.ds q \N'34' .TH msec 0.60.2 msec "Mandriva Linux" .SH NAME msec \- Mandriva Linux security tools .SH SYNOPSIS .nf .B msec [options] .B msecperms [options] .B msecgui [options] .fi .SH DESCRIPTION .B msec is responsible to maintain system security in Mandriva. It supports different security configurations, which can be organized into several security levels. Currently, three preconfigured security levels are provided: .TP \fBnone\fR this level aims to provide the most basic security. It should be used when you want to manage all aspects of system security on your own. .TP \fBdefault\fR this is the default security level, which configures a reasonably safe set of security features. It activates several periodic system checks, and sends the results of their execution by email (by default, the local 'root' account is used). .TP \fBsecure\fR this level is configured to provide maximum system security, even at the cost of limiting the remote access to the system, and local user permissions. It also runs a wider set of periodic checks, enforces the local password settings, and periodically checks if the system security settings, configured by msec, were modified directly or by some other application. .PP The security settings are stored in \fB/etc/security/msec/security.conf\fR file, and default settings for each predefined level are stored in \fB/etc/security/msec/level.LEVEL\fR. Permissions for files and directories that should be enforced or checked for changes are stored in \fB/etc/security/msec/perms.conf\fR, and default permissions for each predefined level are stored in \fB/etc/security/msec/perm.LEVEL\fR. Note that user-modified parameters take precedence over default level settings. For example, when default level configuration forbids direct root logins, this setting can be overridden by the user. .PP The following options are supported by msec applications: .TP \fBmsec\fR: .PP This is the console version of msec. It is responsible for system security configuration and checking and transitions between security levels. When executed without parameters, msec will read the system configuration file (/etc/security/msec/security.conf), and enforce the specified security settings. The operations are logged to \fB/var/log/msec.log\fP file, and also to syslog, using \fBLOG_AUTHPRIV\fR facility. Please note that msec should by run as root. \fB\-h, --help\fR This option will display the list of supported command line options. \fB\-l, --level \fR List the default configuration for given security level. \fB\-f, --force \fR Apply the specified security level to the system, overwritting all local changes. This is necessary to initialize a security level, either on first install, on when a change to a different level is required. \fB\-d\fR Enable debugging messages. \fB\-p, --pretend\fR Verify the actions that will be performed by msec, without actually doing anything to the system. In this mode of operation, msec performs all the required tasks, except effectively writting data back to disk. .TP \fBmsecperms\fR: .PP This application is responsible for system permission checking and enforcements. When executed without parameters, msecperms will read the permissions configuration file (/etc/security/msec/perms.conf), and enforce the specified security settings. The operations are logged to \fB/var/log/msec.log\fP file, and also to syslog, using \fBLOG_AUTHPRIV\fR facility. Please note that msecperms should by run as root. \fB\-h, --help\fR This option will display the list of supported command line options. \fB\-l, --level \fR List the default configuration for given security level. \fB\-f, --force \fR Apply the specified security level to the system, overwritting all local changes. This is necessary to initialize a security level, either on first install, on when a change to a different level is required. \fB\-e, --enforce\fR Enforce the default permissions on all files. \fB\-d\fR Enable debugging messages. \fB\-p, --pretend\fR Verify the actions that will be performed by msec, without actually doing anything to the system. In this mode of operation, msec performs all the required tasks, except effectively writting data back to disk. .TP \fBmsecgui\fR: .PP This is the GTK version of msec. It acts as frontend to all msec functionalities. \fB\-h, --help\fR This option will display the list of supported command line options. \fB\-d\fR Enable debugging messages. .SH "SECURITY OPTIONS" The following security options are supported by msec: .TP 4 .B \fIenable_dns_spoofing_protection\fP Enable/Disable name resolution spoofing protection. If \fIalert\fP is true, also reports to syslog. MSEC parameter: \fIENABLE_IP_SPOOFING_PROTECTION\fP Accepted values: \fIyes, no\fP .TP 4 .B \fImail_empty_content\fP Enables sending of empty mail reports. MSEC parameter: \fIMAIL_EMPTY_CONTENT\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIaccept_broadcasted_icmp_echo\fP Accept/Refuse broadcasted icmp echo. MSEC parameter: \fIACCEPT_BROADCASTED_ICMP_ECHO\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIallow_xserver_to_listen\fP The argument specifies if clients are authorized to connect to the X server on the tcp port 6000 or not. MSEC parameter: \fIALLOW_XSERVER_TO_LISTEN\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIcheck_chkrootkit\fP Enables checking for known rootkits using chkrootkit. MSEC parameter: \fICHECK_CHKROOTKIT\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIcheck_suid_root\fP Enables checking for additions/removals of suid root files. MSEC parameter: \fICHECK_SUID_ROOT\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIenable_at_crontab\fP Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow (see man at(1) and crontab(1)). MSEC parameter: \fIENABLE_AT_CRONTAB\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIaccept_bogus_error_responses\fP Accept/Refuse bogus IPv4 error messages. MSEC parameter: \fIACCEPT_BOGUS_ERROR_RESPONSES\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIcheck_suid_md5\fP Enables checksum verification for suid files. MSEC parameter: \fICHECK_SUID_MD5\fP Accepted values: \fIyes, no\fP .TP 4 .B \fImail_user\fP Defines email to receive security notifications. MSEC parameter: \fIMAIL_USER\fP Accepted values: \fI*\fP .TP 4 .B \fIallow_autologin\fP Allow/Forbid autologin. MSEC parameter: \fIALLOW_AUTOLOGIN\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIenable_pam_wheel_for_su\fP Enabling su only from members of the wheel group or allow su from any user. MSEC parameter: \fIENABLE_PAM_WHEEL_FOR_SU\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIcreate_server_link\fP Creates the symlink /etc/security/msec/server to point to /etc/security/msec/server.SERVER_LEVEL. The /etc/security/msec/server is used by chkconfig --add to decide to add a service if it is present in the file during the installation of packages. MSEC parameter: \fICREATE_SERVER_LINK\fP Accepted values: \fIno, default, secure\fP .TP 4 .B \fIset_shell_timeout\fP Set the shell timeout. A value of zero means no timeout. MSEC parameter: \fISHELL_TIMEOUT\fP Accepted values: \fI*\fP .TP 4 .B \fIcheck_user_files\fP Enables permission checking on users' files that should not be owned by someone else, or writable. MSEC parameter: \fICHECK_USER_FILES\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIcheck_shadow\fP Enables checking for empty passwords. MSEC parameter: \fICHECK_SHADOW\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIenable_password\fP Use password to authenticate users. Take EXTREMELY care when disabling passwords, as it will leave the machine COMPLETELY vulnerable. MSEC parameter: \fIENABLE_PASSWORD\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIset_win_parts_umask\fP Set umask option for mounting vfat and ntfs partitions. A value of None means default umask. MSEC parameter: \fIWIN_PARTS_UMASK\fP Accepted values: \fIno, *\fP .TP 4 .B \fIcheck_open_port\fP Enables checking for open network ports. MSEC parameter: \fICHECK_OPEN_PORT\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIenable_log_strange_packets\fP Enable/Disable the logging of IPv4 strange packets. MSEC parameter: \fIENABLE_LOG_STRANGE_PACKETS\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIcheck_rpm\fP Enables verification of installed packages. MSEC parameter: \fICHECK_RPM\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIenable_pam_root_from_wheel\fP Allow root access without password for the members of the wheel group. MSEC parameter: \fIENABLE_PAM_ROOT_FROM_WHEEL\fP Accepted values: \fIyes, no\fP .TP 4 .B \fImail_warn\fP Enables security results submission by email. MSEC parameter: \fIMAIL_WARN\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIpassword_length\fP Set the password minimum length and minimum number of digit and minimum number of capitalized letters. MSEC parameter: \fIPASSWORD_LENGTH\fP Accepted values: \fI*\fP .TP 4 .B \fIset_root_umask\fP Set the root umask. MSEC parameter: \fIROOT_UMASK\fP Accepted values: \fI*\fP .TP 4 .B \fIcheck_sgid\fP Enables checking for additions/removals of sgid files. MSEC parameter: \fICHECK_SGID\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIcheck_promisc\fP Activate/Disable ethernet cards promiscuity check. MSEC parameter: \fICHECK_PROMISC\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIallow_x_connections\fP Allow/Forbid X connections. Accepted arguments: yes (all connections are allowed), local (only local connection), no (no connection). MSEC parameter: \fIALLOW_X_CONNECTIONS\fP Accepted values: \fIyes, no, local\fP .TP 4 .B \fIcheck_writable\fP Enables checking for files/directories writable by everybody. MSEC parameter: \fICHECK_WRITABLE\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIenable_console_log\fP Enable/Disable syslog reports to console terminal 12. MSEC parameter: \fIENABLE_CONSOLE_LOG\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIenable_ip_spoofing_protection\fP Enable/Disable IP spoofing protection. MSEC parameter: \fIENABLE_DNS_SPOOFING_PROTECTION\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIcheck_perms\fP Enables periodic permission checking for system files. MSEC parameter: \fICHECK_PERMS\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIset_shell_history_size\fP Set shell commands history size. A value of -1 means unlimited. MSEC parameter: \fISHELL_HISTORY_SIZE\fP Accepted values: \fI*\fP .TP 4 .B \fIallow_reboot\fP Allow/Forbid system reboot and shutdown to local users. MSEC parameter: \fIALLOW_REBOOT\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIsyslog_warn\fP Enables logging to system log. MSEC parameter: \fISYSLOG_WARN\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIcheck_shosts\fP Enables checking for dangerous options in users' .rhosts/.shosts files. MSEC parameter: \fICHECK_SHOSTS\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIcheck_passwd\fP Enables password-related checks, such as empty passwords and strange super-user accounts. MSEC parameter: \fICHECK_PASSWD\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIpassword_history\fP Set the password history length to prevent password reuse. This is not supported by pam_tcb. MSEC parameter: \fIPASSWORD_HISTORY\fP Accepted values: \fI*\fP .TP 4 .B \fIcheck_security\fP Enables daily security checks. MSEC parameter: \fICHECK_SECURITY\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIallow_root_login\fP Allow/Forbid direct root login. MSEC parameter: \fIALLOW_ROOT_LOGIN\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIcheck_unowned\fP Enables checking for unowned files. MSEC parameter: \fICHECK_UNOWNED\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIallow_user_list\fP Allow/Forbid the list of users on the system on display managers (kdm and gdm). MSEC parameter: \fIALLOW_USER_LIST\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIallow_remote_root_login\fP Allow/Forbid remote root login via sshd. You can specify yes, no and without-password. See sshd_config(5) man page for more information. MSEC parameter: \fIALLOW_REMOTE_ROOT_LOGIN\fP Accepted values: \fIyes, no, without_password\fP .TP 4 .B \fIenable_msec_cron\fP Enable/Disable msec hourly security check. MSEC parameter: \fIENABLE_MSEC_CRON\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIenable_sulogin\fP Enable/Disable sulogin(8) in single user level. MSEC parameter: \fIENABLE_SULOGIN\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIallow_xauth_from_root\fP Allow/forbid to export display when passing from the root account to the other users. See pam_xauth(8) for more details. MSEC parameter: \fIALLOW_XAUTH_FROM_ROOT\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIset_user_umask\fP Set the user umask. MSEC parameter: \fIUSER_UMASK\fP Accepted values: \fI*\fP .TP 4 .B \fIaccept_icmp_echo\fP Accept/Refuse icmp echo. MSEC parameter: \fIACCEPT_ICMP_ECHO\fP Accepted values: \fIyes, no\fP .TP 4 .B \fIauthorize_services\fP Configure access to tcp_wrappers services (see hosts.deny(5)). If arg = yes, all services are authorized. If arg = local, only local ones are, and if arg = no, no services are authorized. In this case, To authorize the services you need, use /etc/hosts.allow (see hosts.allow(5)). MSEC parameter: \fIAUTHORIZE_SERVICES\fP Accepted values: \fIyes, no, local\fP .TP 4 .B \fItty_warn\fP Enables periodic security check results to terminal. MSEC parameter: \fITTY_WARN\fP Accepted values: \fIyes, no\fP .RE .SH NOTES Msec applications must be run by root. .SH AUTHORS Frederic Lepied Eugeni Dodonov