $2":"$3":"$4":"$5}'` - - [ -z "${tmp}" ] && return 1 - - return 0 -} - -IsUserExisting() { - grep -qn "^${user_name}:" /etc/passwd - if [[ $? == 0 ]]; then - return 0; - fi - - return 1; -} - -RefreshAdd() { - if [[ ${SECURE_LEVEL} == 3 || ${SECURE_LEVEL} == 4 || ${SECURE_LEVEL} == 5 || ${SECURE_LEVEL} == snf ]]; then - echo "You are in a secure level > 2, in this level you need to add group user by yourself." 
- echo "Use the command : usermod -G group_name user_name" - exit 1; - fi - - cat /etc/security/msec/group.conf | grep -v "^$" | while read group_name; do - IsGroupExisting; - if [[ $? != 0 ]]; then - echo "Group \"${group_name}\" doesn't exist. skiping it." - else - cat /etc/security/msec/user.conf | grep -v "^$" | while read user_name; do - IsUserExisting; - if [[ $? != 0 ]]; then - # user doesn't exist - echo "Can't add user \"${user_name}\" to group \"${group_name}\" user doesn't exist. skiping." - IsUserAlreadyInGroup; - if [[ $? == 0 ]]; then - #User doesn't exist but is in a group... delete user from this group. - IsGroupExisting; - RemoveUserFromGroup; - ModifyFile; - fi - else - echo "Adding user \"${user_name}\" to group \"${group_name}\"." - IsGroupExisting; - IsUserAlreadyInGroup; - if [[ $? == 1 ]]; then - AppendUserToGroup; - ModifyFile; - fi - fi - done - fi - done -} - -RefreshDel() { - cat /etc/security/msec/group.conf | grep -v "^$" | while read group_name; do - IsGroupExisting; - if [[ $? != 0 ]]; then - echo "Group \"${group_name}\" doesn't exist. skiping it." - else - cat /etc/security/msec/user.conf | grep -v "^$" | while read user_name; do - IsGroupExisting; # We need some variable at each turn. - IsUserAlreadyInGroup; - if [[ $? == 0 ]]; then - echo "Removing \"${user_name}\" from group \"${group_name}\"." - RemoveUserFromGroup; - ModifyFile; - fi - done - fi - done -} - - - -Perm() { - if [[ ${UID} != 0 ]]; then - echo "You need root access to use this tool." - echo "And this script shouldn't be used by users." - exit 1 - fi - - if [[ ! -w /etc/${file} ]]; then - echo "You're not allowed to write to /etc/group..." - exit 1 - fi - - if [[ ! -f /etc/security/msec/group.conf ]]; then - echo "/etc/security/msec/group.conf doesn't exist..." - exit 1 - fi - - if [[ ! -f /etc/security/msec/user.conf ]]; then - echo "/etc/security/msec/user.conf doesn't exist..." 
- exit 1
- fi
-}
-
-if [[ $# == 1 ]]; then
- case $1 in
- "--refresh")
- Perm;
- RefreshAdd;
- exit 0
- ;;
- "--clean")
- Perm;
- RefreshDel;
- exit 0
- ;;
- esac
- Usage;
- exit 0
-else
- Usage;
-fi
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/init-sh/level0.sh b/init-sh/level0.sh
deleted file mode 100755
index b893546..0000000
--- a/init-sh/level0.sh
+++ /dev/null
@@ -1,100 +0,0 @@ -#!/bin/bash - -# -# Security level implementation... -# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> -# - - -if [[ -f /usr/share/msec/lib.sh ]]; then - . /usr/share/msec/lib.sh -else - echo "Can't find /usr/share/msec/lib.sh, exiting." - exit 1 -fi - -# login as root on console granted... -echo "Login as root is granted :" -AddRules "tty1" /etc/securetty quiet -AddRules "tty2" /etc/securetty quiet -AddRules "tty3" /etc/securetty quiet -AddRules "tty4" /etc/securetty quiet -AddRules "tty5" /etc/securetty quiet -AddRules "tty6" /etc/securetty -AddRules "vc/1" /etc/securetty quiet -AddRules "vc/2" /etc/securetty quiet -AddRules "vc/3" /etc/securetty quiet -AddRules "vc/4" /etc/securetty quiet -AddRules "vc/5" /etc/securetty quiet -AddRules "vc/6" /etc/securetty - -# Security check -echo "Updating file check variable : " -echo -e "\t- Check security : no." - AddRules "CHECK_SECURITY=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check important permissions : no." - AddRules "CHECK_PERMS=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid root file : no." - AddRules "CHECK_SUID_ROOT=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid root file integrity (backdoor check) : no." - AddRules "CHECK_SUID_MD5=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid group file : no." - AddRules "CHECK_SUID_GROUP=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check world writable file : no." - AddRules "CHECK_WRITEABLE=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check unowned file : no." - AddRules "CHECK_UNOWNED=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check promiscuous mode : no." - AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check listening port : no." - AddRules "CHECK_OPEN_PORT=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check passwd file integrity : no." 
- AddRules "CHECK_PASSWD=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check shadow file integrity : no." - AddRules "CHECK_SHADOW=no" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning on tty : no." - AddRules "TTY_WARN=no" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning by mail : no." - AddRules "MAIL_WARN=no" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning in syslog : no." - AddRules "SYSLOG_WARN=no" /etc/security/msec/security.conf -# end security check - -export SECURE_LEVEL=0 -echo "Setting secure level variable to 0 :" -AddRules "SECURE_LEVEL=0" /etc/sysconfig/msec - -echo "Setting umask to 022 (u=rw,g=r,o=r) :" -AddRules "UMASK_ROOT=022" /etc/sysconfig/msec -AddRules "UMASK_USER=022" /etc/sysconfig/msec - -# Xserver -echo "Allowing users to connect X server from everywhere :" -AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xinit.d/msec quiet - -# Group -echo "Adding system users to specific groups :" -/usr/share/msec/grpuser.sh --refresh -echo -e "done.\n" - -# icmp echo -echo "Enabling icmp echo :" -AddRules "net.ipv4.icmp_echo_ignore_all=0" /etc/sysctl.conf -AddRules "net.ipv4.icmp_echo_ignore_broadcasts=0" /etc/sysctl.conf - -# bad error -echo "Disabling bad error message Protection :" -AddRules "net.ipv4.icmp_ignore_bogus_error_responses=0" /etc/sysctl.conf - -# log strange packets -echo "Disabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :" -AddRules "net.ipv4.conf.all.log_martians=0" /etc/sysctl.conf - -LoadSysctl - -AllowAutologin - -# Boot on a shell / authorize ctrl-alt-del -AllowReboot -AllowUserList -RootSshLogin 0 diff --git a/init-sh/level1.sh b/init-sh/level1.sh deleted file mode 100755 index ce6b2d7..0000000 --- a/init-sh/level1.sh +++ /dev/null 
@@ -1,101 +0,0 @@ -#!/bin/bash - -# -# Security level implementation... -# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> -# - - -if [[ -f /usr/share/msec/lib.sh ]]; then - . /usr/share/msec/lib.sh -else - echo "Can't find /usr/share/msec/lib.sh, exiting." - exit 1 -fi - -# login as root on console granted... -echo "Login as root is granted :" -AddRules "tty1" /etc/securetty quiet -AddRules "tty2" /etc/securetty quiet -AddRules "tty3" /etc/securetty quiet -AddRules "tty4" /etc/securetty quiet -AddRules "tty5" /etc/securetty quiet -AddRules "tty6" /etc/securetty -AddRules "vc/1" /etc/securetty quiet -AddRules "vc/2" /etc/securetty quiet -AddRules "vc/3" /etc/securetty quiet -AddRules "vc/4" /etc/securetty quiet -AddRules "vc/5" /etc/securetty quiet -AddRules "vc/6" /etc/securetty - -# Security check -echo "Updating file check variable : " -echo -e "\t- Check security : yes." - AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check important permissions : no." - AddRules "CHECK_PERMS=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid root file : no." - AddRules "CHECK_SUID_ROOT=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid root file integrity (backdoor check) : no." - AddRules "CHECK_SUID_MD5=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid group file : no." - AddRules "CHECK_SUID_GROUP=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check world writable file : no." - AddRules "CHECK_WRITABLE=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check unowned file : no." - AddRules "CHECK_UNOWNED=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check promiscuous mode : no." - AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check listening port : no." - AddRules "CHECK_OPEN_PORT=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check passwd file integrity : no." 
