From 78b13ca5f0677f9e6e5a07a18473a2d7724b51d0 Mon Sep 17 00:00:00 2001
From: Yoann Vandoorselaere
Date: Thu, 25 Nov 1999 19:44:10 +0000
Subject: Initial revision
---
doc/msec.spec | 76 +++++++++++++++++++++++++++++++++++++++++++++
doc/security.txt | 94 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 170 insertions(+)
create mode 100644 doc/msec.spec
create mode 100644 doc/security.txt
(limited to 'doc')
diff --git a/doc/msec.spec b/doc/msec.spec
new file mode 100644
index 0000000..5324cbf
--- /dev/null
+++ b/doc/msec.spec
@@ -0,0 +1,76 @@
+Summary: Security Level & Program for the Linux Mandrake distribution
+Name: msec
+Version: 0.3
+Release: 5mdk
+Source: ftp://mandrakesoft.com/pub/yoann/msec-0.3.tar.gz
+Copyright: GPL
+Group: System Environment/Base
+BuildRoot: /var/tmp/msec
+Requires: /bin/bash setup chkconfig
+
+%description
+The Mandrake-Security package is designed to provide generic
+secure level to the Mandrake-Linux users...
+It will permit you to choose between level 1 to 5 for a
+less -> more secured distribution.
+This packages includes several program that will be run periodically
+in order to test the security of your system and alert you if needed.
+
+%prep
+%setup
+
+%build
+make CFLAGS="$RPM_OPT_FLAGS"
+
+%install
+mkdir -p $RPM_BUILD_ROOT/etc/security/msec/init-sh
+mkdir -p $RPM_BUILD_ROOT/etc/security/msec/cron-sh
+mkdir -p $RPM_BUILD_ROOT/usr/bin
+
+cp init-sh/level*.sh $RPM_BUILD_ROOT/etc/security/msec/init-sh
+cp init-sh/lib.sh $RPM_BUILD_ROOT/etc/security/msec/init-sh
+cp init-sh/init.sh $RPM_BUILD_ROOT/etc/security/msec
+cp init-sh/file_perm.sh $RPM_BUILD_ROOT/etc/security/msec/init-sh
+cp init-sh/perm.[1-5] $RPM_BUILD_ROOT/etc/security/msec/init-sh
+cp init-sh/server.* $RPM_BUILD_ROOT/etc/security/msec/init-sh
+cp cron-sh/*.sh $RPM_BUILD_ROOT/etc/security/msec/cron-sh
+touch $RPM_BUILD_ROOT/etc/security/msec/security.conf
+cp src/promisc_check/promisc_check $RPM_BUILD_ROOT/usr/bin
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(-,root,root)
+/etc/security/msec
+/usr/bin/promisc_check
+
+%changelog
+* Thu Nov 25 1999 Yoann Vandoorselaere
+- Cleaned up tree.
+
+* Thu Nov 25 1999 Yoann Vandoorselaere
+- Removed touched file /-i
+
+* Thu Nov 25 1999 Yoann Vandoorselaere
+- Create rc.firewall to avoid error,
+- Call grpuser with the good path,
+- Call groupadd before usermod.
+
+* Tue Nov 23 1999 Yoann Vandoorselaere
+- New release (0.3) :
+ Now each security level has it's own set of permissions.
+ Add "." at the end of $PATH for level 1.
+ Corrected some grave bug, it should work properly now.
+
+* Thu Nov 18 1999 Yoann Vandoorselaere
+- New release (0.2) :
+ Fixed the path for promisc_check.sh :
+ now /etc/security/msec/cron-sh/promisc_check.sh
+ In level 1 & 2, user is now automagically added to the audio group.
+
+* Tue Nov 16 1999 Yoann Vandoorselaere
+- First packaging attempt :-).
+
+
+
diff --git a/doc/security.txt b/doc/security.txt
new file mode 100644
index 0000000..4d22ca5
--- /dev/null
+++ b/doc/security.txt
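Review bot: `%install` in doc/msec.spec writes into `BuildRoot: /var/tmp/msec`, a fixed name under a world-writable directory, without clearing it first, so anything already at that path is packaged through the `/etc/security/msec` entry in `%files`. Start `%install` with `rm -rf "$RPM_BUILD_ROOT"` and quote the variable in `%clean` as well; building as an unprivileged user (not visible from this spec) limits what a pre-existing path can affect. `%defattr(-,root,root)` also keeps whatever modes `cp` produced, so the scripts copied under `/etc/security/msec` would be better installed with explicit modes via `install -m` or `%attr`, since they appear to be run from init and cron.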
@@ -0,0 +1,94 @@
+
+****************************
+
+Security level 1 :
+OK - Access to the system as a normal user.
+OK - . in $PATH
+OK - Login as root from the console granted.
+OK - No rules check for password.
+OK - Permission for /dev & /etc = 755
+OK - Permission for /home = 755
+OK - Device are accessible by group. ( ie: the user is automagically added to the audio group, video group & all... ).
+OK - xhost + localhost
+
+****************************
+
+Security level 2 :
+OK - Access to the system as a normal user.
+OK - Login as root from the console granted.
+
+ - No rules check for password.
+ ---> Waiting for Chmouel to verify password...
+
+OK - Device are accessible by group. ( ie: the user is automagically added to the audio group, video group & all... ).
+OK - Permission for /dev & /etc = 755
+OK - Permission for /home = 755
+OK xhost + localhost
+
+****************************
+
+Security level 3 :
+OK - Access to the system as a normal user.
+OK - Login as root from the console denied.
+
+ - Low level rules check on password.
+ ---> Waiting for Chmouel to verify password...
+
+OK - Permission for /dev & /etc = 755
+OK - Permission for /home/* = 750
+OK - Detection of interface in promiscuous mode ( one time a minute )
+
+
+****************************
+
+Security level 4 :
+OK - lilo pass -> only if the user want it .
+- kernel patch -> Secure linux ?
+OK - Access to the system as a normal user.
+OK - Login as root from the console denied.
+
+ - Medium level rules check on password.
+ ---> Waiting for Chmouel to verify password...
+
+OK - Keep track of the suid file, warn when new suid file are detected, in a suid log file.
+OK - Device only accessible by root as a default.
+OK - Deny all kind of connection except from local network.
+OK - Permission for /dev & /etc directories = 755
+OK - Permission for /home = 711
+OK - Permission for /home/* = 750
+OK - Detection of interface in promiscuous mode ( one time a minute )
+
+*****************************
+
+Security level 5 : *Server Only*
+
+OK - lilo pass -> only if the user want it .
+- kernel patch -> Secure linux
+OK - Access to the system as a normal user.
+OK - Login as root from the console denied.
+
+ - High level rules check on password.
+ ---> Waiting for Chmouel to verify password...
+
+OK - Keep track of the suid file, warn when new suid file are detected, in a suid log file.
+OK - Device only accessible by root as a default.
+OK - No server installed by default. ( except maybe the crontab )
+OK - Deny all kind of connection ( hosts.deny -> ALL:ALL:DENY )
+OK - Permission for /dev & /etc directories = 711
+OK - Permission for /home = 711
+OK - Permission for /home/* = 700
+OK - Permission for /tmp = 700
+OK - Detection of interface in promiscuous mode ( one time a minute )
+
+
+
+
+
+*** Future Release : ***
+- Automatic tty locking ( unlock by passwd ) after X time of inactivity.
+
+
+
+
+
+
-- cgit v1.2.1