aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/msec/README712
1 files changed, 625 insertions, 87 deletions
diff --git a/src/msec/README b/src/msec/README
index 4bb3846..d2e86b3 100644
--- a/src/msec/README
+++ b/src/msec/README
@@ -1,87 +1,625 @@
-******************
-Configurations files in /etc/security/msec/
-Shell scripts in /usr/share/msec.
-******************
-
-Suggestions & comments:
-flepied@mandriva.com
-
-******************
-Doc of the rewritting in python:
-
- 0 1 2 3 4 5
-root umask 022 022 022 022 022 077
-shell timeout 0 0 0 0 3600 900
-deny services none none none none local all
-su only for wheel grp no no no no no yes
-user umask 022 022 022 022 077 077
-shell history size default default default default 10 10
-direct root login yes yes yes yes no no
-remote root login yes yes yes yes no no
-sulogin for single user no no no no yes yes
-user list in [kg]dm yes yes yes yes no no
-promisc check no no no no yes yes
-ignore icmp echo no no no no yes yes
-ignore broadcasted icmp echo no no no no yes yes
-ignore bogus error responses no no no no yes yes
-enable libsafe no no no no yes yes
-allow reboot by user yes yes yes yes no no
-allow crontab/at yes yes yes yes no no
-password aging no no no no 60 30
-allow autologin yes yes yes no no no
-console log no no no yes yes yes
-issues yes yes yes local local no
-ip spoofing protection no no no yes yes yes
-dns spoofing protection no no no yes yes yes
-log stange ip packets no no no yes yes yes
-periodic security check no yes yes yes yes yes
-allow X connections yes local local no no no
-allow xauth from root yes yes yes yes no no
-X server listen to tcp tcp tcp tcp local local
-run msec by cron yes yes yes yes yes yes
-
-Periodic security checks by level:
-
- 0 1 2 3 4 5
-CHECK_SECURITY no yes yes yes yes yes
-CHECK_PERMS no no no yes yes yes
-CHECK_SUID_ROOT no no yes yes yes yes
-CHECK_SUID_MD5 no no yes yes yes yes
-CHECK_SGID no no yes yes yes yes
-CHECK_WRITABLE no no yes yes yes yes
-CHECK_UNOWNED no no no no yes yes
-CHECK_PROMISC no no no no yes yes
-CHECK_OPEN_PORT no no no yes yes yes
-CHECK_PASSWD no no no yes yes yes
-CHECK_SHADOW no no no yes yes yes
-TTY_WARN no no no no yes yes
-MAIL_WARN no no no yes yes yes
-SYSLOG_WARN no no yes yes yes yes
-RPM_CHECK no no no yes yes yes
-CHKROOTKIT_CHECK no no no yes yes yes
-
-These variables are configured by the user:
-
-MAIL_USER the user to send the dayly reports. If not set, the email is
-sent to root.
-
-PERM_LEVEL is used to determine which file to use to fix
-permissions/owners/groups (from /usr/share/msec/perm.$PERM_LEVEL). If
-not set, the SECURE_LEVEL is used instead. If the file
-/etc/security/msec/perm.local exists, it's used too. The syntax for
-each line if the following:
-
-<file specification> <owner> <permission> [force]
-
-<file specification> can be any glob to specify one or multiple
-files/diretories.
-
-<owner> must be in the form <user>.<group> or <user>. (force only
-user) or .<group> (force only group) or current (keep current user and
-group).
-
-<permission> is an octal number representing the access rights or
-current to keep the current permissions.
-
-If force is present as a 4th argument, it means that msec will enforce
-the permission even if the previous permission was lower.
+msec(0.60.1) msec(0.60.1)
+
+
+
+NAME
+ msec - Mandriva Linux security tools
+
+SYNOPSIS
+ msec [options]
+ msecperms [options]
+ msecgui [options]
+
+DESCRIPTION
+ msec is responsible to maintain system security in Mandriva. It sup‐
+ ports different security configurations, which can be organized into
+ several security levels. Currently, three preconfigured security levels
+ are provided:
+
+
+ none this level aims to provide the most basic security. It should be
+ used when you want to manage all aspects of system security on
+ your own.
+
+
+ default
+ this is the default security level, which configures a reason‐
+ ably safe set of security features. It activates several peri‐
+ odic system checks, and sends the results of their execution by
+ email (by default, the local 'root' account is used).
+
+
+ secure this level is configured to provide maximum system security,
+ even at the cost of limiting the remote access to the system,
+ and local user permissions. It also runs a wider set of periodic
+ checks, enforces the local password settings, and periodically
+ checks if the system security settings, configured by msec, were
+ modified directly or by some other application.
