#This file was created by <camille> Thu Jan  6 11:15:42 2000
#LyX 0.12 (C) 1995-1998 Matthias Ettrich and the LyX Team
\lyxformat 2.15
\textclass article
\language american
\inputencoding latin1
\fontscheme default
\graphics default
\paperfontsize default
\spacing single 
\papersize Default
\paperpackage a4
\use_geometry 0
\use_amsmath 0
\paperorientation portrait
\secnumdepth 3
\tocdepth 3
\paragraph_separation skip
\defskip medskip
\quotes_language english
\quotes_times 2
\papercolumns 1
\papersides 2
\paperpagestyle default

\layout Title


\size huge 
msec
\size default 
 
\noun on 
[Mandrake SECurity tools]
\layout Author

Camille B�gnis <camille@mandriva.com>
\layout Date

22/12/1999
\layout Standard


\begin_inset LatexCommand \tableofcontents

\end_inset 


\layout Section

Introducing msec
\layout Standard

While Linux is being used for a very wide range of applications, from basic
 office work to high availability servers, came the need for different security
 levels.
 It is obvious that constraints inherent to highly secured servers do not
 match the needs of a secretary.
 In the other hand a big public server is more sensitive to malicious people
 than my isolated Linux box.
\layout Standard

It is in that aim that were designed the msec package.
 It is made of two parts:
\layout Enumerate

Scripts that modify the whole system to lead it to one of the six security
 levels provided with msec.
 These levels range from very poor security and ease of use, to paranoid
 config, suitable for very sensitive applications, managed by experts.
\layout Enumerate

Cron jobs, that will periodically check the integrity of the system upon
 security level configuration, and eventually detect and warn you of possible
 intrusion of the system or security leak.
\layout Standard

Note that the user may also define his own security level, adjusting parameters
 to his own needs.
 
\layout Section

Installation
\layout Standard

msec is a base rpm.
 That means that if you previously installed Linux-Mandrake, msec is already
 installed on your system.
\layout Standard

Installing the rpm will create a msec directory into /etc/security, containing
 all is needed to secure your system.
\layout Standard

Then just login as root and type 
\begin_inset Quotes erd
\end_inset 

/usr/sbin/msec x
\begin_inset Quotes erd
\end_inset 

, x being the security level you want or 
\begin_inset Quotes eld
\end_inset 

custom
\begin_inset Quotes erd
\end_inset 

 to create your own security level.
 The script will begin to remove all modifications made by a previous security
 level change, and apply the features of the chosen security level to your
 system.
 If you choose 
\begin_inset Quotes eld
\end_inset 

custom
\begin_inset Quotes erd
\end_inset 

, then you will be asked a series of questions for each security feature
 msec proposes.
 At the end, these features will be applied to your system.
\layout Standard

Note that whatever the level you chose, your configuration will be stored
 into 
\begin_inset Quotes eld
\end_inset 

/etc/security/msec/security.conf
\begin_inset Quotes erd
\end_inset 

.
\layout Subsection

Level 0 
\begin_inset Quotes eld
\end_inset 

Welcome To Crackers
\begin_inset Quotes erd
\end_inset 


\layout Standard

This level is to be used with care.
 It makes your system more easy to use, but very sensitive at the same time.
 In particular, you shouldn't use this security level if you answer yes
 to at least one of the following questions:
\layout Itemize

Is my computer connected to the Internet?
\layout Itemize

Is my computer connected to other computers by a network?
\layout Itemize

Does this computer will be used by someone else than me?
\layout Itemize

Is there some confidential stuff on my computer I don't want others have
 access?
\layout Itemize

I don't know Linux enough and I could harm it by myself?
\layout Standard

As we see, this security level shouldn't be set by default because it may
 result in big problems for your data.
\layout Subsection

Level 1 
\begin_inset Quotes eld
\end_inset 

Poor
\begin_inset Quotes erd
\end_inset 


\layout Standard

The main security improvement compared with level 0 is that now, the access
 to one user's stuff is granted via user-name and password.
 So it may be used by various people, and it is less sensitive to bad maneuvers.
 However it shouldn't be used for a connected computer whether by modem
 or to a LAN (Local Area Network).
\layout Subsection

Level 2 
\begin_inset Quotes eld
\end_inset 

Low
\begin_inset Quotes erd
\end_inset 


\layout Standard

Few improvements for this security level, the main one is that there are
 more security warnings and checks.
 It is more secure for multi-users use.
\layout Subsection

