#
# Security level implementation...
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#
# Need root access
if [[ ${UID} != 0 ]]; then
echo "You need to be root in order to change secure level."
exit 1
fi
export COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too."
WaitAnswer() {
answer="nothing"
while [[ ${answer} != yes && ${answer} != no ]]; do
echo -n "yes/no : "
read answer
done
}
AddRules() {
string=$1
file=$2
quiet=$3
if [[ -z ${string} ]]; then
return;
fi
if [[ -z ${quiet} ]]; then
echo "Modifying config in ${file}..."
fi
if ! grep -Eqx "^${string}" ${file}; then
echo -e "${COMMENT}" >> ${file};
echo -e "${string}" >> ${file};
fi
if [[ -z ${3} ]]; then
echo -e "done.\n"
fi
}
AddBegRules() {
echo "Modifying config in ${2}..."
if [[ ! -f ${file} ]]; then
return;
fi
export VAL=$1
perl -pi -e '/^#/ or /^$/ or $m++ or print "$ENV{COMMENT}\n$ENV{VAL}\n"' $2
echo -e "done.\n"
}
OLD_CleanRules() {
file=$1
ctrl=0
if [[ ! -f ${file} ]]; then
echo "${file} do not exist... can not clean."
return;
fi
echo -en "\t- Cleaning msec appended line in ${file} : "
tmpfile=`mktemp /tmp/secure.XXXXXX`
cp ${file} ${tmpfile}
while read line; do
if [[ ${ctrl} == 1 ]]; then
ctrl=0
continue;
fi
if echo "${line}" | grep -qx "${COMMENT}"; then
ctrl=1
fi
if [[ ${ctrl} == 0 ]]; then
echo "${line}"
fi
done < ${tmpfile} > ${file}
rm -f ${tmpfile}
echo "done."
}
CleanRules() {
echo -en "\t- Cleaning msec appended line in $1 : "
perl -ni -e '$_ eq "$ENV{COMMENT}\n" ... // or print' $1
echo "done."
}
CommentUserRules() {
file=$1
if [[ ! -f ${file} ]]; then
return;
fi
echo -en "\t- Cleaning user appended line in ${file} : "
tmpfile=`mktemp /tmp/secure.XXXXXX`
cp -f ${file} ${tmpfile}
while read line; do
if ! echo "${line}" | grep -qE "^#"; then
echo "# ${line}"
else
echo "${line}"
fi
done < ${tmpfile} > ${file}
rm -f ${tmpfile}
echo "done."
}
Syslog() {
if [[ ${SYSLOG_WARN} == yes ]]; then
/sbin/initlog --string=${1}
fi
}
Ttylog() {
if [[ ${TTY_WARN} == yes ]]; then
w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do
echo -e ${1} > /dev/$i
done
fi
}
LoaderUpdate() {
# Ask only if we're not inside DrakX.
if [[ ! ${DRAKX_PASSWORD+set} ]]; then
echo "Do you want a password authentication at boot time ?"
echo "Be very carefull,"
echo "this will prevent your server to reboot without an operator to enter password".
WaitAnswer;
if [[ ${answer} == yes ]]; then
echo -n "Please enter the password which will be used at boot time : "
read password
else
password=""
fi
if [[ ! -z ${password} ]]; then
if [[ -f /etc/lilo.conf ]]; then
AddBegRules "password=$password" /etc/lilo.conf
chmod 600 /etc/lilo.conf
fi
if [[ -f /boot/grub/menu.lst ]]; then
AddBegRules "password $password" /boot/grub/menu.lst
chmod 600 /boot/grub/menu.lst
fi
loader=`/usr/sbin/detectloader`
case "${loader}" in
"LILO")
/sbin/lilo
;;
"GRUB")
;;
esac
fi
fi
}
# Do something only if DRAKX_PASSWORD set ( we're in DrakX )
LoaderDrakX() {
if [[ -n "${DRAKX_PASSWORD}" ]]; then
if [[ -f /etc/lilo.conf ]]; then
AddBegRules "password=$DRAKX_PASSWORD" /etc/lilo.conf
chmod 600 /etc/lilo.conf
fi
if [[ -f /boot/grub/menu.lst ]]; then
AddBegRules "password $DRAKX_PASSWORD" /boot/grub/menu.lst
chmod 600 /boot/grub/menu.lst
fi
loader=`/usr/sbin/detectloader`
case "${loader}" in
"LILO")
/sbin/lilo
;;
"GRUB")
;;
esac
fi
}
CleanLoaderRules() {
if [[ -f /etc/lilo.conf ]]; then
CleanRules /etc/lilo.conf
chmod 644 /etc/lilo.conf
fi
