From ff31c9236b1fd7465ea9687fc735e8af882e780e Mon Sep 17 00:00:00 2001
From: Eugeni Dodonov
Date: Tue, 6 Jan 2009 21:31:46 +0000
Subject: Updated to working version of new msec.

Conflicts:
	Makefile
	cron-sh/security_check.sh
	share/msec.py
---
 conf/level.default | 54 +++++++++++++++++++++++++++++
 conf/level.none | 54 +++++++++++++++++++++++++++++
 conf/level.secure | 54 +++++++++++++++++++++++++++++
 conf/perm.0 | 92 --------------------------------------------------
 conf/perm.1 | 94 ---------------------------------------------------
 conf/perm.2 | 96 ----------------------------------------------------
 conf/perm.3 | 96 ----------------------------------------------------
 conf/perm.4 | 96 ----------------------------------------------------
 conf/perm.5 | 96 ----------------------------------------------------
 conf/perm.default | 96 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 conf/perm.none | 94 +++++++++++++++++++++++++++++++++++++++++++++++++++
 conf/perm.secure | 97 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 conf/server.4 | 41 ----------------------
 conf/server.5 | 14 --------
 conf/server.default | 41 ++++++++++++++++++++++
 conf/server.secure | 14 ++++++++
 16 files changed, 504 insertions(+), 625 deletions(-)
 create mode 100644 conf/level.default
 create mode 100644 conf/level.none
 create mode 100644 conf/level.secure
 delete mode 100644 conf/perm.0
 delete mode 100644 conf/perm.1
 delete mode 100644 conf/perm.2
 delete mode 100644 conf/perm.3
 delete mode 100644 conf/perm.4
 delete mode 100644 conf/perm.5
 create mode 100644 conf/perm.default
 create mode 100644 conf/perm.none
 create mode 100644 conf/perm.secure
 delete mode 100644 conf/server.4
 delete mode 100644 conf/server.5
 create mode 100644 conf/server.default
 create mode 100644 conf/server.secure

(limited to 'conf')

diff --git a/conf/level.default b/conf/level.default
new file mode 100644
index 0000000..f9c0f7f
--- /dev/null
+++ b/conf/level.default
@@ -0,0 +1,54 @@
+ENABLE_APPARMOR=no
+ALLOW_X_CONNECTIONS=local
+CHECK_WRITABLE=yes
+ENABLE_IP_SPOOFING_PROTECTION=yes
+MAIL_EMPTY_CONTENT=no
+ACCEPT_BROADCASTED_ICMP_ECHO=yes
+CHECK_PERMS=yes
+CHECK_USER_FILES=yes
+ENABLE_SUDO=wheel
+ALLOW_XSERVER_TO_LISTEN=no
+CHECK_CHKROOTKIT=yes
+SHELL_HISTORY_SIZE=-1
+ALLOW_REBOOT=yes
+CHECK_SUID_ROOT=yes
+SYSLOG_WARN=yes
+ENABLE_AT_CRONTAB=yes
+ACCEPT_BOGUS_ERROR_RESPONSES=no
+CHECK_PASSWD=yes
+PASSWORD_HISTORY=0
+CHECK_SUID_MD5=yes
+CHECK_SHOSTS=yes
+MAIL_USER=root
+ALLOW_AUTOLOGIN=yes
+ENABLE_PAM_WHEEL_FOR_SU=no
+CHECK_SHADOW=yes
+ALLOW_ROOT_LOGIN=yes
+CHECK_UNOWNED=no
+ENABLE_CONSOLE_LOG=yes
+ALLOW_USER_LIST=yes
+ENABLE_DNS_SPOOFING_PROTECTION=yes
+CREATE_SERVER_LINK=default
+ENABLE_PASSWORD=yes
+NOTIFY_WARN=yes
+WIN_PARTS_UMASK=no
+CHECK_OPEN_PORT=yes
+SHELL_TIMEOUT=0
+ALLOW_REMOTE_ROOT_LOGIN=without_password
+ENABLE_LOG_STRANGE_PACKETS=yes
+USER_UMASK=022
+CHECK_RPM=yes
+ENABLE_SULOGIN=no
+ENABLE_PAM_ROOT_FROM_WHEEL=no
+MAIL_WARN=yes
+ALLOW_XAUTH_FROM_ROOT=yes
+CHECK_SECURITY=yes
+ACCEPT_ICMP_ECHO=yes
+PASSWORD_LENGTH=4,0,0
+AUTHORIZE_SERVICES=yes
+ROOT_UMASK=022
+ENABLE_MSEC_CRON=yes
+TTY_WARN=no
+ENABLE_POLICYKIT=yes
+CHECK_SGID=yes
+CHECK_PROMISC=no
diff --git a/conf/level.none b/conf/level.none
new file mode 100644
index 0000000..1e0f2c8
--- /dev/null
+++ b/conf/level.none
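Review bot: `ACCEPT_BROADCASTED_ICMP_ECHO=yes` and `PASSWORD_LENGTH=4,0,0` are weak choices for the level every installation gets by default: if the first key does what its name says, the host answers broadcast pings and can be used as an amplifier, and the second accepts four-character passwords with no character-class requirement. level.secure already sets `ACCEPT_BROADCASTED_ICMP_ECHO=no`; there is no usability cost to doing the same here. The file also has no header at all, so a reader cannot tell what it is without opening the parser — a first line such as `# msec settings for the "default" security level, one KEY=value per line` would help, and `ALLOW_REMOTE_ROOT_LOGIN=without_password` in particular deserves a comment saying whether it means key-only root SSH (as the sshd option of that name does) or something else.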
@@ -0,0 +1,54 @@
+ENABLE_APPARMOR=no
+ALLOW_X_CONNECTIONS=yes
+CHECK_WRITABLE=no
+ENABLE_IP_SPOOFING_PROTECTION=yes
+MAIL_EMPTY_CONTENT=no
+ACCEPT_BROADCASTED_ICMP_ECHO=yes
+CHECK_PERMS=no
+CHECK_USER_FILES=no
+ENABLE_SUDO=yes
+ALLOW_XSERVER_TO_LISTEN=yes
+CHECK_CHKROOTKIT=no
+SHELL_HISTORY_SIZE=-1
+ALLOW_REBOOT=yes
+CHECK_SUID_ROOT=no
+SYSLOG_WARN=no
+ENABLE_AT_CRONTAB=yes
+ACCEPT_BOGUS_ERROR_RESPONSES=yes
+CHECK_PASSWD=no
+PASSWORD_HISTORY=0
+CHECK_SUID_MD5=no
+CHECK_SHOSTS=no
+MAIL_USER=root
+ALLOW_AUTOLOGIN=yes
+ENABLE_PAM_WHEEL_FOR_SU=no
+CHECK_SHADOW=no
+ALLOW_ROOT_LOGIN=yes
+CHECK_UNOWNED=no
+ENABLE_CONSOLE_LOG=yes
+ALLOW_USER_LIST=yes
+ENABLE_DNS_SPOOFING_PROTECTION=yes
+CREATE_SERVER_LINK=no
+ENABLE_PASSWORD=yes
+NOTIFY_WARN=yes
+WIN_PARTS_UMASK=no
+CHECK_OPEN_PORT=no
+SHELL_TIMEOUT=0
+ALLOW_REMOTE_ROOT_LOGIN=yes
+ENABLE_LOG_STRANGE_PACKETS=no
+USER_UMASK=022
+CHECK_RPM=no
+ENABLE_SULOGIN=no
+ENABLE_PAM_ROOT_FROM_WHEEL=no
+MAIL_WARN=no
+ALLOW_XAUTH_FROM_ROOT=yes
+CHECK_SECURITY=no
+ACCEPT_ICMP_ECHO=yes
+PASSWORD_LENGTH=0,0,0
+AUTHORIZE_SERVICES=yes
+ROOT_UMASK=022
+ENABLE_MSEC_CRON=no
+TTY_WARN=no
+ENABLE_POLICYKIT=yes
+CHECK_SGID=no
+CHECK_PROMISC=no
diff --git a/conf/level.secure b/conf/level.secure
new file mode 100644
index 0000000..4d12b1d
--- /dev/null
+++ b/conf/level.secure
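Review bot: Nothing in this file says that selecting it turns off every periodic check and opens the machine up — `ALLOW_REMOTE_ROOT_LOGIN=yes`, `ALLOW_XSERVER_TO_LISTEN=yes`, `ENABLE_SUDO=yes`, `PASSWORD_LENGTH=0,0,0` and `ENABLE_MSEC_CRON=no` together — so an administrator who picks "none" expecting merely "quiet" gets an unhardened host with no warning. Suggest a first line `# msec level "none": all checks and hardening disabled; intended only for isolated or throwaway systems`. `ENABLE_SUDO=yes` here against `wheel` in level.default presumably means sudo for every user rather than for the wheel group; that is the single largest difference between the two levels and should be stated in a comment once the parser's meaning of `yes` is confirmed.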
@@ -0,0 +1,54 @@
+ENABLE_APPARMOR=yes
+ALLOW_X_CONNECTIONS=no
+CHECK_WRITABLE=yes
+ENABLE_IP_SPOOFING_PROTECTION=yes
+MAIL_EMPTY_CONTENT=yes
+ACCEPT_BROADCASTED_ICMP_ECHO=no
+CHECK_PERMS=yes
+CHECK_USER_FILES=yes
+ENABLE_SUDO=no
+ALLOW_XSERVER_TO_LISTEN=no
+CHECK_CHKROOTKIT=yes
+SHELL_HISTORY_SIZE=100
+ALLOW_REBOOT=no
+CHECK_SUID_ROOT=yes
+SYSLOG_WARN=yes
+ENABLE_AT_CRONTAB=no
+ACCEPT_BOGUS_ERROR_RESPONSES=no
+CHECK_PASSWD=yes
+PASSWORD_HISTORY=2
+CHECK_SUID_MD5=yes
+CHECK_SHOSTS=yes
+MAIL_USER=root
+ALLOW_AUTOLOGIN=no
+ENABLE_PAM_WHEEL_FOR_SU=yes
+CHECK_SHADOW=yes
+ALLOW_ROOT_LOGIN=no
+CHECK_UNOWNED=yes
+ENABLE_CONSOLE_LOG=no
+ALLOW_USER_LIST=no
+ENABLE_DNS_SPOOFING_PROTECTION=yes
+CREATE_SERVER_LINK=secure
+ENABLE_PASSWORD=yes
+NOTIFY_WARN=no
+WIN_PARTS_UMASK=0
+CHECK_OPEN_PORT=yes
+SHELL_TIMEOUT=600
+ALLOW_REMOTE_ROOT_LOGIN=no
+ENABLE_LOG_STRANGE_PACKETS=yes
+USER_UMASK=077
+CHECK_RPM=yes
+ENABLE_SULOGIN=yes
+ENABLE_PAM_ROOT_FROM_WHEEL=no
+MAIL_WARN=yes
+ALLOW_XAUTH_FROM_ROOT=no
+CHECK_SECURITY=yes
+ACCEPT_ICMP_ECHO=yes
+PASSWORD_LENGTH=6,1,1
+AUTHORIZE_SERVICES=local
+ROOT_UMASK=077
+ENABLE_MSEC_CRON=yes
+TTY_WARN=yes
+ENABLE_POLICYKIT=no
+CHECK_SGID=yes
+CHECK_PROMISC=yes
diff --git a/conf/perm.0 b/conf/perm.0
deleted file mode 100644
index e786706..0000000
--- a/conf/perm.0
+++ /dev/null
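Review bot: `WIN_PARTS_UMASK=0` is the one place where this key is not `no`, and if the parser reads it as an octal umask then `0` clears no permission bits at all, leaving vfat/ntfs mounts readable and writable by every user — the loosest possible setting on the level that is meant to be the strictest. The intent here is almost certainly a restrictive mask; `WIN_PARTS_UMASK=077` would match the `USER_UMASK=077` and `ROOT_UMASK=077` already set a few lines below, but the parser's handling of `no` versus a number should be confirmed before changing it. Like the other two level files this one has no header comment; a first line naming the level and its intent (`# msec level "secure": all checks on, root login local-only, private umask`) would let a reader place it without opening the code.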
@@ -1,92 +0,0 @@
-# Welcome in Level 0
-###
-/ root.root 755
-/bin/ root.root 755
-/bin/ping root.root 4755
-/bin/rpm rpm.rpm 755
-/boot/ root.root 755
-/dev/ root.root 755
-/etc/ root.root 755
-/etc/conf.modules root.root 644
-/etc/cron.daily/ root.root 755
-/etc/cron.hourly/ root.root 755
-/etc/cron.monthly/ root.root 755
-/etc/cron.weekly/ root.root 755
-/etc/crontab root.root 644
-/etc/dhcpcd/ root.root 755
-/etc/dhcpcd/* root.root 644
-/etc/ftpaccess root.root 644
-/etc/ftpconversions root.root 644
-/etc/ftpgroups root.root 644
-/etc/ftphosts root.root 644
-/etc/ftpusers root.root 644
-/etc/gettydefs root.root 644
-/etc/hosts.allow root.root 644
-/etc/hosts.deny root.root 644
-/etc/hosts.equiv root.root 644
-/etc/httpd/modules.d/*.conf root.root 644
-/etc/httpd/conf/*.conf root.root 644
-/etc/httpd/conf/addon-modules/* root.root 644
-/etc/httpd/conf/vhosts.d/* root.root 644
-/etc/httpd/conf/webapps.d/* root.root 644
-/etc/inetd.conf root.root 644
-/etc/inittab root.root 644
-/etc/ld.so.conf root.root 644
-/etc/mandrake-release root.root 644
-/etc/modules.conf root.root 644
-/etc/motd root.root 644
-/etc/printcap root.root 644
-/etc/profile.d/* root.root 755
-/etc/rc.d/ root.root 755
-/etc/rc.d/init.d/ root.root 755
-/etc/rc.d/init.d/* root.root 755
-/etc/securetty root.root 644
-/etc/mail/sendmail.cf root.mail 644
-/etc/shutdown.allow root.root 644
-/etc/ssh/ssh_config root.root 644
-/etc/ssh/ssh_host_*key root.root 600
-/etc/ssh/ssh_host_*key.pub root.root 644
-/etc/ssh/sshd_config root.root 644
-/etc/sysconfig root.root 755
-/etc/syslog.conf root.root 644
-/etc/updatedb.conf root.root 644
-/home/ root.root 755
-/home/* current 755
-/lib/ root.root 755
-/mnt/ root.root 755
-/proc root.root 555
-/root/ root.root 755
-/sbin/ root.root 755
-/tmp/ root.root 777
-/usr/ root.root 755
-/usr/* root.root 755
-/usr/bin/ root.root 755
-/usr/bin/cc root.root 755
-/usr/bin/finger root.root 755
-/usr/bin/g++* root.root 755
-/usr/bin/gcc* root.root 755
-/usr/bin/ssh root.root 755
-/usr/bin/telnet root.root 755
-/usr/bin/w root.root 755
-/usr/bin/who root.root 755
-/usr/lib/rpm/rpm? rpm.rpm 755
-/usr/sbin/ root.root 755
-/usr/sbin/sendmail.postfix root.root 755
-/usr/sbin/sendmail.sendmail root.mail 2755
-/usr/sbin/traceroute root.bin 4755
-/usr/share/doc root.root 755
-/usr/share/man root.root 755
-/usr/tmp root.root 777
-/var/ root.root 755
-/var/lib/rpm/Packages rpm.rpm 644
-/var/lock/subsys root.root 755
-/var/log/ root.root 755
-/var/log/* root.adm 644
-/var/log/lp-errs lp.lp 600
-/var/log/*/* current 644
-/var/log/*/*/* current 644
-/var/log/*/. current 755
-/var/log/mailman/ root.mail 2775
-/var/log/mailman/* root.mail 664
-/var/spool/mail/ root.mail 2775
-/var/tmp root.root 777
diff --git a/conf/perm.1 b/conf/perm.1
deleted file mode 100644
index ddeaa3c..0000000
--- a/conf/perm.1
+++ /dev/null
@@ -1,94 +0,0 @@
-# Welcome in Level 1
-###
-/ root.root 755
-/bin/ root.root 755
-/bin/ping root.root 4755
-/bin/rpm rpm.rpm 755
-/boot/ root.root 755
-/dev/ root.root 755
-/etc/ root.root 755
-/etc/conf.modules root.root 644
-/etc/cron.daily/ root.root 755
-/etc/cron.hourly/ root.root 755
-/etc/cron.monthly/ root.root 755
-/etc/cron.weekly/ root.root 755
-/etc/crontab root.root 644
-/etc/dhcpcd/ root.root 755
-/etc/dhcpcd/* root.root 644
-/etc/ftpaccess root.root 644
-/etc/ftpconversions root.root 644
-/etc/ftpgroups root.root 644
-/etc/ftphosts root.root 644
-/etc/ftpusers root.root 644
-/etc/gettydefs root.root 644
-/etc/hosts.allow root.root 644
-/etc/hosts.deny root.root 644
-/etc/hosts.equiv root.root 644
-/etc/httpd/modules.d/*.conf root.root 644
-/etc/httpd/conf/*.conf root.root 644
-/etc/httpd/conf/addon-modules/* root.root 644
-/etc/httpd/conf/vhosts.d/* root.root 644
-/etc/httpd/conf/webapps.d/* root.root 644
-/etc/inetd.conf root.root 644
-/etc/inittab root.root 644
-/etc/ld.so.conf root.root 644
-/etc/mandrake-release root.root 644
-/etc/modules.conf root.root 644
-/etc/motd root.root 644
-/etc/printcap root.root 644
-/etc/profile.d/* root.root 755
-/etc/rc.d/ root.root 755
-/etc/rc.d/init.d/ root.root 755
-/etc/rc.d/init.d/* root.root 744
-/etc/rc.d/init.d/functions root.root 644
-/etc/rc.d/init.d/mandrake_consmap root.root 644
-/etc/securetty root.root 644
-/etc/sendmail.cf root.mail 644
-/etc/shutdown.allow root.root 644
-/etc/ssh/ssh_config root.root 644
-/etc/ssh/ssh_host_*key root.root 600
-/etc/ssh/ssh_host_*key.pub root.root 644
-/etc/ssh/sshd_config root.root 644
-/etc/sysconfig root.root 755
-/etc/syslog.conf root.root 644
-/etc/updatedb.conf root.root 644
-/home/ root.root 755
-/home/* current 755
-/lib/ root.root 755
-/mnt/ root.root 755
-/proc root.root 555
-/root/ root.root 755
-/sbin/ root.root 755
-/tmp/ root.root 1777
-/usr/ root.root 755
-/usr/* root.root 755
-/usr/bin/ root.root 755
-/usr/bin/cc root.root 755
-/usr/bin/finger root.root 755
-/usr/bin/g++* root.root 755
-/usr/bin/gcc* root.root 755
-/usr/bin/ssh root.root 755
-/usr/bin/telnet root.root 755
-/usr/bin/w root.root 755
-/usr/bin/who root.root 755
-/usr/lib/rpm/rpm? rpm.rpm 755
-/usr/sbin/ root.root 755
-/usr/sbin/sendmail.postfix root.root 755
-/usr/sbin/sendmail.sendmail root.mail 2755
-/usr/sbin/traceroute root.bin 4755
-/usr/share/doc root.root 755
-/usr/share/man root.root 755
-/usr/tmp root.root 1777
-/var/ root.root 755
-/var/lib/rpm/Packages rpm.rpm 644
-/var/lock/subsys root.root 755
-/var/log/ root.root 755
-/var/log/* root.adm 644
-/var/log/lp-errs lp.lp 600
-/var/log/*/* current 644
-/var/log/*/*/* current 644
-/var/log/*/. current 755
-/var/log/mailman/ root.mail 2775
-/var/log/mailman/* root.mail 664
-/var/spool/mail/ root.mail 2775
-/var/tmp root.root 1777
diff --git a/conf/perm.2 b/conf/perm.2
deleted file mode 100644
index 7fa4ae8..0000000
--- a/conf/perm.2
+++ /dev/null
@@ -1,96 +0,0 @@
-# Welcome in Level 2
-###
-/ root.root 755
-/bin/ root.root 755
-/bin/ping root.root 4755
-/bin/rpm rpm.rpm 755
-/boot/ root.root 755
-/dev/ root.root 755
-/etc/ root.root 755
-/etc/conf.modules root.root 644
-/etc/cron.daily/ root.root 755
-/etc/cron.hourly/ root.root 755
-/etc/cron.monthly/ root.root 755
-/etc/cron.weekly/ root.root 755
-/etc/crontab root.root 644
-/etc/dhcpcd/ root.root 755
-/etc/dhcpcd/* root.root 644
-/etc/ftpaccess root.root 644
-/etc/ftpconversions root.root 644
-/etc/ftpgroups root.root 644
-/etc/ftphosts root.root 644
-/etc/ftpusers root.root 644
-/etc/gettydefs root.root 644
-/etc/hosts.allow root.root 644
-/etc/hosts.deny root.root 644
-/etc/hosts.equiv root.root 644
-/etc/httpd/modules.d/*.conf root.root 644
-/etc/httpd/conf/*.conf root.root 644
-/etc/httpd/conf/addon-modules/* root.root 644
-/etc/httpd/conf/vhosts.d/* root.root 644
-/etc/httpd/conf/webapps.d/* root.root 644
-/etc/inetd.conf root.root 644
-/etc/inittab root.root 644
-/etc/ld.so.conf root.root 644
-/etc/mandrake-release root.root 644
-/etc/modules.conf root.root 644
-/etc/motd root.root 644
-/etc/printcap root.root 644
-/etc/profile.d/* root.root 755
-/etc/rc.d/ root.root 755
-/etc/rc.d/init.d/ root.root 755
-/etc/rc.d/init.d/* root.root 744
-/etc/rc.d/init.d/functions root.root 644
-/etc/rc.d/init.d/mandrake_consmap root.root 644
-/etc/rc.d/init.d/xprint root.root 755
-/etc/securetty root.root 644
-/etc/sendmail.cf root.mail 644
-/etc/shutdown.allow root.root 644
-/etc/ssh/ssh_config root.root 644
-/etc/ssh/ssh_host_*key root.root 600
-/etc/ssh/ssh_host_*key.pub root.root 644
-/etc/ssh/sshd_config root.root 644
-/etc/sysconfig root.root 755
-/etc/syslog.conf root.root 644
-/etc/updatedb.conf root.root 644
-/home/ root.root 755
-/home/* current 755
-/lib/ root.root 755
-/mnt/ root.root 755
-/proc root.root 555
-/root/ root.root 700
-/sbin/ root.root 755
-/tmp/ root.root 1777
-/usr/ root.root 755
-/usr/* root.root 755
-/usr/bin/ root.root 755
-/usr/bin/cc root.root 755
-/usr/bin/finger root.root 755
-/usr/bin/g++* root.root 755
-/usr/bin/gcc* root.root 755
-/usr/bin/ssh root.root 755
-/usr/bin/telnet root.root 755
-/usr/bin/w root.root 755
-/usr/bin/who root.root 755
-/usr/lib/rpm/rpm? rpm.rpm 755
-/usr/sbin/ root.root 755
-/usr/sbin/sendmail.postfix root.root 755
-/usr/sbin/sendmail.sendmail root.mail 2755
-/usr/sbin/traceroute root.bin 4755
-/usr/share/doc root.root 755
-/usr/share/man root.root 755
-/usr/tmp root.root 1777
-/var/ root.root 755
-/var/lib/rpm/Packages rpm.rpm 644
-/var/lock/subsys root.root 755
-/var/log/ root.root 755
-/var/log/* root.adm 640
-/var/log/Xorg.0.log current current
-/var/log/lp-errs lp.lp 600
-/var/log/*/* current 640
-/var/log/*/*/* current 640
-/var/log/*/. current 755
-/var/log/mailman/ root.mail 2775
-/var/log/mailman/* root.mail 664
-/var/spool/mail/ root.mail 2775
-/var/tmp root.root 1777
diff --git a/conf/perm.3 b/conf/perm.3
deleted file mode 100644
index 23f273b..0000000
--- a/conf/perm.3
+++ /dev/null
@@ -1,96 +0,0 @@
-# Welcome in Level 3
-###
-/ root.adm 755
-/bin/ root.root 755
-/bin/ping root.root 4755
-/bin/rpm rpm.rpm 755
-/boot/ root.root 755
-/dev/ root.root 755
-/etc/ root.root 755
-/etc/conf.modules root.root 644
-/etc/cron.daily/ root.root 755
-/etc/cron.hourly/ root.root 755
-/etc/cron.monthly/ root.root 755
-/etc/cron.weekly/ root.root 755
-/etc/crontab root.root 644
-/etc/dhcpcd/ root.root 755
-/etc/dhcpcd/* root.root 644
-/etc/ftpaccess root.root 644
-/etc/ftpconversions root.root 644
-/etc/ftpgroups root.root 644
-/etc/ftphosts root.root 644
-/etc/ftpusers root.root 644
-/etc/gettydefs root.root 644
-/etc/hosts.allow root.root 644
-/etc/hosts.deny root.root 644
-/etc/hosts.equiv root.root 644
-/etc/httpd/modules.d/*.conf root.root 644
-/etc/httpd/conf/*.conf root.root 644
-/etc/httpd/conf/addon-modules/* root.root 644
-/etc/httpd/conf/vhosts.d/* root.root 644
-/etc/httpd/conf/webapps.d/* root.root 644
-/etc/inetd.conf root.root 644
-/etc/inittab root.root 644
-/etc/ld.so.conf root.root 644
-/etc/mandrake-release root.root 644
-/etc/modules.conf root.root 644
-/etc/motd root.root 644
-/etc/printcap root.root 644
-/etc/profile.d/* root.root 755
-/etc/rc.d/ root.root 755
-/etc/rc.d/init.d/ root.root 755
-/etc/rc.d/init.d/* root.root 700
-/etc/rc.d/init.d/functions root.root 644
-/etc/rc.d/init.d/mandrake_consmap root.root 644
-/etc/rc.d/init.d/xprint root.root 755
-/etc/securetty root.root 644
-/etc/sendmail.cf root.mail 644
-/etc/shutdown.allow root.root 644
-/etc/ssh/ssh_config root.root 644
-/etc/ssh/ssh_host_*key root.root 600
-/etc/ssh/ssh_host_*key.pub root.root 644
-/etc/ssh/sshd_config root.root 644
-/etc/sysconfig root.root 755
-/etc/syslog.conf root.adm 640
-/etc/updatedb.conf root.root 644
-/home/ root.root 755
-/home/* current 711
-/lib/ root.root 755
-/mnt/ root.root 755
-/proc root.root 555
-/root/ root.root 700
-/sbin/ root.root 755
-/tmp/ root.root 1777
-/usr/ root.root 755
-/usr/* root.root 755
-/usr/bin/ root.root 755
-/usr/bin/cc root.root 755
-/usr/bin/finger root.root 755
-/usr/bin/g++* root.root 755
-/usr/bin/gcc* root.root 755
-/usr/bin/ssh root.root 755
-/usr/bin/telnet root.root 755
-/usr/bin/w root.root 755
-/usr/bin/who root.root 755
-/usr/lib/rpm/rpm? rpm.rpm 755
-/usr/sbin/ root.root 755
-/usr/sbin/sendmail.postfix root.root 755
-/usr/sbin/sendmail.sendmail root.mail 2755
-/usr/sbin/traceroute root.bin 4755
-/usr/share/doc root.root 755
-/usr/share/man root.root 755
-/usr/tmp root.root 1777
-/var/ root.root 755
-/var/lib/rpm/Packages rpm.rpm 644
-/var/lock/subsys root.root 755
-/var/log/ root.root 755
-/var/log/* root.root 640
-/var/log/Xorg.0.log current current
-/var/log/lp-errs lp.lp 600
-/var/log/*/* current 640
-/var/log/*/*/* current 640
-/var/log/*/. current 755
-/var/log/mailman/ root.mail 2775
-/var/log/mailman/* root.mail 660
-/var/spool/mail/ root.mail 2775
-/var/tmp root.root 1777
diff --git a/conf/perm.4 b/conf/perm.4
deleted file mode 100644
index b8848bf..0000000
--- a/conf/perm.4
+++ /dev/null
@@ -1,96 +0,0 @@
-# Welcome in Level 4, aka secure & usable.
-###
-/ root.adm 751
-/bin/ root.adm 751
-/bin/ping root.ntools 4750
-/bin/rpm rpm.rpm 750
-/boot/ root.ctools 710
-/dev/ root.root 711
-/etc/ root.adm 711
-/etc/conf.modules root.adm 640
-/etc/cron.daily/ root.adm 750
-/etc/cron.hourly/ root.adm 750
-/etc/cron.monthly/ root.adm 750
-/etc/cron.weekly/ root.adm 750
-/etc/crontab root.adm 640
-/etc/dhcpcd/ root.adm 750
-/etc/dhcpcd/* root.adm 640
-/etc/ftpaccess root.adm 640
-/etc/ftpconversions root.adm 640
-/etc/ftpgroups root.adm 640
-/etc/ftphosts root.adm 640
-/etc/ftpusers root.adm 640
-/etc/gettydefs root.adm 640
-/etc/hosts.allow root.daemon 644
-/etc/hosts.deny root.daemon 644
-/etc/hosts.equiv root.daemon 640
-/etc/httpd/modules.d/*.conf root.adm 640
-/etc/httpd/conf/*.conf root.adm 640
-/etc/httpd/conf/addon-modules/* root.adm 640
-/etc/httpd/conf/vhosts.d/* root.adm 640
-/etc/httpd/conf/webapps.d/* root.adm 640
-/etc/inetd.conf root.adm 640
-/etc/inittab root.adm 640
-/etc/ld.so.conf root.ctools 640
-/etc/mandrake-release root.adm 640
-/etc/modules.conf root.adm 640
-/etc/motd root.adm 644
-/etc/printcap root.lp 640
-/etc/profile.d/* root.root 755
-/etc/rc.d/ root.adm 750
-/etc/rc.d/init.d/ root.adm 750
-/etc/rc.d/init.d/* root.adm 740
-/etc/rc.d/init.d/functions root.adm 644
-/etc/rc.d/init.d/mandrake_consmap root.adm 644
-/etc/rc.d/init.d/xprint root.root 755
-/etc/securetty root.root 640
-/etc/sendmail.cf root.mail 640
-/etc/shutdown.allow root.adm 640
-/etc/ssh/ssh_config root.root 644
-/etc/ssh/ssh_host_*key root.adm 600
-/etc/ssh/ssh_host_*key.pub root.adm 644
-/etc/ssh/sshd_config root.adm 640
-/etc/sysconfig root.adm 751
-/etc/syslog.conf root.adm 640
-/etc/updatedb.conf root.adm 640
-/home/ root.adm 751
-/home/* current 700
-/lib/ root.adm 751
-/mnt/ root.adm 750
-/proc root.adm 550
-/root/ root.root 700
-/sbin/ root.adm 751
-/tmp/ root.adm 1773
-/usr/ root.adm 751
-/usr/* root.adm 751
-/usr/bin/ root.adm 751
-/usr/bin/cc root.ctools 750
-/usr/bin/finger root.ntools 750
-/usr/bin/g++* root.ctools 750
-/usr/bin/gcc* root.ctools 750
-/usr/bin/ssh root.ntools 750
-/usr/bin/telnet root.ntools 750
-/usr/bin/w root.ntools 750
-/usr/bin/who root.ntools 750
-/usr/lib/rpm/rpm? rpm.rpm 750
-/usr/sbin/ root.adm 751
-/usr/sbin/sendmail.postfix root.root 711
-/usr/sbin/sendmail.sendmail root.mail 2711
-/usr/sbin/traceroute root.ntools 4750
-/usr/share/doc rpm.rpm 750
-/usr/share/man rpm.rpm 750
-/usr/tmp root.adm 1773
-/var/ root.root 755
-/var/lib/rpm/Packages rpm.rpm 640
-/var/lock/subsys root.adm 750
-/var/log/ root.adm 751
-/var/log/* root.root 600
-/var/log/lp-errs lp.lp 600
-/var/log/*/* current 600
-/var/log/*/*/* current 600
-/var/log/*/. current 700
-/var/log/intraline/. current 750
-/var/log/mailman/ root.mail 2770
-/var/log/mailman/* root.mail 660
-/var/spool/mail/ root.mail 771
-/var/tmp root.adm 1773
diff --git a/conf/perm.5 b/conf/perm.5
deleted file mode 100644
index 8aedfc8..0000000
--- a/conf/perm.5
+++ /dev/null
@@ -1,96 +0,0 @@
-# Welcome in Level 5, aka paranoid.
-###
-/ root.root 711
-/bin/ root.root 711
-/bin/ping root.ntools 4750
-/bin/rpm rpm.rpm 750
-/boot/ root.ctools 710
-/dev/ root.root 711
-/etc/ root.root 711
-/etc/conf.modules root.root 600
-/etc/cron.daily/ root.root 700
-/etc/cron.hourly/ root.root 700
-/etc/cron.monthly/ root.root 700
-/etc/cron.weekly/ root.root 700
-/etc/crontab root.root 600
-/etc/dhcpcd/ root.root 700
-/etc/dhcpcd/* root.root 600
-/etc/ftpaccess root.root 600
-/etc/ftpconversions root.root 600
-/etc/ftpgroups root.root 600
-/etc/ftphosts root.root 600
-/etc/ftpusers root.root 600
-/etc/gettydefs root.root 600
-/etc/hosts.allow root.daemon 644
-/etc/hosts.deny root.daemon 644
-/etc/hosts.equiv root.daemon 640
-/etc/httpd/modules.d/*.conf root.root 600
-/etc/httpd/conf/*.conf root.root 600
-/etc/httpd/conf/addon-modules/* root.root 600
-/etc/httpd/conf/vhosts.d/* root.root 600
-/etc/httpd/conf/webapps.d/* root.root 600
-/etc/inetd.conf root.root 600
-/etc/inittab root.root 600
-/etc/ld.so.conf root.root 600
-/etc/mandrake-release root.root 600
-/etc/modules.conf root.root 600
-/etc/motd root.root 644
-/etc/printcap root.lp 640
-/etc/profile.d/* root.root 755
-/etc/rc.d/ root.root 700
-/etc/rc.d/init.d/ root.root 700
-/etc/rc.d/init.d/* root.root 700
-/etc/rc.d/init.d/functions root.root 644
-/etc/rc.d/init.d/mandrake_consmap root.adm 644
-/etc/rc.d/init.d/xprint root.root 755
-/etc/securetty root.root 600
-/etc/sendmail.cf root.mail 640
-/etc/shutdown.allow root.root 600
-/etc/ssh/ssh_config root.root 644
-/etc/ssh/ssh_host_*key root.root 600
-/etc/ssh/ssh_host_*key.pub root.root 644
-/etc/ssh/sshd_config root.root 600
-/etc/sysconfig root.root 711
-/etc/syslog.conf root.root 600
-/etc/updatedb.conf root.root 600
-/home/ root.root 711
-/home/* current 700
-/lib/ root.root 711
-/mnt/ root.root 710
-/proc root.adm 550
-/root/ root.root 700
-/sbin/ root.root 711
-/tmp/ root.root 1733
-/usr/ root.root 711
-/usr/* root.root 711
-/usr/bin/ root.root 711
-/usr/bin/cc root.ctools 750
-/usr/bin/finger root.ntools 750
-/usr/bin/g++* root.ctools 750
-/usr/bin/gcc* root.ctools 750
-/usr/bin/ssh root.ntools 750
-/usr/bin/telnet root.ntools 750
-/usr/bin/w root.ntools 750
-/usr/bin/who root.ntools 750
-/usr/lib/rpm/rpm? rpm.rpm 750
-/usr/sbin/ root.root 711
-/usr/sbin/sendmail.postfix root.root 711
-/usr/sbin/sendmail.sendmail root.mail 2711
-/usr/sbin/traceroute root.ntools 4750
-/usr/share/doc rpm.rpm 710
-/usr/share/man rpm.rpm 710
-/usr/tmp root.root 1733
-/var/ root.root 755
-/var/lib/rpm/Packages rpm.rpm 640
-/var/lock/subsys root.root 700
-/var/log/ root.root 711
-/var/log/* root.root 600
-/var/log/lp-errs lp.lp 600
-/var/log/*/* current 600
-/var/log/*/*/* current 600
-/var/log/*/. current 700
-/var/log/intraline/. current 750
-/var/log/mailman/ root.mail 2770
-/var/log/mailman/* root.mail 660
-/var/spool/mail/ root.mail 771
-/var/tmp root.root 1733
diff --git a/conf/perm.default b/conf/perm.default
new file mode 100644
index 0000000..744e4a8
--- /dev/null
+++ b/conf/perm.default
@@ -0,0 +1,96 @@
+# Welcome in Level 2
+###
+/ root.adm 755
+/bin/ root.root 755
+/bin/ping root.root 4755
+/bin/rpm rpm.rpm 755
+/boot/ root.root 755
+/dev/ root.root 755
+/etc/ root.root 755
+/etc/conf.modules root.root 644
+/etc/cron.daily/ root.root 755
+/etc/cron.hourly/ root.root 755
+/etc/cron.monthly/ root.root 755
+/etc/cron.weekly/ root.root 755
+/etc/crontab root.root 644
+/etc/dhcpcd/ root.root 755
+/etc/dhcpcd/* root.root 644
+/etc/ftpaccess root.root 644
+/etc/ftpconversions root.root 644
+/etc/ftpgroups root.root 644
+/etc/ftphosts root.root 644
+/etc/ftpusers root.root 644
+/etc/gettydefs root.root 644
+/etc/hosts.allow root.root 644
+/etc/hosts.deny root.root 644
+/etc/hosts.equiv root.root 644
+/etc/httpd/modules.d/*.conf root.root 644
+/etc/httpd/conf/*.conf root.root 644
+/etc/httpd/conf/addon-modules/* root.root 644
+/etc/httpd/conf/vhosts.d/* root.root 644
+/etc/httpd/conf/webapps.d/* root.root 644
+/etc/inetd.conf root.root 644
+/etc/inittab root.root 644
+/etc/ld.so.conf root.root 644
+/etc/mandrake-release root.root 644
+/etc/modules.conf root.root 644
+/etc/motd root.root 644
+/etc/printcap root.root 644
+/etc/profile.d/* root.root 755
+/etc/rc.d/ root.root 755
+/etc/rc.d/init.d/ root.root 755
+/etc/rc.d/init.d/* root.root 744
+/etc/rc.d/init.d/functions root.root 644
+/etc/rc.d/init.d/mandrake_consmap root.root 644
+/etc/rc.d/init.d/xprint root.root 755
+/etc/securetty root.root 644
+/etc/sendmail.cf root.mail 644
+/etc/shutdown.allow root.root 644
+/etc/ssh/ssh_config root.root 644
+/etc/ssh/ssh_host_*key root.root 600
+/etc/ssh/ssh_host_*key.pub root.root 644
+/etc/ssh/sshd_config root.root 644
+/etc/sysconfig root.root 755
+/etc/syslog.conf root.root 644
+/etc/updatedb.conf root.root 644
+/home/ root.root 755
+/home/* current.current 755
+/lib/ root.root 755
+/mnt/ root.root 755
+/proc root.root 555
+/root/ root.root 700
+/sbin/ root.root 755
+/tmp/ root.root 1777
+/usr/ root.root 755
+/usr/* root.root 755
+/usr/bin/ root.root 755
+/usr/bin/cc root.root 755
+/usr/bin/finger root.root 755
+/usr/bin/g++* root.root 755
+/usr/bin/gcc* root.root 755
+/usr/bin/ssh root.root 755
+/usr/bin/telnet root.root 755
+/usr/bin/w root.root 755
+/usr/bin/who root.root 755
+/usr/lib/rpm/rpm? rpm.rpm 755
+/usr/sbin/ root.root 755
+/usr/sbin/sendmail.postfix root.root 755
+/usr/sbin/sendmail.sendmail root.mail 2755
+/usr/sbin/traceroute root.bin 4755
+/usr/share/doc root.root 755
+/usr/share/man root.root 755
+/usr/tmp root.root 1777
+/var/ root.root 755
+/var/lib/rpm/Packages rpm.rpm 644
+/var/lock/subsys root.root 755
+/var/log/ root.root 755
+/var/log/* root.adm 640
+/var/log/Xorg.0.log current.current current
+/var/log/lp-errs lp.lp 600
+/var/log/*/* current.current 640
+/var/log/*/*/* current.current 640
+/var/log/*/. current.current 755
+/var/log/mailman/ root.mail 2775
+/var/log/mailman/* root.mail 660
+/var/spool/mail/ root.mail 2775
+/var/tmp root.root 1777
diff --git a/conf/perm.none b/conf/perm.none
new file mode 100644
index 0000000..9df8c21
--- /dev/null
+++ b/conf/perm.none
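Review bot: The header `# Welcome in Level 2` is stale: the numeric levels it refers to are deleted by this same commit, and the file is now `perm.default`. Replace it with a header that describes the format rather than a level number, e.g. `# msec file-permission policy for the "default" level: <path> <owner.group> <mode>; "current" presumably keeps the existing value` (the meaning of `current` is inferred from its use on `/var/log/Xorg.0.log` and should be confirmed against the checker). The first entry `/ root.adm 755` also differs from the `root.root` the deleted perm.2 carried for the root directory, which is a change in group ownership rather than part of the rename — if it is intended it deserves a comment, otherwise it should be `/ root.root 755`.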
@@ -0,0 +1,94 @@
+# Welcome in Level 1
+###
+/ root.root 755
+/bin/ root.root 755
+/bin/ping root.root 4755
+/bin/rpm rpm.rpm 755
+/boot/ root.root 755
+/dev/ root.root 755
+/etc/ root.root 755
+/etc/conf.modules root.root 644
+/etc/cron.daily/ root.root 755
+/etc/cron.hourly/ root.root 755
+/etc/cron.monthly/ root.root 755
+/etc/cron.weekly/ root.root 755
+/etc/crontab root.root 644
+/etc/dhcpcd/ root.root 755
+/etc/dhcpcd/* root.root 644
+/etc/ftpaccess root.root 644
+/etc/ftpconversions root.root 644
+/etc/ftpgroups root.root 644
+/etc/ftphosts root.root 644
+/etc/ftpusers root.root 644
+/etc/gettydefs root.root 644
+/etc/hosts.allow root.root 644
+/etc/hosts.deny root.root 644
+/etc/hosts.equiv root.root 644
+/etc/httpd/modules.d/*.conf root.root 644
+/etc/httpd/conf/*.conf root.root 644
+/etc/httpd/conf/addon-modules/* root.root 644
+/etc/httpd/conf/vhosts.d/* root.root 644
+/etc/httpd/conf/webapps.d/* root.root 644
+/etc/inetd.conf root.root 644
+/etc/inittab root.root 644
+/etc/ld.so.conf root.root 644
+/etc/mandrake-release root.root 644
+/etc/modules.conf root.root 644
+/etc/motd root.root 644
+/etc/printcap root.root 644
+/etc/profile.d/* root.root 755
+/etc/rc.d/ root.root 755
+/etc/rc.d/init.d/ root.root 755
+/etc/rc.d/init.d/* root.root 744
+/etc/rc.d/init.d/functions root.root 644
+/etc/rc.d/init.d/mandrake_consmap root.root 644
+/etc/securetty root.root 644
+/etc/sendmail.cf root.mail 644
+/etc/shutdown.allow root.root 644
+/etc/ssh/ssh_config root.root 644
+/etc/ssh/ssh_host_*key root.root 600
+/etc/ssh/ssh_host_*key.pub root.root 644
+/etc/ssh/sshd_config root.root 644
+/etc/sysconfig root.root 755
+/etc/syslog.conf root.root 644
+/etc/updatedb.conf root.root 644
+/home/ root.root 755
+/home/* current.current 755
+/lib/ root.root 755
+/mnt/ root.root 755
+/proc root.root 555
+/root/ root.root 755
+/sbin/ root.root 755
+/tmp/ root.root 1777
+/usr/ root.root 755
+/usr/* root.root 755
+/usr/bin/ root.root 755
+/usr/bin/cc root.root 755
+/usr/bin/finger root.root 755
+/usr/bin/g++* root.root 755
+/usr/bin/gcc* root.root 755
+/usr/bin/ssh root.root 755
+/usr/bin/telnet root.root 755
+/usr/bin/w root.root 755
+/usr/bin/who root.root 755
+/usr/lib/rpm/rpm? rpm.rpm 755
+/usr/sbin/ root.root 755
+/usr/sbin/sendmail.postfix root.root 755
+/usr/sbin/sendmail.sendmail root.mail 2755
+/usr/sbin/traceroute root.bin 4755
+/usr/share/doc root.root 755
+/usr/share/man root.root 755
+/usr/tmp root.root 1777
+/var/ root.root 755
+/var/lib/rpm/Packages rpm.rpm 644
+/var/lock/subsys root.root 755
+/var/log/ root.root 755
+/var/log/* root.adm 644
+/var/log/lp-errs lp.lp 600
+/var/log/*/* current.current 644
+/var/log/*/*/* current.current 644
+/var/log/*/. current.current 755
+/var/log/mailman/ root.mail 2775
+/var/log/mailman/* root.mail 664
+/var/spool/mail/ root.mail 2775
+/var/tmp root.root 1777
diff --git a/conf/perm.secure b/conf/perm.secure
new file mode 100644
index 0000000..159a933
--- /dev/null
+++ b/conf/perm.secure
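Review bot: The header `# Welcome in Level 1` no longer matches the file name `perm.none`; change it to something like `# msec file-permission policy for the "none" level: <path> <owner.group> <mode>`. `/root/ root.root 755` leaves root's home directory world-readable and traversable, which perm.default tightens to `700` — even on a profile meant to impose nothing, a one-line comment saying this is deliberate would stop the next reader from "fixing" it. Note that level.none sets `CHECK_PERMS=no`, so this file is presumably never enforced at that level; if that is so, a comment to that effect at the top would explain why its contents are not tuned.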
@@ -0,0 +1,97 @@
+# Welcome in Level 2
+###
+/ root.adm 755
+/bin/ root.adm 755
+/bin/ping root.ntools 4750
+/bin/rpm rpm.rpm 750
+/boot/ root.ctools 710
+/dev/ root.root 755
+/etc/ root.adm 755
+/etc/conf.modules root.adm 640
+/etc/cron.daily/ root.adm 750
+/etc/cron.hourly/ root.adm 750
+/etc/cron.monthly/ root.adm 750
+/etc/cron.weekly/ root.adm 750
+/etc/crontab root.adm 640
+/etc/dhcpcd/ root.adm 750
+/etc/dhcpcd/* root.adm 640
+/etc/ftpaccess root.adm 640
+/etc/ftpconversions root.adm 640
+/etc/ftpgroups root.adm 640
+/etc/ftphosts root.adm 640
+/etc/ftpusers root.adm 640
+/etc/gettydefs root.adm 640
+/etc/hosts.allow root.daemon 644
+/etc/hosts.deny root.daemon 644
+/etc/hosts.equiv root.daemon 640
+/etc/httpd/modules.d/*.conf root.adm 640
+/etc/httpd/conf/*.conf root.adm 640
+/etc/httpd/conf/addon-modules/* root.adm 640
+/etc/httpd/conf/vhosts.d/* root.adm 640
+/etc/httpd/conf/webapps.d/* root.adm 640
+/etc/inetd.conf root.adm 640
+/etc/inittab root.adm 640
+/etc/ld.so.conf root.ctools 640
+/etc/mandrake-release root.adm 644
+/etc/modules.conf root.adm 640
+/etc/motd root.adm 644
+/etc/printcap root.lp 640
+/etc/profile.d/* root.root 755
+/etc/rc.d/ root.adm 755
+/etc/rc.d/init.d/ root.adm 755
+/etc/rc.d/init.d/* root.adm 744
+/etc/rc.d/init.d/functions root.adm 644
+/etc/rc.d/init.d/mandrake_consmap root.adm 644
+/etc/rc.d/init.d/xprint root.root 755
+/etc/securetty root.root 640
+/etc/sendmail.cf root.mail 640
+/etc/shutdown.allow root.adm 640
+/etc/ssh/ssh_config root.root 644
+/etc/ssh/ssh_host_*key root.adm 600
+/etc/ssh/ssh_host_*key.pub root.adm 644
+/etc/ssh/sshd_config root.adm 640
+/etc/sysconfig root.adm 755
+/etc/syslog.conf root.adm 640
+/etc/updatedb.conf root.adm 644
+/home/ root.adm 751
+/home/* current.current 751
+/lib/ root.adm 755
+/mnt/ root.adm 750
+/proc root.adm 555
+/root/ root.root 700
+/sbin/ root.adm 751
+/tmp/ root.adm 1773
+/usr/ root.adm 755
+/usr/* root.adm 755
+/usr/bin/ root.adm 755
+/usr/bin/cc root.ctools 750
+/usr/bin/finger root.ntools 750
+/usr/bin/g++* root.ctools 750
+/usr/bin/gcc* root.ctools 750
+/usr/bin/ssh root.ntools 750
+/usr/bin/telnet root.ntools 750
+/usr/bin/w root.ntools 750
+/usr/bin/who root.ntools 750
+/usr/lib/rpm/rpm? rpm.rpm 750
+/usr/sbin/ root.adm 751
+/usr/sbin/sendmail.postfix root.root 711
+/usr/sbin/sendmail.sendmail root.mail 2711
+/usr/sbin/traceroute root.ntools 4750
+/usr/share/doc root.root 755
+/usr/share/man root.root 755
+/usr/tmp root.adm 1773
+/var/ root.root 755
+/var/lib/rpm/Packages rpm.rpm 640
+/var/lock/subsys root.adm 750
+/var/log/ root.adm 751
+/var/log/* root.root 640
+/var/log/Xorg.0.log current.current current
+/var/log/lp-errs lp.lp 600
+/var/log/*/* current.current 600
+/var/log/*/*/* current.current 600
+/var/log/*/. current.current 700
+/var/log/intraline/. current.current 750
+/var/log/mailman/ root.mail 2770
+/var/log/mailman/* root.mail 660
+/var/spool/mail/ root.mail 771
+/var/tmp root.adm 1773
diff --git a/conf/server.4 b/conf/server.4
deleted file mode 100644
index d518731..0000000
--- a/conf/server.4
+++ /dev/null
@@ -1,41 +0,0 @@
-adsl
-bgpd
-bridge
-crond
-dansguardian
-dhcpd
-diald
-dm
-ez-ipupdate
-ftwall
-fwlogwatch
-gpm
-httpd
-httpd-naat
-httpd2-naat
-ipsec
-iptables
-iptoip
-isdn4linux
-keytable
-named
-network
-ntpd
-openvpn
-ospfd
-ospf6d
-pcmcia
-pptp
-pptpd
-prelude-manager
-ripd
-ripngd
-shorewall
-snortd
-squid
-sshd
-syslog
-usb
-xfs
-xinetd
-zebra
diff --git a/conf/server.5 b/conf/server.5
deleted file mode 100644
index 2141239..0000000
--- a/conf/server.5
+++ /dev/null
@@ -1,14 +0,0 @@
-bastille-firewall
-crond
-dm
-gpm
-ipchains
-keytable
-network
-pcmcia
-prelude
-shorewall
-snortd
-syslog
-usb
-xfs
diff --git a/conf/server.default b/conf/server.default
new file mode 100644
index 0000000..d518731
--- /dev/null
+++ b/conf/server.default
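Review bot: The header `# Welcome in Level 2` is wrong for `perm.secure`, whose entries clearly descend from the deleted perm.4 ("secure & usable"), and several of them are looser than perm.4 was with nothing explaining why: `/home/* current.current 751` (perm.4: 700), `/etc/ root.adm 755` (711), `/dev/ root.root 755` (711), `/proc root.adm 555` (550), `/etc/rc.d/init.d/* root.adm 744` (740). The home-directory change is the one that matters: 751 lets every local user traverse into any other user's home, so if the relaxation is intentional it needs a comment, otherwise restore `/home/* current.current 700`. Replace the header with `# msec file-permission policy for the "secure" level: <path> <owner.group> <mode>`. Separately, none of the three perm files lists `/etc/shadow`, `/etc/gshadow` or `/etc/sudoers`; the level files' `CHECK_SHADOW` presumably covers the first, but the others are outside this policy unless enforced elsewhere.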
@@ -0,0 +1,41 @@
+adsl
+bgpd
+bridge
+crond
+dansguardian
+dhcpd
+diald
+dm
+ez-ipupdate
+ftwall
+fwlogwatch
+gpm
+httpd
+httpd-naat
+httpd2-naat
+ipsec
+iptables
+iptoip
+isdn4linux
+keytable
+named
+network
+ntpd
+openvpn
+ospfd
+ospf6d
+pcmcia
+pptp
+pptpd
+prelude-manager
+ripd
+ripngd
+shorewall
+snortd
+squid
+sshd
+syslog
+usb
+xfs
+xinetd
+zebra
diff --git a/conf/server.secure b/conf/server.secure
new file mode 100644
index 0000000..2141239
--- /dev/null
+++ b/conf/server.secure
@@ -0,0 +1,14 @@
+bastille-firewall
+crond
+dm
+gpm
+ipchains
+keytable
+network
+pcmcia
+prelude
+shorewall
+snortd
+syslog
+usb
+xfs
-- 
cgit v1.2.1