+
+
+
+ The security settings are stored in /etc/security/msec/security.conf
+ file, and default settings for each predefined level are stored in
+ /etc/security/msec/level.LEVEL. Permissions for files and directories
+ that should be enforced or checked for changes are stored in /etc/secu‐
+ rity/msec/perms.conf, and default permissions for each predefined level
+ are stored in /etc/security/msec/perm.LEVEL. Note that user-modified
+ parameters take precedence over default level settings. For example,
+ when default level configuration forbids direct root logins, this set‐
+ ting can be overridden by the user.
+
+
+
+ The following options are supported by msec applications:
+
+
+ msec:
+
+
+ This is the console version of msec. It is responsible for system secu‐
+ rity configuration and checking and transitions between security lev‐
+ els.
+
+ When executed without parameters, msec will read the system configura‐
+ tion file (/etc/security/msec/security.conf), and enforce the specified
+ security settings. The operations are logged to /var/log/msec.log file,
+ and also to syslog, using LOG_AUTHPRIV facility. Please note that msec
+ should by run as root.
+
+ -h, --help
+ This option will display the list of supported command line
+ options.
+
+ -l, --level <level>
+ List the default configuration for given security level.
+
+ -f, --force <level>
+ Apply the specified security level to the system, overwritting all
+ local changes. This is necessary to initialize a security level, either
+ on first install, on when a change to a different level is required.
+
+ -d
+ Enable debugging messages.
+
+ -p, --pretend
+ Verify the actions that will be performed by msec, without actually
+ doing anything to the system. In this mode of operation, msec performs
+ all the required tasks, except effectively writting data back to disk.
+
+
+ msecperms:
+
+
+ This application is responsible for system permission checking and
+ enforcements.
+
+ When executed without parameters, msecperms will read the permissions
+ configuration file (/etc/security/msec/perms.conf), and enforce the
+ specified security settings. The operations are logged to
+ /var/log/msec.log file, and also to syslog, using LOG_AUTHPRIV facil‐
+ ity. Please note that msecperms should by run as root.
+
+ -h, --help
+ This option will display the list of supported command line
+ options.
+
+ -l, --level <level>
+ List the default configuration for given security level.
+
+ -f, --force <level>
+ Apply the specified security level to the system, overwritting all
+ local changes. This is necessary to initialize a security level, either
+ on first install, on when a change to a different level is required.
+
+ -e, --enforce
+ Enforce the default permissions on all files.
+
+ -d
+ Enable debugging messages.
+
+ -p, --pretend
+ Verify the actions that will be performed by msec, without actually
+ doing anything to the system. In this mode of operation, msec performs
+ all the required tasks, except effectively writting data back to disk.
+
+
+ msecgui:
+
+
+ This is the GTK version of msec. It acts as frontend to all msec func‐
+ tionalities.
+
+ -h, --help
+ This option will display the list of supported command line
+ options.
+
+ -d
+ Enable debugging messages.
+
+
+SECURITY OPTIONS
+ The following security options are supported by msec:
+
+
+
+
+ enable_dns_spoofing_protection
+ Enable/Disable name resolution spoofing protection. If alert is
+ true, also reports to syslog.
+
+ MSEC parameter: ENABLE_IP_SPOOFING_PROTECTION
+
+ Accepted values: yes, no
+
+
+
+ mail_empty_content
+ Enables sending of empty mail reports.
+
+ MSEC parameter: MAIL_EMPTY_CONTENT
+
+ Accepted values: yes, no
+
+
+
+ accept_broadcasted_icmp_echo
+ Accept/Refuse broadcasted icmp echo.
+
+ MSEC parameter: ACCEPT_BROADCASTED_ICMP_ECHO
+
+ Accepted values: yes, no
+
+
+
+ allow_xserver_to_listen
+ The argument specifies if clients are authorized to connect to the
+ X server on the tcp port 6000 or not.
+
+ MSEC parameter: ALLOW_XSERVER_TO_LISTEN
+
+ Accepted values: yes, no
+
+
+
+ check_chkrootkit
+ Enables checking for known rootkits using chkrootkit.
+
+ MSEC parameter: CHECK_CHKROOTKIT
+
+ Accepted values: yes, no
+
+
+
+ check_suid_root
+ Enables checking for additions/removals of suid root files.
+
+ MSEC parameter: CHECK_SUID_ROOT
+
+ Accepted values: yes, no
+
+
+
+ enable_at_crontab
+ Enable/Disable crontab and at for users. Put allowed users in
+ /etc/cron.allow and /etc/at.allow (see man at(1) and crontab(1)).
+
+ MSEC parameter: ENABLE_AT_CRONTAB
+
+ Accepted values: yes, no
+
+
+
+ accept_bogus_error_responses
+ Accept/Refuse bogus IPv4 error messages.
