aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--man/C/mseclib.3217
1 files changed, 217 insertions, 0 deletions
diff --git a/man/C/mseclib.3 b/man/C/mseclib.3
new file mode 100644
index 0000000..d86d9fd
--- /dev/null
+++ b/man/C/mseclib.3
@@ -0,0 +1,217 @@
+.ds q \N'34'
+.TH mseclib 3 V0 msec "Mandrakelinux"
+.SH NAME
+mseclib
+.SH SYNOPSIS
+.nf
+.B from mseclib import *
+.B function1(yes)
+.B function2(ignore)
+.fi
+.SH DESCRIPTION
+.B mseclib
+is a python library to access the function used by the msec program. This functions can be used
+in /etc/security/msec/level.local to override the behaviour of the msec program or in standalone
+scripts. The first argument of the functions takes a value of 1 or 0 or -1 (or yes/no/ignore)
+except when specified otherwise.
+
+.TP 4
+.B \fIaccept_bogus_error_responses(arg)\fP
+Accept/Refuse bogus IPv4 error messages.
+
+.TP 4
+.B \fIaccept_broadcasted_icmp_echo(arg)\fP
+ Accept/Refuse broadcasted icmp echo.
+
+.TP 4
+.B \fIaccept_icmp_echo(arg)\fP
+ Accept/Refuse icmp echo.
+
+.TP 4
+.B \fIallow_autologin(arg)\fP
+Allow/Forbid autologin.
+
+.TP 4
+.B \fIallow_issues(arg)\fP
+If \fIarg\fP = ALL allow /etc/issue and /etc/issue.net to exist. If \fIarg\fP = NONE no issues are
+allowed else only /etc/issue is allowed.
+
+.TP 4
+.B \fIallow_reboot(arg)\fP
+Allow/Forbid reboot by the console user.
+
+.TP 4
+.B \fIallow_remote_root_login(arg)\fP
+Allow/Forbid remote root login.
+
+.TP 4
+.B \fIallow_root_login(arg)\fP
+Allow/Forbid direct root login.
+
+.TP 4
+.B \fIallow_user_list(arg)\fP
+Allow/Forbid the list of users on the system on display managers (kdm and gdm).
+
+.TP 4
+.B \fIallow_x_connections(arg, listen_tcp=None)\fP
+Allow/Forbid X connections. First arg specifies what is done
+on the client side: ALL (all connections are allowed), LOCAL (only
+local connection) and NONE (no connection).
+
+.TP 4
+.B \fIallow_xauth_from_root(arg)\fP
+llow/forbid to export display when passing from the root account
+to the other users. See pam_xauth(8) for more details.
+
+.TP 4
+.B \fIallow_xserver_to_listen(arg)\fP
+The argument specifies if clients are authorized to connect
+to the X server on the tcp port 6000 or not.
+
+.TP 4
+.B \fIauthorize_services(arg)\fP
+Authorize all services controlled by tcp_wrappers (see hosts.deny(5)) if \fIarg\fP = ALL. Only local ones
+if \fIarg\fP = LOCAL and none if \fIarg\fP = NONE. To authorize the services you need, use /etc/hosts.allow
+(see hosts.allow(5)).
+
+.TP 4
+.B \fIcreate_server_link()\fP
+If SERVER_LEVEL (or SECURE_LEVEL if absent) is greater than 3
+in /etc/security/msec/security.conf, creates the symlink /etc/security/msec/server
+to point to /etc/security/msec/server.<SERVER_LEVEL>. The /etc/security/msec/server
+is used by chkconfig --add to decide to add a service if it is present in the file
+during the installation of packages.
+
+.TP 4
+.B \fIenable_at_crontab(arg)\fP
+Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow
+(see man at(1) and crontab(1)).
+
+.TP 4
+.B \fIenable_console_log(arg, expr='*.*', dev='tty12')\fP
+Enable/Disable syslog reports to console 12. \fIexpr\fP is the
+expression describing what to log (see syslog.conf(5) for more details) and
+dev the device to report the log.
+
+.TP 4
+.B \fIenable_dns_spoofing_protection(arg, alert=1)\fP
+Enable/Disable name resolution spoofing protection. If
+\fIalert\fP is true, also reports to syslog.
