path: root/man/C/msec.8
Diffstat (limited to 'man/C/msec.8')
-rw-r--r--  man/C/msec.8  635
1 files changed, 579 insertions, 56 deletions
diff --git a/man/C/msec.8 b/man/C/msec.8
index 16768ad..8a0c098 100644
--- a/man/C/msec.8
+++ b/man/C/msec.8
@@ -1,69 +1,592 @@
-.TH msec 8 "29 Sep 2001" "Mandriva" "Mandriva Linux"
-.IX msec
+.ds q \N'34'
+.TH msec 0.60.1 msec "Mandriva Linux"
.SH NAME
msec \- Mandriva Linux security tools
.SH SYNOPSIS
-.B msec
-([-o <option>=<value>...]) ([0-5])
+.nf
+.B msec [options]
+.B msecperms [options]
+.B msecgui [options]
+.fi
.SH DESCRIPTION
-\fPmsec\fP is the main script of the msec package. It enables the
-system administrator to change the security level for that system.
-msec is provided with six preconfigured security levels. These levels
-range from poor security and ease of use, to paranoid config, suitable
-for very sensitive server applications.
-.PP
-You must be root to run \fPmsec\fP.
-.br
-Launch "msec x" to set you security level to x (x=[0-5]). It'll modify
-your system according to security level x features. Called without
-argument, it will enforce the current security level without lowering
-security.
-.br
-All the changes are logged to syslog(8) at the AUTH facility when called
-non interactivelly (by cron for example) or at the LOCAL1 facility
-when called interactivelly (on the command line or from Mandriva Linux
-Control Center for example).
-.br
-For a fine description of each security level, consult the
-documentation under /usr/share/doc/msec-*/security.txt.
-.PP
-If you want to make changes to the current level, use
-/etc/security/msec/perm.local to override the
-permissions/owners/groups (use the same syntax as /usr/share/msec/perm.*
-or use the drakperm graphical utility) and /etc/security/msec/level.local to
-override the rules (see mseclib(3) for details or use the draksec graphical utility).
-.PP
-Available options:
+.B msec
+is responsible to maintain system security in Mandriva. It supports different security
+configurations, which can be organized into several security levels. Currently, three
+preconfigured security levels are provided:
+
.TP
-\fB\-o all-local-files=<value>\fR
-if <value> is 1, consider that all the files are local.
+\fBnone\fR
+this level aims to provide the most basic security. It should be used when you want to
+manage all aspects of system security on your own.
+
.TP
-\fB\-o log=<value>\fR
-if <value> is different of syslog do not log to syslog but to the standard error output.
+\fBdefault\fR
+this is the default security level, which configures a reasonably safe set of security
+features. It activates several periodic system checks, and sends the results of their
+execution by email (by default, the local 'root' account is used).
+
.TP
-\fB\-o nolocal=<path>\fR
-do not load the /etc/security/msec/level.local rules.
+\fBsecure\fR
+this level is configured to provide maximum system security, even at the cost of limiting
+the remote access to the system, and local user permissions. It also runs a wider set of
+periodic checks, enforces the local password settings, and periodically checks if the
+system security settings, configured by msec, were modified directly or by some other
+application.
+
+.PP
+
+The security settings are stored in \fB/etc/security/msec/security.conf\fR
+file, and default settings for each predefined level are stored in
+\fB/etc/security/msec/level.LEVEL\fR. Permissions for files and directories
+that should be enforced or checked for changes are stored in
+\fB/etc/security/msec/perms.conf\fR, and default permissions for each
+predefined level are stored in \fB/etc/security/msec/perm.LEVEL\fR. Note
+that user-modified parameters take precedence over default level settings. For
+example, when default level configuration forbids direct root logins, this
+setting can be overridden by the user.
+
+.PP
+
+The following options are supported by msec applications:
+
.TP
-\fB\-o non-local-fstypes=<value>\fR
-<value> is a list of non local file system types separated by spaces.
+\fBmsec\fR:
+.PP
+
+This is the console version of msec. It is responsible for system security configuration
+and checking and transitions between security levels.
+
+When executed without parameters, msec will read the system configuration file
+(/etc/security/msec/security.conf), and enforce the specified security
+settings. The operations are logged to \fB/var/log/msec.log\fP file, and also
+to syslog, using \fBLOG_AUTHPRIV\fR facility. Please note that msec should
+by run as root.