- AddRules "CHECK_PASSWD=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check shadow file integrity : no." - AddRules "CHECK_SHADOW=no" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning on tty : no." - AddRules "TTY_WARN=no" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning by mail : no." - AddRules "MAIL_WARN=no" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning in syslog : no." - AddRules "SYSLOG_WARN=no" /etc/security/msec/security.conf -# end security check - -export SECURE_LEVEL=1 -echo "Setting secure level variable to 1 :" -AddRules "SECURE_LEVEL=1" /etc/sysconfig/msec - -echo "Setting umask to 022 (u=rw,g=r,o=r) :" -AddRules "UMASK_ROOT=022" /etc/sysconfig/msec -AddRules "UMASK_USER=022" /etc/sysconfig/msec - -# Xserver -echo "Allowing users to connect X server from localhost :" -AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit.d/msec - -# Group -echo "Adding system users to specific groups :" -/usr/share/msec/grpuser.sh --refresh -grpconv -echo -e "done.\n" - -# icmp echo -echo "Enabling icmp echo :" -AddRules "net.ipv4.icmp_echo_ignore_all=0" /etc/sysctl.conf -AddRules "net.ipv4.icmp_echo_ignore_broadcasts=0" /etc/sysctl.conf - -# bad error -echo "Disabling bad error message Protection :" -AddRules "net.ipv4.icmp_ignore_bogus_error_responses=0" /etc/sysctl.conf - -# log strange packets -echo "Disabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :" -AddRules "net.ipv4.conf.all.log_martians=0" /etc/sysctl.conf - -LoadSysctl - -AllowAutologin - -# Do not boot on a shell -AllowReboot -AllowUserList -RootSshLogin 1 diff --git a/init-sh/level2.sh b/init-sh/level2.sh deleted file mode 100755 index 8a82518..0000000 --- a/init-sh/level2.sh +++ /dev/null 
@@ -1,102 +0,0 @@ -#!/bin/bash - -# -# Security level implementation... -# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> -# - - - -if [[ -f /usr/share/msec/lib.sh ]]; then - . /usr/share/msec/lib.sh -else - echo "Can't find /usr/share/msec/lib.sh, exiting." - exit 1 -fi - -# login as root on console granted... -echo "Login as root is granted :" -AddRules "tty1" /etc/securetty quiet -AddRules "tty2" /etc/securetty quiet -AddRules "tty3" /etc/securetty quiet -AddRules "tty4" /etc/securetty quiet -AddRules "tty5" /etc/securetty quiet -AddRules "tty6" /etc/securetty -AddRules "vc/1" /etc/securetty quiet -AddRules "vc/2" /etc/securetty quiet -AddRules "vc/3" /etc/securetty quiet -AddRules "vc/4" /etc/securetty quiet -AddRules "vc/5" /etc/securetty quiet -AddRules "vc/6" /etc/securetty - -# Security check -echo "Updating file check variable : " -echo -e "\t- Check security : yes." - AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check important permissions : no." - AddRules "CHECK_PERMS=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid root file : yes." - AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid root file integrity (backdoor check) : yes." - AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid group file : yes." - AddRules "CHECK_SUID_GROUP=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check world writable file : yes." - AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check unowned file : no." - AddRules "CHECK_UNOWNED=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check promiscuous mode : no." - AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check listening port : no." - AddRules "CHECK_OPEN_PORT=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check passwd file integrity : no." 
- AddRules "CHECK_PASSWD=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check shadow file integrity : no." - AddRules "CHECK_SHADOW=no" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning on tty : no." - AddRules "TTY_WARN=no" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning by mail : no." - AddRules "MAIL_WARN=no" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning in syslog : yes." - AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf -# end security check - -export SECURE_LEVEL=2 -echo "Setting secure level variable to 2 :" -AddRules "SECURE_LEVEL=2" /etc/sysconfig/msec - -echo "Setting umask to 022 (u=rw,g=r,o=r) :" -AddRules "UMASK_ROOT=022" /etc/sysconfig/msec -AddRules "UMASK_USER=022" /etc/sysconfig/msec - -# Xserver -echo "Allowing users to connect X server from localhost :" -AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit.d/msec - -# group -echo "Adding system users to specifics groups :" -/usr/share/msec/grpuser.sh --refresh -grpconv -echo -e "done.\n" - -# icmp echo -echo "Enabling icmp echo :" -AddRules "net.ipv4.icmp_echo_ignore_all=0" /etc/sysctl.conf -AddRules "net.ipv4.icmp_echo_ignore_broadcasts=0" /etc/sysctl.conf - -# bad error -echo "Disabling bad error message Protection :" -AddRules "net.ipv4.icmp_ignore_bogus_error_responses=0" /etc/sysctl.conf - -# log strange packets -echo "Disabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :" -AddRules "net.ipv4.conf.all.log_martians=0" /etc/sysctl.conf - -LoadSysctl - -AllowAutologin - -# Do not boot on a shell -AllowReboot -AllowUserList -RootSshLogin 2 diff --git a/init-sh/level3.sh b/init-sh/level3.sh deleted file mode 100755 index 83fccf8..0000000 --- a/init-sh/level3.sh +++ /dev/null 
@@ -1,103 +0,0 @@ -#!/bin/bash - -# -# Security level implementation... -# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> -# - - -if [[ -f /usr/share/msec/lib.sh ]]; then - . /usr/share/msec/lib.sh -else - echo "Can't find /usr/share/msec/lib.sh, exiting." - exit 1 -fi - -echo "Loging all messages on tty12 : " -AddRules "*.* /dev/tty12" /etc/syslog.conf - -# login as root from the console allowed -echo "Login as root is allowed (on the console) : " -AddRules "tty1" /etc/securetty quiet -AddRules "tty2" /etc/securetty quiet -AddRules "tty3" /etc/securetty quiet -AddRules "tty4" /etc/securetty quiet -AddRules "tty5" /etc/securetty quiet -AddRules "tty6" /etc/securetty -AddRules "vc/1" /etc/securetty quiet -AddRules "vc/2" /etc/securetty quiet -AddRules "vc/3" /etc/securetty quiet -AddRules "vc/4" /etc/securetty quiet -AddRules "vc/5" /etc/securetty quiet -AddRules "vc/6" /etc/securetty - -# Security check -echo "Updating file check variable : " -echo -e "\t- Check security : yes." - AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check important permissions : yes." - AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid root file : yes." - AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid root file integrity (backdoor check) : yes." - AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid group file : yes." - AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check world writable file : yes." - AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check unowned file : no." - AddRules "CHECK_UNOWNED=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check promiscuous mode : no." - AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf quiet -echo -e "\t- Check listening port : yes." 
- AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check passwd file integrity : yes." - AddRules "CHECK_PASSWD=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check shadow file integrity : yes." - AddRules "CHECK_SHADOW=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning on tty : yes." - AddRules "TTY_WARN=no" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning by mail : yes." - AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf quiet - AddRules "MAIL_USER=root" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning in syslog : yes." - AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf -# end security check - -# Crontab -echo "Adding permission check in crontab (scheduled every midnight) :" -AddRules "0 4 * * * root /usr/share/msec/security.sh" /etc/crontab - -export SECURE_LEVEL=3 -echo "Setting secure level variable to 3 :" -AddRules "SECURE_LEVEL=3" /etc/sysconfig/msec - -echo "Setting umask to 022 (u=rw,g=r,o=r) :" -AddRules "UMASK_ROOT=022" /etc/sysconfig/msec -AddRules "UMASK_USER=022" /etc/sysconfig/msec - -# icmp echo -echo "Enabling icmp echo :" -AddRules "net.ipv4.icmp_echo_ignore_all=0" /etc/sysctl.conf -AddRules "net.ipv4.icmp_echo_ignore_broadcasts=1" /etc/sysctl.conf - -# bad error -echo "Enabling bad error message Protection :" -AddRules "net.ipv4.icmp_ignore_bogus_error_responses=1" /etc/sysctl.conf - -# log strange packets -echo "Enabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :" -AddRules "net.ipv4.conf.all.log_martians=1" /etc/sysctl.conf - -LoadSysctl - -# Do not boot on a shell -AllowReboot - -ForbidAutologin - -# Group were modified in lib.sh... -grpconv - -AllowUserList -RootSshLogin 3 diff --git a/init-sh/level4.sh b/init-sh/level4.sh deleted file mode 100755 index b4d3d7a..0000000 --- a/init-sh/level4.sh +++ /dev/null 
@@ -1,155 +0,0 @@ -#!/bin/bash - - -# -# Security level implementation... -# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> -# - -if [[ -f /usr/share/msec/lib.sh ]]; then - . /usr/share/msec/lib.sh -else - echo "Can't find /usr/share/msec/lib.sh, exiting." - exit 1 -fi - -# Log in append only mode -echo -e "Changing attribute of /var/log/* to append only...\n" - -# All events logged on tty12 -echo "Loging all messages on tty12 : " -AddRules "*.* /dev/tty12" /etc/syslog.conf - -# Prevent all kind of connection except from localhost -echo "Denying all kind of connection except localhost : " -AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny - -# Login as root on the console allowed : -echo "Denying login as root (except on the console) :" -AddRules "tty1" /etc/securetty quiet -AddRules "tty2" /etc/securetty quiet -AddRules "tty3" /etc/securetty quiet -AddRules "tty4" /etc/securetty quiet -AddRules "tty5" /etc/securetty quiet -AddRules "tty6" /etc/securetty -AddRules "vc/1" /etc/securetty quiet -AddRules "vc/2" /etc/securetty quiet -AddRules "vc/3" /etc/securetty quiet -AddRules "vc/4" /etc/securetty quiet -AddRules "vc/5" /etc/securetty quiet -AddRules "vc/6" /etc/securetty - -# Security check -echo "Updating file check variable : " -echo -e "\t- Check security : yes." - AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check important permissions : yes." - AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid root file : yes." - AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid root file integrity (backdoor check) : yes." - AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid group file : yes." - AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check world writable file : yes." 
- AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check unowned file : yes." - AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check promiscuous mode : yes." - AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check listening port : yes." - AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check passwd file integrity : yes." - AddRules "CHECK_PASSWD=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check shadow file integrity : yes." - AddRules "CHECK_SHADOW=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning on tty : yes." - AddRules "TTY_WARN=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning by mail : yes." - AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf quiet - AddRules "MAIL_USER=root" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning in syslog : yes." - AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf -# end security check - -# Check every 1 minutes for promisc problem -echo "Adding promisc check in crontab (scheduled every minutes) :" -AddRules "*/1 * * * * root /usr/share/msec/promisc_check.sh" /etc/crontab - -echo "Adding \"diff\" & \"global\" security check in crontab (scheduled every midnight) :" -AddRules "0 4 * * * root /usr/share/msec/security.sh" /etc/crontab - -# Server update -export SECURE_LEVEL=4 -echo "Setting secure level variable to 4 :" -AddRules "SECURE_LEVEL=4" /etc/sysconfig/msec - -IFS=" -" -echo -n "Disabling all service, except : {" -for service in `chkconfig --list | awk '{print $1}'`; do - if grep -qx ${service} /etc/security/msec/server.4; then - echo -n " ${service}" - fi -done -echo " } : " - -for service in `chkconfig --list | awk '{print $1}'`; do - chkconfig --del "${service}" - if ! chkconfig --msec --add "${service}"; then - echo -e "\t- Services ${service} scheduled to be disabled at next boot." 
