diff options
Diffstat (limited to 'src/msec/man.py')
| -rwxr-xr-x | src/msec/man.py | 294 |
1 files changed, 176 insertions, 118 deletions
diff --git a/src/msec/man.py b/src/msec/man.py index 1eaade0..7efad72 100755 --- a/src/msec/man.py +++ b/src/msec/man.py @@ -16,6 +16,14 @@ import inspect import config from libmsec import MSEC, Log + +# localization +import gettext +try: + gettext.install("msec") +except IOError: + _ = str + try: from version import version except: @@ -23,207 +31,160 @@ except: header = r'''.ds q \N'34' .TH msec 8 msec "Mageia" -.SH NAME -msec \- Mageia Linux security tools -.SH SYNOPSIS +.SH {tit1} +msec \- {p1} +.SH {tit2} .nf -.B msec [options] -.B msecperms [options] -.B msecgui [options] +.B msec [{options}] +.B msecperms [{options}] +.B msecgui [{options}] .fi -.SH DESCRIPTION -.B msec -is responsible to maintain system security in Mageia. It supports different security -configurations, which can be organized into several security levels, stored in -/etc/security/msec/level.LEVELNAME. Currently, three basic preconfigured security levels are -provided with Mageia Linux: +.SH {tit3} +.B {p2} .TP \fBnone\fR -this level disables all msec options. It should be used when you want to manage -all aspects of system security on your own. +{p3} .TP \fBstandard\fR -this is the default security level, which configures a reasonably safe set of security -features. It activates several periodic system checks, and sends the results of their -execution by email (by default, the local 'root' account is used). +{p4} .TP \fBsecure\fR -this level is configured to provide maximum system security, even at the cost of limiting -the remote access to the system, and local user permissions. It also runs a wider set of -periodic checks, enforces the local password settings, and periodically checks if the -system security settings, configured by msec, were modified directly or by some other -application. +{p5} .TP -Besides those levels, different task-oriented security are also provided, -such as the 'fileserver', 'webserver' and 'netbook' levels. Such levels -attempt to pre-configure system security according to the most common use -cases. +{p6} .TP -Note that besides those levels you may create as many levels as necessary. +{p7} .PP -The security settings are stored in \fB/etc/security/msec/security.conf\fR -file, and default settings for each predefined level are stored in -\fB/etc/security/msec/level.LEVEL\fR. Permissions for files and directories -that should be enforced or checked for changes are stored in -\fB/etc/security/msec/perms.conf\fR, and default permissions for each -predefined level are stored in \fB/etc/security/msec/perm.LEVEL\fR. Note -that user-modified parameters take precedence over default level settings. For -example, when default level configuration forbids direct root logins, this -setting can be overridden by the user. +{p8} .PP -The following options are supported by msec applications: +{p9} .TP \fBmsec\fR: .PP -This is the console version of msec. It is responsible for system security configuration -and checking and transitions between security levels. - -When executed without parameters, msec will read the system configuration file -(/etc/security/msec/security.conf), and enforce the specified security -settings. The operations are logged to \fB/var/log/msec.log\fP file, and also -to syslog, using \fBLOG_AUTHPRIV\fR facility. Please note that msec should -by run as root. +{p10} \fB\-h, --help\fR - This option will display the list of supported command line options. + {p11} \fB\-l, --level <level>\fR - List the default configuration for given security level. + {p12} \fB\-f, --force <level>\fR - Apply the specified security level to the system, overwritting all local -changes in /etc/security/msec/security.conf. This usually should be performed -either on first install, on when a transition to a different level is required. + {p13} \fB\-d\fR - Enable debugging messages. + {p14} \fB\-p, --pretend\fR - Verify the actions that will be performed by msec, without actually -doing anything to the system. In this mode of operation, msec performs all the -required tasks, except effectively writting data back to disk. + {p15} \fB\-r, --root <path>\fR - Use path as root. Can be used to perform msec actions in chroot. + {p16} \fB\-q\fR - Run quietly + {p17} \fB\-s, --save <level>\fR - Save current settings as a new security level. + {p18} .TP \fBmsecperms\fR: .PP -This application is responsible for system permission checking and enforcements. - -When executed without parameters, msecperms will read the permissions -configuration file (/etc/security/msec/perms.conf), and enforce the specified -security settings. The operations are logged to \fB/var/log/msec.log\fP file, -and also to syslog, using \fBLOG_AUTHPRIV\fR facility. Please note that msecperms -should by run as root. +{p19} \fB\-h, --help\fR - This option will display the list of supported command line options. + {p20} \fB\-l, --level <level>\fR - List the default configuration for given security level. + {p21} \fB\-e, --enforce\fR - Enforce the default permissions on all files. + {p22} \fB\-d\fR - Enable debugging messages. + {p14} \fB\-p, --pretend\fR - Verify the actions that will be performed by msec, without actually -doing anything to the system. In this mode of operation, msec performs all the -required tasks, except effectively writting data back to disk. + {p15} \fB\-r, --root <path>\fR - Use path as root. Can be used to perform msec actions in chroot. + {p16} \fB\-q\fR - Run quietly + {p17} .TP \fBmsecgui\fR: .PP -This is the GTK version of msec. It acts as frontend to all msec functionalities. +{p24} \fB\-h, --help\fR - This option will display the list of supported command line options. + {p20} \fB\-d\fR - Enable debugging messages. + {p14} -.SH EXAMPLES +.SH {tit4} -\fBEnforce system configuration according to /etc/security/msec/security.conf file:\fP +\fB{p25}\fP msec -\fBDisplay system configuration changes without enforcing anything:\fP +\fB{p26}\fP msec -p -\fBInstall predefined security level 'standard':\fP +\fB{p27}\fP msec -f standard -\fBPreview changes inflicted by change to 'standard' level:\fP +\fB{p28}\fP msec -p -f standard -\fBCreate a custom security level based on 'standard':\fP +\fB{p29}\fP cp /etc/security/msec/level.standard /etc/security/msec/level.my edit /etc/security/msec/level.my msec -f my -\fBExport current security settings to create a new security level named 'office':\fP +\fB{p30}\fP msec -s office -\fBEnforce system permissions according to /etc/security/msec/perms.conf file:\fP +\fB{p31}\fP msecperms -\fBDisplay permissions changes without enforcing anything:\fP +\fB{p32}\fP msecperms -p -\fBInstall predefined permissions for level 'standard':\fP +\fB{p33}\fP msecperms -f standard -\fBPreview changes inflicted by change to 'standard' level:\fP +\fB{p34}\fP msecperms -p -f standard -\fBCreate a custom permissions level based on 'secure':\fP +\fB{p35}\fP cp /etc/security/msec/perm.secure /etc/security/msec/perm.my edit /etc/security/msec/level.my msecperms -f my -\fBExport current security settings to create a new security level named 'office':\fP +\fB{p36}\fP msecperms -s office -.SH "DEFINING EXCEPTIONS FOR PERIODIC CHECKS" -.B msec -is capable of excluding certain patterns from periodic check reports. For -this, it is possible to define the exceptions in -\fB/etc/security/msec/exceptions\fP file, for each supported check. +.SH "{tit6}" +.B {p37} .PP -For example, to exclude all items that match \fB/mnt\fP, Mageia-based -chrooted installations in \fB/chroot\fP and all backup files from the -results of of check for unowned files on the system, it is sufficient to -define the following entry in the exceptions file: +{p38} .TP CHECK_UNOWNED /mnt @@ -233,51 +194,148 @@ define the following entry in the exceptions file: CHECK_UNOWNED .*~ .PP -In a similar way, it is possible to exclude the results for the -\fBdeluge\fP application from the list of open ports as follows: +{p39} .TP CHECK_OPEN_PORT /deluge .PP -Each exception entry is a regular exception, and you might define as many -exceptions as necessary. +{p40} .PP -In order to exclude a path from all msec checks, you may use * for the check -name. For example, the following would exclude /media/ from all msec checks: +{p41} .TP * /media/ .PP -See below for all msec options that support this feature. +{p42} -.SH "SECURITY OPTIONS" +.SH "{tit5}" -The following security options are supported by msec: +{p43} -''' +'''.format(\ +tit1=_('NAME'), +tit2=_('SYNOPSIS'), +tit3=_('DESCRIPTION'), +options=_('options'), +p1=_( "Mageia Linux security tools"), +p2 =_( '''msec +is responsible to maintain system security in Mageia. It supports different security +configurations, which can be organized into several security levels, stored in +/etc/security/msec/level.LEVELNAME. Currently, three basic preconfigured security levels are +provided with Mageia Linux:'''), + +p3 =_( '''this level disables all msec options. It should be used when you want to manage +all aspects of system security on your own.'''), +p4 =_( '''this is the default security level, which configures a reasonably safe set of security +features. It activates several periodic system checks, and sends the results of their +execution by email (by default, the local 'root' account is used).'''), +p5 = ('''this level is configured to provide maximum system security, even at the cost of limiting +the remote access to the system, and local user permissions. It also runs a wider set of +periodic checks, enforces the local password settings, and periodically checks if the +system security settings, configured by msec, were modified directly or by some other +application.'''), +p6=_( '''Besides those levels, different task-oriented security are also provided, +such as the 'fileserver', 'webserver' and 'netbook' levels. Such levels +attempt to pre-configure system security according to the most common use +cases.'''), +p7=_('''Note that besides those levels you may create as many levels as necessary.'''), +p8=_('''The security settings are stored in \\fB/etc/security/msec/security.conf\\fR +file, and default settings for each predefined level are stored in +\\fB/etc/security/msec/level.LEVEL\\fR. Permissions for files and directories +that should be enforced or checked for changes are stored in +\\fB/etc/security/msec/perms.conf\\fR, and default permissions for each +predefined level are stored in \\fB/etc/security/msec/perm.LEVEL\\fR. Note +that user-modified parameters take precedence over default level settings. For +example, when default level configuration forbids direct root logins, this +setting can be overridden by the