Level 3 
\begin_inset Quotes erd
\end_inset 

Medium
\begin_inset Quotes erd
\end_inset 


\layout Standard

This is the standard security recommended for a computer that will be used
 to connect to the Internet as a client.
 Most of security checks are periodically run, specifically one that check
 for open ports on the system.
 However, these open ports are kept opened and access to them is granted
 to everyone.
 So this security level is not really suited for a system permanently connected
 to the Internet.
\layout Standard

From the user's point of view, the system is now a little bit more closed,
 so it'll need some basic knowledges of the Linux system to achieve some
 special operations.
 The security here offered is comparable with the one of a standard RedHat
 or previous Mandrake distribution.
\layout Subsection

Level 4 
\begin_inset Quotes eld
\end_inset 

High
\begin_inset Quotes erd
\end_inset 


\layout Standard

With this security level, the use of this system as a server becomes possible.
 The security is now high enough to use the system as a server which accept
 connections from many clients.
 Connections from the computer itself only will be granted.
 Howether advanced services have been disabled, and the system administrator
 will have to activate the desired ones by hand in config files.
 He also will have to define from whom the access is granted.
\layout Standard

Security checks will warn system administrator of possible security holes
 or intrusions on the system.
\layout Subsection

Level 5 
\begin_inset Quotes eld
\end_inset 

Paranoid
\begin_inset Quotes erd
\end_inset 


\layout Standard

We take level 4 features, but now the system is entirely closed.
 Security features are at their maximum.
 The system administrator has to activate ports, and grant connections to
 give other computers access to services offered by this machine.
 
\layout Section

Security levels features
\layout Standard

Follows the description of the different security features each level brings
 to the system.
 These features are of various types:
\layout Itemize

file permissions,
\layout Itemize

warnings dispatching,
\layout Itemize

periodicall security checks:
\layout Quotation

- on files: suid root, writable, unowned;
\layout Quotation

- listening ports: active, promiscuous;
\layout Quotation

- passwords files.
\layout Itemize

X display connections,
\layout Itemize

listening port check,
\layout Itemize

services available,
\layout Itemize

boot password,
\layout Itemize

authorized clients.
\layout Standard
\LyXTable
multicol5
28 7 0 0 -1 -1 -1 -1
1 1 0 0
1 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
0 1 0 0
2 1 0 "50mm" ""
8 1 0 "" ""
8 1 0 "" ""
8 1 0 "" ""
8 1 0 "" ""
8 1 0 "" ""
8 1 1 "" ""
0 2 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 2 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 2 0 1 0 0 0 "" ""
0 2 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 2 0 1 0 0 0 "" ""
0 2 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""
0 8 0 1 0 0 0 "" ""


\series bold 
\emph on 
Feature 
\backslash 
 Security level
\newline 
0
\newline 
1
\newline 
2
\newline 
3
\newline 
4
\newline 
5
\series default 
\emph toggle 

\newline 
Global security check
\newline 

\newline 
*
\newline 
*
\newline 
*
\newline 
*
\newline 
*
\newline 
umask users
\newline 
002
\newline 
002
\newline 
022
\newline 
022
\newline 
077
\newline 
077
\newline 
umask root
\newline 
002
\newline 
002
\newline 
022
\newline 
022
\newline 
022
\newline 
077
\newline 
shell without password
\newline 
*
\newline 

\newline 

\newline 

\newline 

\newline 

\newline 
authorized to connect to X display
\newline 
all
\newline 
local
\newline 
local
\newline 
none
\newline 
none
\newline 
none
\newline 
User in audio group
\newline 
*
\newline 
*
\newline 
*
\newline 

\newline 

\newline 

\newline 
.
 in $PATH
\newline 
*
\newline 
*
\newline 

\newline 

\newline 

\newline 

\newline 
Warning in /var/log/security.log
\newline 

\newline 
*
\newline 
*
\newline 
*
\newline 
*
\newline 
*
\newline 
Warning directly on tty 
\newline 

\newline 

\newline 
*
\newline 
*
\newline 
*
\newline 
*
\newline 
Warning in syslog
\newline 

\newline 

\newline 
*
\newline 
*
\newline 
*
\newline 
*
\newline 
Warning sent by mail to root
\newline 

\newline 

\newline 
*
\newline 
*
\newline 
*
\newline 
*
\newline 
Suid root file check
\newline 

\newline 

\newline 
*
\newline 
*
\newline 
*
\newline 
*
\newline 
Suid root file md5sum check
\newline 

\newline 

\newline 
*
\newline 
*
\newline 
*
\newline 
*
\newline 
Writable file check
\newline 

\newline 

\newline 
*
\newline 
*
\newline 
*
\newline 
*
\newline 
Permissions check
\newline 