- fi -done -echo -e "done.\n"; - -echo "Setting umask to 022 (u=rw,g=rx) for root, 077 (u=rw) for user :" -AddRules "UMASK_ROOT=022" /etc/sysconfig/msec -AddRules "UMASK_USER=077" /etc/sysconfig/msec - -if [[ -f /lib/libsafe.so.2 ]]; then - echo "Enabling stack overflow protection :" - AddRules "/lib/libsafe.so.2" /etc/ld.so.preload -fi - -# Console timeout -echo "Setting console timeout :" -AddRules "TMOUT=7200" /etc/sysconfig/msec - -# No history file -echo "No history file :" -AddRules "HISTFILESIZE=0" /etc/sysconfig/msec - -# Ip spoofing protection -echo "IP spoofing protection :" -AddRules "nospoof on" /etc/host.conf -AddRules "spoofalert on" /etc/host.conf - -# icmp echo -echo "Ignoring icmp echo :" -AddRules "net.ipv4.icmp_echo_ignore_all=1" /etc/sysctl.conf -AddRules "net.ipv4.icmp_echo_ignore_broadcasts=1" /etc/sysctl.conf - -# bad error -echo "Enabling bad error message Protection :" -AddRules "net.ipv4.icmp_ignore_bogus_error_responses=1" /etc/sysctl.conf - -# log strange packets -echo "Enabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :" -AddRules "net.ipv4.conf.all.log_martians=1" /etc/sysctl.conf - -LoadSysctl - -# issues -echo "Removing /etc/issue.net :" -RemoveIssueNet - -# Do not boot on a shell -ForbidReboot - -ForbidAutologin - -# Group were modified in lib.sh... -grpconv - -ForbidUserList -RootSshLogin 4 diff --git a/init-sh/level5.sh b/init-sh/level5.sh deleted file mode 100755 index 070c770..0000000 --- a/init-sh/level5.sh +++ /dev/null 
@@ -1,178 +0,0 @@ -#!/bin/bash - -# -# Security level implementation... -# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> -# - -if [[ -f /usr/share/msec/lib.sh ]]; then - . /usr/share/msec/lib.sh -else - echo "Can't find /usr/share/msec/lib.sh, exiting." - exit 1 -fi - -echo -e "Changing attribute of /var/log/* to append only...\n" - -# All events logged on tty12 -echo "Loging all messages on tty12 : " -AddRules "*.* /dev/tty12" /etc/syslog.conf - -# Prevent all kind of connection -echo "Denying all kind of connection : " -AddRules "ALL:ALL:DENY" /etc/hosts.deny - -# No login as root -echo "Login as root is denied : " -echo "Modified file : /etc/securetty..." -echo -e "done.\n\n" - -# Security check -echo "Updating file check variable : " -echo -e "\t- Check security : yes." - AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check important permissions : yes." - AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid root file : yes." - AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid root file integrity (backdoor check) : yes." - AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid group file : yes." - AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check world writable file : yes." - AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check unowned file : yes." - AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check promiscuous mode : yes." - AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check listening port : yes." - AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check passwd file integrity : yes." - AddRules "CHECK_PASSWD=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check shadow file integrity : yes." 
- AddRules "CHECK_SHADOW=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning on tty : yes." - AddRules "TTY_WARN=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning by mail : yes." - AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf quiet - AddRules "MAIL_USER=root" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning in syslog : yes." - AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf -# end security check - -################ Crontab things ################### -# Check every 1 minutes for promisc problem -echo "Adding promisc check in crontab (scheduled every minutes) :" -AddRules "*/1 * * * * root /usr/share/msec/promisc_check.sh" /etc/crontab - -echo "Adding \"diff\" & \"global\" security check in crontab (scheduled every midnight) :" -AddRules "0 4 * * * root /usr/share/msec/security.sh" /etc/crontab - -################################################### - -# setup BSD accounting. - -echo "Setting up BSD process accounting..." -if [[ -f /sbin/accton ]]; then - AddRules "touch /var/log/security/pacct.log" /etc/rc.d/rc.local - AddRules "/sbin/accton /var/log/security/pacct.log" /etc/rc.d/rc.local - AddRules "/var/log/security/pacct.log {" /etc/logrotate.conf - AddRules " postrotate" /etc/logrotate.conf - AddRules " /sbin/accton /var/log/security/pacct.log" /etc/logrotate.conf - AddRules " }" /etc/logrotate.conf - touch /var/log/security/pacct.log - chown root.root /var/log/security/pacct.log - chmod 600 /var/log/security/pacct.log - /sbin/accton /var/log/security/pacct.log -fi - -# Wanna password ? 
-LoaderUpdate; - -# Disable all server : -export SECURE_LEVEL=4 -echo "Setting secure level variable to 5 :" -AddRules "SECURE_LEVEL=5" /etc/sysconfig/msec - -IFS=" -" - -export SECURE_LEVEL=5 -echo -n "Disabling all service, except : {" -for service in `chkconfig --list | awk '{print $1}'`; do - if grep -qx ${service} /etc/security/msec/server.5; then - echo -n " ${service}" - fi -done -echo " } : " - -for service in `chkconfig --list | awk '{print $1}'`; do - chkconfig --del "${service}" - if ! chkconfig --msec --add "${service}"; then - echo -e "\t- Services ${service} scheduled to be disabled at next boot." - fi -done -echo -e "done.\n"; - -echo "Setting umask to 077 (u=rw) :" -AddRules "UMASK_ROOT=077" /etc/sysconfig/msec -AddRules "UMASK_USER=077" /etc/sysconfig/msec - -if [[ -f /lib/libsafe.so.2 ]]; then - echo "Enabling stack overflow protection :" - AddRules "/lib/libsafe.so.2" /etc/ld.so.preload -fi - -# Console timeout -echo "Setting console timeout :" -AddRules "TMOUT=180" /etc/sysconfig/msec - -# No history file -echo "No history file :" -AddRules "HISTFILESIZE=0" /etc/sysconfig/msec - -# Ip spoofing protection -echo "IP spoofing protection :" -AddRules "nospoof on" /etc/host.conf -AddRules "spoofalert on" /etc/host.conf - -# icmp echo -echo "Ignoring icmp echo :" -AddRules "net.ipv4.icmp_echo_ignore_all=1" /etc/sysctl.conf -AddRules "net.ipv4.icmp_echo_ignore_broadcasts=1" /etc/sysctl.conf - -# bad error -echo "Enabling bad error message Protection :" -AddRules "net.ipv4.icmp_ignore_bogus_error_responses=1" /etc/sysctl.conf - -# log strange packets -echo "Enabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :" -AddRules "net.ipv4.conf.all.log_martians=1" /etc/sysctl.conf - -LoadSysctl - -# issues -echo "Removing /etc/issue and /etc/issue.net :" -RemoveIssue -RemoveIssueNet - -# Do not boot on a shell -ForbidReboot -ForbidAutologin - -echo -echo "You are now running your system in security level 5," -echo "All services are disabled 
: try the chkconfig to enable one..." -echo "If you're on a senssible machine, ( which is probably the case )" -echo "you should compile the server from the sources". -echo -echo "In order to launch X in this security level," -echo "you need to add your user to the \"xgrp\" group..." -echo "Use : usermod -G xgrp username" -echo - -# Group were modified in lib.sh... -grpconv - -ForbidUserList -RootSshLogin 5 diff --git a/init-sh/levelsnf.sh b/init-sh/levelsnf.sh deleted file mode 100755 index 6aba191..0000000 --- a/init-sh/levelsnf.sh +++ /dev/null 
@@ -1,160 +0,0 @@ -#!/bin/bash - - -# -# Security level implementation... -# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> -# - -if [[ -f /usr/share/msec/lib.sh ]]; then - . /usr/share/msec/lib.sh -else - echo "Can't find /usr/share/msec/lib.sh, exiting." - exit 1 -fi - -# Log in append only mode -echo -e "Changing attribute of /var/log/* to append only...\n" - -# All events logged on tty12 -echo "Loging all messages on tty12 : " -AddRules "*.* /dev/tty12" /etc/syslog.conf - -# Prevent all kind of connection except from localhost -echo "Denying all kind of connection except localhost : " -AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny - -# Allow all the ssh connexions from anywhere -echo "Allowing the ssh connexions from everywhere : " -AddRules "ALL:sshd ALL" /etc/hosts.allow - -# Login as root on the console allowed : -echo "Denying login as root (except on the console) :" -AddRules "tty1" /etc/securetty quiet -AddRules "tty2" /etc/securetty quiet -AddRules "tty3" /etc/securetty quiet -AddRules "tty4" /etc/securetty quiet -AddRules "tty5" /etc/securetty quiet -AddRules "tty6" /etc/securetty -AddRules "vc/1" /etc/securetty quiet -AddRules "vc/2" /etc/securetty quiet -AddRules "vc/3" /etc/securetty quiet -AddRules "vc/4" /etc/securetty quiet -AddRules "vc/5" /etc/securetty quiet -AddRules "vc/6" /etc/securetty - -# Security check -echo "Updating file check variable : " -echo -e "\t- Check security : yes." - AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check important permissions : yes." - AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid root file : yes." - AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid root file integrity (backdoor check) : yes." - AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check suid group file : yes." 
- AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check world writable file : yes." - AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check unowned file : yes." - AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check promiscuous mode : yes." - AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check listening port : yes." - AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check passwd file integrity : yes." - AddRules "CHECK_PASSWD=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Check shadow file integrity : yes." - AddRules "CHECK_SHADOW=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning on tty : yes." - AddRules "TTY_WARN=yes" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning by mail : yes." - AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf quiet - AddRules "MAIL_USER=root" /etc/security/msec/security.conf quiet -echo -e "\t- Security warning in syslog : yes." 
- AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf -# end security check - -# Check every 1 minutes for promisc problem -echo "Adding promisc check in crontab (scheduled every minutes) :" -AddRules "*/1 * * * * root /usr/share/msec/promisc_check.sh" /etc/crontab - -echo "Adding \"diff\" & \"global\" security check in crontab (scheduled every midnight) :" -AddRules "0 4 * * * root /usr/share/msec/security.sh" /etc/crontab - -# Server update -echo "Setting secure level variable to snf :" -AddRules "SECURE_LEVEL=snf" /etc/sysconfig/msec - -# Console timeout -echo "Setting console timeout :" -AddRules "TMOUT=180" /etc/sysconfig/msec - -# No history file -echo "No history file :" -AddRules "HISTFILESIZE=0" /etc/sysconfig/msec - -# Ip spoofing protection -echo "IP spoofing protection :" -AddRules "nospoof on" /etc/host.conf -AddRules "spoofalert on" /etc/host.conf - -# icmp echo -echo "Ignoring icmp echo :" -AddRules "net.ipv4.icmp_echo_ignore_all=1" /etc/sysctl.conf -AddRules "net.ipv4.icmp_echo_ignore_broadcasts=1" /etc/sysctl.conf - -# bad error -echo "Enabling bad error message Protection :" -AddRules "net.ipv4.icmp_ignore_bogus_error_responses=1" /etc/sysctl.conf - -# log strange packets -echo "Enabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :" -AddRules "net.ipv4.conf.all.log_martians=1" /etc/sysctl.conf - -LoadSysctl - -# issues -echo "Removing /etc/issue.net :" -RemoveIssueNet - -export SECURE_LEVEL=snf - -IFS=" -" -echo -n "Disabling all service, except : {" -for service in `chkconfig --list | awk '{print $1}'`; do - if grep -qx ${service} /etc/security/msec/server.snf; then - echo -n " ${service}" - fi -done -echo " } : " - -for service in `chkconfig --list | awk '{print $1}'`; do - chkconfig --del "${service}" - if ! chkconfig --msec --add "${service}"; then - echo -e "\t- Services ${service} scheduled to be disabled at next boot." 
- fi -done -echo -e "done.\n"; - -echo "Setting umask to 022 (u=rw,g=rx) for root, 077 (u=rw) for user :" -AddRules "UMASK_ROOT=022" /etc/sysconfig/msec -AddRules "UMASK_USER=077" /etc/sysconfig/msec - -if [[ -f /lib/libsafe.so.2 ]]; then - echo "Enabling stack overflow protection :" - AddRules "/lib/libsafe.so.2" /etc/ld.so.preload -fi - -# Do not boot on a shell -ForbidReboot - -ForbidAutologin - -# Group were modified in lib.sh... -grpconv - -ForbidUserList -RootSshLogin snf diff --git a/init-sh/lib.sh b/init-sh/lib.sh deleted file mode 100644 index 17b007f..0000000 --- a/init-sh/lib.sh +++ /dev/null 
@@ -1,410 +0,0 @@ -# -# Security level implementation... -# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> -# - -# Need root access -if [[ ${UID} != 0 ]]; then - echo "You need to be root in order to change secure level." - exit 1 -fi - -export COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too." - -WaitAnswer() { - answer="nothing" - - while [[ ${answer} != yes && ${answer} != no ]]; do - echo -n "yes/no : " - read answer - done -} - -AddRules() { - string=$1 - file=$2 - quiet=$3 - - if [[ -z ${string} ]]; then - return; - fi - - if [[ -z ${quiet} ]]; then - echo "Modifying config in ${file}..." - fi - - if ! grep -qEx "^${string}" ${file}; then - echo -e "${COMMENT}" >> ${file}; - echo -e "${string}" >> ${file}; - fi - - if [[ -z ${3} ]]; then - echo -e "done.\n" - fi -} - -AddBegRules() { - echo "Modifying config in ${2}..." - - if [[ ! -f ${file} ]]; then - return; - fi - - export VAL=$1 - perl -pi -e '/^#/ or /^$/ or $m++ or print "$ENV{COMMENT}\n$ENV{VAL}\n"' $2 - - echo -e "done.\n" -} - - -OLD_CleanRules() { - file=$1 - ctrl=0 - - if [[ ! -f ${file} ]]; then - echo "${file} do not exist... can not clean." - return; - fi - - echo -en "\t- Cleaning msec appended line in ${file} : " - - tmpfile=`mktemp /tmp/secure.XXXXXX` - cp ${file} ${tmpfile} - - while read line; do - if [[ ${ctrl} == 1 ]]; then - ctrl=0 - continue; - fi - - if echo "${line}" | grep -qx "${COMMENT}"; then - ctrl=1 - fi - - if [[ ${ctrl} == 0 ]]; then - echo "${line}" - fi - done < ${tmpfile} > ${file} - - rm -f ${tmpfile} - - echo "done." -} - -CleanRules() { - echo -en "\t- Cleaning msec appended line in $1 : " - - perl -ni -e '$_ eq "$ENV{COMMENT}\n" ... // or print' $1 - - echo "done." -} - -CommentUserRules() { - file=$1 - - if [[ ! -f ${file} ]]; then - return; - fi - - echo -en "\t- Cleaning user appended line in ${file} : " - - tmpfile=`mktemp /tmp/secure.XXXXXX` - cp -f ${file} ${tmpfile} - - while read line; do - if ! 
