diff options
Diffstat (limited to 'init-sh')
-rwxr-xr-x | init-sh/level0.sh | 80 | ||||
-rw-r--r-- | init-sh/perm.0 | 65 |
2 files changed, 145 insertions, 0 deletions
diff --git a/init-sh/level0.sh b/init-sh/level0.sh new file mode 100755 index 0000000..a0cd43c --- /dev/null +++ b/init-sh/level0.sh @@ -0,0 +1,80 @@ +#!/bin/bash + +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +if [ -f /etc/security/msec/init-sh/lib.sh ]; then + . /etc/security/msec/init-sh/lib.sh +else + exit 1 +fi + +# login as root on console granted... +echo "Login as root is granted :" +AddRules "tty1" /etc/securetty quiet +AddRules "tty2" /etc/securetty quiet +AddRules "tty3" /etc/securetty quiet +AddRules "tty4" /etc/securetty quiet +AddRules "tty5" /etc/securetty quiet +AddRules "tty6" /etc/securetty + +# Security check +echo "Updating file check variable : " +echo -e "\t- Check security : yes." + AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet +echo -e "\t- Check important permissions : no." + AddRules "CHECK_PERMS=no" /etc/security/msec/security.conf quiet +echo -e "\t- Check suid root file : no." + AddRules "CHECK_SUID_ROOT=no" /etc/security/msec/security.conf quiet +echo -e "\t- Check suid root file integrity (backdoor check) : no." + AddRules "CHECK_SUID_MD5=no" /etc/security/msec/security.conf quiet +echo -e "\t- Check suid group file : no." + AddRules "CHECK_SUID_GROUP=no" /etc/security/msec/security.conf quiet +echo -e "\t- Check world writable file : no." + AddRules "CHECK_WRITEABLE=no" /etc/security/msec/security.conf quiet +echo -e "\t- Check unowned file : no." + AddRules "CHECK_UNOWNED=no" /etc/security/msec/security.conf quiet +echo -e "\t- Check promiscuous mode : no." + AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf quiet +echo -e "\t- Check listening port : no." + AddRules "CHECK_OPEN_PORT=no" /etc/security/msec/security.conf quiet +echo -e "\t- Check passwd file integrity : no." + AddRules "CHECK_PASSWD=no" /etc/security/msec/security.conf quiet +echo -e "\t- Check shadow file integrity : no." + AddRules "CHECK_SHADOW=no" /etc/security/msec/security.conf quiet +echo -e "\t- Security warning on tty : \"no\" :" + AddRules "TTY_WARN=no" /etc/security/msec/security.conf quiet +echo -e "\t- Security warning in syslog : \"no\" :" + AddRules "SYSLOG_WARN=no" /etc/security/msec/security.conf +# end security check + +# lilo update +echo -n "Running lilo to record new config : " +/sbin/lilo >& /dev/null +echo -e "done.\n" + +# /etc/profile +export SECURE_LEVEL=1 +echo "Setting secure level variable to 1 :" +AddRules "SECURE_LEVEL=1" /etc/profile +echo "Setting umask to 002 (u=rw,g=rw,o=r) :" +AddRules "umask 002" /etc/profile +echo "Adding \"non secure\" PATH variable :" +AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games:." /etc/profile quiet +AddRules "export PATH SECURE_LEVEL" /etc/profile + +# Group +echo -n "Adding \"${DRAKX_USERS}\" to audio group :" +for user in ${DRAKX_USERS}; do + usermod -G audio "${user}" +done +echo "done." + + + + + + + diff --git a/init-sh/perm.0 b/init-sh/perm.0 new file mode 100644 index 0000000..0cae0d7 --- /dev/null +++ b/init-sh/perm.0 @@ -0,0 +1,65 @@ +# Welcome in Level 1 +### +/bin root.root 755 +/boot root.root 755 +/dev root.root 755 +/dev/audio* root.audio 660 +/dev/dsp* root.audio 660 +/etc/ root.root 755 +/etc/conf.modules root.root 644 +/etc/cron.daily/ root.root 755 +/etc/cron.hourly/ root.root 755 +/etc/cron.monthly/ root.root 755 +/etc/cron.weekly/ root.root 755 +/etc/crontab root.root 644 +/etc/dhcpcd/ root.root 755 +/etc/esd.conf root.root 644 +/etc/ftpaccess root.root 644 +/etc/ftpconversions root.root 644 +/etc/ftpgroups root.root 644 +/etc/ftphosts root.root 644 +/etc/ftpusers root.root 644 +/etc/gettydefs root.root 644 +/etc/hosts.allow root.root 644 +/etc/hosts.deny root.root 644 +/etc/hosts.equiv root.root 644 +/etc/inetd.conf root.root 644 +/etc/init.d/ root.root 755 +/etc/inittab root.root 644 +/etc/ld.so.conf root.root 644 +/etc/lilo.conf root.root 644 +/etc/modules.conf root.root 644 +/etc/motd root.root 644 +/etc/printcap root.root 644 +/etc/profile root.root 644 +/etc/rc.d/ root.root 755 +/etc/securetty root.root 644 +/etc/sendmail.cf root.root 644 +/etc/ssh_config root.root 644 +/etc/ssh_host_key root.root 644 +/etc/ssh_host_key.pub root.root 644 +/etc/sshd_config root.root 644 +/etc/syslog.conf root.root 644 +/etc/updatedb.conf root.root 644 +/home/ root.root 755 +/home/* current 755 +/lib root.root 755 +/mnt root.root 755 +/root root.root 755 +/sbin root.root 755 +/tmp root.root 1777 +/usr root.root 755 +/usr/* root.root 755 +/usr/X11R6/ root.root 755 +/usr/bin/ root.root 755 +/usr/bin/* root.root 755 +/usr/sbin/ root.root 755 +/var root.root 755 +/var/log root.root 755 +/var/log/* root.adm 644 +/var/log/security/ root.root 700 +/var/log/security/* root.root 600 + + + + |