+
+ MSEC parameter: ACCEPT_BOGUS_ERROR_RESPONSES
+
+ Accepted values: yes, no
+
+
+
+ check_suid_md5
+ Enables checksum verification for suid files.
+
+ MSEC parameter: CHECK_SUID_MD5
+
+ Accepted values: yes, no
+
+
+
+ mail_user
+ Defines email to receive security notifications.
+
+ MSEC parameter: MAIL_USER
+
+ Accepted values: *
+
+
+
+ allow_autologin
+ Allow/Forbid autologin.
+
+ MSEC parameter: ALLOW_AUTOLOGIN
+
+ Accepted values: yes, no
+
+
+
+ enable_pam_wheel_for_su
+ Enabling su only from members of the wheel group or allow su from
+ any user.
+
+ MSEC parameter: ENABLE_PAM_WHEEL_FOR_SU
+
+ Accepted values: yes, no
+
+
+
+ create_server_link
+ Creates the symlink /etc/security/msec/server to point to
+ /etc/security/msec/server.<SERVER_LEVEL>. The /etc/secu‐
+ rity/msec/server is used by chkconfig --add to decide to add a ser‐
+ vice if it is present in the file during the installation of pack‐
+ ages.
+
+ MSEC parameter: CREATE_SERVER_LINK
+
+ Accepted values: no, default, secure
+
+
+
+ set_shell_timeout
+ Set the shell timeout. A value of zero means no timeout.
+
+ MSEC parameter: SHELL_TIMEOUT
+
+ Accepted values: *
+
+
+
+ check_shadow
+ Enables checking for empty passwords.
+
+ MSEC parameter: CHECK_SHADOW
+
+ Accepted values: yes, no
+
+
+
+ enable_password
+ Use password to authenticate users. Take EXTREMELY care when dis‐
+ abling passwords, as it will leave the machine COMPLETELY vulnera‐
+ ble.
+
+ MSEC parameter: ENABLE_PASSWORD
+
+ Accepted values: yes, no
+
+
+
+ set_win_parts_umask
+ Set umask option for mounting vfat and ntfs partitions. A value of
+ None means default umask.
+
+ MSEC parameter: WIN_PARTS_UMASK
+
+ Accepted values: no, *
+
+
+
+ check_open_port
+ Enables checking for open network ports.
+
+ MSEC parameter: CHECK_OPEN_PORT
+
+ Accepted values: yes, no
+
+
+
+ enable_log_strange_packets
+ Enable/Disable the logging of IPv4 strange packets.
+
+ MSEC parameter: ENABLE_LOG_STRANGE_PACKETS
+
+ Accepted values: yes, no
+
+
+
+ check_rpm
+ Enables verification of installed packages.
+
+ MSEC parameter: CHECK_RPM
+
+ Accepted values: yes, no
+
+
+
+ enable_pam_root_from_wheel
+ Allow root access without password for the members of the wheel
+ group.
+
+ MSEC parameter: ENABLE_PAM_ROOT_FROM_WHEEL
+
+ Accepted values: yes, no
+
+
+
+ mail_warn
+ Enables security results submission by email.
+
+ MSEC parameter: MAIL_WARN
+
+ Accepted values: yes, no
+
+
+
+ password_length
+ Set the password minimum length and minimum number of digit and
+ minimum number of capitalized letters.
+
+ MSEC parameter: PASSWORD_LENGTH
+
+ Accepted values: *
+
+
+
+ set_root_umask
+ Set the root umask.
+
+ MSEC parameter: ROOT_UMASK
+
+ Accepted values: *
+
+
+
+ check_sgid
+ Enables checking for additions/removals of sgid files.
+
+ MSEC parameter: CHECK_SGID
+
+ Accepted values: yes, no
+
+
+
+ check_promisc
+ Activate/Disable ethernet cards promiscuity check.
+
+ MSEC parameter: CHECK_PROMISC
+
+ Accepted values: yes, no
+
+
+
+ allow_x_connections
+ Allow/Forbid X connections. Accepted arguments: yes (all connec‐
+ tions are allowed), local (only local connection), no (no connec‐
+ tion).
+
+ MSEC parameter: ALLOW_X_CONNECTIONS
+
+ Accepted values: yes, no, local
+
+
+
+ check_writable
+ Enables checking for files/directories writable by everybody.
+
+ MSEC parameter: CHECK_WRITABLE
+
+ Accepted values: yes, no
+
+
+
+ enable_console_log
+ Enable/Disable syslog reports to console 12. expr is the expression
+ describing what to log (see syslog.conf(5) for more details) and
+ dev the device to report the log.
