aboutsummaryrefslogtreecommitdiffstats
path: root/doc/security.txt
blob: aa4ea2e8f8a18485d9e8c92434fd986a49233df2 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
****************************
Security level 0 :

- no password
- umask is 002 ( user = read,write | greoup = read,write | other = read ) 
- easy file permission.
- everybody authorized to connect to X display.
- . in $PATH

****************************
Security level 1 :

- Global security check.
- umask is 002 ( user = read,write | greoup = read,write | other = read ) 
- easy file permission.
- localhost authorized to connect to X display and X server listens to
tcp connections.
- . in $PATH
- Warning in /var/log/security.log

****************************
Security level 2 ( Aka normal system ) :

- Global security check
- Suid root file check
- Suid root file md5sum check
- Writable file check
- Warning in syslog
- Warning in /var/log/security.log 

- umask is 022 ( user = read,write | group = read | other = read )
- easy file permission.
- localhost authorized to connect to X display and X server listens to
tcp connections.

****************************
Security level 3  ( Aka more secure system ) :

- Global security check 
- Permissions check
- Suid root file check
- Suid root file md5sum check
- Suid group file check 
- Writable file check 
- Unowned file check 
- Promiscuous check 
- Listening port check 
- Passwd file integrity check
- Shadow file integrity check
- Warning in syslog
- Warning in /var/log/security.log
- rpm database checks
- send the results of checks by mail if they aren't empty

- umask is 022 ( user = read,write | group = read | other = read )
- Normal file permission.
- X server listens to tcp connections.
- All system events additionally logged to /dev/tty12
- Some system security check launched every midnight from the ( crontab ).
- no autologin

- home directories are accesible but not readable by others and group members.

****************************
Security level 4 ( Aka Secured system ) :

- Global security check 
- Permissions check
- Suid root file check 
- Suid root file md5sum check
- Suid group file check
- Writable file check
- Unowned file check 
- Promiscuous check 
- Listening port check 
- Passwd file integrity check 
- Shadow file integrity check 
- Warning in syslog
- Warning in /var/log/security.log
- Warning directly on tty
- rpm database checks
- Send the results of checks by mail even if they are empty
 to show that the checks were run.

- umask 022 ( user = read,write | group = read | other = read ) for root
- umask 077 ( user = read,write | group =  | other =  ) for normal users
- restricted file permissions.
- All system events additionally logged to /dev/tty12
- System security check every midnight ( crontab ).
- localhost authorized to connect to X display.
- X server doesn't listen for tcp connections
- no autologin
- sulogin in single user
- no direct root login
- remote root login only with a pass phrase
- no list of users in kdm and gdm
- password aging at 60 days
- shell history limited to 10
- shell timeout 3600 seconds
- at and crontab not allowed to users not listd in /etc/at.allow and /etc/cron.allow
* - Services not contained in /etc/security/msec/server.4 are disabled during
package installation (  considered as not really secure ) ( but the user can reenable it with
chkconfig -add ).
- Connection to the system denyied for all except localhost (authorized services must be
in /etc/hosts.allow).
- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ).

- most sensible files and directories are restricted to the members of the adm group.
- home directories are not accesible by others and group members.
- X commands from /usr/X11R6/bin restricted to the members of the xgrp group.
- network commands (ssh, scp, rsh, ...) restricted to the members of the ntools group.
- compilation commands (gcc, g++, ...) restricted to the members of the ctools group.
- rpm command restricted to the members of the rpm group.
- forbid exporting X display when switching from root to another user

*******************************
Security level 5 ( Aka Paranoid system ) :

- Global security check
- Permissions check 
- Suid root file check 
- Suid root file md5sum check
- Suid group file check 
- Writable file check
- Unowned file check 
- Promiscuous check 
- Listening port check 
- Passwd file integrity check 
- Shadow file integrity check
- Warning in syslog
- Warning in /var/log/security.log
- Warning directly on tty
- rpm database checks
- Send the results of checks by mail even if they are empty
 to show that the checks were run.

- umask 077 ( user = read,write | group =  | other =  )
- Highly restricted file permission
- All system events additionally logged to /dev/tty12
- System security check every midnight ( crontab ).
- X server doesn't listen for tcp connections
- no autologin
- sulogin in single user
- no direct root login
- no list of users in kdm and gdm
- password aging at 30 days
- password history to 5
- shell history limited to 10
- shell timeout 900 seconds
- su to root only allowed to members of the wheel group (activated only if the wheel group
isn't empty)
* - Services not contained in /etc/security/msec/server.5 are disabled during
package installation (  considered as not really secure ) ( but the user can reenable it with
chkconfig -add ).
- Connection to the system denyied for all (authorized services must be
in /etc/hosts.allow).
- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ) .

- most sensible files and directories are restricted to the root account.
- home directories are not accesible by others and group members.
- X commands from /usr/X11R6/bin restricted to the members of the xgrp group.
- network commands (ssh, scp, rsh, ...) restricted to the members of the ntools group.
- compilation commands (gcc, g++, ...) restricted to the members of the ctools group.
- rpm command restricted to the members of the rpm group.
- forbid exporting X display when switching from root to another user

******************

* level4/level5 : "services disabled" explanations :

- Some server aren't really considered as secure,
  these one, should for example be compiled from sources.
  server considered as secure are specified in /etc/security/msec/server.4/5
  
  When enabling level4/5, all servers which aren't considered as secure are
  disabled ( NOT uninstalled, just disabled ) user can reenable them using the
  chkconfig utility ( server will be launched at next boot ).
 
  In these level, we are also denying rpm to enable any server considered as insecure 
  ( off course rpm can install the server ).
  The user have the choise : chkconfig --add servername will enable the server.
  Or add the server in the secured server list







*** Future Release : ***
- Automatic tty locking ( unlock by passwd ) after X time of inactivity.
***