echo "${line}" | grep -qE "^#"; then - echo "# ${line}" - else - echo "${line}" - fi - done < ${tmpfile} > ${file} - - rm -f ${tmpfile} - - echo "done." -} - -Syslog() { - if [[ ${SYSLOG_WARN} == yes ]]; then - /sbin/initlog --string=${1} - fi -} - -Ttylog() { - if [[ ${TTY_WARN} == yes ]]; then - w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do - echo -e ${1} > /dev/$i - done - fi -} - - -LoaderUpdate() { - - # Ask only if we're not inside DrakX. - if [[ ! ${DRAKX_PASSWORD+set} ]]; then - echo "Do you want a password authentication at boot time ?" - echo "Be very carefull," - echo "this will prevent your server to reboot without an operator to enter password". - WaitAnswer; - if [[ ${answer} == yes ]]; then - echo -n "Please enter the password which will be used at boot time : " - read password - else - password="" - fi - - if [[ ! -z ${password} ]]; then - if [[ -f /etc/lilo.conf ]]; then - AddBegRules "password=$password" /etc/lilo.conf - chmod 600 /etc/lilo.conf - fi - if [[ -f /boot/grub/menu.lst ]]; then - AddBegRules "password $password" /boot/grub/menu.lst - chmod 600 /boot/grub/menu.lst - fi - - loader=`/usr/sbin/detectloader` - case "${loader}" in - "LILO") - /sbin/lilo - ;; - "GRUB") - ;; - esac - fi - fi -} - -# Do something only if DRAKX_PASSWORD set ( we're in DrakX ) -LoaderDrakX() { - if [[ -n "${DRAKX_PASSWORD}" ]]; then - if [[ -f /etc/lilo.conf ]]; then - AddBegRules "password=$DRAKX_PASSWORD" /etc/lilo.conf - chmod 600 /etc/lilo.conf - fi - if [[ -f /boot/grub/menu.lst ]]; then - AddBegRules "password $DRAKX_PASSWORD" /boot/grub/menu.lst - chmod 600 /boot/grub/menu.lst - fi - - loader=`/usr/sbin/detectloader` - case "${loader}" in - "LILO") - /sbin/lilo - ;; - "GRUB") - ;; - esac - fi -} - - -CleanLoaderRules() { - if [[ -f /etc/lilo.conf ]]; then - CleanRules /etc/lilo.conf - chmod 644 /etc/lilo.conf - fi - if [[ -f /boot/grub/menu.lst ]]; then - CleanRules /boot/grub/menu.lst - chmod 644 /boot/grub/menu.lst - fi - - if [[ -z 
${DRAKX_PASSWORD} ]]; then - loader=`/usr/sbin/detectloader` - case "${loader}" in - "LILO") - /sbin/lilo - ;; - "GRUB") - ;; - esac - fi -} - -AllowAutologin() { - file=/etc/sysconfig/autologin - if [[ -f ${file} ]]; then - grep -v AUTOLOGIN < ${file} > ${file}.new - echo "AUTOLOGIN=yes" >> ${file}.new - mv -f ${file}.new ${file} - fi -} - -ForbidAutologin() { - file=/etc/sysconfig/autologin - if [[ -f ${file} ]]; then - cat ${file} | grep -v AUTOLOGIN > ${file}.new - echo "AUTOLOGIN=no" >> ${file}.new - mv -f ${file}.new ${file} - fi -} - -ForbidUserList() { - file=/usr/share/config/kdm/kdmrc - if [[ -f ${file} ]]; then - perl -pi -e 's/^ShowUsers=.*$/ShowUsers=None/' ${file} - fi - - file=/etc/X11/gdm/gdm.conf - if [[ -f ${file} ]]; then - perl -pi -e 's/^Browser=.*$/Browser=0/' ${file} - fi -} - -AllowUserList() { - file=/usr/share/config/kdm/kdmrc - if [[ -f ${file} ]]; then - perl -pi -e 's/^ShowUsers=.*$/ShowUsers=All/' ${file} - fi - - file=/etc/X11/gdm/gdm.conf - if [[ -f ${file} ]]; then - perl -pi -e 's/^Browser=.*$/Browser=1/' ${file} - fi -} - -ForbidReboot() { - echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : " - tmpfile=`mktemp /tmp/secure.XXXXXX` - cp /etc/inittab ${tmpfile} - cat ${tmpfile} | \ - sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \ - sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab - rm -f ${tmpfile} - [ -z "$DURING_INSTALL" ] && telinit u - echo "done." - echo -n "Forbid console users to reboot/shutdown : " - for pamfile in /etc/security/console.apps/{shutdown,poweroff,reboot,halt} ; do - rm -f ${pamfile} 2>&1 > /dev/null - done - echo "done." 
-} - -AllowReboot() { - echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : " - tmpfile=`mktemp /tmp/secure.XXXXXX` - cp /etc/inittab ${tmpfile} - cat ${tmpfile} | \ - sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab - rm -f ${tmpfile} - [ -z "$DURING_INSTALL" ] && telinit u - echo "done." - echo -n "Allow console users to reboot/shutdown : " - for pamfile in /etc/security/console.apps/{shutdown,poweroff,reboot,halt} ; do - touch -f ${pamfile} - done - echo "done." -} - -RootSshLogin () { - echo -n "Setting up the root ssh login : " - if [[ $1 == 4 || $1 == 5 || $1 == snf ]]; then - /bin/sed 's/PermitRootLogin yes/PermitRootLogin no/' < /etc/ssh/sshd_config > /etc/ssh/sshd_config.new - mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config - chmod 0600 /etc/ssh/sshd_config - else - sed 's/PermitRootLogin no/PermitRootLogin yes/' < /etc/ssh/sshd_config > /etc/ssh/sshd_config.new - mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config - chmod 0600 /etc/ssh/sshd_config - fi -} - -LoadSysctl () { - /sbin/sysctl -e -p /etc/sysctl.conf - service network restart -} - -RemoveIssue () { - if [ -f /etc/issue ]; then - mv -f /etc/issue /etc/issue.msec - fi -} - -RemoveIssueNet () { - if [ -f /etc/issue.net ]; then - mv -f /etc/issue.net /etc/issue.net.msec - fi -} - -RestoreIssues () { - if [ ! -f /etc/issue.net -a -f /etc/issue.net.msec ]; then - mv -f /etc/issue.net.msec /etc/issue.net - fi - - if [ ! -f /etc/issue -a -f /etc/issue.msec ]; then - mv -f /etc/issue.msec /etc/issue - fi -} - -# If we are currently installing our -# system with DrakX, we don't ask anything to the user... -# Instead, DrakX does it and gives us a file with some variables. -if [[ -f /etc/security/msec/security.conf ]]; then - . 
