#!/bin/bash # # Security level implementation... # Writen by Vandoorselaere Yoann # if [[ -f /usr/share/msec/lib.sh ]]; then . /usr/share/msec/lib.sh else echo "Can't find /usr/share/msec/lib.sh, exiting." exit 1 fi # Log in append only mode echo -e "Changing attribute of /var/log/* to append only...\n" # All events logged on tty12 echo "Loging all messages on tty12 : " AddRules "*.* /dev/tty12" /etc/syslog.conf # Prevent all kind of connection except from localhost echo "Denying all kind of connection except localhost : " AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny # Login as root on the console allowed : echo "Denying login as root (except on the console) :" AddRules "tty1" /etc/securetty quiet AddRules "tty2" /etc/securetty quiet AddRules "tty3" /etc/securetty quiet AddRules "tty4" /etc/securetty quiet AddRules "tty5" /etc/securetty quiet AddRules "tty6" /etc/securetty AddRules "vc/1" /etc/securetty quiet AddRules "vc/2" /etc/securetty quiet AddRules "vc/3" /etc/securetty quiet AddRules "vc/4" /etc/securetty quiet AddRules "vc/5" /etc/securetty quiet AddRules "vc/6" /etc/securetty # Security check echo "Updating file check variable : " echo -e "\t- Check security : yes." AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check important permissions : yes." AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check suid root file : yes." AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check suid root file integrity (backdoor check) : yes." AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check suid group file : yes." AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check world writable file : yes." AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check unowned file : yes." AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check promiscuous mode : yes." AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check listening port : yes." AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check passwd file integrity : yes." AddRules "CHECK_PASSWD=yes" /etc/security/msec/security.conf quiet echo -e "\t- Check shadow file integrity : yes." AddRules "CHECK_SHADOW=yes" /etc/security/msec/security.conf quiet echo -e "\t- Security warning on tty : yes." AddRules "TTY_WARN=yes" /etc/security/msec/security.conf quiet echo -e "\t- Security warning by mail : yes." AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf quiet AddRules "MAIL_USER=root" /etc/security/msec/security.conf quiet echo -e "\t- Security warning in syslog : yes." AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf # end security check # Check every 1 minutes for promisc problem echo "Adding promisc check in crontab (scheduled every minutes) :" AddRules "*/1 * * * * root /usr/share/msec/promisc_check.sh" /etc/crontab echo "Adding \"diff\" & \"global\" security check in crontab (scheduled every midnight) :" AddRules "0 4 * * * root /usr/share/msec/security.sh" /etc/crontab # Server update export SECURE_LEVEL=4 echo "Setting secure level variable to 4 :" AddRules "SECURE_LEVEL=4" /etc/sysconfig/msec IFS=" " echo -n "Disabling all service, except : {" for service in `chkconfig --list | awk '{print $1}'`; do if grep -qx ${service} /etc/security/msec/server.4; then echo -n " ${service}" fi done echo " } : " for service in `chkconfig --list | awk '{print $1}'`; do chkconfig --del "${service}" if ! chkconfig --msec --add "${service}"; then echo -e "\t- Services ${service} scheduled to be disabled at next boot." fi done echo -e "done.\n"; echo "Setting umask to 022 (u=rw,g=rx) for root, 077 (u=rw) for user :" AddRules "UMASK_ROOT=022" /etc/sysconfig/msec AddRules "UMASK_USER=077" /etc/sysconfig/msec if [[ -f /lib/libsafe.so.2 ]]; then echo "Enabling stack overflow protection :" AddRules "/lib/libsafe.so.2" /etc/ld.so.preload fi # Console timeout echo "Setting console timeout :" AddRules "TMOUT=7200" /etc/sysconfig/msec # No history file echo "No history file :" AddRules "HISTFILESIZE=0" /etc/sysconfig/msec # Ip spoofing protection echo "IP spoofing protection :" AddRules "nospoof on" /etc/host.conf AddRules "spoofalert on" /etc/host.conf # icmp echo echo "Ignoring icmp echo :" AddRules "net.ipv4.icmp_echo_ignore_all=1" /etc/sysctl.conf AddRules "net.ipv4.icmp_echo_ignore_broadcasts=1" /etc/sysctl.conf # bad error echo "Enabling bad error message Protection :" AddRules "net.ipv4.icmp_ignore_bogus_error_responses=1" /etc/sysctl.conf # log strange packets echo "Enabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :" AddRules "net.ipv4.conf.all.log_martians=1" /etc/sysctl.conf LoadSysctl # issues echo "Removing /etc/issue.net :" RemoveIssueNet # Do not boot on a shell ForbidReboot ForbidAutologin # Group were modified in lib.sh... grpconv ForbidUserList RootSshLogin 4 ='get' action='/software/drakx/log/perl-install/loopback.pm'>
path: root/perl-install/loopback.pm
blob: 04c320ca365a8a489e700ec01597ff0e96db70a2 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117

