aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ChangeLog1
-rw-r--r--doc/security.txt4
-rwxr-xr-xinit-sh/custom.sh46
3 files changed, 48 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 24c3821..542b4bc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
2000-01-04 Yoann Vandoorselaere <yoann@mandrakesoft.com>
* shutdown.allow is 600 in level 4/5; 644 else.
+ * updated doc/security.txt
2000-01-03 Yoann Vandoorselaere <yoann@mandrakesoft.com>
* level 0-3 -> ctrl-alt-del allowed.
diff --git a/doc/security.txt b/doc/security.txt
index 86c101c..ff1280b 100644
--- a/doc/security.txt
+++ b/doc/security.txt
@@ -74,6 +74,7 @@ Security level 4 ( Aka Secured system ) :
chkconfig ).
- Ask for a boot password ( if the user want ).
- Connection to the system denyied for all except localhost.
+- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ).
*******************************
Security level 5 ( Aka Paranoid system ) :
@@ -97,11 +98,12 @@ Security level 5 ( Aka Paranoid system ) :
- Highly restricted file permission
- All system events additionally logged to /dev/tty12
- System security check every midnight ( crontab ).
-* - Services not contained in /etc/security/msec/init-sh/server.5 are disabled (
+- Services not contained in /etc/security/msec/init-sh/server.5 are disabled (
considered as not really secure ) ( but the user can reenable it with
chkconfig ).
- Ask for a boot password ( if the user want ).
- Connection to the system denyied for all.
+- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ) .
******************
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index 99154f9..057a288 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -9,7 +9,6 @@ if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
. /etc/security/msec/init-sh/lib.sh
fi
-
clear
###
@@ -20,6 +19,21 @@ if [[ ${answer} == yes ]]; then
fi
###
+echo "Do you want to only allow ctrl-alt-del if root is logged locally ?"
+echo "( or if an user present in /etc/shutdown.allow is logged locally )"
+WaitAnswer; clear
+tmpfile=`mktemp tmp/secure.XXXXXX`
+cp /etc/inittab ${tmpfile}
+if [[ ${answer} == yes ]]; then
+ cat ${tmpfile} | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
+else
+ cat ${tmpfile} | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
+fi
+rm -f ${tmpfile}
+
+###
echo "Do you want to deny any machine to connect to yours ?"
WaitAnswer
if [[ ${answer} == yes ]]; then
@@ -36,7 +50,7 @@ fi
echo "Do you want root console login to be allowed ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
- AddRules "tty1" /etc/securetty quiet
+g AddRules "tty1" /etc/securetty quiet
AddRules "tty2" /etc/securetty quiet
AddRules "tty3" /etc/securetty quiet
AddRules "tty4" /etc/securetty quiet
@@ -117,6 +131,34 @@ if [[ ${answer} == yes ]]; then
fi
###
+echo "Do you want security report to be done directly on the console ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "TTY_WARN=yes" /etc/security/msec/security.conf
+else
+ AddRules "TTY_WARN=no" /etc/security/msec/security.conf
+fi
+###
+
+echo "Do you want security report to be done in syslog ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
+else
+ AddRules "SYSLOG_WARN=no" /etc/security/msec/security.conf
+fi
+###
+
+echo "Do you want security report to be done by mail ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf
+else
+ AddRules "MAIL_WARN=no" /etc/security/msec/security.conf
+fi
+###
+
+
LiloUpdate;
/sbin/lilo >& /dev/null