/etc/security/msec/security.conf -fi - -clear -echo "Preparing to run security script : " -CleanRules /etc/syslog.conf -CleanRules /etc/hosts.deny -CommentUserRules /etc/hosts.deny -CleanRules /etc/hosts.allow -CommentUserRules /etc/hosts.allow -CleanRules /etc/securetty -CommentUserRules /etc/securetty -CleanRules /etc/security/msec/security.conf -CommentUserRules /etc/security/msec/security.conf -touch /etc/ld.so.preload -CleanRules /etc/ld.so.preload -CleanRules /etc/host.conf -CleanRules /etc/sysctl.conf - -CleanLoaderRules -LoaderDrakX - -CleanRules /etc/logrotate.conf -CleanRules /etc/rc.d/rc.local -CleanRules /etc/rc.d/rc.firewall -CleanRules /etc/crontab -CleanRules /etc/profile -CleanRules /etc/zprofile - -RestoreIssues - -if [[ -f /etc/X11/xinit.d/msec ]]; then - CleanRules /etc/X11/xinit.d/msec -else - touch /etc/X11/xinit.d/msec - chmod 755 /etc/X11/xinit.d/msec -fi - -if [[ -f /etc/sysconfig/msec ]]; then - CleanRules /etc/sysconfig/msec -fi - -if [[ -f /etc/profile.d/msec.sh && -f /etc/profile.d/msec.csh ]]; then - CleanRules /etc/profile.d/msec.sh - CleanRules /etc/profile.d/msec.csh -else - chmod 755 /etc/profile.d/msec.sh - chmod 755 /etc/profile.d/msec.csh -fi - -echo -e "\nStarting to reconfigure the system : " -# For all secure level -echo "Setting spoofing protection : " -AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall - -# default groups which must exist on the system -# groupadd already checks for their existance... -groupadd nogroup >& /dev/null -groupadd -g 26 xgrp >& /dev/null -groupadd -g 33 ntools >& /dev/null -groupadd -g 34 ctools >& /dev/null -groupadd -g 81 audio >& /dev/null - -usermod -G xgrp xfs - -/usr/share/msec/grpuser.sh --clean -echo diff --git a/init-sh/lib.sh.usermode b/init-sh/lib.sh.usermode deleted file mode 100644 index 0458704..0000000 --- a/init-sh/lib.sh.usermode +++ /dev/null 
@@ -1,355 +0,0 @@
-#
-# Security level implementation...
-# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
-#
-
-# Need root access
-if [[ ${UID} != 0 ]]; then
- echo "You need to be root in order to change secure level."
- exit 1
-fi
-
-export COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too."
-
-WaitAnswer() {
- answer="nothing"
-
- while [[ ${answer} != yes && ${answer} != no ]]; do
- echo -n "yes/no : "
- read answer
- done
-}
-
-AddRules() {
- string=$1
- file=$2
- quiet=$3
-
- if [[ -z ${string} ]]; then
- return;
- fi
-
- if [[ -z ${quiet} ]]; then
- echo "Modifying config in ${file}..."
- fi
-
- if ! grep -Eqx "^${string}" ${file}; then
- echo -e "${COMMENT}" >> ${file};
- echo -e "${string}" >> ${file};
- fi
-
- if [[ -z ${3} ]]; then
- echo -e "done.\n"
- fi
-}
-
-AddBegRules() {
- echo "Modifying config in ${2}..."
-
- if [[ ! -f ${file} ]]; then
- return;
- fi
-
- export VAL=$1
- perl -pi -e '/^#/ or /^$/ or $m++ or print "$ENV{COMMENT}\n$ENV{VAL}\n"' $2
-
- echo -e "done.\n"
-}
-
-
-OLD_CleanRules() {
- file=$1
- ctrl=0
-
- if [[ ! -f ${file} ]]; then
- echo "${file} do not exist... can not clean."
- return;
- fi
-
- echo -en "\t- Cleaning msec appended line in ${file} : "
-
- tmpfile=`mktemp /tmp/secure.XXXXXX`
- cp ${file} ${tmpfile}
-
- while read line; do
- if [[ ${ctrl} == 1 ]]; then
- ctrl=0
- continue;
- fi
-
- if echo "${line}" | grep -qx "${COMMENT}"; then
- ctrl=1
- fi
-
- if [[ ${ctrl} == 0 ]]; then
- echo "${line}"
- fi
- done < ${tmpfile} > ${file}
-
- rm -f ${tmpfile}
-
- echo "done."
-}
-
-CleanRules() {
- echo -en "\t- Cleaning msec appended line in $1 : "
-
- perl -ni -e '$_ eq "$ENV{COMMENT}\n" ... // or print' $1
-
- echo "done."
-}
-
-CommentUserRules() {
- file=$1
-
- if [[ ! -f ${file} ]]; then
- return;
- fi
-
- echo -en "\t- Cleaning user appended line in ${file} : "
-
- tmpfile=`mktemp /tmp/secure.XXXXXX`
- cp -f ${file} ${tmpfile}
-
- while read line; do
- if ! echo "${line}" | grep -qE "^#"; then
- echo "# ${line}"
- else
- echo "${line}"
- fi
- done < ${tmpfile} > ${file}
-
- rm -f ${tmpfile}
-
- echo "done."
-}
-
-Syslog() {
- if [[ ${SYSLOG_WARN} == yes ]]; then
- /sbin/initlog --string=${1}
- fi
-}
-
-Ttylog() {
- if [[ ${TTY_WARN} == yes ]]; then
- w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do
- echo -e ${1} > /dev/$i
- done
- fi
-}
-
-
-LoaderUpdate() {
-
- # Ask only if we're not inside DrakX.
- if [[ ! ${DRAKX_PASSWORD+set} ]]; then
- echo "Do you want a password authentication at boot time ?"
- echo "Be very carefull,"
- echo "this will prevent your server to reboot without an operator to enter password".