+
+.TP 4
+.B \fIenable_ip_spoofing_protection(arg, alert=1)\fP
+Enable/Disable IP spoofing protection.
+
+.TP 4
+.B \fIenable_libsafe(arg)\fP
+Enable/Disable libsafe if libsafe is found on the system.
+
+.TP 4
+.B \fIenable_log_strange_packets(arg)\fP
+Enable/Disable the logging of IPv4 strange packets.
+
+.TP 4
+.B \fIenable_msec_cron(arg)\fP
+Enable/Disable msec hourly security check.
+
+.TP 4
+.B \fIenable_pam_wheel_for_su(arg)\fP
+ Enabling su only from members of the wheel group or allow su from any user.
+
+.TP 4
+.B \fIenable_password(arg)\fP
+Use password to authenticate users.
+
+.TP 4
+.B \fIenable_promisc_check(arg)\fP
+Activate/Disable ethernet cards promiscuity check.
+
+.TP 4
+.B \fIenable_security_check(arg)\fP
+ Activate/Disable daily security check.
+
+.TP 4
+.B \fIenable_sulogin(arg)\fP
+ Enable/Disable sulogin(8) in single user level.
+
+.TP 4
+.B \fIno_password_aging_for(name)\fP
+Add the name as an exception to the handling of password aging by msec.
+Name must be put between '. Msec will then no more manage password aging for
+name so you have to use chage(1) to manage it by hand.
+
+.TP 4
+.B \fIpassword_aging(max, inactive=-1)\fP
+Set password aging to \fImax\fP days and delay to change to \fIinactive\fP.
+
+.TP 4
+.B \fIpassword_history(arg)\fP
+Set the password history length to prevent password reuse.
+
+.TP 4
+.B \fIpassword_length(length, ndigits=0, nupper=0)\fP
+Set the password minimum length and minimum number of digit and minimum number of capitalized letters.
+
+.TP 4
+.B \fIset_root_umask(umask)\fP
+Set the root umask.
+
+.TP 4
+.B \fIset_security_conf(var, value)\fP
+Set the variable \fIvar\fP to the value \fIvalue\fP in /var/lib/msec/security.conf.
+The best way to override the default setting is to use create /etc/security/msec/security.conf
+with the value you want. These settings are used to configure the daily check run each night.
+
+The following variables are currentrly recognized by msec:
+
+CHECK_UNOWNED if set to yes, report unowned files.
+
+CHECK_SHADOW if set to yes, check empty password in /etc/shadow.
+
+CHECK_SUID_MD5 if set to yes, verify checksum of the suid/sgid files.
+
+CHECK_SECURITY if set to yes, run the daily security checks.
+
+CHECK_PASSWD if set to yes, check for empty passwords, for no password in /etc/shadow and for users with the 0 id other than root.
+
+SYSLOG_WARN if set to yes, report check result to syslog.
+
+CHECK_SUID_ROOT if set to yes, check additions/removals of suid root files.
+
+CHECK_PERMS if set to yes, check permissions of files in the users' home.
+
+CHKROOTKIT_CHECK if set to yes, run chkrootkit checks.
+
+CHECK_PROMISC if set to yes, check if the network devices are in promiscuous mode.
+
+RPM_CHECK if set to yes, run some checks against the rpm database.
+
+TTY_WARN if set to yes, reports check result to tty.
+
+CHECK_WRITABLE if set to yes, check files/directories writable by everybody.
+
+MAIL_WARN if set to yes, report check result by mail.
+
+MAIL_USER if set, send the mail report to this email address else send it to root.
+
+CHECK_OPEN_PORT if set to yes, check open ports.
+
+CHECK_SGID if set to yes, check additions/removals of sgid files.
+
+
+.TP 4
+.B \fIset_shell_history_size(size)\fP
+Set shell commands history size. A value of -1 means unlimited.
+
+.TP 4
+.B \fIset_shell_timeout(val)\fP
+Set the shell timeout. A value of zero means no timeout.
+
+.TP 4
+.B \fIset_user_umask(umask)\fP
+Set the user umask.
+.RE
+.SH "SEE ALSO"
+msec(8)
+.SH AUTHORS
+Frederic Lepied <flepied@mandrakesoft.com>