+
+\fB\-h, --help\fR
+ This option will display the list of supported command line options.
+
+\fB\-l, --level <level>\fR
+ List the default configuration for given security level.
+
+\fB\-f, --force <level>\fR
+ Apply the specified security level to the system, overwritting all
+local changes. This is necessary to initialize a security level, either on first
+install, on when a change to a different level is required.
+
+\fB\-d\fR
+ Enable debugging messages.
+
+\fB\-p, --pretend\fR
+ Verify the actions that will be performed by msec, without actually
+doing anything to the system. In this mode of operation, msec performs all the
+required tasks, except effectively writting data back to disk.
+
.TP
-\fB\-o print=<value>\fR
-if <value> is equal to 1, output the default values of the rules.
+\fBmsecperms\fR:
+.PP
+
+This application is responsible for system permission checking and enforcements.
+
+When executed without parameters, msecperms will read the permissions
+configuration file (/etc/security/msec/perms.conf), and enforce the specified
+security settings. The operations are logged to \fB/var/log/msec.log\fP file,
+and also to syslog, using \fBLOG_AUTHPRIV\fR facility. Please note that msecperms
+should by run as root.
+
+\fB\-h, --help\fR
+ This option will display the list of supported command line options.
+
+\fB\-l, --level <level>\fR
+ List the default configuration for given security level.
+
+\fB\-f, --force <level>\fR
+ Apply the specified security level to the system, overwritting all
+local changes. This is necessary to initialize a security level, either on first
+install, on when a change to a different level is required.
+
+\fB\-e, --enforce\fR
+ Enforce the default permissions on all files.
+
+\fB\-d\fR
+ Enable debugging messages.
+
+\fB\-p, --pretend\fR
+ Verify the actions that will be performed by msec, without actually
+doing anything to the system. In this mode of operation, msec performs all the
+required tasks, except effectively writting data back to disk.
+
.TP
-\fB\-o root=<path>\fR
-use <path> as the root of the file system.
-.SH FILES
-/usr/sbin/msec
-.br
-The \fPmsec\fP executable (sh script)
+\fBmsecgui\fR:
.PP
-/var/lib/msec/security.conf
-.br
-Contains the configuration of the current active security level. These
-settings can be overridden in /etc/security/msec/security.conf.
-.SH "SEE ALSO"
-mseclib(3), draksec, drakperm
+This is the GTK version of msec. It acts as frontend to all msec functionalities.
+
+\fB\-h, --help\fR
+ This option will display the list of supported command line options.
+
+\fB\-d\fR
+ Enable debugging messages.
+
+.SH "SECURITY OPTIONS"
+
+The following security options are supported by msec:
+
+
+
+.TP 4
+.B \fIenable_dns_spoofing_protection\fP
+Enable/Disable name resolution spoofing protection. If \fIalert\fP is true, also reports to syslog.
+
+MSEC parameter: \fIENABLE_IP_SPOOFING_PROTECTION\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fImail_empty_content\fP
+Enables sending of empty mail reports.
+
+MSEC parameter: \fIMAIL_EMPTY_CONTENT\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIaccept_broadcasted_icmp_echo\fP
+Accept/Refuse broadcasted icmp echo.
+
+MSEC parameter: \fIACCEPT_BROADCASTED_ICMP_ECHO\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIallow_xserver_to_listen\fP
+The argument specifies if clients are authorized to connect to the X server on the tcp port 6000 or not.
+
+MSEC parameter: \fIALLOW_XSERVER_TO_LISTEN\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_chkrootkit\fP
+Enables checking for known rootkits using chkrootkit.
+
+MSEC parameter: \fICHECK_CHKROOTKIT\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_suid_root\fP
+Enables checking for additions/removals of suid root files.
+
+MSEC parameter: \fICHECK_SUID_ROOT\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIenable_at_crontab\fP
+Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow (see man at(1) and crontab(1)).
+
+MSEC parameter: \fIENABLE_AT_CRONTAB\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIaccept_bogus_error_responses\fP
+Accept/Refuse bogus IPv4 error messages.
+
+MSEC parameter: \fIACCEPT_BOGUS_ERROR_RESPONSES\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_suid_md5\fP
+Enables checksum verification for suid files.
