From 7e8b185f1d5705ca80c87fa5d5b8ac3ff699c42c Mon Sep 17 00:00:00 2001 From: Yoann Vandoorselaere Date: Mon, 29 Nov 1999 15:06:21 +0000 Subject: *** empty log message *** --- Makefile | 1 + doc/msec.spec | 18 +++++++-- init-sh/custom.sh | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ init-sh/init.sh | 1 + init-sh/lib.sh | 19 +++++++--- 5 files changed, 140 insertions(+), 9 deletions(-) diff --git a/Makefile b/Makefile index a7e1e15..e3755ce 100644 --- a/Makefile +++ b/Makefile @@ -17,6 +17,7 @@ install: (cp init-sh/grpuser /etc/security/msec/init-sh); (cp init-sh/file_perm.sh /etc/security/msec/init-sh); (cp init-sh/*.[1-5] /etc/security/msec/init-sh/) + (cp init-sh/custom.sh /etc/security/msec/init-sh); (cp init-sh/server.* /etc/security/msec/init-sh) (touch /etc/security/msec/security.conf) (cd src/promisc_check; make install) diff --git a/doc/msec.spec b/doc/msec.spec index 45ef518..22f56ee 100644 --- a/doc/msec.spec +++ b/doc/msec.spec @@ -1,7 +1,7 @@ Summary: Security Level & Program for the Linux Mandrake distribution Name: msec -Version: 0.3 -Release: 8mdk +Version: 0.4 +Release: 1mdk Source: ftp://mandrakesoft.com/pub/yoann/msec-0.3.tar.gz Copyright: GPL Group: System Environment/Base @@ -11,8 +11,8 @@ Requires: /bin/bash setup chkconfig %description The Mandrake-Security package is designed to provide generic secure level to the Mandrake-Linux users... -It will permit you to choose between level 1 to 5 for a -less -> more secured distribution. +It will permit you to choose between level 1 to 5 & custom +for a less -> more secured distribution. This packages includes several program that will be run periodically in order to test the security of your system and alert you if needed. 
@@ -34,6 +34,7 @@ cp init-sh/file_perm.sh $RPM_BUILD_ROOT/etc/security/msec/init-sh cp init-sh/perm.[1-5] $RPM_BUILD_ROOT/etc/security/msec/init-sh cp init-sh/server.* $RPM_BUILD_ROOT/etc/security/msec/init-sh cp init-sh/grpuser $RPM_BUILD_ROOT/etc/security/msec/init-sh +cp init-sh/custom.sh $RPM_BUILD_ROOT/etc/security/msec/init-sh cp cron-sh/*.sh $RPM_BUILD_ROOT/etc/security/msec/cron-sh touch $RPM_BUILD_ROOT/etc/security/msec/security.conf cp src/promisc_check/promisc_check $RPM_BUILD_ROOT/usr/bin @@ -47,6 +48,15 @@ rm -rf $RPM_BUILD_ROOT /usr/bin/promisc_check %changelog +* Mon Nov 29 1999 Yoann Vandoorselaere +- Released 0.4 : +- Now have a custom mode, just answer the question. +- Msec print what it does. +- Bug fix in LiloUpdate(). + +* Mon Nov 29 1999 Yoann Vandoorselaere +- Fixed a few bugs in msec. + * Fri Nov 26 1999 Yoann Vandoorselaere - grpuser was not installed. diff --git a/init-sh/custom.sh b/init-sh/custom.sh index e69de29..eac0cc8 100755 --- a/init-sh/custom.sh +++ b/init-sh/custom.sh 
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann
+#
+
+if [ -f /etc/security/msec/init-sh/lib.sh ]; then
+ . /etc/security/msec/init-sh/lib.sh
+fi
+
+
+clear
+
+###
+echo "Do you want your log file to be in append mode only ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ find /var/log/ -type f -exec chattr +a {} \;
+fi
+###
+echo "Do you want all system events to be logged on tty12 ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "*.* /dev/tty12" /etc/syslog.conf
+fi
+###
+echo "Do you want to deny any machine to connect to yours ?"
+WaitAnswer
+if [ ${answer} == "yes" ]; then
+ echo "Do you want only localhost to be allowed ?"
+ WaitAnswer; clear
+ if [ "${answer}" == "yes" ]; then
+ AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny
+ else
+ AddRules "ALL:ALL:DENY" /etc/hosts.deny
+ fi
+fi
+###
+echo "Do you want root console login to be allowed ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "tty1" /etc/securetty quiet
+ AddRules "tty2" /etc/securetty quiet
+ AddRules "tty3" /etc/securetty quiet
+ AddRules "tty4" /etc/securetty quiet
+ AddRules "tty5" /etc/securetty quiet
+ AddRules "tty6" /etc/securetty
+fi
+###
+echo "Do you want your system to daily check SUID Root file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to daily check SUID Group file change ?"
+WaitAnswer; clear
+if [ ${answer} == "yes" ]; then
+ AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
+ AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab
+fi
+###
+echo "Do you want your system to daily check Writable file change ?"
+WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "CHECK_WRITABLE=yes" /etc/security/msec/security.conf + AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab +fi +### +echo "Do you want your system to daily check Unowned file change ?" +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf + AddRules "0 0-23 * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/file_check.sh" /etc/crontab +fi +### +echo "Do you want your system to verify every minutes if a network interface" +echo "is in promiscuous state (which mean someone is probably running a sniffer on your machine ) ?" +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf + AddRules "*/1 * * * * root nice --adjustment=+19 /etc/security/msec/cron-sh/promisc_check.sh" /etc/crontab +fi +### +LiloUpdate; +/sbin/lilo >& /dev/null +### +echo "Do you want a "." in your PATH variable ?" +echo "This permit you to not use ./progname & to just type progname" +echo "However this is a *high* security risk." +WaitAnswer; clear +if [ ${answer} == "yes" ]; then + AddRules "PATH=\$PATH:/usr/X11R6/bin" /etc/profile +fi +### +AddRules "SECURE_LEVEL=\"custom\"" /etc/profile +export SECURE_LEVEL="custom" +### +AddRules "umask 077" /etc/profile + + + + + + + + + diff --git a/init-sh/init.sh b/init-sh/init.sh index fa8e9b3..361eb1e 100755 --- a/init-sh/init.sh +++ b/init-sh/init.sh @@ -9,6 +9,7 @@ fi if [ "${1}" == "custom" ]; then /etc/security/msec/init-sh/custom.sh + exit 0; fi if [ -f /etc/security/msec/init-sh/level$1.sh ]; then diff --git a/init-sh/lib.sh b/init-sh/lib.sh index 578c4e4..81c62c0 100644 --- a/init-sh/lib.sh +++ b/init-sh/lib.sh 
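Review bot: The `.`-in-PATH prompt near the end of custom.sh does not act on the answer it asks for: on "yes" it appends `PATH=\$PATH:/usr/X11R6/bin` to /etc/profile, so the setting the user is warned about is never applied and an unrelated directory is added instead; the rule should match the question, and dropping the question is the safer way to resolve it. The inner quotes in `echo "Do you want a "." in your PATH variable ?"` also close the string, so the prompt prints a bare dot; `echo 'Do you want a "." in your PATH variable ?'` keeps them. Every `[ ${answer} == "yes" ]` test is unquoted, and the `lib.sh` guard at the top continues silently when the library is missing, leaving WaitAnswer and AddRules undefined; `. /etc/security/msec/init-sh/lib.sh || exit 1` and `[ "${answer}" = "yes" ]` make that failure explicit. The four file-check prompts each append the same `file_check.sh` crontab line, which may duplicate the entry unless AddRules de-duplicates (its body is not in this diff), and `0 0-23 * * *` runs hourly rather than daily as the prompts say.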
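Review bot: The added `exit 0;` in init.sh reports success whatever custom.sh did, including when that script is missing or not executable, so a caller cannot tell that the custom level was not applied. Propagating the status keeps the early exit: `/etc/security/msec/init-sh/custom.sh; exit $?`, or `exec /etc/security/msec/init-sh/custom.sh` in place of both lines.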
@@ -26,6 +26,15 @@ fi USERNAME="blah" COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too." +WaitAnswer() { + answer="nothing" + + while [[ "${answer}" != "yes" && "${answer}" != "no" ]]; do + echo -n "yes/no : " + read answer + done +} + AddRules () { string=$1 file=$2 @@ -113,9 +122,8 @@ LiloUpdate() { echo "Do you want a password authentication at boot time ?" echo "Be very carefull," echo "this will prevent your server to reboot without an operator to enter password". - echo -n "[yes]/no : " - read answer - if [[ "${answer}" == "yes" || "${answer}" == "" ]]; then + WaitAnswer + if [ "${answer}" == "yes" ]; then echo -n "Please enter the password which will be used at boot time : " read password else @@ -131,9 +139,10 @@ LiloUpdate() { if ! echo "${line}" | grep -q "password"; then echo "${line}" >> /etc/lilo.conf fi - done < /etc/secure.tmp + done < /tmp/secure.tmp - rm -f /etc/secure.tmp + rm -f /tmp/secure.tmp + clear AddRules "password=$PASSWORD" /etc/lilo.conf fi } -- cgit v1.2.1
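Review bot: WaitAnswer never leaves its loop once stdin reaches end-of-file (a non-interactive run or a closed terminal): `read answer` fails, `answer` is left empty, and the prompt repeats forever. Checking the read result ends the loop, for example `read -r answer || { answer="no"; return 1; }`, which also adds `-r` so backslashes in the input are taken literally. A short header comment saying that the result is returned in the global `answer` and is always `yes` or `no` would help, because every caller in custom.sh and LiloUpdate depends on that.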
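Review bot: Moving the scratch file from /etc/secure.tmp to the fixed name /tmp/secure.tmp places a root-run script's working file in a world-writable directory under a predictable name, and the loop in this hunk appends its lines to /etc/lilo.conf. Any local user can create that path beforehand, as a file or as a symlink, so neither the content copied into lilo.conf nor the file the earlier write lands on can be trusted; the code that writes the file lies outside this hunk, as does the start of LiloUpdate, so that part is inferred. A private file avoids the problem: `tmp=$(mktemp) || return 1` before the file is written, then `done < "$tmp"` and `rm -f -- "$tmp"`. Because `AddRules "password=$PASSWORD" /etc/lilo.conf` stores the boot password in clear text, the file should also be readable by root only, e.g. `chmod 600 /etc/lilo.conf` after the rule is added.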