aboutsummaryrefslogtreecommitdiffstats
path: root/init-sh/level4.sh
blob: 0ae716b17ca57315f43075bff1ac3c86f7170476 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
#!/bin/bash 


#
# Security level implementation...
# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
#

if [[ -f /usr/share/msec/lib.sh ]]; then
    . /usr/share/msec/lib.sh
else
    echo "Can't find /usr/share/msec/lib.sh, exiting."
    exit 1
fi

# Log in append only mode
echo -e "Changing attribute of /var/log/* to append only...\n"

# All events logged on tty12
echo "Loging all messages on tty12 : "
AddRules "*.* /dev/tty12" /etc/syslog.conf

# Prevent all kind of connection except from localhost
echo "Denying all kind of connection except localhost : "
AddRules "ALL:ALL EXCEPT localhost:DENY" /etc/hosts.deny

# Login as root on the console allowed :
echo "Denying login as root (except on the console) :"
AddRules "tty1" /etc/securetty quiet
AddRules "tty2" /etc/securetty quiet
AddRules "tty3" /etc/securetty quiet
AddRules "tty4" /etc/securetty quiet
AddRules "tty5" /etc/securetty quiet
AddRules "tty6" /etc/securetty 
AddRules "vc/1" /etc/securetty quiet
AddRules "vc/2" /etc/securetty quiet
AddRules "vc/3" /etc/securetty quiet
AddRules "vc/4" /etc/securetty quiet
AddRules "vc/5" /etc/securetty quiet
AddRules "vc/6" /etc/securetty 

# Security check
echo "Updating file check variable : "
echo -e "\t- Check security : yes."
    AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf      quiet
echo -e "\t- Check important permissions : yes."
    AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf         quiet    
echo -e "\t- Check suid root file : yes."
    AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf 	quiet
echo -e "\t- Check suid root file integrity (backdoor check) : yes."
    AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf 	quiet
echo -e "\t- Check suid group file : yes."
    AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf	quiet
echo -e "\t- Check world writable file : yes."
    AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf	quiet
echo -e "\t- Check unowned file : yes."
    AddRules "CHECK_UNOWNED=yes" /etc/security/msec/security.conf	quiet
echo -e "\t- Check promiscuous mode : yes."
    AddRules "CHECK_PROMISC=yes" /etc/security/msec/security.conf       quiet
echo -e "\t- Check listening port : yes."                               
    AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf	quiet
echo -e "\t- Check passwd file integrity : yes."
    AddRules "CHECK_PASSWD=yes" /etc/security/msec/security.conf	quiet
echo -e "\t- Check shadow file integrity : yes."
    AddRules "CHECK_SHADOW=yes" /etc/security/msec/security.conf	quiet
echo -e "\t- Security warning on tty : yes."
    AddRules "TTY_WARN=yes" /etc/security/msec/security.conf	        quiet
echo -e "\t- Security warning by mail : yes."
    AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf       quiet
    AddRules "MAIL_USER=root" /etc/security/msec/security.conf      quiet
echo -e "\t- Security warning in syslog : yes."			
    AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf		
# end security check

# Check every 1 minutes for promisc problem
echo "Adding promisc check in crontab (scheduled every minutes) :"
AddRules "*/1 * * * *    root    /usr/share/msec/promisc_check.sh" /etc/crontab

echo "Adding \"diff\" & \"global\" security check in crontab (scheduled every midnight) :"
AddRules "0 4 * * *    root    /usr/share/msec/security.sh" /etc/crontab

# Server update
echo "Setting secure level variable to 4 :"
AddRules "export SECURE_LEVEL=4" /etc/profile.d/msec.sh
AddRules "setenv SECURE_LEVEL 4" /etc/profile.d/msec.csh


export SECURE_LEVEL=4

IFS="
"
echo -n "Disabling all service, except : {"
for service in `chkconfig --list | awk '{print $1}'`; do
    if grep -qx ${service} /etc/security/msec/server.4; then
        echo -n " ${service}"
    fi
done
echo " } : "

for service in `chkconfig --list | awk '{print $1}'`; do
    chkconfig --del "${service}"
    if ! chkconfig --msec --add "${service}"; then
        echo -e "\t- Services ${service} scheduled to be disabled at next boot."
    fi
done
echo -e "done.\n";

# /etc/profile
echo "Setting umask to 022 (u=rw,g=rx) for root, 077 (u=rw) for user :"
AddRules "if [[ \${UID} == 0 ]]; then umask 022; else umask 077; fi" /etc/profile.d/msec.sh
AddRules "if [[ \${UID} == 0 ]]; then umask 022; else umask 077; fi" /etc/profile.d/msec.csh

echo "Adding \"non secure\" PATH variable :"
if ! echo ${PATH} |grep -q /usr/X11R6/bin ; then
	AddRules "export SECURE_LEVEL=4" /etc/profile.d/msec.sh quiet
	AddRules "export PATH=\$PATH:/usr/X11R6/bin" /etc/profile.d/msec.sh quiet
	AddRules "setenv SECURE_LEVEL 4" /etc/profile.d/msec.csh quiet
	AddRules "setenv PATH \"\${PATH}:/usr/X11R6/bin\"" /etc/profile.d/msec.csh quiet
fi      
if ! echo ${PATH} |grep -q /usr/games ; then
	AddRules "export PATH=\$PATH:/usr/X11R6/bin:/usr/games:." /etc/profile.d/msec.sh quiet
	AddRules "setenv PATH \"\${PATH}:/usr/games\"" /etc/profile.d/msec.csh quiet
fi      

AddRules "export PATH=\$PATH:." /etc/profile.d/msec.sh quiet
AddRules "setenv PATH \"\${PATH}:.\"" /etc/profile.d/msec.csh quiet

if [[ -f /lib/libsafe.so.1.3 ]]; then
    echo "Enabling stack overflow protection :"
    AddRules "/lib/libsafe.so.1.3" /etc/ld.so.preload
fi

# Do not boot on a shell
ForbidReboot

ForbidAutologin

# Group were modified in lib.sh...
grpconv

ForbidUserList
RootSshLogin 4