+
+MSEC parameter: \fICHECK_SUID_MD5\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fImail_user\fP
+Defines email to receive security notifications.
+
+MSEC parameter: \fIMAIL_USER\fP
+
+Accepted values: \fI*\fP
+
+
+.TP 4
+.B \fIallow_autologin\fP
+Allow/Forbid autologin.
+
+MSEC parameter: \fIALLOW_AUTOLOGIN\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIenable_pam_wheel_for_su\fP
+Enabling su only from members of the wheel group or allow su from any user.
+
+MSEC parameter: \fIENABLE_PAM_WHEEL_FOR_SU\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcreate_server_link\fP
+Creates the symlink /etc/security/msec/server to point to /etc/security/msec/server.<SERVER_LEVEL>. The /etc/security/msec/server is used by chkconfig --add to decide to add a service if it is present in the file during the installation of packages.
+
+MSEC parameter: \fICREATE_SERVER_LINK\fP
+
+Accepted values: \fIno, default, secure\fP
+
+
+.TP 4
+.B \fIset_shell_timeout\fP
+Set the shell timeout. A value of zero means no timeout.
+
+MSEC parameter: \fISHELL_TIMEOUT\fP
+
+Accepted values: \fI*\fP
+
+
+.TP 4
+.B \fIcheck_user_files\fP
+Enables permission checking on users' files that should not be owned by someone else, or writable.
+
+MSEC parameter: \fICHECK_USER_FILES\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_shadow\fP
+Enables checking for empty passwords.
+
+MSEC parameter: \fICHECK_SHADOW\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIenable_password\fP
+Use password to authenticate users. Take EXTREMELY care when disabling passwords, as it will leave the machine COMPLETELY vulnerable.
+
+MSEC parameter: \fIENABLE_PASSWORD\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIset_win_parts_umask\fP
+Set umask option for mounting vfat and ntfs partitions. A value of None means default umask.
+
+MSEC parameter: \fIWIN_PARTS_UMASK\fP
+
+Accepted values: \fIno, *\fP
+
+
+.TP 4
+.B \fIcheck_open_port\fP
+Enables checking for open network ports.
+
+MSEC parameter: \fICHECK_OPEN_PORT\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIenable_log_strange_packets\fP
+Enable/Disable the logging of IPv4 strange packets.
+
+MSEC parameter: \fIENABLE_LOG_STRANGE_PACKETS\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_rpm\fP
+Enables verification of installed packages.
+
+MSEC parameter: \fICHECK_RPM\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIenable_pam_root_from_wheel\fP
+Allow root access without password for the members of the wheel group.
+
+MSEC parameter: \fIENABLE_PAM_ROOT_FROM_WHEEL\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fImail_warn\fP
+Enables security results submission by email.
+
+MSEC parameter: \fIMAIL_WARN\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIpassword_length\fP
+Set the password minimum length and minimum number of digit and minimum number of capitalized letters.
+
+MSEC parameter: \fIPASSWORD_LENGTH\fP
+
+Accepted values: \fI*\fP
+
+
+.TP 4
+.B \fIset_root_umask\fP
+Set the root umask.
+
+MSEC parameter: \fIROOT_UMASK\fP
+
+Accepted values: \fI*\fP
+
+
+.TP 4
+.B \fIcheck_sgid\fP
+Enables checking for additions/removals of sgid files.
+
+MSEC parameter: \fICHECK_SGID\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_promisc\fP
+Activate/Disable ethernet cards promiscuity check.
+
+MSEC parameter: \fICHECK_PROMISC\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIallow_x_connections\fP
+Allow/Forbid X connections. Accepted arguments: yes (all connections are allowed), local (only local connection), no (no connection).
+
+MSEC parameter: \fIALLOW_X_CONNECTIONS\fP
+
+Accepted values: \fIyes, no, local\fP
+
+
+.TP 4
+.B \fIcheck_writable\fP
+Enables checking for files/directories writable by everybody.
+
+MSEC parameter: \fICHECK_WRITABLE\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIenable_console_log\fP
+Enable/Disable syslog reports to console 12. \fIexpr\fP is the expression describing what to log (see syslog.conf(5) for more details) and dev the device to report the log.
