From 7302e9630ba3d551368b16454b890806056c68b1 Mon Sep 17 00:00:00 2001
From: Yoann Vandoorselaere
Date: Tue, 4 Jan 2000 12:37:33 +0000
Subject: *** empty log message ***

---
 ChangeLog | 1 +
 doc/security.txt | 4 +++-
 init-sh/custom.sh | 46 ++++++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 24c3821..542b4bc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 2000-01-04 Yoann Vandoorselaere
 * shutdown.allow is 600 in level 4/5; 644 else.
+ * updated doc/security.txt
 2000-01-03 Yoann Vandoorselaere
 * level 0-3 -> ctrl-alt-del allowed.
diff --git a/doc/security.txt b/doc/security.txt
index 86c101c..ff1280b 100644
--- a/doc/security.txt
+++ b/doc/security.txt
@@ -74,6 +74,7 @@ Security level 4 ( Aka Secured system ) :
 chkconfig ).
 - Ask for a boot password ( if the user want ).
 - Connection to the system denyied for all except localhost.
+- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ).
 *******************************
 Security level 5 ( Aka Paranoid system ) :
@@ -97,11 +98,12 @@ Security level 5 ( Aka Paranoid system ) :
 - Highly restricted file permission
 - All system events additionally logged to /dev/tty12
 - System security check every midnight ( crontab ).
-* - Services not contained in /etc/security/msec/init-sh/server.5 are disabled (
+- Services not contained in /etc/security/msec/init-sh/server.5 are disabled (
 considered as not really secure ) ( but the user can reenable it with
 chkconfig ).
 - Ask for a boot password ( if the user want ).
 - Connection to the system denyied for all.
+- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ) .
 ******************
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index 99154f9..057a288 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -9,7 +9,6 @@ if [[ -f /etc/security/msec/init-sh/lib.sh ]]; then
 . /etc/security/msec/init-sh/lib.sh
 fi
- clear
 ###
@@ -19,6 +18,21 @@ if [[ ${answer} == yes ]]; then
 AddRules "*.* /dev/tty12" /etc/syslog.conf
 fi
+###
+echo "Do you want to only allow ctrl-alt-del if root is logged locally ?"
+echo "( or if an user present in /etc/shutdown.allow is logged locally )"
+WaitAnswer; clear
+tmpfile=`mktemp tmp/secure.XXXXXX`
+cp /etc/inittab ${tmpfile}
+if [[ ${answer} == yes ]]; then
+ cat ${tmpfile} | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
+else
+ cat ${tmpfile} | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
+fi
+rm -f ${tmpfile}
+
 ###
 echo "Do you want to deny any machine to connect to yours ?"
 WaitAnswer
@@ -36,7 +50,7 @@ fi
 echo "Do you want root console login to be allowed ?"
 WaitAnswer; clear
 if [[ ${answer} == yes ]]; then
- AddRules "tty1" /etc/securetty quiet
+g AddRules "tty1" /etc/securetty quiet
 AddRules "tty2" /etc/securetty quiet
 AddRules "tty3" /etc/securetty quiet
 AddRules "tty4" /etc/securetty quiet
@@ -117,6 +131,34 @@ if [[ ${answer} == yes ]]; then
 fi
 ###
+echo "Do you want security report to be done directly on the console ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "TTY_WARN=yes" /etc/security/msec/security.conf
+else
+ AddRules "TTY_WARN=no" /etc/security/msec/security.conf
+fi
+###
+
+echo "Do you want security report to be done in syslog ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
+else
+ AddRules "SYSLOG_WARN=no" /etc/security/msec/security.conf
+fi
+###
+
+echo "Do you want security report to be done by mail ?"
+WaitAnswer; clear
+if [[ ${answer} == yes ]]; then
+ AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf
+else
+ AddRules "MAIL_WARN=no" /etc/security/msec/security.conf
+fi
+###
+
+
 LiloUpdate; /sbin/lilo >& /dev/null
--
cgit v1.2.1
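Review bot: The /etc/inittab rewrite in the ctrl-alt-del block is not safe against a failed `mktemp`: the template `tmp/secure.XXXXXX` is relative to whatever directory the script is run from, and when it fails `tmpfile` is empty, the `cp` fails, and `cat ${tmpfile} | sed ... > /etc/inittab` still runs with the `>` redirection truncating /etc/inittab before anything has been read, leaving the machine with an empty inittab. The same redirection means a sed error or an interrupt mid-pipeline also leaves a partially written file, and since the sed expression only matches the exact `/sbin/shutdown -t3 -r now` line, a differently written `ca::ctrlaltdel:` entry is silently left untouched with no warning to the user. The safer shape is to create the temp file under an absolute directory, abort if that fails, write sed's output to the temp file, and only copy it over /etc/inittab once it exists in full. Note also that, if I recall sysvinit correctly, init does not re-read /etc/inittab until `telinit q` or a runlevel change, so the new setting presumably does not take effect until then — worth a `/sbin/telinit q` after the rewrite or a comment saying so.
```shell
tmpfile=$(mktemp /tmp/secure.XXXXXX) || exit 1
if [[ ${answer} == yes ]]; then
    sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' /etc/inittab > ${tmpfile}
else
    sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' /etc/inittab > ${tmpfile}
fi
# Replace /etc/inittab only once the edited copy is complete; `cat >` keeps
# inittab's original mode and owner, which `mv` of a 0600 mktemp file would not.
if [[ $? -eq 0 && -s ${tmpfile} ]]; then
    cat ${tmpfile} > /etc/inittab
fi
rm -f ${tmpfile}
```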
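Review bot: The stray `g` in front of `AddRules "tty1" /etc/securetty quiet` turns that line into a call to a command named `g`, so answering yes to root console login yields a `command not found` and tty1 is never added to /etc/securetty while tty2 to tty4 are, silently leaving root unable to log in on the first console; the line should read `    AddRules "tty1" /etc/securetty quiet` as before. This is the hunk's only change, so it looks like an editor slip rather than an intended edit — if the `g` is a rendering artifact of this page, disregard. The enclosing `if [[ ${answer} == yes ]]` closes outside the hunk.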
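Review bot: Each of the three new prompts appends either `X_WARN=yes` or `X_WARN=no` to /etc/security/msec/security.conf with `AddRules`, and since this script is re-run whenever the level is reconfigured, a user who flips an answer will presumably end up with both `TTY_WARN=yes` and `TTY_WARN=no` in the file, the effective value then depending on how security.conf is read. `AddRules` is defined in lib.sh, outside this hunk, so I cannot confirm whether it de-duplicates by key rather than by whole line; if it does not, each block should first drop any existing `TTY_WARN=` / `SYSLOG_WARN=` / `MAIL_WARN=` line (a `grep -v '^KEY='` into a temp file copied back, or a small SetVar-style helper in lib.sh) before appending the new value. A comment above the first block stating that these keys are read by the periodic security check would also help the next maintainer, since nothing in this file says who consumes them.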