From 184c7a0eebaf3a76c697db3488871bff5fe27de9 Mon Sep 17 00:00:00 2001 From: Frederic Lepied Date: Wed, 24 Jul 2002 23:16:46 +0000 Subject: * describe file permissions according to the levels. * correct description of X server security. --- doc/security.txt | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) (limited to 'doc') diff --git a/doc/security.txt b/doc/security.txt index 1977e15..ea7b620 100644 --- a/doc/security.txt +++ b/doc/security.txt @@ -13,7 +13,8 @@ Security level 1 : - Global security check. - umask is 002 ( user = read,write | greoup = read,write | other = read ) - easy file permission. -- localhost authorized to connect to X display. +- localhost authorized to connect to X display and X server listens to +tcp connections. - . in $PATH - Warning in /var/log/security.log @@ -29,7 +30,8 @@ Security level 2 ( Aka normal system ) : - umask is 022 ( user = read,write | group = read | other = read ) - easy file permission. -- localhost authorized to connect to X display. +- localhost authorized to connect to X display and X server listens to +tcp connections. **************************** Security level 3 ( Aka more secure system ) : @@ -51,11 +53,13 @@ Security level 3 ( Aka more secure system ) : - umask is 022 ( user = read,write | group = read | other = read ) - Normal file permission. -- localhost authorized to connect to X display. +- X server listens to tcp connections. - All system events additionally logged to /dev/tty12 - Some system security check launched every midnight from the ( crontab ). - no autologin +- home directories are accesible but not readable by others and group members. + **************************** Security level 4 ( Aka Secured system ) : 
@@ -96,6 +100,13 @@ chkconfig -add ). in /etc/hosts.allow). - ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ). +- most sensible files and directories are restricted to the members of the adm group. +- home directories are not accesible by others and group members. +- X commands from /usr/X11R6/bin restricted to the members of the xgrp group. +- network commands (ssh, scp, rsh, ...) restricted to the members of the ntools group. +- compilation commands (gcc, g++, ...) restricted to the members of the ctools group. +- rpm command restricted to the members of the rpm group. + ******************************* Security level 5 ( Aka Paranoid system ) : @@ -135,6 +146,13 @@ chkconfig -add ). in /etc/hosts.allow). - ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ) . +- most sensible files and directories are restricted to the root account. +- home directories are not accesible by others and group members. +- X commands from /usr/X11R6/bin restricted to the members of the xgrp group. +- network commands (ssh, scp, rsh, ...) restricted to the members of the ntools group. +- compilation commands (gcc, g++, ...) restricted to the members of the ctools group. +- rpm command restricted to the members of the rpm group. + ****************** * level4/level5 : "services disabled" explanations : -- cgit v1.2.1
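Review bot: In the level 1 hunk (@@ -13,7 +13,8 @@), and again in the level 2 hunk (@@ -29,7 +30,8 @@), the new bullet "localhost authorized to connect to X display and X server listens to tcp connections." joins two separate settings in one sentence. Who may connect and whether the server accepts TCP at all are separate facts. As written, a reader cannot tell whether a listening TCP port means remote hosts can reach the display or only that the port is open while access stays limited to localhost. Suggest two bullets, one for the authorization and one for the listener, with the second saying explicitly that the port is open to the network.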
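Review bot: In the level 3 hunk (@@ -51,11 +53,13 @@), the replacement bullet "X server listens to tcp connections." drops the statement about who is authorized to connect, so the level 3 description no longer says anything about X access control. Please state what replaces the removed "localhost authorized" rule at this level. In the same hunk, "home directories are accesible but not readable by others and group members" has a typo ("accessible") and is ambiguous. If the intent is that others can traverse the directory but not list it, say so and give the mode.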
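Review bot: In the level 4 hunk (@@ -96,6 +100,13 @@), "most sensible files and directories are restricted to the members of the adm group" is too vague for a security document. "sensible" should be "sensitive", and "most" gives an administrator no way to know which paths are covered. Suggest naming the files or pointing to where the per-level permission list lives. The bullets restricting commands to xgrp, ntools, ctools and rpm would also benefit from one sentence on how a user is granted membership, since at this level ssh, gcc and rpm stop working for anyone not in those groups. "accesible" should be "accessible".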
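Review bot: In the level 5 hunk (@@ -135,6 +146,13 @@), five of the six added bullets are verbatim copies of the level 4 text, and the only difference ("restricted to the root account" instead of the adm group) is easy to miss. Suggest stating the difference explicitly, for example by referring back to the level 4 list and noting that files restricted to adm there are restricted to root here. The same "sensible" and "accesible" spellings need fixing. The subject line mentions correcting the X server description, but the lines added for levels 4 and 5 do not say whether the X server listens on TCP at these levels. If the surrounding text does not already cover it, add a bullet.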