+
+ MSEC parameter: ENABLE_CONSOLE_LOG
+
+ Accepted values: yes, no
+
+
+
+ enable_ip_spoofing_protection
+ Enable/Disable IP spoofing protection.
+
+ MSEC parameter: ENABLE_DNS_SPOOFING_PROTECTION
+
+ Accepted values: yes, no
+
+
+
+ check_perms
+ Enables permission checking in users' home.
+
+ MSEC parameter: CHECK_PERMS
+
+ Accepted values: yes, no
+
+
+
+ set_shell_history_size
+ Set shell commands history size. A value of -1 means unlimited.
+
+ MSEC parameter: SHELL_HISTORY_SIZE
+
+ Accepted values: *
+
+
+
+ allow_reboot
+ Allow/Forbid system reboot and shutdown to local users.
+
+ MSEC parameter: ALLOW_REBOOT
+
+ Accepted values: yes, no
+
+
+
+ syslog_warn
+ Enables logging to system log.
+
+ MSEC parameter: SYSLOG_WARN
+
+ Accepted values: yes, no
+
+
+
+ check_shosts
+ Enables checking for dangerous options in users' .rhosts/.shosts
+ files.
+
+ MSEC parameter: CHECK_SHOSTS
+
+ Accepted values: yes, no
+
+
+
+ check_passwd
+ Enables password-related checks, such as empty passwords and
+ strange super-user accounts.
+
+ MSEC parameter: CHECK_PASSWD
+
+ Accepted values: yes, no
+
+
+
+ password_history
+ Set the password history length to prevent password reuse. This is
+ not supported by pam_tcb.
+
+ MSEC parameter: PASSWORD_HISTORY
+
+ Accepted values: *
+
+
+
+ check_security
+ Enables daily security checks.
+
+ MSEC parameter: CHECK_SECURITY
+
+ Accepted values: yes, no
+
+
+
+ allow_root_login
+ Allow/Forbid direct root login.
+
+ MSEC parameter: ALLOW_ROOT_LOGIN
+
+ Accepted values: yes, no
+
+
+
+ check_unowned
+ Enables checking for unowned files.
+
+ MSEC parameter: CHECK_UNOWNED
+
+ Accepted values: yes, no
+
+
+
+ allow_user_list
+ Allow/Forbid the list of users on the system on display managers
+ (kdm and gdm).
+
+ MSEC parameter: ALLOW_USER_LIST
+
+ Accepted values: yes, no
+
+
+
+ allow_remote_root_login
+ Allow/Forbid remote root login via sshd. You can specify yes, no
+ and without-password. See sshd_config(5) man page for more informa‐
+ tion.
+
+ MSEC parameter: ALLOW_REMOTE_ROOT_LOGIN
+
+ Accepted values: yes, no, without_password
+
+
+
+ enable_msec_cron
+ Enable/Disable msec hourly security check.
+
+ MSEC parameter: ENABLE_MSEC_CRON
+
+ Accepted values: yes, no
+
+
+
+ enable_sulogin
+ Enable/Disable sulogin(8) in single user level.
+
+ MSEC parameter: ENABLE_SULOGIN
+
+ Accepted values: yes, no
+
+
+
+ allow_xauth_from_root
+ Allow/forbid to export display when passing from the root account
+ to the other users. See pam_xauth(8) for more details.
+
+ MSEC parameter: ALLOW_XAUTH_FROM_ROOT
+
+ Accepted values: yes, no
+
+
+
+ set_user_umask
+ Set the user umask.
+
+ MSEC parameter: USER_UMASK
+
+ Accepted values: *
+
+
+
+ accept_icmp_echo
+ Accept/Refuse icmp echo.
+
+ MSEC parameter: ACCEPT_ICMP_ECHO
+
+ Accepted values: yes, no
+
+
+
+ authorize_services
+ Configure access to tcp_wrappers services (see hosts.deny(5)). If
+ arg = yes, all services are authorized. If arg = local, only local
+ ones are, and if arg = no, no services are authorized. In this
+ case, To authorize the services you need, use /etc/hosts.allow (see
+ hosts.allow(5)).
+
+ MSEC parameter: AUTHORIZE_SERVICES
+
+ Accepted values: yes, no, local
+
+
+
+ tty_warn
+ Enables periodic security check results to terminal.
+
+ MSEC parameter: TTY_WARN
+
+ Accepted values: yes, no
+
+
+NOTES
+ Msec applications must be run by root.
+
+AUTHORS
+ Frederic Lepied <flepied@mandriva.com>
+
+ Eugeni Dodonov <eugeni@mandriva.com>
+
+
+
+
+Mandriva Linux msec msec(0.60.1)