- WaitAnswer;
- if [[ ${answer} == yes ]]; then
- echo -n "Please enter the password which will be used at boot time : "
- read password
- else
- password=""
- fi
-
- if [[ ! -z ${password} ]]; then
- if [[ -f /etc/lilo.conf ]]; then
- AddBegRules "password=$password" /etc/lilo.conf
- chmod 600 /etc/lilo.conf
- fi
- if [[ -f /boot/grub/menu.lst ]]; then
- AddBegRules "password $password" /boot/grub/menu.lst
- chmod 600 /boot/grub/menu.lst
- fi
-
- loader=`/usr/sbin/detectloader`
- case "${loader}" in
- "LILO")
- /sbin/lilo
- ;;
- "GRUB")
- ;;
- esac
- fi
- fi
-}
-
-# Do something only if DRAKX_PASSWORD set ( we're in DrakX )
-LoaderDrakX() {
- if [[ -n "${DRAKX_PASSWORD}" ]]; then
- if [[ -f /etc/lilo.conf ]]; then
- AddBegRules "password=$DRAKX_PASSWORD" /etc/lilo.conf
- chmod 600 /etc/lilo.conf
- fi
- if [[ -f /boot/grub/menu.lst ]]; then
- AddBegRules "password $DRAKX_PASSWORD" /boot/grub/menu.lst
- chmod 600 /boot/grub/menu.lst
- fi
-
- loader=`/usr/sbin/detectloader`
- case "${loader}" in
- "LILO")
- /sbin/lilo
- ;;
- "GRUB")
- ;;
- esac
- fi
-}
-
-
-CleanLoaderRules() {
- if [[ -f /etc/lilo.conf ]]; then
- CleanRules /etc/lilo.conf
- chmod 644 /etc/lilo.conf
- fi
- if [[ -f /boot/grub/menu.lst ]]; then
- CleanRules /boot/grub/menu.lst
- chmod 644 /boot/grub/menu.lst
- fi
-
- if [[ -z ${DRAKX_PASSWORD} ]]; then
- loader=`/usr/sbin/detectloader`
- case "${loader}" in
- "LILO")
- /sbin/lilo
- ;;
- "GRUB")
- ;;
- esac
- fi
-}
-
-AllowAutologin() {
- file=/etc/sysconfig/autologin
- if [[ -f ${file} ]]; then
- grep -v AUTOLOGIN < ${file} > ${file}.new
- echo "AUTOLOGIN=yes" >> ${file}.new
- mv -f ${file}.new ${file}
- fi
-}
-
-ForbidAutologin() {
- file=/etc/sysconfig/autologin
- if [[ -f ${file} ]]; then
- cat ${file} | grep -v AUTOLOGIN > ${file}.new
- echo "AUTOLOGIN=no" >> ${file}.new
- mv -f ${file}.new ${file}
- fi
-}
-
-ForbidUserList() {
- file=/usr/share/config/kdmrc
- if [[ -f ${file} ]]; then
- perl -pi -e 's/^UserView=.*$/UserView=false/' ${file}
- fi
-
- file=/etc/X11/gdm/gdm.conf
- if [[ -f ${file} ]]; then
- perl -pi -e 's/^Browser=.*$/Browser=0/' ${file}
- fi
-}
-
-AllowUserList() {
- file=/usr/share/config/kdmrc
- if [[ -f ${file} ]]; then
- perl -pi -e 's/^UserView=.*$/UserView=true/' ${file}
- fi
-
- file=/etc/X11/gdm/gdm.conf
- if [[ -f ${file} ]]; then
- perl -pi -e 's/^Browser=.*$/Browser=1/' ${file}
- fi
-}
-
-ForbidReboot() {
- echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
- tmpfile=`mktemp /tmp/secure.XXXXXX`
- cp /etc/inittab ${tmpfile}
- cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
- rm -f ${tmpfile}
- [ -z "$DURING_INSTALL" ] && telinit u
- echo "done."
-}
-
-AllowReboot() {
- echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
- tmpfile=`mktemp /tmp/secure.XXXXXX`
- cp /etc/inittab ${tmpfile}
- cat ${tmpfile} | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
- rm -f ${tmpfile}
- [ -z "$DURING_INSTALL" ] && telinit u
- echo "done."
-}
-
-RootSshLogin () {
- echo -n "Setting up the root ssh login : "
- if [[ $1 == 4 || $1 == 5 ]]; then
- /bin/sed 's/PermitRootLogin yes/PermitRootLogin no/' < /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
- mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
- chmod 0600 /etc/ssh/sshd_config
- else
- sed 's/PermitRootLogin no/PermitRootLogin yes/' < /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
- mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
- chmod 0600 /etc/ssh/sshd_config
- fi
-}
-
-
-# If we are currently installing our
-# system with DrakX, we don't ask anything to the user...
-# Instead, DrakX does it and gives us a file with some variables.
-if [[ -f /etc/security/msec/security.conf ]]; then
- . /etc/security/msec/security.conf
-fi
-
-clear
-echo "Preparing to run security script : "
-CleanRules /etc/syslog.conf
-CleanRules /etc/hosts.deny
-CommentUserRules /etc/hosts.deny
-CleanRules /etc/hosts.allow
-CommentUserRules /etc/hosts.allow
-CleanRules /etc/securetty
-CommentUserRules /etc/securetty
-CleanRules /etc/security/msec/security.conf
-CommentUserRules /etc/security/msec/security.conf
-CleanRules /etc/ld.so.preload
-
-CleanLoaderRules
-LoaderDrakX
-
-CleanRules /etc/logrotate.conf
-CleanRules /etc/rc.d/rc.local
-CleanRules /etc/rc.d/rc.firewall
-CleanRules /etc/crontab
-
-if [[ -f /etc/X11/xinit.d/msec ]]; then
- CleanRules /etc/X11/xinit.d/msec
-else
- touch /etc/X11/xinit.d/msec
- chmod 755 /etc/X11/xinit.d/msec
-fi
-
-echo -e "\nStarting to reconfigure the system : "
-# For all secure level
-echo "Setting spoofing protection : "
-AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall
-
-# default groups which must exist on the system
-# groupadd already checks for their existance...
-groupadd nogroup >& /dev/null
-groupadd -g 26 xgrp >& /dev/null
-groupadd -g 33 ntools >& /dev/null
-groupadd -g 34 ctools >& /dev/null
-groupadd -g 81 audio >& /dev/null
-
-usermod -G xgrp xfs
-
-/usr/share/msec/grpuser.sh --clean
-echo
diff --git a/init-sh/msec b/init-sh/msec
deleted file mode 100755
index 0892699..0000000
--- a/init-sh/msec
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/bash
-
-# Trap the sigint signal
-# so the msec process / subprocess can not be aborted by the user...
-# This will avoid trashing of config file while they are modified
-# if msec is interupted. ( thanks fg ).
-
-trap "" sigint
-
-if [[ -z $1 ]]; then
- echo "Usage : $0 [0-5] | snf"
- echo "Usage : $0 \"custom\""
- exit 1
-fi
-
-
-if [[ ${1} == custom ]]; then
- /usr/share/msec/custom.sh
- echo
- echo "You might logout of your session for some change to be activated."
- echo
- exit 0;
-fi
-
-if [[ -f /usr/share/msec/level$1.sh ]]; then
- if [[ $1 == 4 || $1 == 5 || $1 == snf ]]; then
- ln -sf /etc/security/msec/server.$1 /etc/security/msec/server
- else
- rm -rf /etc/security/msec/server
- chkconfig --list |awk ' {print $1}' | grep -v ":" | sort -u > /etc/security/msec/server
- fi
- ln -sf /usr/share/msec/level$1.sh /usr/share/msec/current-level.sh
- /usr/share/msec/current-level.sh
- echo
- echo "You might logout of your session for some change to be activated."
- echo
- if [[ -f /etc/security/msec/perm.$1 ]]; then
- ln -sf /etc/security/msec/perm.$1 /etc/security/msec/current.perm
- /usr/share/msec/file_perm.sh /etc/security/msec/current.perm
- else
- echo "Couldn't find the default permissions for level $1."
- fi
-else
- echo "Security level $1 not availlable..."
-fi
-
-
|