-rw-r--r--ChangeLog32
-rw-r--r--Makefile2
-rw-r--r--TODO561
-rw-r--r--conf/perm.03
-rw-r--r--conf/perm.11
-rw-r--r--conf/perm.21
-rw-r--r--conf/perm.31
-rw-r--r--conf/perm.41
-rw-r--r--conf/perm.53
-rw-r--r--conf/server.41
-rw-r--r--conf/server.51
-rwxr-xr-xcron-sh/security.sh13
-rwxr-xr-xcron-sh/security_check.sh10
-rwxr-xr-xinit-sh/custom.sh1
-rwxr-xr-xinit-sh/level0.sh14
-rwxr-xr-xinit-sh/level1.sh15
-rwxr-xr-xinit-sh/level2.sh17
-rwxr-xr-xinit-sh/level3.sh12
-rwxr-xr-xinit-sh/level4.sh13
-rwxr-xr-xinit-sh/level5.sh13
-rw-r--r--init-sh/lib.sh88
-rw-r--r--init-sh/lib.sh.usermode385
-rw-r--r--msec.spec131
23 files changed, 1221 insertions, 98 deletions
diff --git a/ChangeLog b/ChangeLog
index e507c7c..e3054e1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,35 @@
+2000-10-10 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+ * Applied Warly patch to fix user list problem under kdm.
+ * User list option for gdm to.
+ * Restart init after inittab change
+
+2000-10-09 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+ * conf/perm.0 : fix a typo
+ * fix for #760 (kdm should not display the list of users for high security
+ levels)
+ * conf/server.[45]: add pcmcia
+
+2000-10-03 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+ * init-sh/*.sh : instead of modifying Xsession,
+ create the /etc/X11/xinit.d/msec file which can contain eventual
+ rules appended by msec.
+
+2000-10-02 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+
+ * init-sh/*.sh : modify /etc/X11/Xsession, not /etc/X11/xdm/Xsession
+ nor /etc/X11/xinit/xinitrc anymore, as they all load
+ /etc/X11/Xsession.
+
+2000-07-18 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+
+ * cron-sh/security_check.sh : use -L in ls,
+ to dereference symbolic link Chris Green <cmg@dok.org>
+ * conf/perm.*: /var/log/squid must be owned by squid.squid.
+ * cron-sh/security.sh:
+ * init-sh/custom.sh: added patch from AG <darkimage@bigfoot.com>,
+ if no user to mail security report to is availlable, send to root.
+
+
2000-05-03 Yoann Vandoorselaere <yoann@mandrakesoft.com>
LoaderUpdate() make a difference between an empty
variable, and a non existing one.
diff --git a/Makefile b/Makefile
index f870cf7..da996af 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-VERSION = 0.14
+VERSION = 0.15
NAME = msec
all: promisc_check msec_find
diff --git a/TODO b/TODO
new file mode 100644
index 0000000..983327d
--- /dev/null
+++ b/TODO
@@ -0,0 +1,561 @@
+ Some new stuff I thought should be implemented as well... And yes they keep
+on a coming!!!!!!!!! : )
+
+ ######## Begin new stuff ##############
+#!/bin/bash
+
+#Logging
+
+echo "Would you like set to up addtional logging ?"
+echo "Logging will still go to its respected places in /var/log as well."
+WaitAnswer;clear
+if [[ ${answer} == yes ]]; then
+echo "Would you like for auth and warnings to be logged to tty11 ?"
+WaitAnswer;clear
+if [[ ${answer} == yes ]]; then
+AddRules "authpriv.* /dev/tty11" /etc/syslog.conf
+echo "Would you like kernel logging to go tty10 ?"
+WaitAnswer;clear
+if [[ ${answer} == yes ]]; then
+AddRules "kern.* /dev/tty10" /etc/syslog.conf
+echo "Would you like mail logging to go tty9 ?"
+echo "This is only useful if you're running a mail server(sendmail)."
+WaitAnswer;clear
+if [[ ${answer} == yes ]]; then
+AddRules "mail.* /dev/tty9" /etc/syslog.conf
+/etc/rc.d/init.d/syslog restart > /dev/null
+fi
+ fi
+ fi
+#End of logging
+
+Is BSD style process accounting on by default in Mandrake ?
+echo "We can setup your system to log who does what commands and when..."
+echo "May we set up proccess accounting ?"
+echo "The log file will get filled up VERY quickly
+WaitAnswer;clear
+if [[ ${answer} == yes ]]; then
+AddRules "/sbin/accton /var/log/pacct" /etc/rc.d/rc.local #This probablly needs
+it's own script though
+echo "/var/log/pacct { " >> /etc/logrotate.conf
+echo " postrotate" >> /etc/logrotate.conf
+echo " /usr/sbin/accton /var/log/pacct" >> /etc/logrotate.conf
+echo >> /etc/logrotate.conf
+echo >> "}" /etc/logrotate.conf
+#Got a be a cleaner way to do this : )
+fi
+#End BSD style process accounting
+
+#PAM stuff
+#default file size limit
+dfsize=40000
+echo "We help prevent certain types of DoS attacks through the use of
+PAM(Pluggable Authentication Modules.)"
+echo "By setting a limit on how big user files may get and how many processes a
+user may run."
+echo "Would you like to set up some PAM configuration ?"
+WaitAnswer;clear
+if [[ ${answer} == yes ]]; then
+AddRules "# Limit user processes" /etc/security/limits.conf
+AddRules "* soft nproc 100" /etc/security/limits.conf
+AddRules "* hard nproc 150" /etc/security/limits.conf
+echo "Would you like to set a maximum file size a user is allowed ?"
+WaitAnswer;clear
+if [[ ${answer} == yes ]]; then
+echo "What shall be the maximum file size(default it 40000 = 40MB)"
+echo -n "Size[40000]: "
+read fsize
+if [[ -z ${fsize} ]]; then
+AddRules "# limits size of any one of users' files" /etc/security/limits.conf
+AddRules "* hard $dfsize" /etc/security/limits.conf
+else
+AddRules "# limits size of any one of users' files" /etc/security/limits.conf
+AddRules "* hard $fsize" /etc/security/limits.conf
+fi
+ fi
+ fi
+#End PAM stuff
+
+
+
+**********************************
+
+ ###########Begin modified custom.sh######################
+#!/bin/bash
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+if [[ -f /usr/share/lsec/lib.sh ]]; then
+ . /usr/share/lsec/lib.sh
+else
+ echo "Can't find /usr/share/lsec/lib.sh, exiting."
+ exit 1
+fi
+
+clear
+
+WRITE_CRON="false"
+
+###
+echo "This script allows you to customize the security on your system. "
+echo "If you feel at all you don't know what you're doing abort now!!! "
+echo "'ctrl-c' to abort"
+echo -n "Otherwise, please press [enter] to continue "
+read FOO
+clear
+
+###
+echo "Do you want all system events to be logged on tty12 ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "*.* /dev/tty12" /etc/syslog.conf
+fi
+
+###
+echo "Do you want to be notified by mail of _all_ root logins ?"
+echo "(This is strongle recommended)"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+if [[ -s /root/.bashrc ]]; then
+cp /root/.bashrc /tmp/bashrc
+sed '/root login/d' /tmp/bashrc > /root/.bashrc
+AddRules 'echo "root login Check your syslog /var/log/messages" | /bin/mail -s
+"Root Login" root' /root/.bashrc
+rm -f /tmp/bashrc
+echo "Done"
+fi
+fi
+
+
+###
+echo "Do you want to only allow ctrl-alt-del if root is logged locally ?"
+echo "( or if a user present in /etc/shutdown.allow is logged locally )"
+WaitAnswer; clear
+tmpfile=`mktemp /tmp/secure.XXXXXX`
+cp /etc/inittab ${tmpfile}
+if [[ ${answer} == yes ]]; then
+ cat ${tmpfile} | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r
+now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
+else
+ cat ${tmpfile} | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r
+now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
+fi
+rm -f ${tmpfile}
+
+#Compile tools
+#More needs to be added and this is very sloppy but you get the idea : )
+mgtools()
+{
+mgcon=mgcon1
+echo "Do you want only root to have access to the system compiler(gcc/g++) ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+chmod 0700 /usr/bin/gcc
+chmod 0700 /usr/bin/g++
+fi
+}
+gtools()
+{
+gcon=gcon0
+dgrp=devel
+echo "Do you want to setup compiling tools(gcc,g++,etc..) so that they may"
+echo "be used by a certain group ?"
+echo -n "yes/no: "
+read answer
+if [[ ${answer} == yes ]]; then
+gcon=gcon1
+echo
+echo -n "What shall the name of this group be [devel]: "
+read grp
+if [[ -z ${grp} ]]; then
+groupadd ${dgrp}
+.. /etc/security/lsec/perm.ctoolsd
+else
+groupadd ${grp}
+.. /etc/security/lsec/perm.ctools
+fi
+fi
+}
+gtools
+#if [[ ${gcon} = gcon1 ]]; then
+#ntools
+#else
+#mgtools
+#fi
+
+#network tools
+mntools()
+{
+echo "Do you want to disable 'ping' to all users except root ?"
+WaitAnswer; clear
+if [[ $answer} == yes ]]; then
+chmod 0700 /bin/ping
+fi
+
+echo "Do you want to disable 'traceroute' to all users except root ?"
+WaitAnswer; clear
+if [[ $answer == yes ]]; then
+chmod 0700 /usr/sbin/traceroute
+fi
+
+echo "Do you want to disable 'who' to all users except root ?"
+WaitAnswer; clear
+if [[ $answer == yes ]]; then
+chmod 0700 /usr/bin/who
+fi
+
+echo "Do you want to disable 'w' to all users except root ?"
+WaitAnswer; clear
+if [[ $answer == yes ]]; then
+chmod 0700 /usr/bin/w
+fi
+
+echo "Do you want to disable 'finger' to all users except root ?"
+WaitAnswer; clear
+if [[ $answer == yes ]]; then
+chmod 0700 /usr/bin/finger
+fi
+
+echo "Do you want to disable telnet client to all users except root ?"
+WaitAnswer; clear
+if [[ $answer == yes ]]; then
+chmod 0700 /usr/bin/telnet
+fi
+
+echo "Do you want to disable ssh client to all users except root ?"
+WaitAnswer; clear
+if [[ $answer == yes ]]; then
+chmod 0700 /usr/bin/ssh
+fi
+}
+ntools()
+{
+ncon=ncon0
+ngrpd=netsys
+echo "Do you want to set up network tools so that they may be used only"
+echo "by users of a certain group ?"
+echo -n "yes/no: "
+read answer
+if [[ ${answer} == yes ]]; then
+ncon=ncon1
+echo
+echo -n "What shall the name of this group be [netsys]: "
+read ngrp
+if [[ -z ${ngrp} ]]; then
+groupadd ${ngrpd}
+.. /etc/security/lsec/perm.netsysd
+else
+groupadd ${ngrp}
+.. /etc/security/lsec/perm.netsysd
+fi
+fi
+}
+if [[ ${gcon} = gcon1 ]]; then
+ntools
+else
+mgtools
+fi
+
+if [[ ${mgcon} = mgcon1 ]]; then
+ntools
+else
+mntools
+fi
+
+if [[ $ncon = ncon1 ]]; then
+echo "Done"
+else
+mntools
+fi
+
+###
+echo "Do you want to deny any machine to connect to yours ?"
+WaitAnswer
+if [[ ${answer} == yes ]]; then
+ echo "Do you want only localhost to be allowed ?"
+ WaitAnswer; clear
+ if [[ ${answer} == yes ]]; then
+ AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny
+ else
+ AddRules "ALL:ALL:DENY" /etc/hosts.deny
+ fi
+fi
+
+###
+echo "Do you want root console login to be allowed ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "tty1" /etc/securetty quiet
+ AddRules "tty2" /etc/securetty quiet
+ AddRules "tty3" /etc/securetty quiet
+ AddRules "tty4" /etc/securetty quiet
+ AddRules "tty5" /etc/securetty quiet
+ AddRules "tty6" /etc/securetty
+fi
+###
+
+if [[ -f /usr/lib/libsafe.so.1.2 ]]; then
+echo "Do you want to enable the libsafe stack overflow protection ?"
+echo "This stack overflow protection work by catching dangerous function call"
+echo "like strcpy, strcat, getwd, gets, [vf]scanf, realpath, [v]sprintf"
+echo "and verify the address & the size of the destination buffer in the stack"
+echo "this is done by searching in the stack frame the one which contain the"
+echo "destination address, and by substracting the frame address to the
+destination buffer one"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "export LD_PRELOAD=/usr/lib/libsafe.so.1.2" /etc/profile
+fi
+fi
+
+###
+echo "Do you want your system to daily check important security problem ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_SECURITY=yes" /etc/security/lsec/security.conf
+ WRITE_CRON="true"
+fi
+
+###
+echo "Do you want your system to daily check new open port listening ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_OPEN_PORT=yes" /etc/security/lsec/security.conf
+ WRITE_CRON="true"
+fi
+
+###
+echo "Do you want your system to check for grave permission problem on
+sensibles files ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_PERMS=yes" /etc/security/lsec/security.conf
+ WRITE_CRON="true"
+fi
+
+###
+echo "Do you want your system to daily check SUID Root file change ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_SUID_ROOT=yes" /etc/security/lsec/security.conf
+ WRITE_CRON="true"
+fi
+
+###
+echo "Do you want your system to daily check suid files md5 checksum changes ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_SUID_MD5=yes" /etc/security/lsec/security.conf
+ WRITE_CRON="true"
+fi
+
+###
+echo "Do you want your system to daily check SUID Group file change ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_SUID_GROUP=yes" /etc/security/lsec/security.conf
+ WRITE_CRON="true"
+fi
+
+###
+echo "Do you want your system to daily check Writeable file change ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_WRITEABLE=yes" /etc/security/lsec/security.conf
+ WRITE_CRON="true"
+fi
+
+###
+echo "Do you want your system to daily check Unowned file change ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_UNOWNED=yes" /etc/security/lsec/security.conf
+ WRITE_CRON="true"
+fi
+
+###
+echo "Do you want your system to verify every minutes if a network interface"
+echo "is in promiscuous state (which mean someone is probably running a sniffer
+on your machine ) ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "CHECK_PROMISC=yes" /etc/security/lsec/security.conf
+ AddRules "*/1 * * * * root nice --adjustment=+19
+/usr/share/lsec/promisc_check.sh" /etc/crontab
+fi
+###
+
+###
+echo "Do you want security report to be done in syslog ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "SYSLOG_WARN=yes" /etc/security/lsec/security.conf
+else
+ AddRules "SYSLOG_WARN=no" /etc/security/lsec/security.conf
+fi
+###
+
+echo "Do you want security report to be done by mail ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "MAIL_WARN=yes" /etc/security/lsec/security.conf
+else
+ AddRules "MAIL_WARN=no" /etc/security/lsec/security.conf
+fi
+###
+
+if [[ ${WRITE_CRON} == "true" ]]; then
+ AddRules "0 0-23 * * * root nice --adjustment=+19
+/usr/share/lsec/security.sh" /etc/crontab
+fi
+
+LiloUpdate;
+/sbin/lilo >& /dev/null
+
+###
+echo "Do you want to disable all services except(gpm,xfs,keytable,"
+echo "network,crond, and syslogd ?"
+echo "This is _highly_ recommended if you have not configured other"
+echo "said services."
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ echo -n "Disabling all service, except : {"
+ chkconfig --list | awk '{print $1}' | while read service; do
+ if grep -qx ${service} /etc/security/lsec/server.4; then
+ echo -n " ${service}"
+ fi
+ done
+ echo " } : "
+
+ chkconfig --list | awk '{print $1}' | while read service; do
+ chkconfig --del "${service}"
+ if ! chkconfig --add "${service}"; then
+ echo -e "\t- Services ${service} is now disabled."
+ fi
+ done
+ chkconfig --add gpm
+ chkconfig --add xfs
+ chkconfig --add network
+ chkconfig --add keytable
+ chkconfig --add syslog
+ chkconfig --add crond
+ echo -e "done.\n";
+fi
+
+###
+echo "Do you want an easy, normal, restricted, or paranoid umask ?"
+echo "easy ( 002 ) = user = rwx, group = rwx, other = rx"
+echo "normal ( 022 ) = user = rwx, group = rx, other = rx"
+echo "restricted ( for users ) ( 077 ) = user = rwx, group =, other ="
+echo "restricted ( for root ) ( 022 ) = user = rwx, = group = rx, other = rx"
+echo "paranoid ( 077 ) = user = rwx, group = , other ="
+answer="nothing"
+while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" !=
+"restricted" && "${answer}" != "paranoid" ]]; do
+ echo -n "easy/normal/restricted/paranoid : "
+ read answer
+done
+case "${answer}" in
+ "easy")
+ AddRules "umask 002" /etc/profile
+ ;;
+ "normal")
+ AddRules "umask 022" /etc/profile
+ ;;
+ "restricted")
+ AddRules "if [[ \${UID} == 0 ]]; then umask 022; else umask 077; fi"
+/etc/profile
+ ;;
+ "paranoid")
+ AddRules "umask 077" /etc/profile
+ ;;
+esac
+
+###
+echo "Do you want a "." in your PATH variable ?"
+echo "This permit you to not use ./progname & to just type progname"
+echo "However this is a *high* security risk."
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games:." /etc/profile quiet
+else
+ AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/profile quiet
+fi
+
+AddRules "export PATH SECURE_LEVEL" /etc/profile
+
+echo "Do you want normal, restricted, or paranoid file permissions ?"
+while [[ "${answer}" != "normal" && "${answer}" != "strict" && "${answer}" !=
+"paranoid" ]]; do
+echo -n "normal/restricted/paranoid : "
+ read answer
+done
+case "${answer}" in
+ "normal")
+ /usr/share/lsec/file_perm.sh /etc/security/lsec/perm.3
+ ;;
+ "strict")
+ /usr/share/lsec/file_perm.sh /etc/security/lsec/perm.4
+ ;;
+ "paranoid")#!/bin/bash
+/usr/share/lsec/file_perm.sh /etc/security/lsec/perm.5
+ ;;
+esac
+#EOF
+# /etc/security/msec/perm.ctools
+chown root.$grp /usr/bin/gcc
+chmod 750 /usr/bin/gcc
+chown root.$grp /usr/bin/cc
+chmod 750 /usr/bin/cc
+chown root.$grp /usr/bin/g++
+chmod 750 /usr/bin/g++
+
+# /etc/security/msec/perm.ctoolsd
+chown root.$dgrp /usr/bin/gcc
+chmod 750 /usr/bin/gcc
+chown root.$dgrp /usr/bin/cc
+chmod 750 /usr/bin/cc
+chown root.$dgrp /usr/bin/g++
+chmod 750 /usr/bin/g++
+
+
+# /etc/security/msec/perm.netsys
+chown root.$ngrp /usr/bin/ping
+chmod 750 /usr/bin/gcc
+chown root.$ngrp /usr/bin/w
+chmod 750 /usr/bin/w
+chown root.$ngrp /usr/bin/w
+chmod 750 /usr/bin/who
+chown root.$ngrp /usr/bin/telnet
+chmod 750 /usr/bin/telnet
+chown root.$ngrp /usr/bin/ssh
+chmod 750 /usr/bin/ssh
+chown root.$ngrp /usr/sbin/traceroute
+chmod 750 /usr/sbin/traceoute
+chown root.$ngrp /usr/bin/finger
+chmod 750 /usr/bin/finger
+
+# /etc/security/msec/perm.netsys.d
+chown root.$ngrpd /bin/ping
+chmod 750 /usr/bin/gcc
+chown root.$ngrpd /usr/bin/w
+chmod 750 /usr/bin/w
+chown root.$ngrpd /usr/bin/w
+chmod 750 /usr/bin/who
+chown root.$ngrpd /usr/bin/telnet
+chmod 750 /usr/bin/telnet
+chown root.$ngrpd /usr/bin/ssh
+chmod 750 /usr/bin/ssh
+chown root.$ngrpd /usr/sbin/traceroute
+chmod 750 /usr/sbin/traceroute
+chown root.$ngrpd /usr/bin/finger
+chmod 750 /usr/bin/finger
+
+######## END
+
+
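Review bot: The mode lines in the perm.netsys / perm.netsys.d drafts do not match the chown targets just above them — `chmod 750 /usr/bin/gcc` follows `chown root.$ngrp /usr/bin/ping`, the second `/usr/bin/w` pair should be `/usr/bin/who`, and `traceoute` is misspelled — so the network-tools rule would leave ping world-executable while changing gcc's mode instead. Elsewhere in the draft, `echo >> "}" /etc/logrotate.conf` redirects into a file literally named `}`, `$answer}` in mntools is missing its opening brace, and `.. /etc/security/lsec/perm.ctoolsd` has a doubled dot. Since this is a scratch file it can land as is, but a `# FIXME` on those lines would keep them from being copied into custom.sh verbatim.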
diff --git a/conf/perm.0 b/conf/perm.0
index 1be6dce..88deeda 100644
--- a/conf/perm.0
+++ b/conf/perm.0
@@ -57,9 +57,10 @@
/usr/bin/ root.root 755
/usr/sbin/ root.root 755
/var/ root.root 755
-/var/tmp root.roo 1777
+/var/tmp root.root 1777
/var/log/ root.root 755
/var/log/* root.adm 644
+/var/log/squid squid.squid 755
/var/log/security/ root.root 700
/var/log/security/* root.root 600
/var/spool/mail/ root.mail 771
diff --git a/conf/perm.1 b/conf/perm.1
index f0f4acb..b397e99 100644
--- a/conf/perm.1
+++ b/conf/perm.1
@@ -58,6 +58,7 @@
/var/ root.root 755
/var/log/ root.root 755
/var/log/* root.adm 644
+/var/log/squid squid.squid 755
/var/log/security/ root.root 700
/var/log/security/* root.root 600
/var/spool/mail/ root.mail 2775
diff --git a/conf/perm.2 b/conf/perm.2
index 634a096..4f6f355 100644
--- a/conf/perm.2
+++ b/conf/perm.2
@@ -59,6 +59,7 @@
/var/ root.root 755
/var/log/ root.root 755
/var/log/* root.adm 640
+/var/log/squid squid.squid 755
/var/log/security/ root.root 700
/var/log/security/* root.root 600
/var/spool/mail/ root.mail 2775
diff --git a/conf/perm.3 b/conf/perm.3
index a4a6e12..8fb5e41 100644
--- a/conf/perm.3
+++ b/conf/perm.3
@@ -59,6 +59,7 @@
/var/ root.root 755
/var/log/ root.root 755
/var/log/* root.root 600
+/var/log/squid squid.squid 755
/var/log/security/ root.root 700
/var/log/security/* root.root 600
/var/spool/mail/ root.mail 2775
diff --git a/conf/perm.4 b/conf/perm.4
index 1ae8811..d34b49f 100644
--- a/conf/perm.4
+++ b/conf/perm.4
@@ -59,6 +59,7 @@
/var/ root.root 755
/var/log/ root.root 711
/var/log/* root.root 600
+/var/log/squid squid.squid 711
/var/log/security/ root.root 700
/var/log/security/* root.root 600
/var/spool/mail/ root.mail 771
diff --git a/conf/perm.5 b/conf/perm.5
index b3b2b24..3cc42b5 100644
--- a/conf/perm.5
+++ b/conf/perm.5
@@ -55,7 +55,6 @@
/usr/* root.root 711
/usr/X11R6/ root.xgrp 710
/usr/bin/ root.root 711
-/usr/bin/* root.root 755
/usr/bin/cc root.ctools 750
/usr/bin/finger root.ntools 750
/usr/bin/gcc root.ctools 750
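Review bot: Dropping the `/usr/bin/* root.root 755` catch-all here (and `/usr/sbin/* root.root 700` in the next hunk) is not recorded in the ChangeLog, and its effect depends on how file_perm.sh orders rules, which is outside this diff: if the wildcard was applied after the per-binary `root.ctools 750` / `root.ntools 750` entries it was undoing them and the removal is a fix; if not, every other binary under /usr/bin and /usr/sbin is now left unmanaged at level 5. A ChangeLog line such as `* conf/perm.5: drop /usr/bin/* and /usr/sbin/* wildcards` followed by the reason would record the intent either way.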
@@ -66,12 +65,12 @@
/usr/bin/who root.ntools 750
/usr/bin/ssh root.ntools 750
/usr/sbin/ root.root 711
-/usr/sbin/* root.root 700
/usr/sbin/sendmail root.root 755
/usr/sbin/traceroute root.ntools 750
/var/ root.root 755
/var/log/ root.root 711
/var/log/* root.root 600
+/var/log/squid squid.squid 711
/var/log/security/ root.root 700
/var/log/security/* root.root 600
/var/spool/mail/ root.mail 771
diff --git a/conf/server.4 b/conf/server.4
index 044f0bf..b275405 100644
--- a/conf/server.4
+++ b/conf/server.4
@@ -4,3 +4,4 @@ keytable
network
gpm
xfs
+pcmcia
diff --git a/conf/server.5 b/conf/server.5
index 044f0bf..b275405 100644
--- a/conf/server.5
+++ b/conf/server.5
@@ -4,3 +4,4 @@ keytable
network
gpm
xfs
+pcmcia
diff --git a/cron-sh/security.sh b/cron-sh/security.sh
index b6636b5..01d3e4c 100755
--- a/cron-sh/security.sh
+++ b/cron-sh/security.sh
@@ -7,6 +7,8 @@ fi
. /etc/security/msec/security.conf
+[[ ${MAIL_WARN} == yes ]] && [ -z ${MAIL_USER} ] && MAIL_USER="root"
+
export SUID_ROOT_TODAY="/var/log/security/suid_root.today"
SUID_ROOT_YESTERDAY="/var/log/security/suid_root.yesterday"
SUID_ROOT_DIFF="/var/log/security/suid_root.diff"
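Review bot: The new default line mixes `[[ ... ]]` with `[ -z ${MAIL_USER} ]` and an unquoted expansion; the rest of this file tests with `[[`, so `[[ ${MAIL_WARN} == yes && -z ${MAIL_USER} ]] && MAIL_USER="root"` keeps the style and avoids word-splitting if MAIL_USER ever holds more than one word. With this default applied at load time, the `if [[ -z ${MAIL_USER} ]]; then MAIL_USER="root"; fi` added to Maillog in the next hunk can never trigger in the only path that reaches it (MAIL_WARN is yes); one of the two should go, and a comment on whichever stays, `# fall back to root when security.conf names no recipient`, would explain the intent.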
@@ -130,12 +132,13 @@ Maillog() {
text=${2}
if [[ ${MAIL_WARN} == yes ]]; then
- if [[ ! -z ${MAIL_USER} ]]; then
- if [[ -x /bin/mail ]]; then
- cat ${text} | /bin/mail -s "${subject}" "${MAIL_USER}"
- fi
- fi
+ if [[ -z ${MAIL_USER} ]]; then
+ MAIL_USER="root"
+ fi
+ if [[ -x /bin/mail ]]; then
+ cat ${text} | /bin/mail -s "${subject}" "${MAIL_USER}"
fi
+ fi
}
##################
diff --git a/cron-sh/security_check.sh b/cron-sh/security_check.sh
index a5ad71c..5055b52 100755
--- a/cron-sh/security_check.sh
+++ b/cron-sh/security_check.sh
@@ -62,7 +62,7 @@ while read username uid homedir; do
for f in ${list} ; do
file="${homedir}/${f}"
if [[ -f ${file} ]] ; then
- printf "${uid} ${username} ${file} `ls -ldcgn ${file}`\n"
+ printf "${uid} ${username} ${file} `ls -Lldcgn ${file}`\n"
fi
done
done | awk '$1 != $6 && $6 != "0" \
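Review bot: The changed `ls` calls still pass `${file}` unquoted and the surrounding `printf` uses the path and the `ls` output as the format string, so a home-directory or file name containing whitespace or a `%` mis-splits or corrupts the report; since these lines are being touched, `printf '%s %s %s %s\n' "${uid}" "${username}" "${file}" "$(ls -Lldcgn -- "${file}")"` here and in the @@ -91 hunk, and `ls -Lldgn -- "${homedir}"` in the @@ -110 hunk, would close that. With `-L`, a user-owned link to a root-owned target now reports owner 0 and is dropped by the `$6 != "0"` filter on the awk line; that looks intended, and a comment on the call, `# -L: report the target's owner/mode, not the link's`, would record it. The enclosing `while read` loop and the awk program continue outside the hunk.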
@@ -91,7 +91,7 @@ while read username uid homedir; do
for f in ${list} ; do
file=${homedir}/${f}
if [[ -f ${file} ]] ; then
- printf "${uid} ${username} ${file} `ls -ldcgn ${file}`\n"
+ printf "${uid} ${username} ${file} `ls -Lldcgn ${file}`\n"
fi
done
done | awk '$1 != $6 && $6 != "0" \
@@ -110,9 +110,9 @@ fi
awk -F: '/^[^+-]/ { print $1 " " $3 " " $6 }' /etc/passwd | \
while read username uid homedir; do
if [[ -d ${homedir} ]] ; then
- realuid=`ls -ldgn ${homedir}| awk '{ print $3 }'`
- realuser=`ls -ldg ${homedir}| awk '{ print $3 }'`
- permissions=`ls -ldg ${homedir}| awk '{ print $1 }'`
+ realuid=`ls -Lldgn ${homedir}| awk '{ print $3 }'`
+ realuser=`ls -Lldg ${homedir}| awk '{ print $3 }'`
+ permissions=`ls -Lldg ${homedir}| awk '{ print $1 }'`
printf "${permissions} ${username} (${uid}) ${realuser} (${realuid})\n"
fi
done | awk '$3 != $5 && $5 != "(0)" \
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index d597255..aed9d57 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -184,6 +184,7 @@ echo "Do you want security report to be done by mail ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf
+ AddRules "MAIL_USER=root" /etc/security/msec/security.conf
else
AddRules "MAIL_WARN=no" /etc/security/msec/security.conf
fi
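Review bot: `AddRules "MAIL_USER=root"` is appended whenever mail reporting is enabled, so on a system whose security.conf already carries an administrator-chosen `MAIL_USER=...` the appended line comes later in the sourced file and takes precedence, silently redirecting reports to root (assuming AddRules appends when the exact line is absent, as the copy in lib.sh.usermode does). cron-sh/security.sh in this same commit already falls back to root when MAIL_USER is empty, so the line is redundant for the case it targets. Either drop it in favour of the runtime default or guard it, e.g. `grep -q '^MAIL_USER=' /etc/security/msec/security.conf || AddRules "MAIL_USER=root" /etc/security/msec/security.conf`.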
diff --git a/init-sh/level0.sh b/init-sh/level0.sh
index 9f4f4ee..4329773 100755
--- a/init-sh/level0.sh
+++ b/init-sh/level0.sh
@@ -72,19 +72,15 @@ AddRules "export PATH SECURE_LEVEL" /etc/zprofile
# Xserver
echo "Allowing users to connect X server from everywhere :"
-AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xdm/Xsession quiet
-AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xinit/xinitrc
+AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xinit.d/msec quiet
# Group
echo "Adding system users to specific groups :"
/usr/share/msec/grpuser.sh --refresh
echo -e "done.\n"
+AllowAutologin
+
# Boot on a shell / authorize ctrl-alt-del
-echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
+AllowReboot
+AllowUserList
diff --git a/init-sh/level1.sh b/init-sh/level1.sh
index 172c29b..ac72a91 100755
--- a/init-sh/level1.sh
+++ b/init-sh/level1.sh
@@ -72,8 +72,7 @@ AddRules "export PATH SECURE_LEVEL" /etc/zprofile
# Xserver
echo "Allowing users to connect X server from localhost :"
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
+AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit.d/msec
# Group
echo "Adding system users to specific groups :"
@@ -81,12 +80,8 @@ echo "Adding system users to specific groups :"
grpconv
echo -e "done.\n"
+AllowAutologin
+
# Do not boot on a shell
-echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
+AllowReboot
+AllowUserList
diff --git a/init-sh/level2.sh b/init-sh/level2.sh
index eb2641a..3ffe407 100755
--- a/init-sh/level2.sh
+++ b/init-sh/level2.sh
@@ -73,8 +73,7 @@ AddRules "export PATH SECURE_LEVEL" /etc/zprofile
# Xserver
echo "Allowing users to connect X server from localhost :"
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
+AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit.d/msec
# group
echo "Adding system users to specifics groups :"
@@ -82,14 +81,8 @@ echo "Adding system users to specifics groups :"
grpconv
echo -e "done.\n"
-# Do not boot on a shell
-echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
-
+AllowAutologin
+# Do not boot on a shell
+AllowReboot
+AllowUserList
diff --git a/init-sh/level3.sh b/init-sh/level3.sh
index 74f72a6..e2808f9 100755
--- a/init-sh/level3.sh
+++ b/init-sh/level3.sh
@@ -79,15 +79,11 @@ AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/zprofile quiet
AddRules "export PATH SECURE_LEVEL" /etc/zprofile
# Do not boot on a shell
-echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
+AllowReboot
+ForbidAutologin
# Group were modified in lib.sh...
grpconv
+
+AllowUserList
diff --git a/init-sh/level4.sh b/init-sh/level4.sh
index c23d576..b0dded8 100755
--- a/init-sh/level4.sh
+++ b/init-sh/level4.sh
@@ -115,14 +115,9 @@ if [[ -f /lib/libsafe.so.1.3 ]]; then
fi
# Do not boot on a shell
-echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
+ForbidReboot
+
+ForbidAutologin
# Group were modified in lib.sh...
grpconv
@@ -132,3 +127,5 @@ grpconv
+
+ForbidUserList
diff --git a/init-sh/level5.sh b/init-sh/level5.sh
index a58f2df..13b02bb 100755
--- a/init-sh/level5.sh
+++ b/init-sh/level5.sh
@@ -132,15 +132,8 @@ if [[ -f /lib/libsafe.so.1.3 ]]; then
fi
# Do not boot on a shell
-echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
-
+ForbidReboot
+ForbidAutologin
echo
echo "You are now running your system in security level 5,"
@@ -171,3 +164,5 @@ grpconv
+
+ForbidUserList
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
index 2c7009c..1be738a 100644
--- a/init-sh/lib.sh
+++ b/init-sh/lib.sh
@@ -222,6 +222,81 @@ CleanLoaderRules() {
fi
}
+AllowAutologin() {
+ file=/etc/sysconfig/autologin
+ if [[ -f ${file} ]]; then
+ grep -v AUTOLOGIN < ${file} > ${file}.new
+ echo "AUTOLOGIN=yes" >> ${file}.new
+ mv -f ${file}.new ${file}
+ fi
+}
+
+ForbidAutologin() {
+ file=/etc/sysconfig/autologin
+ if [[ -f ${file} ]]; then
+ cat ${file} | grep -v AUTOLOGIN > ${file}.new
+ echo "AUTOLOGIN=no" >> ${file}.new
+ mv -f ${file}.new ${file}
+ fi
+}
+
+ForbidUserList() {
+ file=/usr/share/config/kdmrc
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^UserView=.*$/UserView=false/' ${file}
+ fi
+
+ file=/etc/X11/gdm/gdm.conf
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^Browser=.*$/Browser=0/' ${file}
+ fi
+}
+
+AllowUserList() {
+ file=/usr/share/config/kdmrc
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^UserView=.*$/UserView=true/' ${file}
+ fi
+
+ file=/etc/X11/gdm/gdm.conf
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^Browser=.*$/Browser=1/' ${file}
+ fi
+}
+
+ForbidReboot() {
+ echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp /etc/inittab ${tmpfile}
+ cat ${tmpfile} | \
+ sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
+ rm -f ${tmpfile}
+ [ -z "$DURING_INSTALL" ] && telinit u
+ echo "done."
+ echo -n "Forbid console users to reboot/shutdown : "
+ for pamfile in /etc/security/console.apps/{shutdown,poweroff,reboot,halt} ; do
+ rm -f ${pamfile} 2>&1 > /dev/null
+ done
+ echo "done."
+}
+
+AllowReboot() {
+ echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp /etc/inittab ${tmpfile}
+ cat ${tmpfile} | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
+ rm -f ${tmpfile}
+ [ -z "$DURING_INSTALL" ] && telinit u
+ echo "done."
+ echo -n "Allow console users to reboot/shutdown : "
+ for pamfile in /etc/security/console.apps/{shutdown,poweroff,reboot,halt} ; do
+ touch -f ${pamfile}
+ done
+ echo "done."
+}
+
# If we are currently installing our
# system with DrakX, we don't ask anything to the user...
# Instead, DrakX do it and give us a file with some variable.
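Review bot: In `ForbidReboot` and `AllowReboot` the inittab rewrite goes through `cat ${tmpfile} | sed ... > /etc/inittab`, so if `mktemp` fails (its result is never checked) or `sed` fails, the redirection has already truncated /etc/inittab to an empty file and `telinit u` then runs against it; writing the result to the temp file first and copying it back only on success, `sed 's/…/…/' /etc/inittab > "${tmpfile}" && cat "${tmpfile}" > /etc/inittab`, with `tmpfile=$(mktemp /tmp/secure.XXXXXX) || return 1` above it, keeps the original intact on any failure. `telinit u` asks init to re-execute itself, while `telinit q` is the documented request to re-examine /etc/inittab, which appears to be what the ChangeLog entry "Restart init after inittab change" wants — worth confirming against the init in use. In `AllowAutologin` / `ForbidAutologin` the `grep -v AUTOLOGIN` filter is unanchored and would also drop any other key whose name contains that substring; `grep -v '^AUTOLOGIN='` limits it to the line being replaced. Finally, `rm -f ${pamfile} 2>&1 > /dev/null` sends stderr to the terminal rather than /dev/null; the order should be `> /dev/null 2>&1`.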
@@ -250,8 +325,13 @@ CleanRules /etc/logrotate.conf
CleanRules /etc/rc.d/rc.local
CleanRules /etc/rc.d/rc.firewall
CleanRules /etc/crontab
-CleanRules /etc/X11/xdm/Xsession
-CleanRules /etc/X11/xinit/xinitrc
+
+if [[ -f /etc/X11/xinit.d/msec ]]; then
+ CleanRules /etc/X11/xinit.d/msec
+else
+ touch /etc/X11/xinit.d/msec
+ chmod 755 /etc/X11/xinit.d/msec
+fi
echo -e "\nStarting to reconfigure the system : "
# For all secure level
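Review bot: The `CleanRules` calls for /etc/X11/xdm/Xsession and /etc/X11/xinit/xinitrc are removed together with the rules that used to write there, so a system upgrading from the previous release keeps whatever msec appended to those files earlier (for level 0 that was `xhost +`, per the level0.sh hunk) while the same rule is now also written to /etc/X11/xinit.d/msec; keeping `[[ -f /etc/X11/xdm/Xsession ]] && CleanRules /etc/X11/xdm/Xsession` and the same for xinitrc for at least one release removes the stale lines. In the new else branch `touch /etc/X11/xinit.d/msec` fails if the xinit.d directory is missing and the script carries on without the file; a `[[ -d /etc/X11/xinit.d ]] ||` check (or `mkdir -p`) before the `touch`, plus a short comment noting that the file is presumably run by every X session start and so must stay root-owned and 755, would make the intent clear.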
@@ -266,10 +346,6 @@ groupadd xgrp >& /dev/null
groupadd ntools >& /dev/null
groupadd ctools >& /dev/null
-#Fix the big security hole introduced in cooker
-userdel mandrake >& /dev/null
-groupdel mandrake >& /dev/null
-
usermod -G xgrp xfs
/usr/share/msec/grpuser.sh --clean
diff --git a/init-sh/lib.sh.usermode b/init-sh/lib.sh.usermode
new file mode 100644
index 0000000..6f1f65e
--- /dev/null
+++ b/init-sh/lib.sh.usermode
@@ -0,0 +1,385 @@
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+# Need root access
+if [[ ${UID} != 0 ]]; then
+ echo "You need to be root in order to change secure level."
+ exit 1
+fi
+
+export COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too."
+
+WaitAnswer() {
+ answer="nothing"
+
+ while [[ ${answer} != yes && ${answer} != no ]]; do
+ echo -n "yes/no : "
+ read answer
+ done
+}
+
+AddRules() {
+ string=$1
+ file=$2
+ quiet=$3
+
+ if [[ -z ${string} ]]; then
+ return;
+ fi
+
+ if [[ -z ${quiet} ]]; then
+ echo "Modifying config in ${file}..."
+ fi
+
+ if ! grep -Eqx "^${string}" ${file}; then
+ echo -e "${COMMENT}" >> ${file};
+ echo -e "${string}" >> ${file};
+ fi
+
+ if [[ -z ${3} ]]; then
+ echo -e "done.\n"
+ fi
+}
+
+AddBegRules() {
+ echo "Modifying config in ${2}..."
+
+ if [[ ! -f ${file} ]]; then
+ return;
+ fi
+
+ export VAL=$1
+ perl -pi -e '/^#/ or /^$/ or $m++ or print "$ENV{COMMENT}\n$ENV{VAL}\n"' $2
+
+ echo -e "done.\n"
+}
+
+
+OLD_CleanRules() {
+ file=$1
+ ctrl=0
+
+ if [[ ! -f ${file} ]]; then
+ echo "${file} do not exist... can not clean."
+ return;
+ fi
+
+ echo -en "\t- Cleaning msec appended line in ${file} : "
+
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp ${file} ${tmpfile}
+
+ while read line; do
+ if [[ ${ctrl} == 1 ]]; then
+ ctrl=0
+ continue;
+ fi
+
+ if echo "${line}" | grep -qx "${COMMENT}"; then
+ ctrl=1
+ fi
+
+ if [[ ${ctrl} == 0 ]]; then
+ echo "${line}"
+ fi
+ done < ${tmpfile} > ${file}
+
+ rm -f ${tmpfile}
+
+ echo "done."
+}
+
+CleanRules() {
+ echo -en "\t- Cleaning msec appended line in $1 : "
+
+ perl -ni -e '$_ eq "$ENV{COMMENT}\n" ... // or print' $1
+
+ echo "done."
+}
+
+CommentUserRules() {
+ file=$1
+
+ if [[ ! -f ${file} ]]; then
+ return;
+ fi
+
+ echo -en "\t- Cleaning user appended line in ${file} : "
+
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp -f ${file} ${tmpfile}
+
+ while read line; do
+ if ! echo "${line}" | grep -qE "^#"; then
+ echo "# ${line}"
+ else
+ echo "${line}"
+ fi
+ done < ${tmpfile} > ${file}
+
+ rm -f ${tmpfile}
+
+ echo "done."
+}
+
+Syslog() {
+ if [[ ${SYSLOG_WARN} == yes ]]; then
+ /sbin/initlog --string=${1}
+ fi
+}
+
+Ttylog() {
+ if [[ ${TTY_WARN} == yes ]]; then
+ w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do
+ echo -e ${1} > /dev/$i
+ done
+ fi
+}
+
+
+LoaderUpdate() {
+
+ # Ask only if we're not inside DrakX.
+ if [[ ! ${DRAKX_PASSWORD+set} ]]; then
+ echo "Do you want a password authentication at boot time ?"
+ echo "Be very carefull,"
+ echo "this will prevent your server to reboot without an operator to enter password".
+ WaitAnswer;
+ if [[ ${answer} == yes ]]; then
+ echo -n "Please enter the password which will be used at boot time : "
+ read password
+ else
+ password=""
+ fi
+
+ if [[ ! -z ${password} ]]; then
+ if [[ -f /etc/lilo.conf ]]; then
+ AddBegRules "password=$password" /etc/lilo.conf
+ chmod 600 /etc/lilo.conf
+ fi
+ if [[ -f /boot/grub/menu.lst ]]; then
+ AddBegRules "password $password" /boot/grub/menu.lst
+ chmod 600 /boot/grub/menu.lst
+ fi
+
+ loader=`/usr/sbin/detectloader`
+ case "${loader}" in
+ "LILO")
+ /sbin/lilo
+ ;;
+ "GRUB")
+ ;;
+ esac
+ fi
+ fi
+}
+
+# Do something only if DRAKX_PASSWORD set ( we're in DrakX )
+LoaderDrakX() {
+ if [[ -n "${DRAKX_PASSWORD}" ]]; then
+ if [[ -f /etc/lilo.conf ]]; then
+ AddBegRules "password=$DRAKX_PASSWORD" /etc/lilo.conf
+ chmod 600 /etc/lilo.conf
+ fi
+ if [[ -f /boot/grub/menu.lst ]]; then
+ AddBegRules "password $DRAKX_PASSWORD" /boot/grub/menu.lst
+ chmod 600 /boot/grub/menu.lst
+ fi
+
+ loader=`/usr/sbin/detectloader`
+ case "${loader}" in
+ "LILO")
+ /sbin/lilo
+ ;;
+ "GRUB")
+ ;;
+ esac
+ fi
+}
+
+
+CleanLoaderRules() {
+ if [[ -f /etc/lilo.conf ]]; then
+ CleanRules /etc/lilo.conf
+ chmod 644 /etc/lilo.conf
+ fi
+ if [[ -f /boot/grub/menu.lst ]]; then
+ CleanRules /boot/grub/menu.lst
+ chmod 644 /boot/grub/menu.lst
+ fi
+
+ if [[ -z ${DRAKX_PASSWORD} ]]; then
+ loader=`/usr/sbin/detectloader`
+ case "${loader}" in
+ "LILO")
+ /sbin/lilo
+ ;;
+ "GRUB")
+ ;;
+ esac
+ fi
+}
+
+AllowAutologin() {
+ file=/etc/sysconfig/autologin
+ if [[ -f ${file} ]]; then
+ grep -v AUTOLOGIN < ${file} > ${file}.new
+ echo "AUTOLOGIN=yes" >> ${file}.new
+ mv -f ${file}.new ${file}
+ fi
+}
+
+ForbidAutologin() {
+ file=/etc/sysconfig/autologin
+ if [[ -f ${file} ]]; then
+ cat ${file} | grep -v AUTOLOGIN > ${file}.new
+ echo "AUTOLOGIN=no" >> ${file}.new
+ mv -f ${file}.new ${file}
+ fi
+}
+
+ForbidUserList() {
+ file=/usr/share/config/kdmrc
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^UserView=.*$/UserView=false/' ${file}
+ fi
+
+ file=/etc/X11/gdm/gdm.conf
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^Browser=.*$/Browser=0/' ${file}
+ fi
+}
+
+AllowUserList() {
+ file=/usr/share/config/kdmrc
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^UserView=.*$/UserView=true/' ${file}
+ fi
+
+ file=/etc/X11/gdm/gdm.conf
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^Browser=.*$/Browser=1/' ${file}
+ fi
+}
+
+ForbidReboot() {
+ echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp /etc/inittab ${tmpfile}
+ cat ${tmpfile} | \
+ sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
+ rm -f ${tmpfile}
+ [ -z "$DURING_INSTALL" ] && telinit u
+ echo "done."
+}
+
+AllowReboot() {
+ echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp /etc/inittab ${tmpfile}
+ cat ${tmpfile} | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
+ rm -f ${tmpfile}
+ [ -z "$DURING_INSTALL" ] && telinit u
+ echo "done."
+}
+
+# If we are currently installing our
+# system with DrakX, we don't ask anything to the user...
+# Instead, DrakX do it and give us a file with some variable.
+if [[ -f /etc/security/msec/security.conf ]]; then
+ . /etc/security/msec/security.conf
+fi
+
+clear
+echo "Preparing to run security script : "
+CleanRules /etc/syslog.conf
+CleanRules /etc/hosts.deny
+CommentUserRules /etc/hosts.deny
+CleanRules /etc/hosts.allow
+CommentUserRules /etc/hosts.allow
+CleanRules /etc/securetty
+CommentUserRules /etc/securetty
+CleanRules /etc/security/msec/security.conf
+CommentUserRules /etc/security/msec/security.conf
+CleanRules /etc/profile
+CleanRules /etc/ld.so.preload
+
+CleanLoaderRules
+LoaderDrakX
+
+CleanRules /etc/logrotate.conf
+CleanRules /etc/rc.d/rc.local
+CleanRules /etc/rc.d/rc.firewall
+CleanRules /etc/crontab
+
+if [[ -f /etc/X11/xinit.d/msec ]]; then
+ CleanRules /etc/X11/xinit.d/msec
+else
+ touch /etc/X11/xinit.d/msec
+ chmod 755 /etc/X11/xinit.d/msec
+fi
+
+echo -e "\nStarting to reconfigure the system : "
+# For all secure level
+echo "Setting spoofing protection : "
+AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall
+
+# default group which must exist on the system
+# groupadd already check for their existance...
+groupadd nogroup >& /dev/null
+groupadd audio >& /dev/null
+groupadd xgrp >& /dev/null
+groupadd ntools >& /dev/null
+groupadd ctools >& /dev/null
+
+usermod -G xgrp xfs
+
+/usr/share/msec/grpuser.sh --clean
+echo
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
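Review bot: LoaderUpdate reads the boot password with a bare `read password`, which echoes it on the terminal, and both LoaderUpdate and LoaderDrakX append it to /etc/lilo.conf and /boot/grub/menu.lst through AddBegRules before the `chmod 600` runs, so the plaintext password sits in a file that CleanLoaderRules has just reset to 644 until the chmod completes; use `read -rs password` and move each `chmod 600` ahead of its AddBegRules call. AddBegRules itself guards on `[[ ! -f ${file} ]]` although the file it edits is `$2`, so the check tests whatever `file` an earlier CleanRules/CommentUserRules call left behind — `[[ ! -f $2 ]]` is the intended test. Ttylog iterates with `read line` but writes to `/dev/$i`, so the redirection targets `/dev/` and fails instead of reaching a terminal; `> /dev/${line}` matches the loop variable. ForbidReboot and AllowReboot redirect the sed pipeline straight into `/etc/inittab`, which truncates the live file before sed produces any output; writing to a second mktemp file and `mv`-ing it into place only when the pipeline succeeds avoids leaving an empty inittab if sed or the copy fails.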
diff --git a/msec.spec b/msec.spec
index 71da60a..707cb51 100644
--- a/msec.spec
+++ b/msec.spec
@@ -1,15 +1,15 @@
-%define version 0.14
-%define release 4mdk
-
-Summary: Security Level & Program for the Linux Mandrake distribution
-Name: msec
-Version: %{version}
-Release: %{release}
-Source: %{name}-%{version}.tar.bz2
-Copyright: GPL
-Group: System/Base
-BuildRoot: /var/tmp/msec
-Requires: /bin/bash setup chkconfig >= 0.9-6
+Summary: Security Level & Program for the Linux Mandrake distribution
+Name: msec
+Version: 0.15
+Release: 17mdk
+
+Source: %{name}-%{version}.tar.bz2
+Patch0: msec-0.15-usermode.patch.bz2
+
+License: GPL
+Group: System/Base
+BuildRoot: %_tmppath/%name-%version-%release-root
+Requires: /bin/bash setup chkconfig >= 0.9-6
%description
The Mandrake-Security package is designed to provide generic
@@ -20,13 +20,29 @@ This packages includes several program that will be run periodically
in order to test the security of your system and alert you if needed.
%prep
-%setup
+
+%setup -q
+%patch0 -p1 -b .usermode
%build
make CFLAGS="$RPM_OPT_FLAGS"
%install
-make install RPM_BUILD_ROOT=$RPM_BUILD_ROOT
+#make install RPM_BUILD_ROOT=$RPM_BUILD_ROOT
+
+install -d $RPM_BUILD_ROOT/etc/security/msec
+install -d $RPM_BUILD_ROOT/usr/share/msec
+install -d $RPM_BUILD_ROOT/usr/sbin $RPM_BUILD_ROOT/usr/bin
+install -d $RPM_BUILD_ROOT/var/log/security
+install -d $RPM_BUILD_ROOT%{_mandir}/man8
+
+install -m 755 init-sh/*.sh cron-sh/*.sh $RPM_BUILD_ROOT/usr/share/msec
+install -m 755 init-sh/msec $RPM_BUILD_ROOT/usr/sbin
+install -m 644 conf/perm.* conf/server.* $RPM_BUILD_ROOT/etc/security/msec
+install -m 755 src/promisc_check/promisc_check src/msec_find/msec_find $RPM_BUILD_ROOT/usr/bin
+install -m 644 doc/*8 $RPM_BUILD_ROOT%{_mandir}/man8/
+
+touch $RPM_BUILD_ROOT/etc/security/msec/security.conf $RPM_BUILD_ROOT/var/log/security.log
%clean
rm -rf $RPM_BUILD_ROOT
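Review bot: The final `touch` in %install creates /var/log/security.log and /etc/security/msec/security.conf with the build user's umask-derived mode, and the `%defattr(-,root,root)` in the following hunk keeps that mode, so the security report log and the config file sourced by lib.sh (which, per its comments, may carry DRAKX_PASSWORD) typically ship world-readable. Creating them with an explicit mode, `install -m 600 /dev/null $RPM_BUILD_ROOT/var/log/security.log` and likewise for security.conf, pins the permissions regardless of the build environment. `install -d -m 700 $RPM_BUILD_ROOT/var/log/security` would do the same for the report directory created a few lines above.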
@@ -35,17 +51,88 @@ rm -rf $RPM_BUILD_ROOT
%defattr(-,root,root)
%doc AUTHORS COPYING Makefile README
%doc doc/*txt ChangeLog doc/*ps
-/usr/bin/promisc_check
-/usr/bin/msec_find
-/usr/sbin/msec
-/usr/share/msec
-/var/log/security.log
-/var/log/security
-/usr/man/*/*
+%_bindir/promisc_check
+%_bindir/msec_find
+%_sbindir/msec
+%_datadir/msec
+%_mandir/*/*
-%config /etc/security/msec
+%config(noreplace) /var/log/security.log
+%config(noreplace) /var/log/security
+%config(noreplace) /etc/security/msec
%changelog
+* Mon Jul 9 2001 Frederic Crozat <fcrozat@mandrakesoft.com> 0.15-17mdk
+- Patch 0: add suppport for usermode halt/reboot
+
+* Thu May 10 2001 Stew Benedict <sbendict@mandrakesoft.com> 0.15-16mdk
+- Check for drakx install environment before running "telinit u" - PPC hang
+
+* Tue May 01 2001 David BAUDENS <baudens@mandrakesoft.com> 0.15-15mdk
+- Use %%_tmppath for BuildRoot
+
+* Tue Oct 10 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-14mdk
+- call telinit after modifying inittab
+
+* Tue Oct 10 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-13mdk
+- Applied Warly patch to fix user list problem under kdm.
+- User list option for gdm too.
+
+* Tue Oct 10 2000 Warly <warly@mandrakesoft.com> 0.15-12mdk
+- change the UserList method to not append at the end of kdmrc (in the wrong section)
+
+* Mon Oct 9 2000 Pixel <pixel@mandrakesoft.com> 0.15-11mdk
+- remove the fix for #760 (it needs real fixing!)
+
+* Mon Oct 09 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-10mdk
+- conf/server.[45]: add pcmcia
+
+* Mon Oct 09 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-9mdk
+- fix for #760 (kdm should not display the list of users for high security
+ levels)
+
+* Mon Oct 09 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-8mdk
+- fix a typo in conf/perm.0
+
+* Fri Oct 04 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-7mdk
+- Autologin allowed in level 0, 1, 2.... I'm against this... but...
+
+* Fri Oct 04 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-6mdk
+- fix some entry in perm.*
+- Autologin will only work in level 0
+
+* Tue Oct 03 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-5mdk
+ * init-sh/*.sh : instead of modifying Xsession,
+ create the /etc/X11/xinit.d/msec file which can contain eventual
+ rules appended by msec.
+
+* Mon Oct 02 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-4mdk
+- some fix.
+
+* Mon Oct 02 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-3mdk
+- init-sh/*.sh : modify /etc/X11/Xsession, not /etc/X11/xdm/Xsession
+ nor /etc/X11/xinit/xinitrc anymore, as they all load
+ /etc/X11/Xsession.
+
+* Fri Sep 01 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-2mdk
+- install manually
+- use %{_mandir} macros
+- use %config(noreplace) for /etc/msec and for logfile
+
+* Tue Jul 18 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-1mdk
+- cron-sh/security_check.sh : use -L in ls,
+ to dereference symbolic link Chris Green <cmg@dok.org>
+- conf/perm.*: /var/log/squid must be owned by squid.squid.
+- cron-sh/security.sh:
+- init-sh/custom.sh: added patch from AG <darkimage@bigfoot.com>,
+ if no user to mail security report to is availlable, send to root.
+
+* Wed May 17 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.14-6mdk
+- Handle new libsafe path.
+
+* Wed May 17 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.14-5mdk
+- corrected a wrong path.
+
* Wed May 03 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.14-4mdk
- LoaderUpdate() make a difference between an empty
variable, and a non existing one.