\newline 

\newline 

\newline 
*
\newline 
*
\newline 
*
\newline 
Suid group file check 
\newline 

\newline 

\newline 

\newline 
*
\newline 
*
\newline 
*
\newline 
Unowned file check
\newline 

\newline 

\newline 

\newline 
*
\newline 
*
\newline 
*
\newline 
Promiscuous check
\newline 

\newline 

\newline 

\newline 
*
\newline 
*
\newline 
*
\newline 
Listening port check
\newline 

\newline 

\newline 

\newline 
*
\newline 
*
\newline 
*
\newline 
Passwd file integrity check
\newline 

\newline 

\newline 

\newline 
*
\newline 
*
\newline 
*
\newline 
Shadow file integrity check
\newline 

\newline 

\newline 

\newline 
*
\newline 
*
\newline 
*
\newline 
System security check every midnight
\newline 

\newline 

\newline 

\newline 
*
\newline 
*
\newline 
*
\newline 
All system events additionally logged to /dev/tty12
\newline 

\newline 

\newline 

\newline 
*
\newline 
*
\newline 
*
\newline 
Only root can 
\begin_inset Quotes eld
\end_inset 

ctrl-alt-del
\begin_inset Quotes erd
\end_inset 


\newline 

\newline 

\newline 

\newline 

\newline 
*
\newline 
*
\newline 
Services not known disabled
\newline 

\newline 

\newline 

\newline 

\newline 
*
\newline 
*
\newline 
Boot password 
\newline 

\newline 

\newline 

\newline 

\newline 
*
\newline 
*
\newline 
Grant connection to
\newline 
all
\newline 
all
\newline 
all
\newline 
all
\newline 
local
\newline 
none
\layout Standard

Note that six out of the ten periodical checks can detect changes on the
 system.
 They store into files located in 
\begin_inset Quotes eld
\end_inset 

/var/log/security/
\begin_inset Quotes erd
\end_inset 

 the configuration of the system during the last check (one day ago), and
 warn you of any changes occurred meanwhile.
 These checks are:
\layout Itemize

Suid root file check
\layout Itemize

Suid root file md5sum check
\layout Itemize

Writable file check
\layout Itemize

Suid group file check 
\layout Itemize

Unowned file check 
\layout Itemize

Listening port check
\layout Subsection

Global security check 
\layout Itemize

NFS filesystems globally exported.
 This is regarded as insecure, as there is no restriction for who may mount
 these filesystems
\layout Itemize

NFS mounts with missing nosuid.
 These filesystems are exported without the 
\begin_inset Quotes eld
\end_inset 

nosuid
\begin_inset Quotes erd
\end_inset 

 option.
\layout Itemize

Host trusting files contains 
\begin_inset Quotes eld
\end_inset 

+
\begin_inset Quotes erd
\end_inset 

 sign.
 That means that one of the files 
\begin_inset Quotes eld
\end_inset 

/etc/hosts.equiv /etc/shosts.equiv /etc/hosts.lpd
\begin_inset Quotes erd
\end_inset 

 is containing hosts which are allowed to connect without proper authentication.
\layout Itemize

Executables found in the aliases file.
 It issues a warning naming the executables run through files "/etc/aliases
\begin_inset Quotes erd
\end_inset 

 and 
\begin_inset Quotes eld
\end_inset 

/etc/postfix/aliases".
\layout Subsection

umask users 
\layout Standard

Simply sets the umask for normal users to the value corresponding to the
 security level.
\layout Subsection

umask root 
\layout Standard

The same but for the root.
\layout Subsection

shell without password
\layout Standard

Access to the consoles is granted without asking for a password.
\layout Subsection

authorized to connect to X display
\layout Itemize

all : Everybody from everywhere can open an X window on your screen.
\layout Itemize

local : Only people connected at localhost may open an X window on your
 screen.
\layout Itemize

none : Nobody can do that.
\layout Subsection

User in audio group
\layout Standard

Each user is a member of the 
\begin_inset Quotes eld
\end_inset 

audio
\begin_inset Quotes erd
\end_inset 

 group.
 That means that every user connected to the system is given access to sound
 card.
\layout Subsection

.
 in $PATH
\layout Standard

the 
\begin_inset Quotes eld
\end_inset 

.
\begin_inset Quotes erd
\end_inset 

 entry is added to $PATH environment variable, allowing execution of programs
 within the current working directory.
\layout Subsection

