-rw-r--r--Makefile1
-rw-r--r--doc/msec.spec18
-rwxr-xr-xinit-sh/custom.sh110
-rwxr-xr-xinit-sh/init.sh1
-rw-r--r--init-sh/lib.sh19
5 files changed, 140 insertions, 9 deletions
diff --git a/Makefile b/Makefile
index a7e1e15..e3755ce 100644
--- a/Makefile
+++ b/Makefile
@@ -17,6 +17,7 @@ install:
(cp init-sh/grpuser /etc/security/msec/init-sh);
(cp init-sh/file_perm.sh /etc/security/msec/init-sh);
(cp init-sh/*.[1-5] /etc/security/msec/init-sh/)
+ (cp init-sh/custom.sh /etc/security/msec/init-sh);
(cp init-sh/server.* /etc/security/msec/init-sh)
(touch /etc/security/msec/security.conf)
(cd src/promisc_check; make install)
diff --git a/doc/msec.spec b/doc/msec.spec
index 45ef518..22f56ee 100644
--- a/doc/msec.spec
+++ b/doc/msec.spec
@@ -1,7 +1,7 @@
Summary: Security Level & Program for the Linux Mandrake distribution
Name: msec
-Version: 0.3
-Release: 8mdk
+Version: 0.4
+Release: 1mdk
Source: ftp://mandrakesoft.com/pub/yoann/msec-0.3.tar.gz
Copyright: GPL
Group: System Environment/Base
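Review bot: Version is bumped to 0.4 at the top of this hunk, but the `Source:` line two lines below still names `msec-0.3.tar.gz`, so the spec no longer points at the tarball it is meant to build. Tie the two together with the macro, `Source: ftp://mandrakesoft.com/pub/yoann/msec-%{version}.tar.gz`, so the next bump cannot leave it stale again.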
@@ -11,8 +11,8 @@ Requires: /bin/bash setup chkconfig
%description
The Mandrake-Security package is designed to provide generic
secure level to the Mandrake-Linux users...
-It will permit you to choose between level 1 to 5 for a
-less -> more secured distribution.
+It will permit you to choose between level 1 to 5 & custom
+for a less -> more secured distribution.
This packages includes several program that will be run periodically
in order to test the security of your system and alert you if needed.
@@ -34,6 +34,7 @@ cp init-sh/file_perm.sh $RPM_BUILD_ROOT/etc/security/msec/init-sh
cp init-sh/perm.[1-5] $RPM_BUILD_ROOT/etc/security/msec/init-sh
cp init-sh/server.* $RPM_BUILD_ROOT/etc/security/msec/init-sh
cp init-sh/grpuser $RPM_BUILD_ROOT/etc/security/msec/init-sh
+cp init-sh/custom.sh $RPM_BUILD_ROOT/etc/security/msec/init-sh
cp cron-sh/*.sh $RPM_BUILD_ROOT/etc/security/msec/cron-sh
touch $RPM_BUILD_ROOT/etc/security/msec/security.conf
cp src/promisc_check/promisc_check $RPM_BUILD_ROOT/usr/bin
@@ -47,6 +48,15 @@ rm -rf $RPM_BUILD_ROOT
/usr/bin/promisc_check
%changelog
+* Mon Nov 29 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+- Released 0.4 :
+- Now have a custom mode, just answer the question.
+- Msec print what it does.
+- Bug fix in LiloUpdate().
+
+* Mon Nov 29 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
+- Fixed a few bugs in msec.
+
* Fri Nov 26 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- grpuser was not installed.
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index e69de29..eac0cc8 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+ . /etc/security/msec/init-sh/lib.sh
+fi
+
+
+clear
+
+###
+echo "Do you want your log file to be in append mode only ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ find /var/log/ -type f -exec chattr +a {} \;
+fi
+###
+echo "Do you want all system events to be logged on tty12 ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "*.* /dev/tty12" /etc/syslog.conf
+fi
+###
+echo "Do you want to deny any machine to connect to yours ?"
+WaitAnswer
+if [ ${answer} == "yes" ]; then
+ echo "Do you want only localhost to be allowed ?"
+ WaitAnswer; clear
+ if [ "${answer}" == "yes" ]; then
+ AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny
+ else
+ AddRules "ALL:ALL:DENY" /etc/hosts.deny
+ fi
+fi
+###
+echo "Do you want root console login to be allowed ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "tty1" /etc/securetty quiet
+ AddRules "tty2" /etc/securetty quiet
+ AddRules "tty3" /etc/securetty quiet
+ AddRules "tty4" /etc/securetty quiet
+ AddRules "tty5" /etc/securetty quiet
+ AddRules "tty6" /etc/securetty
+fi
+###
+echo "Do you want your system to daily check SUID Root file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to daily check SUID Group file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to daily check Writable file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to daily check Unowned file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to verify every minutes if a network interface"
+echo "is in promiscuous state (which mean someone is probably running a sniffer on your machine ) ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf
+ AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab
+fi
+###
+LiloUpdate;
+/sbin/lilo >& /dev/null
+###
+echo "Do you want a "." in your PATH variable ?"
+echo "This permit you to not use ./progname & to just type progname"
+echo "However this is a *high* security risk."
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "PATH=\$PATH:/usr/X11R6/bin" /etc/profile
+fi
+###
+AddRules "SECURE_LEVEL=\"custom\"" /etc/profile
+export SECURE_LEVEL="custom"
+###
+AddRules "umask 077" /etc/profile
+
+
+
+
+
+
+
+
+
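Review bot: The PATH prompt near the end of the file asks whether to put "." in PATH and warns about the risk, but the rule applied on a "yes" answer is `AddRules "PATH=\$PATH:/usr/X11R6/bin" /etc/profile`, which never touches "." — the user consents to one change and gets an unrelated one, so either the three `echo` lines or the rule must be corrected to match (given the warning, dropping the question and keeping the X11 path addition unconditional seems the safer reading). The four "daily check" questions each append `0 0-23 * * * root nice ... file_check.sh` to /etc/crontab, which runs hourly, not daily, and the same line is added once per "yes"; whether AddRules deduplicates cannot be told from here, so the prompts and the schedule should agree and the line should be added only once. `/sbin/lilo >& /dev/null` after `LiloUpdate` hides any failure to install the boot loader after lilo.conf was just rewritten; at least test its status, `/sbin/lilo >/dev/null 2>&1 || echo "lilo failed, check /etc/lilo.conf" >&2`. The unquoted `[ ${answer} == "yes" ]` tests rely on WaitAnswer always setting a non-empty value; quoting them as the nested `[ "${answer}" == "yes" ]` already does costs nothing.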
diff --git a/init-sh/init.sh b/init-sh/init.sh
index fa8e9b3..361eb1e 100755
--- a/init-sh/init.sh
+++ b/init-sh/init.sh
@@ -9,6 +9,7 @@ fi
if [ "${1}" == "custom" ]; then
/etc/security/msec/init-sh/custom.sh
+ exit 0;
fi
if [ -f /etc/security/msec/init-sh/level$1.sh ]; then
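Review bot: The added `exit 0;` discards custom.sh's exit status, so `init.sh custom` reports success to its caller even when custom.sh failed part-way. Replace it with `exit $?` (or run `exec /etc/security/msec/init-sh/custom.sh`) so the status propagates; the trailing `;` is unnecessary either way.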
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
index 578c4e4..81c62c0 100644
--- a/init-sh/lib.sh
+++ b/init-sh/lib.sh
@@ -26,6 +26,15 @@ fi
USERNAME="blah"
COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too."
+WaitAnswer() {
+ answer="nothing"
+
+ while [[ "${answer}" != "yes" && "${answer}" != "no" ]]; do
+ echo -n "yes/no : "
+ read answer
+ done
+}
+
AddRules () {
string=$1
file=$2
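Review bot: `read answer` in the new WaitAnswer never checks read's status, so when stdin is closed or at end of file (a non-interactive run, or a piped answer file that runs out) read returns non-zero with an empty answer and the loop spins forever printing `yes/no : `. Change it to `read -r answer || exit 1` so the caller fails instead of hanging; `-r` also keeps a stray backslash from being eaten. The comparison is case-sensitive, so "Yes" is rejected until retyped in lower case; if that is intended it deserves a comment. AddRules starts at the end of this hunk and continues outside it.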
@@ -113,9 +122,8 @@ LiloUpdate() {
echo "Do you want a password authentication at boot time ?"
echo "Be very carefull,"
echo "this will prevent your server to reboot without an operator to enter password".
- echo -n "[yes]/no : "
- read answer
- if [[ "${answer}" == "yes" || "${answer}" == "" ]]; then
+ WaitAnswer
+ if [ "${answer}" == "yes" ]; then
echo -n "Please enter the password which will be used at boot time : "
read password
else
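Review bot: `read password` right after the new WaitAnswer call reads the boot-time password with terminal echo on, so it appears on screen and in any session capture; `read -r -s password; echo` keeps the flow and suppresses the echo. This line fills `password` while the later `AddRules "password=$PASSWORD" /etc/lilo.conf` uses the upper-case name; the assignment between the two is outside this hunk, so confirm it exists. LiloUpdate begins before and continues past this hunk.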
@@ -131,9 +139,10 @@ LiloUpdate() {
if ! echo "${line}" | grep -q "password"; then
echo "${line}" >> /etc/lilo.conf
fi
- done < /etc/secure.tmp
+ done < /tmp/secure.tmp
- rm -f /etc/secure.tmp
+ rm -f /tmp/secure.tmp
+ clear
AddRules "password=$PASSWORD" /etc/lilo.conf
fi
}
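Review bot: Moving the scratch copy of lilo.conf from /etc/secure.tmp to the fixed name /tmp/secure.tmp (the `done <` and `rm -f` lines) places a root-written, root-read file under a predictable name in a world-writable directory, so a pre-existing file or symlink at that path can influence what is appended to /etc/lilo.conf or what `rm -f` removes. Create it with `mktemp` where the file is written (outside this hunk), e.g. `tmp=$(mktemp /tmp/secure.XXXXXX) || exit 1`, and use `done < "$tmp"` and `rm -f -- "$tmp"` here, with `trap 'rm -f -- "$tmp"' EXIT` so it is removed on any exit. The `clear` added after `rm -f` also wipes any diagnostics the loop printed, so report the outcome before clearing. LiloUpdate's body continues outside the hunk in both directions.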