-rw-r--r--doc/security.txt179
-rwxr-xr-xinit-sh/level0.sh4
-rwxr-xr-xinit-sh/level1.sh4
-rwxr-xr-xinit-sh/level2.sh4
-rw-r--r--init-sh/lib.sh29
-rw-r--r--msec.spec2
6 files changed, 148 insertions, 74 deletions
diff --git a/doc/security.txt b/doc/security.txt
index 4d22ca5..ae44383 100644
--- a/doc/security.txt
+++ b/doc/security.txt
@@ -1,84 +1,127 @@
-
****************************
-
Security level 1 :
-OK - Access to the system as a normal user.
-OK - . in $PATH
-OK - Login as root from the console granted.
-OK - No rules check for password.
-OK - Permission for /dev & /etc = 755
-OK - Permission for /home = 755
-OK - Device are accessible by group. ( ie: the user is automagically added to the audio group, video group & all... ).
-OK - xhost + localhost
-****************************
+- Global security check.
+- umask is 002 ( user = read,write | greoup = read,write | other = read )
+- easy file permission.
+- localhost authorized to connect to X display.
+- User in audio group.
+- . in $PATH
+- Warning in /var/log/security.log
+****************************
Security level 2 :
-OK - Access to the system as a normal user.
-OK - Login as root from the console granted.
- - No rules check for password.
- ---> Waiting for Chmouel to verify password...
+- Global security check
+- Suid root file check
+- Suid root file md5sum check
+- Writeable file check
+- Warning directly on tty
+- Warning in syslog
+- Warning in /var/log/security.log
-OK - Device are accessible by group. ( ie: the user is automagically added to the audio group, video group & all... ).
-OK - Permission for /dev & /etc = 755
-OK - Permission for /home = 755
-OK xhost + localhost
+- umask is 022 ( user = read,write | group = read | other = read )
+- easy file permission.
+- localhost authorized to connect to X display.
+- User in audio group.
****************************
-
-Security level 3 :
-OK - Access to the system as a normal user.
-OK - Login as root from the console denied.
-
- - Low level rules check on password.
- ---> Waiting for Chmouel to verify password...
-
-OK - Permission for /dev & /etc = 755
-OK - Permission for /home/* = 750
-OK - Detection of interface in promiscuous mode ( one time a minute )
-
+Security level 3 ( Aka normal system ) :
+
+- Global security check
+- Permissions check
+- Suid root file check
+- Suid root file md5sum check
+- Suid group file check
+- Writeable file check
+- Unowned file check
+- Promiscuous check
+- Listening port check
+- Passwd file integrity check
+- Shadow file integrity check
+- Warning in syslog
+- Warning in /var/log/security.log
+
+- umask is 022 ( user = read,write | group = read | other = read )
+- Normal file permission.
+- All system events additionally logged to /dev/tty12
+- Some system security check launched every midnight from the ( crontab ).
****************************
-
-Security level 4 :
-OK - lilo pass -> only if the user want it .
-- kernel patch -> Secure linux ?
-OK - Access to the system as a normal user.
-OK - Login as root from the console denied.
-
- - Medium level rules check on password.
- ---> Waiting for Chmouel to verify password...
-
-OK - Keep track of the suid file, warn when new suid file are detected, in a suid log file.
-OK - Device only accessible by root as a default.
-OK - Deny all kind of connection except from local network.
-OK - Permission for /dev & /etc directories = 755
-OK - Permission for /home = 711
-OK - Permission for /home/* = 750
-OK - Detection of interface in promiscuous mode ( one time a minute )
-
-*****************************
-
-Security level 5 : *Server Only*
+Security level 4 ( Aka Secured system ) :
+
+- Global security check
+- Permissions check
+- Suid root file check
+- Suid root file md5sum check
+- Suid group file check
+- Writeable file check
+- Unowned file check
+- Promiscuous check
+- Listening port check
+- Passwd file integrity check
+- Shadow file integrity check
+- Warning in syslog
+- Warning in /var/log/security.log
+- Warning directly on tty
+
+- umask 022 ( user = read,write | group = read | other = read ) for root
+- umask 077 ( user = read,write | group = | other = ) for normal users
+- restricted file permissions.
+- All system events additionally logged to /dev/tty12
+- System security check every midnight ( crontab ).
+* - Services not contained in /etc/security/msec/init-sh/server.4 are disabled (
+ considered as not really secure ) ( but the user can reenable it with
+ chkconfig ).
+- Ask for a boot password ( if the user want ).
+- Connection to the system denyied for all except localhost.
+
+*******************************
+Security level 5 ( Aka Paranoid system ) :
+
+- Global security check
+- Permissions check
+- Suid root file check
+- Suid root file md5sum check
+- Suid group file check
+- Writeable file check
+- Unowned file check
+- Promiscuous check
+- Listening port check
+- Passwd file integrity check
+- Shadow file integrity check
+- Warning in syslog
+- Warning in /var/log/security.log
+- Warning directly on tty
+
+- umask 077 ( user = read,write | group = | other = )
+- Highly restricted file permission
+- All system events additionally logged to /dev/tty12
+- System security check every midnight ( crontab ).
+* - Services not contained in /etc/security/msec/init-sh/server.5 are disabled (
+ considered as not really secure ) ( but the user can reenable it with
+ chkconfig ).
+- Ask for a boot password ( if the user want ).
+- Connection to the system denyied for all.
+
+******************
+
+* level4/level5 : "services disabled" explanations :
+
+- Some server aren't really considered as secure,
+ these one, should for exemple be compiled from sources.
+ server considered as secure are specified in /etc/security/msec/init-sh/server.4/5
+
+ When enabling level4/5, all server which aren't considered as secure are
+ disabled ( NOT uninstalled, just disabled ) user can reenable them using the
+ chkconfig utility ( server will be launched at next boot ).
-OK - lilo pass -> only if the user want it .
-- kernel patch -> Secure linux
-OK - Access to the system as a normal user.
-OK - Login as root from the console denied.
+ In these level, we are also denying rpm to enable any server considered as insecure
+ ( off course rpm can install the server ).
+ The user have the choise : chkconfig --add servername will enable the server.
+ Or add the server in the secured server list
- - High level rules check on password.
- ---> Waiting for Chmouel to verify password...
-OK - Keep track of the suid file, warn when new suid file are detected, in a suid log file.
-OK - Device only accessible by root as a default.
-OK - No server installed by default. ( except maybe the crontab )
-OK - Deny all kind of connection ( hosts.deny -> ALL:ALL:DENY )
-OK - Permission for /dev & /etc directories = 711
-OK - Permission for /home = 711
-OK - Permission for /home/* = 700
-OK - Permission for /tmp = 700
-OK - Detection of interface in promiscuous mode ( one time a minute )
@@ -86,6 +129,8 @@ OK - Detection of interface in promiscuous mode ( one time a minute )
*** Future Release : ***
- Automatic tty locking ( unlock by passwd ) after X time of inactivity.
+- In high security level, only user having access to group "sugrp" can use the su command.
+***
diff --git a/init-sh/level0.sh b/init-sh/level0.sh
index edea66d..2dfbc1e 100755
--- a/init-sh/level0.sh
+++ b/init-sh/level0.sh
@@ -67,8 +67,8 @@ AddRules "export PATH SECURE_LEVEL" /etc/profile
# Xserver
echo "Allowing users to connect X server from everywhere :"
-AddRules "/usr/X11R6/bin/xhost +" /etc/X11/xdm/Xsession quiet
-AddRules "/usr/X11R6/bin/xhost +" /etc/X11/xinit/xinitrc
+AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xdm/Xsession quiet
+AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xinit/xinitrc
# Group
if [[ ! -z ${DRAKX_USERS} ]]; then
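Review bot: Switching these two calls to AddBegRules puts the `xhost +` line above everything already in the target file, which for /etc/X11/xdm/Xsession would include a `#!` interpreter line if the file starts with one. Xsession itself is not shown, so this is inferred from the AddBegRules body added in init-sh/lib.sh, which writes the comment and the rule first and then appends the old content. The level1.sh and level2.sh hunks make the same calls on the same two files. I would have AddBegRules keep a leading `#!` line in place and insert the rule directly after it, and add a comment at these call sites such as `# rule is inserted at the top so it runs before the rest of the session script`.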
diff --git a/init-sh/level1.sh b/init-sh/level1.sh
index 583c547..b3d4488 100755
--- a/init-sh/level1.sh
+++ b/init-sh/level1.sh
@@ -68,8 +68,8 @@ AddRules "export PATH SECURE_LEVEL" /etc/profile
# Xserver
echo "Allowing users to connect X server from localhost :"
-AddRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession quiet
-AddRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
+AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession
+AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
###
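Review bot: The first added line drops the `quiet` argument that the removed Xsession line had and that the level0.sh and level2.sh hunks keep, so level 1 alone prints "Modifying config in ..." and "done." for this file. Nothing in the hunk suggests this is intended. If it is not, restore it: `AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession quiet`.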
diff --git a/init-sh/level2.sh b/init-sh/level2.sh
index 09bfca8..7f68980 100755
--- a/init-sh/level2.sh
+++ b/init-sh/level2.sh
@@ -67,8 +67,8 @@ AddRules "export PATH SECURE_LEVEL" /etc/profile
# Xserver
echo "Allowing users to connect X server from localhost :"
-AddRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession quiet
-AddRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
+AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession quiet
+AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
# Group
if [[ ! -z ${DRAKX_USERS} ]]; then
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
index ec93c61..ee046a9 100644
--- a/init-sh/lib.sh
+++ b/init-sh/lib.sh
@@ -43,6 +43,35 @@ AddRules () {
fi
}
+AddBegRules() {
+ string=$1
+ file=$2
+ quiet=$3
+ ctrl=0
+
+ if [[ -z ${string} ]]; then
+ return;
+ fi
+
+ if [[ -z ${quiet} ]]; then
+ echo "Modifying config in ${file}..."
+ fi
+
+ mv ${file} /tmp/secure.tmp
+
+ if ! grep -Eqx "^${string}" /tmp/secure.tmp; then
+ echo -e "${COMMENT}" >> ${file};
+ echo -e "${string}" >> ${file};
+ fi
+
+ cat /tmp/secure.tmp >> ${file}
+
+ if [[ -z ${3} ]]; then
+ echo -e "done.\n"
+ fi
+}
+
+
CleanRules() {
file=$1
ctrl=0
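Review bot: AddBegRules moves the config file to the fixed path `/tmp/secure.tmp` and rebuilds it from there. These scripts edit files under /etc and so presumably run as root, and a fixed name in a world-writable directory lets another local user pre-create that path and interfere with what is written back; the copy is also never removed. Recreating `${file}` with `>>` gives it a fresh inode with default mode, so an executable Xsession would lose its execute bit. The duplicate check `grep -Eqx "^${string}"` treats the rule as a regex, where the `+` in `xhost +` is a quantifier, so the inserted line never matches itself and is prepended again on each run unless CleanRules (whose body continues outside the hunk) removes it first. The sketch below builds the new content in a `mktemp` file next to the target, matches with `grep -Fqx`, and writes back in place; separately, `ctrl` is unused and the final test should read `${quiet}` rather than `${3}`.

```shell
AddBegRules() {
    # … unchanged: argument parsing, empty-string return, "Modifying config" message …

    # Unpredictable temp name, created next to the target instead of in /tmp
    tmp=$(mktemp "${file}.XXXXXX") || return 1

    {
        # -F: match the rule as a literal string, not as a regex
        if ! grep -Fqx -- "${string}" "${file}"; then
            echo -e "${COMMENT}"
            echo -e "${string}"
        fi
        cat -- "${file}"
    } > "${tmp}" || { rm -f -- "${tmp}"; return 1; }

    # Overwrite in place so the original inode, owner and mode are kept
    cat -- "${tmp}" > "${file}"
    rm -f -- "${tmp}"

    # … unchanged: "done." message …
}
```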
diff --git a/msec.spec b/msec.spec
index b819dda..a4a31e1 100644
--- a/msec.spec
+++ b/msec.spec
@@ -1,7 +1,7 @@
Summary: Security Level & Program for the Linux Mandrake distribution
Name: msec
Version: 0.7
-Release: 3mdk
+Release: 4mdk
Source: msec-0.7.tar.bz2
Copyright: GPL
Group: System Environment/Base