if [[ -f /boot/grub/menu.lst ]]; then
CleanRules /boot/grub/menu.lst
chmod 644 /boot/grub/menu.lst
fi
if [[ -z ${DRAKX_PASSWORD} ]]; then
loader=`/usr/sbin/detectloader`
case "${loader}" in
"LILO")
/sbin/lilo
;;
"GRUB")
;;
esac
fi
}
AllowAutologin() {
file=/etc/sysconfig/autologin
if [[ -f ${file} ]]; then
grep -v AUTOLOGIN < ${file} > ${file}.new
echo "AUTOLOGIN=yes" >> ${file}.new
mv -f ${file}.new ${file}
fi
}
ForbidAutologin() {
file=/etc/sysconfig/autologin
if [[ -f ${file} ]]; then
cat ${file} | grep -v AUTOLOGIN > ${file}.new
echo "AUTOLOGIN=no" >> ${file}.new
mv -f ${file}.new ${file}
fi
}
ForbidUserList() {
file=/usr/share/config/kdmrc
if [[ -f ${file} ]]; then
perl -pi -e 's/^UserView=.*$/UserView=false/' ${file}
fi
file=/etc/X11/gdm/gdm.conf
if [[ -f ${file} ]]; then
perl -pi -e 's/^Browser=.*$/Browser=0/' ${file}
fi
}
AllowUserList() {
file=/usr/share/config/kdmrc
if [[ -f ${file} ]]; then
perl -pi -e 's/^UserView=.*$/UserView=true/' ${file}
fi
file=/etc/X11/gdm/gdm.conf
if [[ -f ${file} ]]; then
perl -pi -e 's/^Browser=.*$/Browser=1/' ${file}
fi
}
ForbidReboot() {
echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
tmpfile=`mktemp /tmp/secure.XXXXXX`
cp /etc/inittab ${tmpfile}
cat ${tmpfile} | \
sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
rm -f ${tmpfile}
[ -z "$DURING_INSTALL" ] && telinit u
echo "done."
}
AllowReboot() {
echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
tmpfile=`mktemp /tmp/secure.XXXXXX`
cp /etc/inittab ${tmpfile}
cat ${tmpfile} | \
sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
rm -f ${tmpfile}
[ -z "$DURING_INSTALL" ] && telinit u
echo "done."
}
RootSshLogin () {
echo -n "Setting up the root ssh login : "
if [[ $1 == 4 || $1 == 5 ]]; then
/bin/sed 's/PermitRootLogin yes/PermitRootLogin no/' < /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
chmod 0600 /etc/ssh/sshd_config
else
sed 's/PermitRootLogin no/PermitRootLogin yes/' < /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
chmod 0600 /etc/ssh/sshd_config
fi
}
# If we are currently installing our
# system with DrakX, we don't ask anything to the user...
# Instead, DrakX does it and gives us a file with some variables.
if [[ -f /etc/security/msec/security.conf ]]; then
. /etc/security/msec/security.conf
fi
clear
echo "Preparing to run security script : "
CleanRules /etc/syslog.conf
CleanRules /etc/hosts.deny
CommentUserRules /etc/hosts.deny
CleanRules /etc/hosts.allow
CommentUserRules /etc/hosts.allow
CleanRules /etc/securetty
CommentUserRules /etc/securetty
CleanRules /etc/security/msec/security.conf
CommentUserRules /etc/security/msec/security.conf
CleanRules /etc/ld.so.preload
CleanLoaderRules
LoaderDrakX
CleanRules /etc/logrotate.conf
CleanRules /etc/rc.d/rc.local
CleanRules /etc/rc.d/rc.firewall
CleanRules /etc/crontab
if [[ -f /etc/X11/xinit.d/msec ]]; then
CleanRules /etc/X11/xinit.d/msec
else
touch /etc/X11/xinit.d/msec
chmod 755 /etc/X11/xinit.d/msec
fi
echo -e "\nStarting to reconfigure the system : "
# For all secure level
echo "Setting spoofing protection : "
AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall
# default groups which must exist on the system
# groupadd already checks for their existance...
groupadd nogroup >& /dev/null
groupadd -g 26 xgrp >& /dev/null
groupadd -g 33 ntools >& /dev/null
groupadd -g 34 ctools >& /dev/null
groupadd -g 81 audio >& /dev/null
usermod -G xgrp xfs
/usr/share/msec/grpuser.sh --clean
echo