******************
Configuration files in /etc/security/msec/
Shell scripts in /usr/share/msec.
******************
Suggestions & comments:
flepied@mandrakesoft.com
******************
Doc of the rewriting in Python:

                                0        1        2        3        4        5
root umask                      022      022      022      022      022      077
shell timeout                   0        0        0        0        3600     900
deny services                   none     none     none     none     local    all
su only for wheel grp           no       no       no       no       no       yes
user umask                      022      022      022      022      077      077
shell history size              default  default  default  default  10       10
direct root login               yes      yes      yes      yes      no       no
remote root login               yes      yes      yes      yes      no       no
sulogin for single user         no       no       no       no       yes      yes
user list in [kg]dm             yes      yes      yes      yes      no       no
promisc check                   no       no       no       no       yes      yes
ignore icmp echo                no       no       no       no       yes      yes
ignore broadcasted icmp echo    no       no       no       no       yes      yes
ignore bogus error responses    no       no       no       no       yes      yes
enable libsafe                  no       no       no       no       yes      yes
allow reboot by user            yes      yes      yes      yes      no       no
allow crontab/at                yes      yes      yes      yes      no       no
password aging                  no       no       no       no       60       30
allow autologin                 yes      yes      yes      no       no       no
console log                     no       no       no       yes      yes      yes
issues                          yes      yes      yes      local    local    no
ip spoofing protection          no       no       no       yes      yes      yes
dns spoofing protection         no       no       no       yes      yes      yes
log strange ip packets          no       no       no       yes      yes      yes
periodic security check         no       yes      yes      yes      yes      yes
allow X connections             yes      local    local    no       no       no
allow xauth from root           yes      yes      yes      yes      no       no
X server listen to              tcp      tcp      tcp      tcp      local    local
run msec by cron                yes      yes      yes      yes      yes      yes

Periodic security checks by level:

                    0     1     2     3     4     5
CHECK_SECURITY      no    yes   yes   yes   yes   yes
CHECK_PERMS         no    no    no    yes   yes   yes
CHECK_SUID_ROOT     no    no    yes   yes   yes   yes
CHECK_SUID_MD5      no    no    yes   yes   yes   yes
CHECK_SGID          no    no    yes   yes   yes   yes
CHECK_WRITABLE      no    no    yes   yes   yes   yes
CHECK_UNOWNED       no    no    no    no    yes   yes
CHECK_PROMISC       no    no    no    no    yes   yes
CHECK_OPEN_PORT     no    no    no    yes   yes   yes
CHECK_PASSWD        no    no    no    yes   yes   yes
CHECK_SHADOW        no    no    no    yes   yes   yes
TTY_WARN            no    no    no    no    yes   yes
MAIL_WARN           no    no    no    yes   yes   yes
SYSLOG_WARN         no    no    yes   yes   yes   yes
RPM_CHECK           no    no    no    yes   yes   yes
CHKROOTKIT_CHECK    no    no    no    yes   yes   yes

These variables are configured by the user:

MAIL_USER is the user to send the daily reports to. If not set, the email is
sent to root.

PERM_LEVEL is used to determine which file to use to fix
permissions/owners/groups (from /usr/share/msec/perm.$PERM_LEVEL). If
not set, the SECURE_LEVEL is used instead. If the file
/etc/security/msec/perm.local exists, it's used too. The syntax for
each line is the following:

<file specification> <owner> <permission> [force]

<file specification> can be any glob to specify one or multiple
files/directories.

<owner> must be in the form <user>.<group> or <user>. (force only
user) or .<group> (force only group) or current (keep current user and
group).

<permission> is an octal number representing the access rights or
current to keep the current permissions.

If force is present as a 4th argument, it means that msec will enforce
the permission even if the previous permission was lower.
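
A validator for the perm line syntax described above, as an added example (not msec's own code). Assumptions: lines starting with '#' are comments, an owner field contains exactly one dot, and "lower" means the current mode grants no bit beyond the rule's mode; the sample rules are constructed.

```python
import re
from typing import NamedTuple, Optional

class PermRule(NamedTuple):
    spec: str             # glob for files/directories
    user: Optional[str]   # None = keep current user
    group: Optional[str]  # None = keep current group
    mode: Optional[int]   # None = keep current permissions
    force: bool

def parse_owner(field):
    """Accept <user>.<group>, <user>., .<group> or current."""
    if field == "current":
        return None, None
    user, dot, group = field.partition(".")
    if not dot or "." in group or not (user or group):
        raise ValueError(f"bad owner field: {field!r}")
    return user or None, group or None

def parse_mode(field):
    """Accept an octal number or current."""
    if field == "current":
        return None
    if not re.fullmatch(r"[0-7]{1,4}", field):
        raise ValueError(f"bad permission field: {field!r}")
    return int(field, 8)

def parse_perm_line(line):
    """Return a PermRule, or None for a blank or '#' line (assumed comment syntax)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    f = line.split()
    if len(f) not in (3, 4) or (len(f) == 4 and f[3] != "force"):
        raise ValueError(f"expected <spec> <owner> <permission> [force]: {line!r}")
    user, group = parse_owner(f[1])
    return PermRule(f[0], user, group, parse_mode(f[2]), len(f) == 4)

def mode_to_apply(rule, current):
    """Mode to set, or None to leave the file alone (assumed reading of 'lower')."""
    if rule.mode is None or rule.mode == current:
        return None
    if not rule.force and current & ~rule.mode == 0:
        return None  # already stricter than the rule and not forced
    return rule.mode

# Constructed sample rules, not taken from a shipped perm.* file.
SAMPLE = ("# constructed example rules\n/etc/shadow root.shadow 440\n"
          "/var/log/* root. current\n/tmp/ .root 1777 force\n/home/* current 755\n")
RULES = [r for r in map(parse_perm_line, SAMPLE.splitlines()) if r]
```

Running it over a perm.local before msec applies the file surfaces malformed owner or permission fields and shows which non-forced rules would leave an already stricter file untouched.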