package loopback; # $Id$

use diagnostics;
use strict;

#-######################################################################################
#- misc imports
#-######################################################################################
use MDK::Common::System;
use common;
use partition_table qw(:types);
use commands;
use fs;
use log;


sub file {
    my ($part) = @_;
    ($part->{device}{mntpoint} || die "loopback::file but loopback file has no associated mntpoint") . 
      $part->{loopback_file};
}

sub loopbacks {
    map { map { @{$_->{loopback} || []} } partition_table::get_normal_parts($_) } @_;
}

sub carryRootLoopback {
    my ($part) = @_;
    $_->{mntpoint} eq '/' and return 1 foreach @{$part->{loopback} || []};
    0;
}

sub carryRootCreateSymlink {
    my ($part, $prefix) = @_;

    carryRootLoopback($part) or return;

    my $mntpoint = "$prefix$part->{mntpoint}";
    unless (-e $mntpoint) {
	eval { commands::mkdir_("-p", dirname($mntpoint)) };
	#- do non-relative link for install, should be changed to relative link before rebooting
	symlink "/initrd/loopfs", $mntpoint;

	commands::mkdir_("-p", "/initrd/loopfs/lnx4win/boot");
	symlink "/initrd/loopfs/lnx4win/boot", "$prefix/boot";
    }
    #- indicate kernel to keep initrd
    mkdir "$prefix/initrd", 0755;
}


sub format_part {
    my ($part, $prefix) = @_;
    fs::mount_part($part->{device}, $prefix);
    my $f = create($part, $prefix);
    local $part->{device} = $f;
    fs::real_format_part($part);
}

sub create {
    my ($part, $prefix) = @_;
    my $f = "$prefix$part->{device}{mntpoint}$part->{loopback_file}";
    return $f if -e $f;

    eval { commands::mkdir_("-p", dirname($f)) };

    log::l("creating loopback file $f ($part->{size} sectors)");

    local *F;
    sysopen F, $f, 2 | c::O_CREAT() or die "failed to create loopback file";
    sysseek F, ($part->{size} << 9) - 1, 0 or die "failed to create loopback file";
    syswrite F, "\0" or die "failed to create loopback file";
    $f;
}

sub getFree {
    my ($dir, $part) = @_;
    my $freespace = $dir ? 
      2 * (MDK::Common::System::df($dir))[1] : #- df in KiB
      $part->{size};

    $freespace - sum map { $_->{size} } @{$part->{loopback} || []};
}

#- returns the size of the loopback file if it already exists
#- returns -1 is the loopback file can't be used
sub verifFile {
    my ($dir, $file, $part) = @_;
    -e "$dir$file" and return -s "$dir$file";

    $_->{loopback_file} eq $file and return -1 foreach @{$part->{loopback} || []};

    undef;
}

sub prepare_boot {
    my ($prefix) = @_;
    my $r = readlink "$prefix/boot"; 
    unlink "$prefix/boot"; 
    mkdir "$prefix/boot", 0755;