blob: 22e546aa136fd75a3bccda1a9e767a45061e4f41 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
|
changes in version 0.30
=======================
* don't lower security if the admin has already augmented it (when called without argument).
* splitted functions that worked on multiple levels.
changes between version 0.18 and 0.19
=====================================
msec utility changes:
* no password in level 0
Periodic security checks changes:
* config file is now in /var/lib/msec/security.conf and can
be overriden by /etc/security/msec/security.conf.
changes between version 0.17 and 0.18
=====================================
msec utility changes:
* allow /etc/security/msec/level.local to override the default
setting of the level.
* promisc_check.sh works now.
* added mseclib man page.
changes between version 0.16 and 0.17
=====================================
msec utility changes:
* handle shell timeout (level 4 and 5)
* limit shell history (level 4 and 5)
* su only for wheel group (level 5)
* sulogin for single user mode (level 4 and 5)
* various sysctl.conf settings for icmp and network parameters
* password aging (level 4 and 5)
* suppress /etc/issue.net (level 4 and 5) and /etc/issue (level 5)
* removed manipulation of the groups of users
* removed removal of services
* logging in syslog according to the guideline for explanations in tools
* more correct prevention of direct root logins
* rewritten in python
msec can be used to change level and it's also run hourly by cron to
maintain the security level on the system. Only the minimum of changes
on the filesystem are applied and the minimum of programs started.
Periodic security checks changes:
* added rpm database checks (rpm -va and rpm -qa)
* report when a user other than root is at uid 0
* diff_check reports even when the log is empty
* use chkrootkit if present.
Permissions settings changes:
* /
* removed audio group handling because it has always conflicted with pam_console
* handle /var/log sub-directories in a generic manner
* /etc/rc.d/init.d/*
* corrected ssh and ping related paths
* /etc/sysconfig
* /proc
* corrected gcc files
* rpm related files to avoid exposing what is installed
* /var/lock/subsys
* added a local.perm to allow modifications without modifying level perms
* corrected all the inconsistencies between levels to be able to change and come back
without problem
* rewritten in python
|