Warning in /var/log/security.log 
\layout Standard

Each warning issued by msec is logged into 
\begin_inset Quotes eld
\end_inset 

/var/log/security.log
\begin_inset Quotes erd
\end_inset 

.
\layout Subsection

Warning directly on tty 
\layout Standard

Each warning issued by msec is directly printed on current console.
\layout Subsection

Warning in syslog
\layout Standard

Warnings of msec are directed to syslog service.
\layout Subsection

Warning sent by mail to root
\layout Standard

Warnings issued by msec are also sent by mail to root.
\layout Subsection

Suid root file check
\layout Standard

Check for new or removed suid root files on the system.
 If such files are encountered a list of these files is issued as a warning.
\layout Subsection

Suid root file md5sum check
\layout Standard

Checks the md5sum signature of each suid root file that is on the system.
 If the signature has changed, it means that a modification has been made
 to this program, probably a backdoor.
 A warning is then issued.
\layout Subsection

Writable file check
\layout Standard

Check wether files are world writable on the system.
 If so, issues a warning containing the list of these naughty files.
\layout Subsection

Permissions check
\layout Standard

This one checks permissions for some special files such as .netrc or user's
 config files.
 It also checks permissions of users home dir.
 If their permissions are too loose or owners unusual, it issues a warning.
\layout Subsection

Suid group file check 
\layout Standard

Check for new or removed suid group files on the system.
 If such files are encountered, a list of these files is issued as a warning.
\layout Subsection

Unowned file check
\layout Standard

This check searches for files owned by users/groups(or more accurately by
 uids/gids) not known into /etc/password, If such files are found, the owner
 is automatically changed to user/group 
\begin_inset Quotes eld
\end_inset 

nobody
\begin_inset Quotes erd
\end_inset 

.
\layout Subsection

Promiscuous check
\layout Standard

This test checks every ethernet card to determine wether they are in promiscuous
 mode.
 This mode allows the card to intercept every packet received by the card,
 even those that are not directed to it.
 It may mean that a sniffer is running on your machine.
\layout Standard

Note that this check is setted up to be run every minute.
\layout Subsection

Listening port check
\layout Standard

Issues a warning with all listening ports.
\layout Subsection

Passwd file integrity check
\layout Standard

Verify that each user has a password ( no blank password) and if it is shadowed.
\layout Subsection

Shadow file integrity check
\layout Standard

Verify that each user into the shadow file has a password ( no blank password).
\layout Subsection

System security check every midnight
\layout Standard

All previous checks will be performed everyday at midnight.
 This relies on the addition of cron scripts in crontab file.
\layout Subsection

All system events additionally logged to /dev/tty12
\layout Standard

*All* system messages directed to syslog are copied to tty12 console.
\layout Subsection

Only root can 
\begin_inset Quotes eld
\end_inset 

ctrl-alt-del
\begin_inset Quotes erd
\end_inset 


\layout Standard

Root (or a user referenced into /etc/shutdown.allow) must be logged into
 a console for the key binding 
\begin_inset Quotes eld
\end_inset 

ctrl-alt-del
\begin_inset Quotes erd
\end_inset 

 having effect.
 If no privileged user is logged, nothing happens when someone uses 
\begin_inset Quotes eld
\end_inset 

ctrl-alt-del
\begin_inset Quotes erd
\end_inset 

 .
\layout Subsection

Services not known disabled 
\layout Standard

All services not contained into 
\begin_inset Quotes eld
\end_inset 

/etc/security/msec/server.4
\begin_inset Quotes erd
\end_inset 

 for level 4 or 
\begin_inset Quotes eld
\end_inset 

server.5
\begin_inset Quotes erd
\end_inset 

 for level 5 will be disabled.
 They are not removed, but simply not started when loading a runlevel.
 If you need some of them, just add them again with the 
\begin_inset Quotes eld
\end_inset 

chkconfig
\begin_inset Quotes erd
\end_inset 

 utility (you might also need to restart them with init scripts in /etc/rc.d/init.
d/ ).
\layout Subsection

Boot password 
\layout Standard

Allows you to setup a password for Lilo.
 Prevents (unexperienced) people from rebooting the machine, but in the
 other hand, the machine won't be able to reboot by itself.
\layout Subsection

Grant connection to
\layout Itemize

all : All computers are allowed to connect to open ports.
\layout Itemize

local : Only the localhost is allowed to connect to open ports.
\layout Itemize

none : No computers are allowed to connect to open ports.
\layout Section

ToDo
\layout Standard

- Automatic tty locking ( unlock by passwd ) after X time of inactivity.
\layout Standard

- In high security level, only user having access to group "sugrp" can use
 the su command.
\layout Section

Author
\layout Standard

Vandoorselaere Yoann
\the_end