aboutsummaryrefslogtreecommitdiffstats
path: root/init-sh/custom.sh
blob: b8b8402dd01e44abace938ed0ce33a8720b5a11a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
#!/bin/bash

#
# Security level implementation...
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#


if [[ -f /usr/share/msec/lib.sh ]]; then
    . /usr/share/msec/lib.sh
else
    echo "Can't find /usr/share/msec/lib.sh, exiting."
    exit 1
fi

clear

###
echo "Do you want all system events to be logged on tty12 ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
    AddRules "*.* /dev/tty12" /etc/syslog.conf
fi

###
echo "Do you want to only allow ctrl-alt-del if root is logged locally ?"
echo "( or if an user present in /etc/shutdown.allow is logged locally )"
WaitAnswer; clear
tmpfile=`mktemp /tmp/secure.XXXXXX`
cp /etc/inittab ${tmpfile}
if [[ ${answer} == yes ]]; then
    cat ${tmpfile} | \
    sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
else
    cat ${tmpfile} | \
    sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
fi
rm -f ${tmpfile}

###
echo "Do you want to deny any machine to connect to yours ?"
WaitAnswer
if [[ ${answer} == yes ]]; then
    echo "Do you want only localhost to be allowed ?"
    WaitAnswer; clear
    if [[ ${answer} == yes ]]; then
	AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny
    else
	AddRules "ALL:ALL:DENY" /etc/hosts.deny
    fi
fi

###
echo "Do you want root console login to be allowed ?" 
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
    AddRules "tty1" /etc/securetty quiet
    AddRules "tty2" /etc/securetty quiet
    AddRules "tty3" /etc/securetty quiet
    AddRules "tty4" /etc/securetty quiet
    AddRules "tty5" /etc/securetty quiet
    AddRules "tty6" /etc/securetty 
fi
###
echo "Do you want your system to daily check important security problem ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
	AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf
        AddRules "0 0-23 * * *    root    nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi

###
echo "Do you want your system to daily check new open port listening ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
	AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf
	AddRules "0 0-23 * * *    root    nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi

###
echo "Do you want your system to check for grave permission problem on sensibles files ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
	AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf
	AddRules "0 0-23 * * *    root    nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi

###
echo "Do you want your system to daily check SUID Root file change ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
    AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf
    AddRules "0 0-23 * * *    root    nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi

###
echo "Do you want your system to daily check suid files md5 checksum changes ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
	AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf
	AddRules "0 0-23 * * *    root    nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi

###
echo "Do you want your system to daily check SUID Group file change ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
    AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf
    AddRules "0 0-23 * * *    root    nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi

###
echo "Do you want your system to daily check Writeable file change ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
    AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf
    AddRules "0 0-23 * * *    root    nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi

###
echo "Do you want your system to daily check Unowned file change ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
    AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf
    AddRules "0 0-23 * * *    root    nice --adjustment=+19 /usr/share/msec/security.sh" /etc/crontab
fi

###
echo "Do you want your system to verify every minutes if a network interface"
echo "is in promiscuous state (which mean someone is probably running a sniffer on your machine ) ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
    AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf
    AddRules "*/1 * * * *    root    nice --adjustment=+19 /usr/share/msec/promisc_check.sh" /etc/crontab
fi
###

echo "Do you want security report to be done directly on the console ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
    AddRules "TTY_WARN=yes" /etc/security/msec/security.conf
else
    AddRules "TTY_WARN=no" /etc/security/msec/security.conf
fi
###

echo "Do you want security report to be done in syslog ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
    AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
else
    AddRules "SYSLOG_WARN=no" /etc/security/msec/security.conf
fi
###

echo "Do you want security report to be done by mail ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
    AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf
else
    AddRules "MAIL_WARN=no" /etc/security/msec/security.conf
fi
###


LiloUpdate;
/sbin/lilo >& /dev/null

###
echo "Do you want to disable your running server ( except important one )"
echo "This is only valuable for server installed with rpm."
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
	echo -n "Disabling all service, except : {"
	chkconfig --list | awk '{print $1}' | while read service; do
   		if grep -qx ${service} /etc/security/msec/server.4; then
       		echo -n " ${service}"
   		fi
	done
	echo " } : "

	chkconfig --list | awk '{print $1}' | while read service; do
    	chkconfig --del "${service}"
    	if ! chkconfig --msec --add "${service}"; then
       	 	echo -e "\t- Services ${service} is now disabled."
    	fi
	done
	echo -e "done.\n";
fi

###
echo "Do you want to disallow rpm to automatically enable a new installed server for run on next reboot ?"
echo "yes = you will need to chkconfig (--add ) servername for the server to run on boot."
echo "no  = rpm will do it for you, but you have less control of what is running on your machine."
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
	export SECURE_LEVEL="4"
	AddRules "SECURE_LEVEL=\"4\"" /etc/profile
else
	AddRules "SECURE_LEVEL=\"3\"" /etc/profile
fi

###
echo "Do you want an easy, normal, restricted, or paranoid umask ?"
echo "easy ( 002 )   = user = rwx, group = rwx, other = rx"
echo "normal ( 022 ) = user = rwx, group = rx, other = rx"
echo "restricted ( for users ) ( 077 ) = user = rwx, group =, other ="
echo "restricted ( for root ) ( 022 ) = user = rwx, = group = rx, other = rx" 
echo "paranoid ( 077 ) = user = rwx, group = , other ="
answer="nothing"
while [[ "${answer}" != "easy" && "${answer}" != "normal" && "${answer}" != "restricted" && "${answer}" != "paranoid"  ]]; do
	echo -n "easy/normal/restricted/paranoid : "
    read answer
done
case "${answer}" in
	"easy")
	AddRules "umask 002" /etc/profile
	;;
	"normal")
	AddRules "umask 022" /etc/profile
	;;
	"restricted")
	AddRules "if [[ \${UID} == 0 ]]; then umask 022; else umask 077; fi" /etc/profile
	;;
	"paranoid")
	AddRules "umask 077" /etc/profile
	;;
esac

###
echo "Do you want a "." in your PATH variable ?"
echo "This permit you to not use ./progname & to just type progname"
echo "However this is a *high* security risk."
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
    AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games:." /etc/profile quiet
else
    AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/profile quiet
fi

AddRules "export PATH SECURE_LEVEL" /etc/profile