Diffstat (limited to 'src')
-rwxr-xr-xsrc/msec/man.py294
1 files changed, 176 insertions, 118 deletions
diff --git a/src/msec/man.py b/src/msec/man.py
index 1eaade0..7efad72 100755
--- a/src/msec/man.py
+++ b/src/msec/man.py
@@ -16,6 +16,14 @@ import inspect
import config
from libmsec import MSEC, Log
+
+# localization
+import gettext
+try:
+ gettext.install("msec")
+except IOError:
+ _ = str
+
try:
from version import version
except:
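Review bot: The `except IOError` fallback around `gettext.install("msec")` does not cover the common case of a missing catalog, because `gettext.install` looks the catalog up with `fallback=True` and silently installs a null translation instead of raising. The branch is reached only when an installed catalog exists but cannot be opened or parsed, which deserves a comment such as `# only reached when an installed msec catalog is unreadable or corrupt`. Note also that `_ = str` binds `_` in this module only, whereas a successful `install` places it in builtins for every module. The `try: from version import version` block that follows continues outside the hunk.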
@@ -23,207 +31,160 @@ except:
header = r'''.ds q \N'34'
.TH msec 8 msec "Mageia"
-.SH NAME
-msec \- Mageia Linux security tools
-.SH SYNOPSIS
+.SH {tit1}
+msec \- {p1}
+.SH {tit2}
.nf
-.B msec [options]
-.B msecperms [options]
-.B msecgui [options]
+.B msec [{options}]
+.B msecperms [{options}]
+.B msecgui [{options}]
.fi
-.SH DESCRIPTION
-.B msec
-is responsible to maintain system security in Mageia. It supports different security
-configurations, which can be organized into several security levels, stored in
-/etc/security/msec/level.LEVELNAME. Currently, three basic preconfigured security levels are
-provided with Mageia Linux:
+.SH {tit3}
+.B {p2}
.TP
\fBnone\fR
-this level disables all msec options. It should be used when you want to manage
-all aspects of system security on your own.
+{p3}
.TP
\fBstandard\fR
-this is the default security level, which configures a reasonably safe set of security
-features. It activates several periodic system checks, and sends the results of their
-execution by email (by default, the local 'root' account is used).
+{p4}
.TP
\fBsecure\fR
-this level is configured to provide maximum system security, even at the cost of limiting
-the remote access to the system, and local user permissions. It also runs a wider set of
-periodic checks, enforces the local password settings, and periodically checks if the
-system security settings, configured by msec, were modified directly or by some other
-application.
+{p5}
.TP
-Besides those levels, different task-oriented security are also provided,
-such as the 'fileserver', 'webserver' and 'netbook' levels. Such levels
-attempt to pre-configure system security according to the most common use
-cases.
+{p6}
.TP
-Note that besides those levels you may create as many levels as necessary.
+{p7}
.PP
-The security settings are stored in \fB/etc/security/msec/security.conf\fR
-file, and default settings for each predefined level are stored in
-\fB/etc/security/msec/level.LEVEL\fR. Permissions for files and directories
-that should be enforced or checked for changes are stored in
-\fB/etc/security/msec/perms.conf\fR, and default permissions for each
-predefined level are stored in \fB/etc/security/msec/perm.LEVEL\fR. Note
-that user-modified parameters take precedence over default level settings. For
-example, when default level configuration forbids direct root logins, this
-setting can be overridden by the user.
+{p8}
.PP
-The following options are supported by msec applications:
+{p9}
.TP
\fBmsec\fR:
.PP
-This is the console version of msec. It is responsible for system security configuration
-and checking and transitions between security levels.
-
-When executed without parameters, msec will read the system configuration file
-(/etc/security/msec/security.conf), and enforce the specified security
-settings. The operations are logged to \fB/var/log/msec.log\fP file, and also
-to syslog, using \fBLOG_AUTHPRIV\fR facility. Please note that msec should
-by run as root.
+{p10}
\fB\-h, --help\fR
- This option will display the list of supported command line options.
+ {p11}
\fB\-l, --level <level>\fR
- List the default configuration for given security level.
+ {p12}
\fB\-f, --force <level>\fR
- Apply the specified security level to the system, overwritting all local
-changes in /etc/security/msec/security.conf. This usually should be performed
-either on first install, on when a transition to a different level is required.
+ {p13}
\fB\-d\fR
- Enable debugging messages.
+ {p14}
\fB\-p, --pretend\fR
- Verify the actions that will be performed by msec, without actually
-doing anything to the system. In this mode of operation, msec performs all the
-required tasks, except effectively writting data back to disk.
+ {p15}
\fB\-r, --root <path>\fR
- Use path as root. Can be used to perform msec actions in chroot.
+ {p16}
\fB\-q\fR
- Run quietly
+ {p17}
\fB\-s, --save <level>\fR
- Save current settings as a new security level.
+ {p18}
.TP
\fBmsecperms\fR:
.PP
-This application is responsible for system permission checking and enforcements.
-
-When executed without parameters, msecperms will read the permissions
-configuration file (/etc/security/msec/perms.conf), and enforce the specified
-security settings. The operations are logged to \fB/var/log/msec.log\fP file,
-and also to syslog, using \fBLOG_AUTHPRIV\fR facility. Please note that msecperms
-should by run as root.
+{p19}
\fB\-h, --help\fR
- This option will display the list of supported command line options.
+ {p20}
\fB\-l, --level <level>\fR
- List the default configuration for given security level.
+ {p21}
\fB\-e, --enforce\fR
- Enforce the default permissions on all files.
+ {p22}
\fB\-d\fR
- Enable debugging messages.
+ {p14}
\fB\-p, --pretend\fR
- Verify the actions that will be performed by msec, without actually
-doing anything to the system. In this mode of operation, msec performs all the
-required tasks, except effectively writting data back to disk.
+ {p15}
\fB\-r, --root <path>\fR
- Use path as root. Can be used to perform msec actions in chroot.
+ {p16}
\fB\-q\fR
- Run quietly
+ {p17}
.TP
\fBmsecgui\fR:
.PP
-This is the GTK version of msec. It acts as frontend to all msec functionalities.
+{p24}
\fB\-h, --help\fR
- This option will display the list of supported command line options.
+ {p20}
\fB\-d\fR
- Enable debugging messages.
+ {p14}
-.SH EXAMPLES
+.SH {tit4}
-\fBEnforce system configuration according to /etc/security/msec/security.conf file:\fP
+\fB{p25}\fP
msec
-\fBDisplay system configuration changes without enforcing anything:\fP
+\fB{p26}\fP
msec -p
-\fBInstall predefined security level 'standard':\fP
+\fB{p27}\fP
msec -f standard
-\fBPreview changes inflicted by change to 'standard' level:\fP
+\fB{p28}\fP
msec -p -f standard
-\fBCreate a custom security level based on 'standard':\fP
+\fB{p29}\fP
cp /etc/security/msec/level.standard /etc/security/msec/level.my
edit /etc/security/msec/level.my
msec -f my
-\fBExport current security settings to create a new security level named 'office':\fP
+\fB{p30}\fP
msec -s office
-\fBEnforce system permissions according to /etc/security/msec/perms.conf file:\fP
+\fB{p31}\fP
msecperms
-\fBDisplay permissions changes without enforcing anything:\fP
+\fB{p32}\fP
msecperms -p
-\fBInstall predefined permissions for level 'standard':\fP
+\fB{p33}\fP
msecperms -f standard
-\fBPreview changes inflicted by change to 'standard' level:\fP
+\fB{p34}\fP
msecperms -p -f standard
-\fBCreate a custom permissions level based on 'secure':\fP
+\fB{p35}\fP
cp /etc/security/msec/perm.secure /etc/security/msec/perm.my
edit /etc/security/msec/level.my
msecperms -f my
-\fBExport current security settings to create a new security level named 'office':\fP
+\fB{p36}\fP
msecperms -s office
-.SH "DEFINING EXCEPTIONS FOR PERIODIC CHECKS"
-.B msec
-is capable of excluding certain patterns from periodic check reports. For
-this, it is possible to define the exceptions in
-\fB/etc/security/msec/exceptions\fP file, for each supported check.
+.SH "{tit6}"
+.B {p37}
.PP
-For example, to exclude all items that match \fB/mnt\fP, Mageia-based
-chrooted installations in \fB/chroot\fP and all backup files from the
-results of of check for unowned files on the system, it is sufficient to
-define the following entry in the exceptions file:
+{p38}
.TP
CHECK_UNOWNED /mnt
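Review bot: The placeholders introduced in `header` (`{tit1}`, `{p1}`, `{p2}`, …) put catalog text straight into roff source, so a translated line that begins with `.` or `'` is read as a roff request rather than as text. `.B {p2}` and `.B {p37}` also render correctly only if the translator keeps `msec` alone on the first line of the msgstr. Because catalogs are contributed content, I would pass each translated value through a small guard before formatting, e.g. `def roff_text(s): return "\n".join("\\&" + l if l[:1] in (".", "'") else l for l in s.split("\n"))`, and add a translator comment on p2/p37 about the first line. The template literal and its `.format(...)` call continue past this hunk.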
@@ -233,51 +194,148 @@ define the following entry in the exceptions file:
CHECK_UNOWNED .*~
.PP
-In a similar way, it is possible to exclude the results for the
-\fBdeluge\fP application from the list of open ports as follows:
+{p39}
.TP
CHECK_OPEN_PORT /deluge
.PP
-Each exception entry is a regular exception, and you might define as many
-exceptions as necessary.
+{p40}
.PP
-In order to exclude a path from all msec checks, you may use * for the check
-name. For example, the following would exclude /media/ from all msec checks:
+{p41}
.TP
* /media/
.PP
-See below for all msec options that support this feature.
+{p42}
-.SH "SECURITY OPTIONS"
+.SH "{tit5}"
-The following security options are supported by msec:
+{p43}
-'''
+'''.format(\
+tit1=_('NAME'),
+tit2=_('SYNOPSIS'),
+tit3=_('DESCRIPTION'),
+options=_('options'),
+p1=_( "Mageia Linux security tools"),
+p2 =_( '''msec
+is responsible to maintain system security in Mageia. It supports different security
+configurations, which can be organized into several security levels, stored in
+/etc/security/msec/level.LEVELNAME. Currently, three basic preconfigured security levels are
+provided with Mageia Linux:'''),
+
+p3 =_( '''this level disables all msec options. It should be used when you want to manage
+all aspects of system security on your own.'''),
+p4 =_( '''this is the default security level, which configures a reasonably safe set of security
+features. It activates several periodic system checks, and sends the results of their
+execution by email (by default, the local 'root' account is used).'''),
+p5 = ('''this level is configured to provide maximum system security, even at the cost of limiting
+the remote access to the system, and local user permissions. It also runs a wider set of
+periodic checks, enforces the local password settings, and periodically checks if the
+system security settings, configured by msec, were modified directly or by some other
+application.'''),
+p6=_( '''Besides those levels, different task-oriented security are also provided,
+such as the 'fileserver', 'webserver' and 'netbook' levels. Such levels
+attempt to pre-configure system security according to the most common use
+cases.'''),
+p7=_('''Note that besides those levels you may create as many levels as necessary.'''),
+p8=_('''The security settings are stored in \\fB/etc/security/msec/security.conf\\fR
+file, and default settings for each predefined level are stored in
+\\fB/etc/security/msec/level.LEVEL\\fR. Permissions for files and directories
+that should be enforced or checked for changes are stored in
+\\fB/etc/security/msec/perms.conf\\fR, and default permissions for each
+predefined level are stored in \\fB/etc/security/msec/perm.LEVEL\\fR. Note
+that user-modified parameters take precedence over default level settings. For
+example, when default level configuration forbids direct root logins, this
+setting can be overridden by the user.'''),
+p9=_("The following options are supported by msec applications:"),
+
+p10=_('''This is the console version of msec. It is responsible for system security configuration
+and checking and transitions between security levels.
+
+When executed without parameters, msec will read the system configuration file
+(/etc/security/msec/security.conf), and enforce the specified security
+settings. The operations are logged to \\fB/var/log/msec.log\\fP file, and also
+to syslog, using \\fBLOG_AUTHPRIV\\fR facility. Please note that msec should
+by run as root.'''),
+p11=_("This option will display the list of supported command line options."),
+p12=_("List the default configuration for given security level."),
+p13=_('''Apply the specified security level to the system, overwritting all local
+changes in /etc/security/msec/security.conf. This usually should be performed
+either on first install, on when a transition to a different level is required.'''),
+p14=_("Enable debugging messages."),
+p15=_('''Verify the actions that will be performed by msec, without actually
+doing anything to the system. In this mode of operation, msec performs all the
+required tasks, except effectively writting data back to disk.'''),
+p16=_("Use path as root. Can be used to perform msec actions in chroot."),
+p17=_("Run quietly"),
+p18=_( "Save current settings as a new security level."),
+p19=_('''This application is responsible for system permission checking and enforcements.
+
+When executed without parameters, msecperms will read the permissions
+configuration file (/etc/security/msec/perms.conf), and enforce the specified
+security settings. The operations are logged to \\fB/var/log/msec.log\\fP file,
+and also to syslog, using \\fBLOG_AUTHPRIV\\fR facility. Please note that msecperms
+should by run as root.'''),
+p20=_("This option will display the list of supported command line options."),
+p21=_("List the default configuration for given security level."),
+p22=_("Enforce the default permissions on all files."),
+p24=_("This is the GTK version of msec. It acts as frontend to all msec functionalities."),
+tit4=_("EXAMPLES"),
+p25=_("Enforce system configuration according to /etc/security/msec/security.conf file:"),
+p26=_("Display system configuration changes without enforcing anything:"),
+p27=_("Install predefined security level 'standard':"),
+p28=_("Preview changes inflicted by change to 'standard' level:"),
+p29=_("Create a custom security level based on 'standard':"),
+p30=_("Export current security settings to create a new security level named 'office':"),
+tit6=_("DEFINING EXCEPTIONS FOR PERIODIC CHECKS"),
+p31=_("Enforce system permissions according to /etc/security/msec/perms.conf file:"),
+p32=_("Display permissions changes without enforcing anything:"),
+p33=_("Install predefined permissions for level 'standard':"),
+p34=_("Preview changes inflicted by change to 'standard' level:"),
+p35=_("Create a custom permissions level based on 'secure':"),
+p36=_("Export current security settings to create a new security level named 'office':"),
+p37=_('''msec
+is capable of excluding certain patterns from periodic check reports. For
+this, it is possible to define the exceptions in
+\\fB/etc/security/msec/exceptions\\fP file, for each supported check.'''),
+p38=_('''For example, to exclude all items that match \\fB/mnt\\fP, Mageia-based
+chrooted installations in \\fB/chroot\\fP and all backup files from the
+results of of check for unowned files on the system, it is sufficient to
+define the following entry in the exceptions file:'''),
+p39=_("In a similar way, it is possible to exclude the results for the \\fBdeluge\\fP application from the list of open ports as follows:"),
+p40=_("Each exception entry is a regular exception, and you might define as many exceptions as necessary."),
+p41=_("In order to exclude a path from all msec checks, you may use * for the check name. For example, the following would exclude /media/ from all msec checks:"),
+p42=_("See below for all msec options that support this feature."),
+tit5=_("SECURITY OPTIONS"),
+p43=_("The following security options are supported by msec:")
+)
footer = '''.RE
-.SH NOTES
-Msec applications must be run by root.
-.SH AUTHORS
+.SH {tit6}
+{p45}
+.SH {tit7}
Frederic Lepied
Eugeni Dodonov
-'''
+'''.format(
+tit6=_("NOTES"),
+p45=_("Msec applications must be run by root."),
+tit7=_("AUTHORS"))
### strings used in the rewritting
function_str = '''
.TP 4
-.B \\fI%s\\fP
-%s
+.B \\fI{callback}\\fP
+{f}
-MSEC parameter: \\fI%s\\fP
+{label1} \\fI{v}\\fP
-Accepted values: \\fI%s\\fP
+{label2} \\fI{params}\\fP
'''
### code
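Review bot: `p5` is assigned with a bare `(` instead of `_(`, so the description of the `secure` level is the one paragraph that is never extracted or looked up and will stay in English; it should open with `p5 =_( '''this level is configured …` like its neighbours. Separately, `tit6` stands for "DEFINING EXCEPTIONS FOR PERIODIC CHECKS" in the header call and for "NOTES" in the footer call; this works only because the two `.format` calls are independent, and a distinct keyword in the footer would avoid a later mix-up. The new msgids also carry over the typos of the old text (`overwritting`, `writting`, `should by run`, `results of of`), and fixing them now is cheaper than after translators have picked the strings up.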
@@ -304,10 +362,10 @@ for callback in callbacks:
variable, params = settings_rev[callback]
func = msec.get_action(callback)
if func:
- print(function_str % (callback, func.__doc__.strip(), variable, ", ".join(params)))
+ print(function_str.format(callback=callback, f=func.__doc__.strip(), v=variable, params=", ".join(params), label1=_('MSEC parameter:'), label2=_("Accepted values:")))
if variable in config.CHECKS_WITH_EXCEPTIONS:
# this check supports exceptions
- print("""(This check supports exceptions via %s variable defined in \\fB/etc/security/msec/exceptions\\fP file)""" % variable)
+ print(_("(This check supports exceptions via %s variable defined in \\fB/etc/security/msec/exceptions\\fP file)") % variable)
print(footer)
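Review bot: In the new `function_str.format(...)` call, `f=func.__doc__.strip()` is passed without `_()`, so the per-option descriptions would still be printed in English unless libmsec already translates its docstrings (not visible here); if they are meant to be in the catalog, use `f=_(func.__doc__.strip())`. The same expression raises `AttributeError` for an action without a docstring, which `doc = (func.__doc__ or "").strip()` avoids. The exceptions message still uses `%s` after `_()`, so a msgstr that drops the `%s` fails with `TypeError` at generation time; a `{variable}` placeholder with `.format(variable=variable)` would match the rest of the commit and tolerate that. The enclosing `for callback in callbacks:` loop starts outside the hunk.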