+
+MSEC parameter: \fIENABLE_CONSOLE_LOG\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIenable_ip_spoofing_protection\fP
+Enable/Disable IP spoofing protection.
+
+MSEC parameter: \fIENABLE_DNS_SPOOFING_PROTECTION\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_perms\fP
+Enables periodic permission checking for system files.
+
+MSEC parameter: \fICHECK_PERMS\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIset_shell_history_size\fP
+Set shell commands history size. A value of -1 means unlimited.
+
+MSEC parameter: \fISHELL_HISTORY_SIZE\fP
+
+Accepted values: \fI*\fP
+
+
+.TP 4
+.B \fIallow_reboot\fP
+Allow/Forbid system reboot and shutdown to local users.
+
+MSEC parameter: \fIALLOW_REBOOT\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIsyslog_warn\fP
+Enables logging to system log.
+
+MSEC parameter: \fISYSLOG_WARN\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_shosts\fP
+Enables checking for dangerous options in users' .rhosts/.shosts files.
+
+MSEC parameter: \fICHECK_SHOSTS\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_passwd\fP
+Enables password-related checks, such as empty passwords and strange super-user accounts.
+
+MSEC parameter: \fICHECK_PASSWD\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIpassword_history\fP
+Set the password history length to prevent password reuse. This is not supported by pam_tcb.
+
+MSEC parameter: \fIPASSWORD_HISTORY\fP
+
+Accepted values: \fI*\fP
+
+
+.TP 4
+.B \fIcheck_security\fP
+Enables daily security checks.
+
+MSEC parameter: \fICHECK_SECURITY\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIallow_root_login\fP
+Allow/Forbid direct root login.
+
+MSEC parameter: \fIALLOW_ROOT_LOGIN\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIcheck_unowned\fP
+Enables checking for unowned files.
+
+MSEC parameter: \fICHECK_UNOWNED\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIallow_user_list\fP
+Allow/Forbid the list of users on the system on display managers (kdm and gdm).
+
+MSEC parameter: \fIALLOW_USER_LIST\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIallow_remote_root_login\fP
+Allow/Forbid remote root login via sshd. You can specify yes, no and without-password. See sshd_config(5) man page for more information.
+
+MSEC parameter: \fIALLOW_REMOTE_ROOT_LOGIN\fP
+
+Accepted values: \fIyes, no, without_password\fP
+
+
+.TP 4
+.B \fIenable_msec_cron\fP
+Enable/Disable msec hourly security check.
+
+MSEC parameter: \fIENABLE_MSEC_CRON\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIenable_sulogin\fP
+Enable/Disable sulogin(8) in single user level.
+
+MSEC parameter: \fIENABLE_SULOGIN\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIallow_xauth_from_root\fP
+Allow/forbid to export display when passing from the root account to the other users. See pam_xauth(8) for more details.
+
+MSEC parameter: \fIALLOW_XAUTH_FROM_ROOT\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIset_user_umask\fP
+Set the user umask.
+
+MSEC parameter: \fIUSER_UMASK\fP
+
+Accepted values: \fI*\fP
+
+
+.TP 4
+.B \fIaccept_icmp_echo\fP
+Accept/Refuse icmp echo.
+
+MSEC parameter: \fIACCEPT_ICMP_ECHO\fP
+
+Accepted values: \fIyes, no\fP
+
+
+.TP 4
+.B \fIauthorize_services\fP
+Configure access to tcp_wrappers services (see hosts.deny(5)). If arg = yes, all services are authorized. If arg = local, only local ones are, and if arg = no, no services are authorized. In this case, To authorize the services you need, use /etc/hosts.allow (see hosts.allow(5)).
+
+MSEC parameter: \fIAUTHORIZE_SERVICES\fP
+
+Accepted values: \fIyes, no, local\fP
+
+
+.TP 4
+.B \fItty_warn\fP
+Enables periodic security check results to terminal.
+
+MSEC parameter: \fITTY_WARN\fP
+
+Accepted values: \fIyes, no\fP
+
+.RE
+.SH NOTES
+Msec applications must be run by root.
+.SH AUTHORS
+Frederic Lepied <flepied@mandriva.com>
+
+Eugeni Dodonov <eugeni@mandriva.com>
-.SH AUTHOR
-Vandoorselaere Yoann, Mandriva