1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
|
****************************
Security level 1 :
- Global security check.
- umask is 002 ( user = read,write | greoup = read,write | other = read )
- easy file permission.
- localhost authorized to connect to X display.
- User in audio group.
- . in $PATH
- Warning in /var/log/security.log
****************************
Security level 2 :
- Global security check
- Suid root file check
- Suid root file md5sum check
- Writeable file check
- Warning in syslog
- Warning in /var/log/security.log
- umask is 022 ( user = read,write | group = read | other = read )
- easy file permission.
- localhost authorized to connect to X display.
- User in audio group.
****************************
Security level 3 ( Aka normal system ) :
- Global security check
- Permissions check
- Suid root file check
- Suid root file md5sum check
- Suid group file check
- Writeable file check
- Unowned file check
- Promiscuous check
- Listening port check
- Passwd file integrity check
- Shadow file integrity check
- Warning in syslog
- Warning in /var/log/security.log
- umask is 022 ( user = read,write | group = read | other = read )
- Normal file permission.
- All system events additionally logged to /dev/tty12
- Some system security check launched every midnight from the ( crontab ).
****************************
Security level 4 ( Aka Secured system ) :
- Global security check
- Permissions check
- Suid root file check
- Suid root file md5sum check
- Suid group file check
- Writeable file check
- Unowned file check
- Promiscuous check
- Listening port check
- Passwd file integrity check
- Shadow file integrity check
- Warning in syslog
- Warning in /var/log/security.log
- Warning directly on tty
- umask 022 ( user = read,write | group = read | other = read ) for root
- umask 077 ( user = read,write | group = | other = ) for normal users
- restricted file permissions.
- All system events additionally logged to /dev/tty12
- System security check every midnight ( crontab ).
* - Services not contained in /etc/security/msec/server.4 are disabled (
considered as not really secure ) ( but the user can reenable it with
chkconfig ).
- Ask for a boot password ( if the user want ).
- Connection to the system denyied for all except localhost.
- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ).
*******************************
Security level 5 ( Aka Paranoid system ) :
- Global security check
- Permissions check
- Suid root file check
- Suid root file md5sum check
- Suid group file check
- Writeable file check
- Unowned file check
- Promiscuous check
- Listening port check
- Passwd file integrity check
- Shadow file integrity check
- Warning in syslog
- Warning in /var/log/security.log
- Warning directly on tty
- umask 077 ( user = read,write | group = | other = )
- Highly restricted file permission
- All system events additionally logged to /dev/tty12
- System security check every midnight ( crontab ).
- Services not contained in /etc/security/msec/server.5 are disabled (
considered as not really secure ) ( but the user can reenable it with
chkconfig ).
- Ask for a boot password ( if the user want ).
- Connection to the system denyied for all.
- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ) .
******************
* level4/level5 : "services disabled" explanations :
- Some server aren't really considered as secure,
these one, should for exemple be compiled from sources.
server considered as secure are specified in /etc/security/msec/server.4/5
When enabling level4/5, all server which aren't considered as secure are
disabled ( NOT uninstalled, just disabled ) user can reenable them using the
chkconfig utility ( server will be launched at next boot ).
In these level, we are also denying rpm to enable any server considered as insecure
( off course rpm can install the server ).
The user have the choise : chkconfig --add servername will enable the server.
Or add the server in the secured server list
*** Future Release : ***
- Automatic tty locking ( unlock by passwd ) after X time of inactivity.
- In high security level, only user having access to group "sugrp" can use the su command.
***
|