msec(0.60.1)                                                      msec(0.60.1)

NAME
       msec - Mandriva Linux security tools

SYNOPSIS
       msec [options]
       msecperms [options]
       msecgui [options]

DESCRIPTION
       msec is responsible for maintaining system security in Mandriva. It
       supports different security configurations, which can be organized
       into several security levels. Currently, three preconfigured security
       levels are provided:

       none   This level aims to provide the most basic security. It should be
              used when you want to manage all aspects of system security on
              your own.

       default
              This is the default security level, which configures a
              reasonably safe set of security features. It activates several
              periodic system checks, and sends the results of their execution
              by email (by default, the local 'root' account is used).

       secure This level is configured to provide maximum system security,
              even at the cost of limiting remote access to the system and
              local user permissions. It also runs a wider set of periodic
              checks, enforces the local password settings, and periodically
              checks whether the system security settings configured by msec
              were modified directly or by some other application.

       The security settings are stored in the
       /etc/security/msec/security.conf file, and the default settings for
       each predefined level are stored in /etc/security/msec/level.LEVEL.
       Permissions for files and directories that should be enforced or
       checked for changes are stored in /etc/security/msec/perms.conf, and
       the default permissions for each predefined level are stored in
       /etc/security/msec/perm.LEVEL. Note that user-modified parameters take
       precedence over default level settings. For example, when the default
       level configuration forbids direct root logins, this setting can be
       overridden by the user.

       The following options are supported by the msec applications:

   msec:
       This is the console version of msec. It is responsible for system
       security configuration and checking, and for transitions between
       security levels.
       When executed without parameters, msec will read the system
       configuration file (/etc/security/msec/security.conf), and enforce the
       specified security settings. The operations are logged to the
       /var/log/msec.log file, and also to syslog, using the LOG_AUTHPRIV
       facility. Please note that msec should be run as root.

       -h, --help
              Display the list of supported command line options.

       -l, --level
              List the default configuration for the given security level.

       -f, --force
              Apply the specified security level to the system, overwriting
              all local changes. This is necessary to initialize a security
              level, either on first install or when a change to a different
              level is required.

       -d     Enable debugging messages.

       -p, --pretend
              Verify the actions that will be performed by msec, without
              actually doing anything to the system. In this mode of
              operation, msec performs all the required tasks, except
              effectively writing data back to disk.

   msecperms:
       This application is responsible for system permission checking and
       enforcement. When executed without parameters, msecperms will read the
       permissions configuration file (/etc/security/msec/perms.conf), and
       enforce the specified security settings. The operations are logged to
       the /var/log/msec.log file, and also to syslog, using the LOG_AUTHPRIV
       facility. Please note that msecperms should be run as root.

       -h, --help
              Display the list of supported command line options.

       -l, --level
              List the default configuration for the given security level.

       -f, --force
              Apply the specified security level to the system, overwriting
              all local changes. This is necessary to initialize a security
              level, either on first install or when a change to a different
              level is required.

       -e, --enforce
              Enforce the default permissions on all files.

       -d     Enable debugging messages.

       -p, --pretend
              Verify the actions that will be performed by msecperms, without
              actually doing anything to the system.
              In this mode of operation, msecperms performs all the required
              tasks, except effectively writing data back to disk.

   msecgui:
       This is the GTK version of msec. It acts as a frontend to all msec
       functionalities.

       -h, --help
              Display the list of supported command line options.

       -d     Enable debugging messages.

SECURITY OPTIONS
       The following security options are supported by msec:

       mail_empty_content
              Enables sending of empty mail reports.
              MSEC parameter: MAIL_EMPTY_CONTENT
              Accepted values: yes, no

       accept_broadcasted_icmp_echo
              Accept/Refuse broadcasted ICMP echo.
              MSEC parameter: ACCEPT_BROADCASTED_ICMP_ECHO
              Accepted values: yes, no

       allow_xserver_to_listen
              The argument specifies whether clients are authorized to
              connect to the X server on TCP port 6000 or not.
              MSEC parameter: ALLOW_XSERVER_TO_LISTEN
              Accepted values: yes, no

       check_chkrootkit
              Enables checking for known rootkits using chkrootkit.
              MSEC parameter: CHECK_CHKROOTKIT
              Accepted values: yes, no

       check_suid_root
              Enables checking for additions/removals of suid root files.
              MSEC parameter: CHECK_SUID_ROOT
              Accepted values: yes, no

       enable_at_crontab
              Enable/Disable crontab and at for users. Put allowed users in
              /etc/cron.allow and /etc/at.allow (see at(1) and crontab(1)).
              MSEC parameter: ENABLE_AT_CRONTAB
              Accepted values: yes, no

       accept_bogus_error_responses
              Accept/Refuse bogus IPv4 error messages.
              MSEC parameter: ACCEPT_BOGUS_ERROR_RESPONSES
              Accepted values: yes, no

       check_suid_md5
              Enables checksum verification for suid files.
              MSEC parameter: CHECK_SUID_MD5
              Accepted values: yes, no

       mail_user
              Defines the email address that receives security notifications.
              MSEC parameter: MAIL_USER
              Accepted values: *

       allow_autologin
              Allow/Forbid autologin.
              MSEC parameter: ALLOW_AUTOLOGIN
              Accepted values: yes, no

       enable_pam_wheel_for_su
              Allow su only from members of the wheel group, or allow su from
              any user.
              MSEC parameter: ENABLE_PAM_WHEEL_FOR_SU
              Accepted values: yes, no

       create_server_link
              Creates the symlink /etc/security/msec/server to point to
              /etc/security/msec/server.. The /etc/security/msec/server file
              is used by chkconfig --add to decide whether to add a service
              if it is present in the file during the installation of
              packages.
              MSEC parameter: CREATE_SERVER_LINK
              Accepted values: no, default, secure

       set_shell_timeout
              Set the shell timeout. A value of zero means no timeout.
              MSEC parameter: SHELL_TIMEOUT
              Accepted values: *

       check_shadow
              Enables checking for empty passwords.
              MSEC parameter: CHECK_SHADOW
              Accepted values: yes, no

       enable_password
              Use passwords to authenticate users. Take EXTREME care when
              disabling passwords, as it will leave the machine COMPLETELY
              vulnerable.
              MSEC parameter: ENABLE_PASSWORD
              Accepted values: yes, no

       set_win_parts_umask
              Set the umask option for mounting vfat and ntfs partitions. A
              value of None means the default umask.
              MSEC parameter: WIN_PARTS_UMASK
              Accepted values: no, *

       check_open_port
              Enables checking for open network ports.
              MSEC parameter: CHECK_OPEN_PORT
              Accepted values: yes, no

       enable_log_strange_packets
              Enable/Disable the logging of strange IPv4 packets.
              MSEC parameter: ENABLE_LOG_STRANGE_PACKETS
              Accepted values: yes, no

       check_rpm
              Enables verification of installed packages.
              MSEC parameter: CHECK_RPM
              Accepted values: yes, no

       enable_pam_root_from_wheel
              Allow root access without a password for members of the wheel
              group.
              MSEC parameter: ENABLE_PAM_ROOT_FROM_WHEEL
              Accepted values: yes, no

       mail_warn
              Enables submission of security check results by email.
              MSEC parameter: MAIL_WARN
              Accepted values: yes, no

       password_length
              Set the minimum password length, the minimum number of digits
              and the minimum number of capitalized letters.
              MSEC parameter: PASSWORD_LENGTH
              Accepted values: *

       set_root_umask
              Set the root umask.
              MSEC parameter: ROOT_UMASK
              Accepted values: *

       check_sgid
              Enables checking for additions/removals of sgid files.
              MSEC parameter: CHECK_SGID
              Accepted values: yes, no

       check_promisc
              Enable/Disable the ethernet card promiscuous mode check.
              MSEC parameter: CHECK_PROMISC
              Accepted values: yes, no

       allow_x_connections
              Allow/Forbid X connections. Accepted arguments: yes (all
              connections are allowed), local (only local connections), no
              (no connections).
              MSEC parameter: ALLOW_X_CONNECTIONS
              Accepted values: yes, no, local

       check_writable
              Enables checking for files/directories writable by everybody.
              MSEC parameter: CHECK_WRITABLE
              Accepted values: yes, no

       enable_console_log
              Enable/Disable syslog reports to console 12. expr is the
              expression describing what to log (see syslog.conf(5) for more
              details) and dev the device to report the log to.
              MSEC parameter: ENABLE_CONSOLE_LOG
              Accepted values: yes, no

       enable_ip_spoofing_protection
              Enable/Disable IP spoofing protection.
              MSEC parameter: ENABLE_IP_SPOOFING_PROTECTION
              Accepted values: yes, no

       check_perms
              Enables permission checking in users' home directories.
              MSEC parameter: CHECK_PERMS
              Accepted values: yes, no

       set_shell_history_size
              Set the shell command history size. A value of -1 means
              unlimited.
              MSEC parameter: SHELL_HISTORY_SIZE
              Accepted values: *

       allow_reboot
              Allow/Forbid system reboot and shutdown by local users.
              MSEC parameter: ALLOW_REBOOT
              Accepted values: yes, no

       syslog_warn
              Enables logging to the system log.
              MSEC parameter: SYSLOG_WARN
              Accepted values: yes, no

       check_shosts
              Enables checking for dangerous options in users'
              .rhosts/.shosts files.
              MSEC parameter: CHECK_SHOSTS
              Accepted values: yes, no

       check_passwd
              Enables password-related checks, such as empty passwords and
              strange super-user accounts.
              MSEC parameter: CHECK_PASSWD
              Accepted values: yes, no

       password_history
              Set the password history length to prevent password reuse.
              This is not supported by pam_tcb.
              MSEC parameter: PASSWORD_HISTORY
              Accepted values: *

       check_security
              Enables daily security checks.
              MSEC parameter: CHECK_SECURITY
              Accepted values: yes, no

       allow_root_login
              Allow/Forbid direct root login.
              MSEC parameter: ALLOW_ROOT_LOGIN
              Accepted values: yes, no

       check_unowned
              Enables checking for unowned files.
              MSEC parameter: CHECK_UNOWNED
              Accepted values: yes, no

       allow_user_list
              Allow/Forbid listing the users on the system in display
              managers (sddm and gdm).
              MSEC parameter: ALLOW_USER_LIST
              Accepted values: yes, no

       allow_remote_root_login
              Allow/Forbid remote root login via sshd. You can specify yes,
              no and without-password. See the sshd_config(5) man page for
              more information.
              MSEC parameter: ALLOW_REMOTE_ROOT_LOGIN
              Accepted values: yes, no, without_password

       enable_msec_cron
              Enable/Disable the msec hourly security check.
              MSEC parameter: ENABLE_MSEC_CRON
              Accepted values: yes, no

       enable_sulogin
              Enable/Disable sulogin(8) in single user level.
              MSEC parameter: ENABLE_SULOGIN
              Accepted values: yes, no

       allow_xauth_from_root
              Allow/Forbid exporting the display when passing from the root
              account to other users. See pam_xauth(8) for more details.
              MSEC parameter: ALLOW_XAUTH_FROM_ROOT
              Accepted values: yes, no

       set_user_umask
              Set the user umask.
              MSEC parameter: USER_UMASK
              Accepted values: *

       accept_icmp_echo
              Accept/Refuse ICMP echo.
              MSEC parameter: ACCEPT_ICMP_ECHO
              Accepted values: yes, no

       authorize_services
              Configure access to tcp_wrappers services (see hosts.deny(5)).
              If arg = yes, all services are authorized. If arg = local, only
              local ones are, and if arg = no, no services are authorized.
              In this case, to authorize the services you need, use
              /etc/hosts.allow (see hosts.allow(5)).
              MSEC parameter: AUTHORIZE_SERVICES
              Accepted values: yes, no, local

       tty_warn
              Enables reporting of periodic security check results to the
              terminal.
              MSEC parameter: TTY_WARN
              Accepted values: yes, no

NOTES
       Msec applications must be run by root.

AUTHORS
       Frederic Lepied
       Eugeni Dodonov

Mandriva Linux                       msec                         msec(0.60.1)
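The DESCRIPTION section states two rules worth checking mechanically: user-modified parameters take precedence over the level defaults, and the secure level periodically reports settings that differ from what msec configured. The following Python script is an added example, not msec's own code and not taken from this man page. It assumes both level.LEVEL and security.conf are plain KEY=value files (an assumption about the format), uses constructed stand-ins for /etc/security/msec/level.secure and /etc/security/msec/security.conf, and validates a handful of parameters against the Accepted values listed under SECURITY OPTIONS. Note that the accepted spelling for remote root login in that list is without_password with an underscore; the constructed security.conf deliberately uses the hyphenated form from the prose so the validator has something to catch.

```python
"""Resolve msec-style settings (level defaults overridden by the user's
security.conf), validate them against accepted values, and report drift.
Added example; not part of msec."""

# Accepted values for a few parameters, copied from the SECURITY OPTIONS
# section; "*" means any value is accepted.
ACCEPTED = {
    "ALLOW_ROOT_LOGIN": {"yes", "no"},
    "ALLOW_REMOTE_ROOT_LOGIN": {"yes", "no", "without_password"},
    "ALLOW_X_CONNECTIONS": {"yes", "no", "local"},
    "AUTHORIZE_SERVICES": {"yes", "no", "local"},
    "CHECK_SHADOW": {"yes", "no"},
    "ENABLE_PASSWORD": {"yes", "no"},
    "SHELL_TIMEOUT": "*",
    "PASSWORD_LENGTH": "*",
}

# Constructed stand-in for /etc/security/msec/level.secure. The KEY=value
# layout is an assumption for this example, not copied from a real install.
LEVEL_SECURE = """\
# constructed level defaults
ALLOW_ROOT_LOGIN=no
ALLOW_REMOTE_ROOT_LOGIN=no
ALLOW_X_CONNECTIONS=no
AUTHORIZE_SERVICES=local
CHECK_SHADOW=yes
ENABLE_PASSWORD=yes
SHELL_TIMEOUT=600
PASSWORD_LENGTH=8,2,1
"""

# Constructed stand-in for /etc/security/msec/security.conf with local edits.
SECURITY_CONF = """\
ALLOW_ROOT_LOGIN=yes
ALLOW_REMOTE_ROOT_LOGIN=without-password
SHELL_TIMEOUT=0
"""


def parse_conf(text):
    """Parse KEY=value lines, ignoring blank lines and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def effective_settings(level_text, user_text):
    """User-modified parameters take precedence over the level defaults."""
    merged = parse_conf(level_text)
    merged.update(parse_conf(user_text))
    return merged


def validate(settings):
    """Return (key, value) pairs whose value is outside the accepted set."""
    bad = []
    for key, value in settings.items():
        accepted = ACCEPTED.get(key)
        if accepted is None or accepted == "*":
            continue  # unknown parameter or free-form value: nothing to check
        if value not in accepted:
            bad.append((key, value))
    return bad


def deviations(level_text, user_text):
    """Keys where the user's value differs from the level default, in the
    form (key, level_value, user_value), sorted by key."""
    level = parse_conf(level_text)
    user = parse_conf(user_text)
    return sorted((k, level[k], user[k])
                  for k in user if k in level and user[k] != level[k])


if __name__ == "__main__":
    effective = effective_settings(LEVEL_SECURE, SECURITY_CONF)
    for key, level_value, user_value in deviations(LEVEL_SECURE, SECURITY_CONF):
        print(f"local override: {key}: {level_value} -> {user_value}")
    for key, value in validate(effective):
        print(f"invalid value: {key}={value}")
```

Running it lists the three local overrides and flags ALLOW_REMOTE_ROOT_LOGIN=without-password as invalid; a real run of msec would be expected to reject or ignore such a value, so checking the merged configuration in a pretend step before applying it with -f saves a surprise at enforcement time.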
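msecperms is described above as either checking permissions (the default run and -p, --pretend report only) or enforcing them (-e, --enforce rewrites them). The Python script below is an added example of that check-versus-enforce distinction; it is not msecperms's own code. The rule line format "<path> <user>.<group> <octal mode>" is an assumption made for the example, not taken from this page, and the files it checks are built in a temporary directory with deliberately loose modes rather than read from /etc/security/msec/perms.conf.

```python
"""Check a perms.conf-style rule list against the filesystem and, when asked,
enforce the expected modes. Added example; not msecperms's own code."""
import grp
import os
import pwd
import shutil
import stat
import tempfile


def _owner_names(st):
    """Resolve uid/gid to names, falling back to the numeric id."""
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return user, group


def parse_perms(text):
    """Parse rules of the assumed form '<path> <user>.<group> <octal mode>'."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed rule: " + line)
        user, _, group = parts[1].partition(".")
        rules.append({"path": parts[0], "user": user, "group": group,
                      "mode": int(parts[2], 8)})
    return rules


def check_perms(rules, enforce=False):
    """Return drift records (path, kind, actual, expected). With enforce=False
    this only reports, like a pretend run; with enforce=True it also chmods
    each file to the expected mode (ownership is reported, not changed)."""
    drift = []
    for rule in rules:
        try:
            st = os.lstat(rule["path"])
        except FileNotFoundError:
            drift.append((rule["path"], "missing", None, None))
            continue
        user, group = _owner_names(st)
        expected_owner = f"{rule['user']}.{rule['group']}"
        if (user, group) != (rule["user"], rule["group"]):
            drift.append((rule["path"], "owner", f"{user}.{group}", expected_owner))
        actual_mode = stat.S_IMODE(st.st_mode)
        if actual_mode != rule["mode"]:
            drift.append((rule["path"], "mode", oct(actual_mode), oct(rule["mode"])))
            if enforce:
                os.chmod(rule["path"], rule["mode"])
    return drift


def demo():
    """Build a throwaway tree with loose permissions (constructed input),
    report drift in pretend mode, enforce, then re-check. Returns the
    drift list before enforcement and the one after it."""
    tmp = tempfile.mkdtemp()
    try:
        user, group = _owner_names(os.lstat(tmp))  # whoever runs this
        shadow = os.path.join(tmp, "shadow")
        open(shadow, "w").close()
        os.chmod(shadow, 0o644)          # too permissive for a shadow file
        bindir = os.path.join(tmp, "bin")
        os.mkdir(bindir)
        os.chmod(bindir, 0o777)          # world-writable directory
        rules = parse_perms(f"{shadow} {user}.{group} 600\n"
                            f"{bindir} {user}.{group} 755\n")
        before = check_perms(rules)             # pretend: report only
        check_perms(rules, enforce=True)        # enforce: chmod to expected
        after = check_perms(rules)              # should now be clean
        return before, after
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    before, after = demo()
    for path, kind, actual, expected in before:
        print(f"{path}: {kind} drift, {actual} (expected {expected})")
    print("after enforcement:", after or "no drift")
```

The pretend pass returns two mode drifts and the post-enforcement pass returns none. Ownership mismatches are reported but never corrected here, which mirrors the page's split between checking and enforcing: a report is what you want from a periodic check, and a chmod only belongs in the explicit enforce path.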