user.'''), +p9=_("The following options are supported by msec applications:"), + +p10=_('''This is the console version of msec. It is responsible for system security configuration +and checking and transitions between security levels. + +When executed without parameters, msec will read the system configuration file +(/etc/security/msec/security.conf), and enforce the specified security +settings. The operations are logged to \\fB/var/log/msec.log\\fP file, and also +to syslog, using \\fBLOG_AUTHPRIV\\fR facility. Please note that msec should +by run as root.'''), +p11=_("This option will display the list of supported command line options."), +p12=_("List the default configuration for given security level."), +p13=_('''Apply the specified security level to the system, overwritting all local +changes in /etc/security/msec/security.conf. This usually should be performed +either on first install, on when a transition to a different level is required.'''), +p14=_("Enable debugging messages."), +p15=_('''Verify the actions that will be performed by msec, without actually +doing anything to the system. In this mode of operation, msec performs all the +required tasks, except effectively writting data back to disk.'''), +p16=_("Use path as root. Can be used to perform msec actions in chroot."), +p17=_("Run quietly"), +p18=_( "Save current settings as a new security level."), +p19=_('''This application is responsible for system permission checking and enforcements. + +When executed without parameters, msecperms will read the permissions +configuration file (/etc/security/msec/perms.conf), and enforce the specified +security settings. The operations are logged to \\fB/var/log/msec.log\\fP file, +and also to syslog, using \\fBLOG_AUTHPRIV\\fR facility. Please note that msecperms +should by run as root.'''), +p20=_("This option will display the list of supported command line options."), +p21=_("List the default configuration for given security level."), +p22=_("Enforce the default permissions on all files."), +p24=_("This is the GTK version of msec. It acts as frontend to all msec functionalities."), +tit4=_("EXAMPLES"), +p25=_("Enforce system configuration according to /etc/security/msec/security.conf file:"), +p26=_("Display system configuration changes without enforcing anything:"), +p27=_("Install predefined security level 'standard':"), +p28=_("Preview changes inflicted by change to 'standard' level:"), +p29=_("Create a custom security level based on 'standard':"), +p30=_("Export current security settings to create a new security level named 'office':"), +tit6=_("DEFINING EXCEPTIONS FOR PERIODIC CHECKS"), +p31=_("Enforce system permissions according to /etc/security/msec/perms.conf file:"), +p32=_("Display permissions changes without enforcing anything:"), +p33=_("Install predefined permissions for level 'standard':"), +p34=_("Preview changes inflicted by change to 'standard' level:"), +p35=_("Create a custom permissions level based on 'secure':"), +p36=_("Export current security settings to create a new security level named 'office':"), +p37=_('''msec +is capable of excluding certain patterns from periodic check reports. For +this, it is possible to define the exceptions in +\\fB/etc/security/msec/exceptions\\fP file, for each supported check.'''), +p38=_('''For example, to exclude all items that match \\fB/mnt\\fP, Mageia-based +chrooted installations in \\fB/chroot\\fP and all backup files from the +results of of check for unowned files on the system, it is sufficient to +define the following entry in the exceptions file:'''), +p39=_("In a similar way, it is possible to exclude the results for the \\fBdeluge\\fP application from the list of open ports as follows:"), +p40=_("Each exception entry is a regular exception, and you might define as many exceptions as necessary."), +p41=_("In order to exclude a path from all msec checks, you may use * for the check name. For example, the following would exclude /media/ from all msec checks:"), +p42=_("See below for all msec options that support this feature."), +tit5=_("SECURITY OPTIONS"), +p43=_("The following security options are supported by msec:") +) footer = '''.RE -.SH NOTES -Msec applications must be run by root. -.SH AUTHORS +.SH {tit6} +{p45} +.SH {tit7} Frederic Lepied Eugeni Dodonov -''' +'''.format( +tit6=_("NOTES"), +p45=_("Msec applications must be run by root."), +tit7=_("AUTHORS")) ### strings used in the rewritting function_str = ''' .TP 4 -.B \\fI%s\\fP -%s +.B \\fI{callback}\\fP +{f} -MSEC parameter: \\fI%s\\fP +{label1} \\fI{v}\\fP -Accepted values: \\fI%s\\fP +{label2} \\fI{params}\\fP ''' ### code @@ -304,10 +362,10 @@ for callback in callbacks: variable, params = settings_rev[callback] func = msec.get_action(callback) if func: - print(function_str % (callback, func.__doc__.strip(), variable, ", ".join(params))) + print(function_str.format(callback=callback, f=func.__doc__.strip(), v=variable, params=", ".join(params), label1=_('MSEC parameter:'), label2=_("Accepted values:"))) if variable in config.CHECKS_WITH_EXCEPTIONS: # this check supports exceptions - print("""(This check supports exceptions via %s variable defined in \\fB/etc/security/msec/exceptions\\fP file)""" % variable) + print(_("(This check supports exceptions via %s variable defined in \\fB/etc/security/msec/exceptions\\fP file)") % variable) print(footer) |