path: root/share/README
blob: 02ee0362cb7237fdb9cfb2901c1dc65816401ace (plain)
******************
Configuration files in /etc/security/msec/
Shell scripts in /usr/share/msec.
******************

Suggestions & comments:
flepied@mandrakesoft.com

******************
Doc of the rewriting in python:

                        	0	1	2	3	4	5
root umask			022	022	022	022	022	077
shell timeout			0	0	0	0	3600	900
deny services			none	none	none	none	local	all
su only for wheel grp		no	no	no	no	no	yes
user umask			022	022	022	022	077	077
shell history size		default	default	default	default	10	10
direct root login		yes	yes	yes	yes	no	no
remote root login		yes	yes	yes	yes	no	no
sulogin for single user		no	no	no	no	yes	yes
user list in [kg]dm		yes	yes	yes	yes	no	no
promisc check			no	no	no	no	yes	yes
ignore icmp echo		no	no	no	no	yes	yes
ignore broadcasted icmp echo	no	no	no	no	yes	yes
ignore bogus error responses	no	no	no	no	yes	yes
enable libsafe			no	no	no	no	yes	yes
allow reboot by user		yes	yes	yes	yes	no	no
allow crontab/at		yes	yes	yes	yes	no	no
password aging			no	no	no	no	60	30
allow autologin			yes	yes	yes	no	no	no
console log			no	no	no	yes	yes	yes
issues				yes	yes	yes	local	local	no
ip spoofing protection		no	no	no	yes	yes	yes
dns spoofing protection		no	no	no	yes	yes	yes
log strange ip packets		no	no	no	yes	yes	yes
periodic security check		no	yes	yes	yes	yes	yes
allow X connections		yes	local	local	no	no	no
allow xauth from root		yes	yes	yes	yes	no	no
X server listen to		tcp	tcp	tcp	tcp	local	local
run msec by cron		yes	yes	yes	yes	yes	yes

Periodic security checks by level:

                  0   1   2   3    4    5
CHECK_SECURITY    no  yes yes yes  yes  yes  
CHECK_PERMS       no  no  no  yes  yes  yes  
CHECK_SUID_ROOT   no  no  yes yes  yes  yes  
CHECK_SUID_MD5    no  no  yes yes  yes  yes  
CHECK_SGID        no  no  yes yes  yes  yes  
CHECK_WRITABLE    no  no  yes yes  yes  yes  
CHECK_UNOWNED     no  no  no  no   yes  yes  
CHECK_PROMISC     no  no  no  no   yes  yes  
CHECK_OPEN_PORT   no  no  no  yes  yes  yes  
CHECK_PASSWD      no  no  no  yes  yes  yes  
CHECK_SHADOW      no  no  no  yes  yes  yes  
TTY_WARN          no  no  no  no   yes  yes  
MAIL_WARN         no  no  no  yes  yes  yes  
SYSLOG_WARN       no  no  yes yes  yes  yes  
RPM_CHECK         no  no  no  yes  yes  yes
CHKROOTKIT_CHECK  no  no  no  yes  yes  yes

These variables are configured by the user:

MAIL_USER is the user to whom the daily reports are sent. If not set,
the email is sent to root.

PERM_LEVEL is used to determine which file to use to fix
permissions/owners/groups (from /usr/share/msec/perm.$PERM_LEVEL). If
not set, the SECURE_LEVEL is used instead. If the file
/etc/security/msec/perm.local exists, it's used too. The syntax for
each line is the following:

<file specification>	<owner>	<permission>	[force]

<file specification> can be any glob to specify one or multiple
files/directories.

<owner> must be in the form <user>.<group> or <user>. (force only
user) or .<group> (force only group) or current (keep current user and
group).

<permission> is an octal number representing the access rights or
current to keep the current permissions.

If force is present as a 4th argument, it means that msec will enforce
the permission even if the previous permission was lower.
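
A parser for the perm file line syntax described above, as an added
example (not msec's own code). It assumes '#' starts a comment line and
reads "lower" as "grants no bit outside the requested mode"; PermRule,
parse_perm_line and mode_to_apply are hypothetical names.

```python
import re
from typing import NamedTuple, Optional

class PermRule(NamedTuple):
    glob: str
    user: Optional[str]   # None: keep current user
    group: Optional[str]  # None: keep current group
    mode: Optional[int]   # None: keep current permissions
    force: bool

def parse_perm_line(line: str) -> Optional[PermRule]:
    """Parse '<file specification> <owner> <permission> [force]'."""
    line = line.strip()
    if not line or line.startswith("#"):  # assumption: '#' marks a comment line
        return None
    fields = line.split()
    if len(fields) not in (3, 4) or fields[3:] not in ([], ["force"]):
        raise ValueError(f"expected 3 fields plus optional 'force': {line!r}")
    glob, owner, perm = fields[:3]
    if owner == "current":
        user = group = None
    else:
        user, dot, group = owner.partition(".")
        if not dot or not (user or group):
            raise ValueError(f"bad owner field: {owner!r}")
        user, group = user or None, group or None
    if perm == "current":
        mode = None
    elif re.fullmatch(r"[0-7]{1,4}", perm):
        mode = int(perm, 8)
    else:
        raise ValueError(f"permission must be octal or 'current': {perm!r}")
    return PermRule(glob, user, group, mode, len(fields) == 4)

def mode_to_apply(rule: PermRule, current_mode: int) -> Optional[int]:
    """Return the mode to set, or None to leave the file alone.
    current_mode is the permission bits only (stat.S_IMODE of st_mode).
    Assumption: 'lower' means current_mode has no bit outside rule.mode."""
    if rule.mode is None or rule.mode == current_mode:
        return None
    stricter = (current_mode & ~rule.mode) == 0
    if stricter and not rule.force:
        return None  # already tighter than requested and not forced
    return rule.mode

# Constructed sample lines, not taken from a real perm.$PERM_LEVEL file.
SAMPLE = "# sample\n/etc/shadow\troot.shadow\t440\tforce\n/var/log/*\t.adm\tcurrent\n/home/*\tcurrent\t755\n"
RULES = [r for r in map(parse_perm_line, SAMPLE.splitlines()) if r]
```
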