Diffstat (limited to 'init-sh')
-rwxr-xr-xinit-sh/file_perm.sh19
-rwxr-xr-xinit-sh/grpuser152
-rwxr-xr-xinit-sh/init.sh19
-rwxr-xr-xinit-sh/level1.sh49
-rwxr-xr-xinit-sh/level2.sh57
-rwxr-xr-xinit-sh/level3.sh60
-rwxr-xr-xinit-sh/level4.sh67
-rwxr-xr-xinit-sh/level5.sh96
-rw-r--r--init-sh/lib.sh175
-rw-r--r--init-sh/perm.171
-rw-r--r--init-sh/perm.272
-rw-r--r--init-sh/perm.368
-rw-r--r--init-sh/perm.472
-rw-r--r--init-sh/perm.567
-rw-r--r--init-sh/server.46
-rw-r--r--init-sh/server.56
16 files changed, 1056 insertions, 0 deletions
diff --git a/init-sh/file_perm.sh b/init-sh/file_perm.sh
new file mode 100755
index 0000000..9f76791
--- /dev/null
+++ b/init-sh/file_perm.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+IFS="
+"
+
+for line in `cat /$1`; do
+ file=`echo ${line} | awk '{print $1}'`
+ owner=`echo ${line} | awk '{print $2}'`
+ perm=`echo ${line} | awk '{print $3}'`
+
+ if [ -a "${file}" ]; then
+ if [ ${owner} != "current" ]; then
+ chown ${owner} ${file}
+ fi
+ chmod ${perm} ${file}
+ fi
+done
+
+
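Review bot: The `[ -a "${file}" ]` test is run on the quoted field, so every perm.N entry written as a glob (`/dev/audio*`, `/home/*`, `/usr/bin/*`) is tested as a literal path, does not exist and is silently skipped; only the plain-path entries are ever applied. IFS is already set to newline at the top, so expanding `${file}` unquoted in an inner loop performs only the glob expansion and lets each match be tested and changed on its own, while `${owner}` and `${perm}` should be quoted where they are compared and passed on. `cat /$1` prefixes the argument with `/`, which only works because init.sh hands over an absolute path. chown and chmod both follow symbolic links, so a matched entry that is a link changes its target; `chown -h` keeps the ownership change on the link itself.
```shell
for line in `cat /$1`; do
# … unchanged: awk extraction of file, owner and perm …
 for target in ${file}; do   # unquoted on purpose: entries may be globs; IFS is newline, so no word-splitting
   if [ -e "${target}" ]; then
     if [ "${owner}" != "current" ]; then
       chown -h "${owner}" "${target}"
     fi
     chmod "${perm}" "${target}"
   fi
 done
done
```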
diff --git a/init-sh/grpuser b/init-sh/grpuser
new file mode 100755
index 0000000..408e384
--- /dev/null
+++ b/init-sh/grpuser
@@ -0,0 +1,152 @@
+#!/bin/sh
+
+#
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+# Thanks to Francis Galiegue.
+#
+
+file="group"
+group_line=""
+new_group_line=""
+group_name=$2
+user_name=$3
+
+Usage() {
+ echo "Usage :"
+ echo " --add [ groupname ] [ username ] ---> Add an user to a group."
+ echo " --del [ groupname ] [ username ] ---> Delete an user from a group."
+}
+
+ModifyFile() {
+ mv /etc/${file} /tmp/${file}.old
+
+ head -$((group_line_number - 1)) /tmp/${file}.old > /etc/${file}
+ echo "${new_group_line}" >> /etc/${file}
+ tail +$((group_line_number + 1)) /tmp/${file}.old >> /etc/${file}
+
+ rm -f /tmp/${file}.old
+}
+
+RemoveUserFromGroup() {
+ new_group_line=${group}`echo ${group_users} |
+ sed -e s/,${user_name}$//g -e s/${user_name},//g -e s/${user_name}$//g`
+}
+
+AppendUserToGroup() {
+ if [ -z "${group_users}" ]; then
+ new_group_line=${group_line}${user_name}
+ else
+ new_group_line=${group_line}",${user_name}"
+ fi
+}
+
+IsUserAlreadyInGroup() {
+ if echo "${group_users}" | grep -qw "${user_name}"; then
+ return 1
+ fi
+
+ return 0
+}
+
+IsGroupExisting() {
+ group_line=""
+ group_line_number=""
+
+ # We get some group infos as well, will be used later
+ tmp=`grep -n "^${group_name}:" /etc/${file} | tr -d " "`
+
+ group_line_number=`echo ${tmp} | awk -F: '{print $1}'`
+ group=`echo ${tmp} | awk -F: '{print $2":"$3":"$4":"}'`
+ group_users=`echo ${tmp} | awk -F: '{print $5}'`
+ group_line=`echo ${tmp} | awk -F: '{print $2":"$3":"$4":"$5}'`
+
+ [ -z "${tmp}" ] && return 0
+ return 1
+}
+
+IsUserExisting() {
+ grep -qn "^${user_name}:" /etc/passwd
+ if [ $? == 0 ]; then
+ return 0;
+ fi
+
+ return 1;
+}
+
+Add() {
+ IsGroupExisting;
+ if [ $? == 0 ]; then
+ echo "Sorry, group \"${group_name}\" does not exist."
+ echo "Please create it using the \"groupadd\" command."
+ exit 1
+ fi
+
+ IsUserExisting;
+ if [ $? == 1 ]; then
+ echo "Sorry, user \"${user_name}\" does not exist."
+ exit 1
+ fi
+
+ IsUserAlreadyInGroup;
+ if [ $? == 1 ]; then
+ echo "Sorry, user \"${user_name}\" is already in group \"${group_name}\"."
+ exit 1
+ fi
+
+ AppendUserToGroup;
+ ModifyFile;
+
+ exit 0
+}
+
+Del() {
+ IsGroupExisting;
+ if [ $? == 0 ]; then
+ echo "Sorry, group \"${group_name}\" does not exist."
+ exit 1
+ fi
+
+ IsUserAlreadyInGroup;
+ if [ $? == 0 ]; then
+ echo "Sorry, user \"${user_name}\" is not in group \"${group_name}\"."
+ exit 1
+ fi
+
+ RemoveUserFromGroup;
+ ModifyFile;
+
+ exit 0
+}
+
+Perm() {
+ if [ ! -w /etc/${file} ]; then
+ echo "You're not allowed to write to /etc/group..."
+ exit 1
+ fi
+}
+
+if [ $# == 3 ]; then
+ case $1 in
+ "--add")
+ Perm;
+ Add;
+ exit 0
+ ;;
+ "--del")
+ Perm;
+ Del;
+ exit 0
+ ;;
+ esac
+ Usage;
+ exit 0
+else
+ Usage;
+fi
+
+
+
+
+
+
+
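Review bot: ModifyFile moves /etc/group to the fixed name /tmp/group.old and recreates /etc/group by redirection, so while the rewrite runs there is no /etc/group at all, the new file gets whatever umask the caller has instead of the original mode (level5.sh writes `umask 077` into /etc/profile, which would leave /etc/group unreadable to ordinary users' name lookups), and a copy of a system file sits under a predictable name in a world-writable directory. Assembling the new content in a file created with `mktemp` next to /etc/group, setting its mode explicitly and renaming it over /etc/group keeps the replacement atomic and the mode fixed. `head -N` and `tail +N` are the obsolete forms; `head -n N` and `tail -n +N` are the POSIX spellings. RemoveUserFromGroup interpolates `${user_name}` unquoted into sed regular expressions, so a name containing `.` matches more than intended, and Del() never calls IsUserExisting the way Add() does.
```shell
ModifyFile() {
	tmp=`mktemp "/etc/${file}.XXXXXX"` || exit 1
	head -n $((group_line_number - 1)) "/etc/${file}" > "${tmp}"
	echo "${new_group_line}" >> "${tmp}"
	tail -n +$((group_line_number + 1)) "/etc/${file}" >> "${tmp}"
	chmod 644 "${tmp}"    # /etc/group must stay world-readable whatever the caller's umask is
	mv -f "${tmp}" "/etc/${file}"
}
```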
diff --git a/init-sh/init.sh b/init-sh/init.sh
new file mode 100755
index 0000000..4e89cb9
--- /dev/null
+++ b/init-sh/init.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+if [ -z $1 ]; then
+ echo "Usage : $0 [0-5]"
+ exit 1
+fi
+
+
+if [ -f /etc/security/msec/init-sh/level$1.sh ]; then
+ /etc/security/msec/init-sh/level$1.sh
+ if [ -f /etc/security/msec/init-sh/perm.$1 ]; then
+ /etc/security/msec/init-sh/file_perm.sh /etc/security/msec/init-sh/perm.$1
+ else
+ echo "Couldn't find the default permissions for level $1."
+ fi
+else
+ echo "Security level $1 not availlable..."
+fi
+
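Review bot: `$1` is only tested for being empty and is then spliced into the path of the script that gets executed and into the permissions file name, although the usage line promises `[0-5]`; anything else either falls through to the "not availlable" message or, if a file of that name happens to exist, is executed. Validating up front with `case "$1" in [0-5]) ;; *) echo "Usage : $0 [0-5]"; exit 1 ;; esac` replaces the `[ -z $1 ]` line, which is unquoted and only gives the right answer for the no-argument case because `[ -z ]` with no operand happens to be true. The exit status of `level$1.sh` is not checked before file_perm.sh runs, so the permissions are applied even when the level script stopped because lib.sh was missing; `/etc/security/msec/init-sh/level$1.sh || exit 1` would stop that. The message should read `available`.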
diff --git a/init-sh/level1.sh b/init-sh/level1.sh
new file mode 100755
index 0000000..acd0622
--- /dev/null
+++ b/init-sh/level1.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+ . /etc/security/msec/init-sh/lib.sh
+else
+ exit 1
+fi
+
+# login as root on console granted...
+AddRules "tty1" /etc/securetty
+AddRules "tty2" /etc/securetty
+AddRules "tty3" /etc/securetty
+AddRules "tty4" /etc/securetty
+AddRules "tty5" /etc/securetty
+AddRules "tty6" /etc/securetty
+
+# Suid Check
+AddRules "CHECK_SUID=no" /etc/security/msec/security.conf
+AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf
+AddRules "TTY_WARN=no" /etc/security/msec/security.conf
+AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
+
+# umask
+AddRules "umask 022" /etc/profile
+
+# Group
+usermod -G audio "${USERNAME}"
+
+# For X auth :
+xhost + localhost 2>&1 >& /dev/null
+
+# lilo update
+lilo
+
+# Path
+if [ ${HAVE_X}==1 ]; then
+ AddRules "PATH=$PATH:/usr/X11R6/bin:." /etc/profile
+else
+ AddRUles "PATH=$PATH:." /etc/profile
+fi
+
+
+
+
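Review bot: `[ ${HAVE_X}==1 ]` has no spaces around `==`, so the test sees the single non-empty string `1==1` or `0==1` and is always true; the else branch (whose `AddRUles` is also misspelled) never runs and the X path is appended on machines without X. The same test appears in level2.sh, level3.sh, level4.sh and twice in level5.sh; `if [ "${HAVE_X}" = 1 ]; then` fixes all of them. Because the argument is double-quoted, `$PATH` is expanded when this script runs, so the line written to /etc/profile is the invoking root shell's PATH spelled out literally (with `.` appended at this level) rather than a reference to the login shell's own PATH; a comment should say whether that is intended.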
diff --git a/init-sh/level2.sh b/init-sh/level2.sh
new file mode 100755
index 0000000..8d20ea1
--- /dev/null
+++ b/init-sh/level2.sh
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+ . /etc/security/msec/init-sh/lib.sh
+else
+ exit 1
+fi
+
+# login as root on console granted...
+AddRules "tty1" /etc/securetty
+AddRules "tty2" /etc/securetty
+AddRules "tty3" /etc/securetty
+AddRules "tty4" /etc/securetty
+AddRules "tty5" /etc/securetty
+AddRules "tty6" /etc/securetty
+
+# Suid Check
+AddRules "CHECK_SUID=yes" /etc/security/msec/security.conf
+AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf
+AddRules "TTY_WARN=no" /etc/security/msec/security.conf
+AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
+
+# Permissions
+AddRules "umask 002" /etc/profile
+
+# Group
+usermod -G audio ${USERNAME} >& /dev/null
+
+# For X auth :
+xhost + localhost 2>&1 >& /dev/null
+
+# lilo update
+/sbin/lilo
+
+# Path
+if [ ${HAVE_X}==1 ]; then
+ AddRules "PATH=$PATH:/usr/X11R6/bin" /etc/profile
+else
+ AddRules "PATH=$PATH" /etc/profile
+fi
+
+
+
+
+
+
+
+
+
+
+
+
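Review bot: `usermod -G audio ${USERNAME}` replaces the user's entire supplementary group list with `audio` alone, so any other group membership that user had is dropped; level1.sh has the same call. If the intent is only to add the user to audio, the repository's own grpuser script (`/etc/security/msec/init-sh/grpuser --add audio "${USERNAME}"`) edits just that group, and lib.sh already uses it for the reverse operation. The `${USERNAME}` expansion should also be quoted, as level1.sh does.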
diff --git a/init-sh/level3.sh b/init-sh/level3.sh
new file mode 100755
index 0000000..400305a
--- /dev/null
+++ b/init-sh/level3.sh
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+ . /etc/security/msec/init-sh/lib.sh
+else
+ exit 1
+fi
+
+# All events logged on tty12
+AddRules "*.* /dev/tty12" /etc/syslog.conf
+
+# login as root from the console allowed
+AddRules "tty1" /etc/securetty
+AddRules "tty2" /etc/securetty
+AddRules "tty3" /etc/securetty
+AddRules "tty4" /etc/securetty
+AddRules "tty5" /etc/securetty
+AddRules "tty6" /etc/securetty
+
+# Suid Check
+AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
+AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
+AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf
+AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
+AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf
+AddRules "TTY_WARN=no" /etc/security/msec/security.conf
+AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
+
+# Crontab
+AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+
+
+# Permissions
+AddRules "umask 022" /etc/profile
+
+/sbin/lilo
+
+
+# Path
+if [ ${HAVE_X}==1 ]; then
+ AddRules "PATH=$PATH:/usr/X11R6/bin"
+fi
+
+
+
+
+
+
+
+
+
+
+
+
+
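Review bot: `AddRules "PATH=$PATH:/usr/X11R6/bin"` is missing its second argument, so inside AddRules `file` is empty: `grep -qx` then waits on standard input instead of reading a file and the `>> ${file}` redirections have no target, and since the HAVE_X test is the always-true form noted on level1.sh this line is reached on every run. It should read `AddRules "PATH=$PATH:/usr/X11R6/bin" /etc/profile`, as in level2.sh and level4.sh.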
diff --git a/init-sh/level4.sh b/init-sh/level4.sh
new file mode 100755
index 0000000..283817a
--- /dev/null
+++ b/init-sh/level4.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+
+if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+ . /etc/security/msec/init-sh/lib.sh
+else
+ exit 1
+fi
+
+# Log in append only mode
+chattr +a /var/log/*
+
+# All events logged on tty12
+AddRules "*.* /dev/tty12" /etc/syslog.conf
+
+# Prevent all kind of connection except from localhost
+AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny
+
+# Login as root on the console allowed :
+AddRules "tty1" /etc/securetty
+AddRules "tty2" /etc/securetty
+AddRules "tty3" /etc/securetty
+AddRules "tty4" /etc/securetty
+AddRules "tty5" /etc/securetty
+AddRules "tty6" /etc/securetty
+
+# Suid check
+AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
+AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
+AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf
+AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
+AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf
+AddRules "TTY_WARN=yes" /etc/security/msec/security.conf
+AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
+
+# Check every 1 minutes for promisc problem
+AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab
+AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+
+# Do you want a password ?
+LiloUpdate;
+/sbin/lilo
+
+# Permissions
+AddRules "umask 022" /etc/profile
+
+# Path
+
+if [ ${HAVE_X}==1 ]; then
+ AddRules "PATH=$PATH:/usr/X11R6/bin" /etc/profile
+fi
+
+
+
+
+
+
+
+
+
+
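Review bot: `chattr +a /var/log/*` makes every file directly under /var/log append-only, which also refuses renames and truncation of those files, so any rotation scheme that renames or truncates them presumably stops working; nothing in lib.sh or in the lower-level scripts removes the attribute again, so dropping back to level 1-3 leaves the logs in that state (level5.sh has the same line). A comment on the line stating both consequences, and a `chattr -a` in whatever path undoes a level, would make this explicit. Because the glob is expanded once, files created later in /var/log and files in its subdirectories are not covered, so the protection is partial and should be described as such.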
diff --git a/init-sh/level5.sh b/init-sh/level5.sh
new file mode 100755
index 0000000..f2b7a55
--- /dev/null
+++ b/init-sh/level5.sh
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+ . /etc/security/msec/init-sh/lib.sh
+fi
+
+chattr +a /var/log/*
+
+# All events logged on tty12
+AddRules "*.* /dev/tty12" /etc/syslog.conf
+
+# Prevent all kind of connection
+AddRules "ALL:ALL:DENY" /etc/hosts.deny
+
+# No login as root
+AddRules "" /etc/securetty
+
+# Suid check
+AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
+AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
+AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf
+AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
+AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf
+AddRules "TTY_WARN=yes" /etc/security/msec/security.conf
+AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
+
+# Check every 1 minutes for promisc problem
+AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab
+AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+
+
+# Wanna a password ?
+LiloUpdate;
+/sbin/lilo
+
+# Disable all server :
+IFS="
+"
+
+for service in `chkconfig --list | awk '{print $1}'`; do
+ if [ "${service}" == "xfs" ]; then
+ if [ ${HAVE_X}==1 ]; then
+ continue;
+ fi
+ fi
+
+ if [ "${service}" == "network" ]; then continue; fi
+ if [ "${service}" == "keytable" ]; then continue; fi
+ if [ "${service}" == "crond" ]; then continue; fi
+ if [ "${service}" == "gpm" ]; then continue; fi
+ if [ "${service}" == "syslog" ]; then continue; fi
+
+
+ chkconfig --del "${service}"
+done
+
+# Permissions
+AddRules "umask 077" /etc/profile
+
+# Path
+if [ ${HAVE_X}==1 ]; then
+ AddRules "PATH=$PATH:/usr/X11R6/bin" /etc/profile
+fi
+
+echo
+echo "You are now running your system in security level 5,"
+echo "All services are disabled : try the chkconfig to enable one..."
+echo "If you're on a senssible machine, ( which is probably the case )"
+echo "you should compile the server from the sources".
+echo
+echo "Good luck. :-)"
+echo
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
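Review bot: The lib.sh check at the top lacks the `else exit 1` that level1.sh through level4.sh have, so if lib.sh is absent this script keeps going with AddRules and LiloUpdate undefined and still reaches the loop that runs `chkconfig --del` on every service. The list of services kept (network, keytable, crond, gpm, syslog, xfs) is hard-coded here and duplicated in the new server.5 file, which nothing in this commit reads; a single `grep -qx "${service}" /etc/security/msec/init-sh/server.5 && continue` would leave one place to maintain. The two `[ ${HAVE_X}==1 ]` tests are the always-true form noted on level1.sh, so xfs is always kept. Depending on the chkconfig version, `chkconfig --list` also prints section headers and xinetd entries, and `$1` of each of those lines is then passed to `chkconfig --del` as if it were a service name.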
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
new file mode 100644
index 0000000..a48c945
--- /dev/null
+++ b/init-sh/lib.sh
@@ -0,0 +1,175 @@
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+# Need root access
+if [ $UID != 0 ]; then
+ echo "You need to be root in order to change secure level."
+ exit 1
+fi
+
+# To avoid error, while new initscript package isn't released...
+touch /etc/rc.d/rc.firewall
+
+# If we are currently installing our
+# system with DrakX, we don't ask anything to the user...
+# Instead, DrakX do it and give us a file with some variable.
+if [ -f /tmp/secure.DrakX ]; then
+ . /tmp/secure.DrakX
+fi
+
+if [ -f /etc/security/msec/security.conf ]; then
+ . /etc/security/msec/security.conf
+fi
+
+if rpm -q XFree86 2>&1 > /dev/null; then
+ HAVE_X=1
+else
+ HAVE_X=0
+fi
+
+USERNAME="blah"
+COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too."
+
+AddRules () {
+ string=$1
+ file=$2
+
+ if [ -z "${string}" ]; then
+ return;
+ fi
+
+ if ! grep -qx "${string}" ${file}; then
+ echo "${COMMENT}" >> ${file};
+ echo "${string}" >> ${file};
+ fi
+}
+
+CleanRules() {
+ file=$1
+ ctrl=0
+
+ mv -f ${file} /tmp/secure.tmp
+ touch ${file}
+
+ while read line; do
+ if [ ${ctrl} == 1 ]; then
+ ctrl=0
+ continue;
+ fi
+
+ if echo "${line}" | grep -qx "${COMMENT}"; then
+ ctrl=1
+ fi
+
+ if [ ${ctrl} == 0 ]; then
+ echo "${line}" >> ${file}
+ fi
+ done < /tmp/secure.tmp
+
+ rm -f /tmp/secure.tmp
+
+}
+
+CommentUserRules() {
+ file=$1
+
+ mv -f ${file} /tmp/secure.tmp
+ touch ${file}
+
+ while read line; do
+ if ! echo "${line}" | grep -qE "^#"; then
+ echo "# ${line}" >> ${file}
+ fi
+ done < /tmp/secure.tmp
+
+ rm -f /tmp/secure.tmp
+}
+
+Syslog() {
+ if [ "${SYS_LOG}" == "yes" ]; then
+ /sbin/initlog --string=${1}
+ fi
+}
+
+Ttylog() {
+ if [ "${TTY_LOG}" == "yes" ]; then
+ for i in `w | grep -v "load\|TTY" | awk '{print $2}'` ; do
+ echo -e ${1} > /dev/$i
+ done
+ fi
+}
+
+
+LiloUpdate() {
+ if [ ! -f /tmp/secure.DrakX ]; then
+ echo "Do you want a password authentication at boot time ?"
+ echo "Be very carefull,"
+ echo "this will prevent your server to reboot without an operator to enter password".
+ echo -n "[yes]/no : "
+ read answer
+ if [[ "${answer}" == "yes" || "${answer}" == "" ]]; then
+ echo -n "Please enter the password which will be used at boot time : "
+ read password
+ else
+ password=""
+ fi
+ else
+ password=${DRAKX_PASSWORD}
+ fi
+
+ if [ ! -z "${password}" ]; then
+ mv /etc/lilo.conf /tmp/secure.tmp
+ while read line; do
+ if ! echo "${line}" | grep -q "password"; then
+ echo "${line}" >> /etc/lilo.conf
+ fi
+ done < /etc/secure.tmp
+
+ rm -f /etc/secure.tmp
+ AddRules "password=$PASSWORD" /etc/lilo.conf
+ fi
+}
+
+
+CleanRules /etc/syslog.conf
+
+CleanRules /etc/hosts.deny
+CommentUserRules /etc/hosts.deny
+
+CleanRules /etc/hosts.allow
+CommentUserRules /etc/hosts.allow
+
+CleanRules /etc/securetty
+CommentUserRules /etc/securetty
+
+CleanRules /etc/security/msec/security.conf
+CommentUserRules /etc/security/msec/security.conf
+
+CleanRules /etc/profile
+CleanRules /etc/lilo.conf
+CleanRules /etc/rc.d/rc.firewall
+CleanRules /etc/crontab
+
+
+# For all secure level
+AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall
+
+# default group which must exist on the system
+groupadd audio >& /dev/null
+groupadd xgrp >& /dev/null
+usermod -G xgrp xfs
+
+if ! /etc/security/msec/init-sh/grpuser --del audio "${USERNAME}"; then
+ echo "Problem removing user \"${USERNAME}\" from group audio."
+fi
+
+
+
+
+
+
+
+
+
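Review bot: LiloUpdate moves /etc/lilo.conf to /tmp/secure.tmp but then reads it back from `/etc/secure.tmp` and removes that same wrong path, so whenever a password is given the original lilo.conf content is never written back, and the line it appends uses `$PASSWORD` while the value read from the user or from DRAKX_PASSWORD is in `password`, so what lands in the file is an empty `password=`. The three lines to change are `done < /tmp/secure.tmp`, `rm -f /tmp/secure.tmp` and `AddRules "password=${password}" /etc/lilo.conf`, and `read -s password` would keep the typed password off the terminal. The `while read line` loops in CleanRules, CommentUserRules and LiloUpdate rewrite /etc/profile, /etc/lilo.conf, /etc/crontab and the others with backslashes interpreted and leading whitespace stripped; `while IFS= read -r line` keeps each line byte-identical. `USERNAME="blah"` is assigned unconditionally after /tmp/secure.DrakX and security.conf have been sourced, so any USERNAME they provided is overridden and the grpuser call at the bottom, like the usermod calls in the level scripts, acts on a literal user "blah". CleanRules and CommentUserRules also park each config file under the fixed name /tmp/secure.tmp while it is rebuilt, so an interrupted run leaves /etc without that file; a `mktemp` file beside the original, renamed into place at the end, avoids both the fixed name and the gap.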
diff --git a/init-sh/perm.1 b/init-sh/perm.1
new file mode 100644
index 0000000..c63483a
--- /dev/null
+++ b/init-sh/perm.1
@@ -0,0 +1,71 @@
+#
+#
+# - Group for X user
+# - Group for audio user
+# - Group for dialout user
+# - Group for video user
+# Directories /
+# Welcome in Level 1
+###
+
+/bin root.root 755
+/boot root.root 755
+/dev root.root 755
+/dev/audio* root.audio 660
+/dev/dsp* root.audio 660
+/etc/ root.root 755
+/etc/cron.daily/ root.root 755
+/etc/cron.hourly/ root.root 755
+/etc/cron.monthly/ root.root 755
+/etc/cron.weekly/ root.root 755
+/etc/dhcpcd/ root.root 755
+/etc/init.d/ root.root 755
+/etc/profile root.root 644
+/home/ root.root 755
+/home/* current 755
+/lib root.root 755
+/mnt root.root 755
+/root root.root 755
+/sbin root.root 755
+/tmp root.root 1777
+/usr root.root 755
+/usr/* root.root 755
+/usr/X11R6/ root.root 755
+/usr/bin/ root.root 755
+/usr/bin/* root.root 755
+/usr/sbin/ root.root 755
+/var root.root 755
+
+/etc/conf.modules root.root 644
+/etc/crontab root.root 644
+/etc/esd.conf root.root 644
+/etc/ftpaccess root.root 644
+/etc/ftpconversions root.root 644
+/etc/ftpgroups root.root 644
+/etc/ftphosts root.root 644
+/etc/ftpusers root.root 644
+/etc/gettydefs root.root 644
+/etc/hosts.allow root.root 644
+/etc/hosts.deny root.root 644
+/etc/hosts.equiv root.root 644
+/etc/inetd.conf root.root 644
+/etc/inittab root.root 644
+/etc/ld.so.conf root.root 644
+/etc/lilo.conf root.root 644
+/etc/modules.conf root.root 644
+/etc/motd root.root 644
+/etc/printcap root.root 644
+/etc/rc.d/ root.root 755
+/etc/securetty root.root 644
+/etc/sendmail.cf root.root 644
+/etc/ssh_config root.root 644
+/etc/ssh_host_key root.root 644
+/etc/ssh_host_key.pub root.root 644
+/etc/sshd_config root.root 644
+/etc/syslog.conf root.root 644
+/etc/updatedb.conf root.root 644
+
+
+
+
+
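Review bot: `/etc/ssh_host_key root.root 644` makes the host's private SSH key world-readable at levels 1 to 3 (perm.2 and perm.3 carry the same line); it should be `600` as in perm.5 whatever the level, the `.pub` entry on the next line being the one meant to be readable. `/usr/bin/* root.root 755` will, once file_perm.sh applies glob entries, set every file in /usr/bin to exactly 0755, and a three-digit numeric mode clears the set-uid and set-gid bits of regular files, which disables programs such as passwd and su for ordinary users; the set-uid programs need their own entries with the intended mode, or a symbolic mode that leaves those bits alone. A header comment stating that entries are applied in file order and that a later entry overrides an earlier glob would make such exceptions easier to maintain.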
diff --git a/init-sh/perm.2 b/init-sh/perm.2
new file mode 100644
index 0000000..dcaf293
--- /dev/null
+++ b/init-sh/perm.2
@@ -0,0 +1,72 @@
+#
+#
+# - Group for X user
+# - Group for audio user
+# - Group for dialout user
+# - Group for video user
+# Directories /
+# Welcome in Level 2
+###
+
+/bin root.root 755
+/boot root.root 755
+/dev root.root 755
+/dev/audio* root.audio 660
+/dev/dsp* root.audio 660
+/etc/ root.root 755
+/etc/cron.daily/ root.root 755
+/etc/cron.hourly/ root.root 755
+/etc/cron.monthly/ root.root 755
+/etc/cron.weekly/ root.root 755
+/etc/dhcpcd/ root.root 755
+/etc/init.d/ root.root 755
+/etc/profile root.root 644
+/home/ root.root 755
+/home/* current 755
+/lib root.root 755
+/mnt root.root 755
+/root root.root 700
+/sbin root.root 755
+/tmp root.root 1777
+/usr root.root 755
+/usr/* root.root 755
+/usr/X11R6/ root.root 755
+/usr/bin/ root.root 755
+/usr/bin/* root.root 755
+/usr/sbin/ root.root 755
+/var root.root 755
+
+/etc/conf.modules root.root 644
+/etc/crontab root.root 644
+/etc/esd.conf root.root 644
+/etc/ftpaccess root.root 644
+/etc/ftpconversions root.root 644
+/etc/ftpgroups root.root 644
+/etc/ftphosts root.root 644
+/etc/ftpusers root.root 644
+/etc/gettydefs root.root 644
+/etc/hosts.allow root.root 644
+/etc/hosts.deny root.root 644
+/etc/hosts.equiv root.root 644
+/etc/inetd.conf root.root 644
+/etc/inittab root.root 644
+/etc/ld.so.conf root.root 644
+/etc/lilo.conf root.root 644
+/etc/modules.conf root.root 644
+/etc/motd root.root 644
+/etc/printcap root.root 644
+/etc/rc.d/ root.root 755
+/etc/securetty root.root 644
+/etc/sendmail.cf root.root 644
+/etc/ssh_config root.root 644
+/etc/ssh_host_key root.root 644
+/etc/ssh_host_key.pub root.root 644
+/etc/sshd_config root.root 644
+/etc/syslog.conf root.root 644
+/etc/updatedb.conf root.root 644
+
+
+
+
+
+
diff --git a/init-sh/perm.3 b/init-sh/perm.3
new file mode 100644
index 0000000..94d12e7
--- /dev/null
+++ b/init-sh/perm.3
@@ -0,0 +1,68 @@
+#
+#
+# - Group for X user
+# - Group for audio user
+# - Group for dialout user
+# - Group for video user
+# Directories /
+# Welcome in Level 3
+###
+
+/bin root.root 755
+/boot root.root 755
+/dev root.root 755
+/dev/audio* root.audio 660
+/dev/dsp* root.audio 660
+/etc/ root.root 755
+/etc/cron.daily/ root.root 755
+/etc/cron.hourly/ root.root 755
+/etc/cron.monthly/ root.root 755
+/etc/cron.weekly/ root.root 755
+/etc/dhcpcd/ root.root 755
+/etc/init.d/ root.root 755
+/etc/profile root.root 644
+/home/ root.root 755
+/home/* current 700
+/lib root.root 755
+/mnt root.root 755
+/root root.root 700
+/sbin root.root 755
+/tmp root.root 1777
+/usr root.root 755
+/usr/* root.root 755
+/usr/X11R6/ root.root 755
+/usr/bin/ root.root 755
+/usr/bin/* root.root 755
+/usr/sbin/ root.root 755
+/var root.root 755
+
+/etc/conf.modules root.root 644
+/etc/crontab root.root 644
+/etc/esd.conf root.root 644
+/etc/ftpaccess root.root 644
+/etc/ftpconversions root.root 644
+/etc/ftpgroups root.root 644
+/etc/ftphosts root.root 644
+/etc/ftpusers root.root 644
+/etc/gettydefs root.root 644
+/etc/hosts.allow root.root 644
+/etc/hosts.deny root.root 644
+/etc/hosts.equiv root.root 644
+/etc/inetd.conf root.root 644
+/etc/inittab root.root 644
+/etc/ld.so.conf root.root 644
+/etc/lilo.conf root.root 644
+/etc/modules.conf root.root 644
+/etc/motd root.root 644
+/etc/printcap root.root 644
+/etc/rc.d/ root.root 755
+/etc/securetty root.root 644
+/etc/sendmail.cf root.root 644
+/etc/ssh_config root.root 644
+/etc/ssh_host_key root.root 644
+/etc/ssh_host_key.pub root.root 644
+/etc/sshd_config root.root 644
+/etc/syslog.conf root.root 644
+/etc/updatedb.conf root.root 644
+
+
diff --git a/init-sh/perm.4 b/init-sh/perm.4
new file mode 100644
index 0000000..8e422df
--- /dev/null
+++ b/init-sh/perm.4
@@ -0,0 +1,72 @@
+#
+#
+# - Group for X user
+# - Group for audio user
+# - Group for dialout user
+# - Group for video user
+# Welcome in Level 4, aka secure & usable.
+
+/bin root.root 711
+/boot root.root 700
+/dev root.root 711
+/dev/audio* root.audio 600
+/dev/dsp* root.audio 600
+/etc/ root.adm 711
+/etc/conf.modules root.adm 640
+/etc/cron.daily/ root.adm 750
+/etc/cron.hourly/ root.adm 750
+/etc/cron.monthly/ root.adm 750
+/etc/cron.weekly/ root.adm 750
+/etc/crontab root.adm 640
+/etc/dhcpcd/ root.adm 750
+/etc/dhcpcd/* root.adm 640
+/etc/esd.conf root.audio 640
+/etc/ftpaccess root.adm 640
+/etc/ftpconversions root.adm 640
+/etc/ftpgroups root.adm 640
+/etc/ftphosts root.adm 640
+/etc/ftpusers root.adm 640
+/etc/gettydefs root.adm 640
+/etc/hosts.allow root.adm 640
+/etc/hosts.deny root.adm 640
+/etc/hosts.equiv root.adm 640
+/etc/inetd.conf root.adm 640
+/etc/inittab root.adm 640
+/etc/ld.so.conf root.adm 640
+/etc/lilo.conf root.adm 640
+/etc/modules.conf root.adm 640
+/etc/motd root.adm 644
+/etc/printcap root.adm 640
+/etc/profile root.root 644
+/etc/rc.d/ root.adm 640
+/etc/securetty root.adm 640
+/etc/sendmail.cf root.adm 640
+/etc/ssh_config root.root 644
+/etc/ssh_host_key root.adm 640
+/etc/ssh_host_key.pub root.adm 644
+/etc/sshd_config root.adm 640
+/etc/syslog.conf root.adm 640
+/etc/updatedb.conf root.adm 640
+
+/home/ root.adm 751
+/home/* current 700
+/lib root.adm 751
+/mnt root.adm 750
+/root root.root 700
+/sbin root.adm 751
+/tmp root.root 1777
+/usr root.adm 751
+/usr/* root.adm 751
+/usr/X11R6/ root.xgrp 751
+/usr/bin/ root.adm 751
+/usr/bin/* root.root 755
+/usr/sbin/ root.adm 751
+/usr/sbin/* root.root 755
+/var root.root 755
+
+
+
+
+
+
+
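Review bot: `/etc/rc.d/ root.adm 640` gives a directory a mode with no execute bit, so nobody but root can traverse into /etc/rc.d (init.d and the rc*.d directories), while every other directory entry in this file keeps its execute bits; this looks like a typo for `750`, and perm.5's `/etc/rc.d/ root.root 600` likewise for `700`. `/etc/dhcpcd/* root.adm 640` is the only glob entry here that is applied after its parent directory, which is the order file_perm.sh needs; a comment on the header line saying entries are applied top to bottom would make that dependency visible.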
diff --git a/init-sh/perm.5 b/init-sh/perm.5
new file mode 100644
index 0000000..1965860
--- /dev/null
+++ b/init-sh/perm.5
@@ -0,0 +1,67 @@
+#
+#
+# - Group for X user
+# - Group for audio user
+# - Group for dialout user
+# - Group for video user
+# Welcome in Level 5, aka paranoid.
+
+/bin root.root 711
+/boot root.root 700
+/dev root.root 711
+/dev/audio* root.audio 600
+/dev/dsp* root.audio 600
+/etc/ root.root 711
+/etc/conf.modules root.root 600
+/etc/cron.daily/ root.root 700
+/etc/cron.hourly/ root.root 700
+/etc/cron.monthly/ root.root 700
+/etc/cron.weekly/ root.root 700
+/etc/crontab root.root 600
+/etc/dhcpcd/ root.root 700
+/etc/dhcpcd/* root.root 600
+/etc/esd.conf root.audio 640
+/etc/ftpaccess root.root 600
+/etc/ftpconversions root.root 600
+/etc/ftpgroups root.root 600
+/etc/ftphosts root.root 600
+/etc/ftpusers root.root 600
+/etc/gettydefs root.root 600
+/etc/hosts.allow root.root 600
+/etc/hosts.deny root.root 600
+/etc/hosts.equiv root.root 600
+/etc/inetd.conf root.root 600
+/etc/inittab root.root 600
+/etc/ld.so.conf root.root 600
+/etc/lilo.conf root.root 600
+/etc/modules.conf root.root 600
+/etc/motd root.root 644
+/etc/printcap root.root 640
+/etc/profile root.root 644
+/etc/rc.d/ root.root 600
+/etc/securetty root.root 600
+/etc/sendmail.cf root.root 600
+/etc/ssh_config root.root 644
+/etc/ssh_host_key root.root 600
+/etc/ssh_host_key.pub root.root 644
+/etc/sshd_config root.root 600
+/etc/syslog.conf root.root 600
+/etc/updatedb.conf root.root 600
+
+/home/ root.root 711
+/home/* current 700
+/lib root.root 711
+/mnt root.root 710
+/root root.root 700
+/sbin root.root 711
+/tmp root.root 1777
+/usr root.root 711
+/usr/* root.root 711
+/usr/X11R6/ root.xgrp 710
+/usr/bin/ root.root 711
+/usr/bin/* root.root 755
+/usr/sbin/ root.root 711
+/usr/sbin/* root.root 700
+/usr/sbin/sendmail root.root 755
+/var root.root 755
+
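Review bot: `/usr/sbin/* root.root 700` followed by `/usr/sbin/sendmail root.root 755` depends on file_perm.sh applying entries in file order, and both numeric modes clear the set-uid/set-gid bits of the matched binaries; sendmail of this era is presumably installed set-uid root so that unprivileged users can submit mail, so `755` here likely leaves local mail submission working only for root — confirm whether that is intended at this level and comment it either way. After this file is applied no set-uid or set-gid bit remains on anything under /usr/bin or /usr/sbin, which is a defensible choice for a "paranoid" level but should be stated in the header so the missing passwd/su functionality is not mistaken for a bug.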
diff --git a/init-sh/server.4 b/init-sh/server.4
new file mode 100644
index 0000000..044f0bf
--- /dev/null
+++ b/init-sh/server.4
@@ -0,0 +1,6 @@
+crond
+syslog
+keytable
+network
+gpm
+xfs
diff --git a/init-sh/server.5 b/init-sh/server.5
new file mode 100644
index 0000000..044f0bf
--- /dev/null
+++ b/init-sh/server.5
@@ -0,0 +1,6 @@
+crond
+syslog
+keytable
+network
+gpm
+xfs