msec(0.60.1) msec(0.60.1)
NAME
msec - Mandriva Linux security tools
SYNOPSIS
msec [options]
msecperms [options]
msecgui [options]
DESCRIPTION
msec is responsible for maintaining system security in Mandriva. It
supports different security configurations, which can be organized into
several security levels. Currently, three preconfigured security levels
are provided:
none this level aims to provide the most basic security. It should be
used when you want to manage all aspects of system security on
your own.
default
this is the default security level, which configures a reasonably
safe set of security features. It activates several periodic
system checks, and sends the results of their execution by
email (by default, the local 'root' account is used).
secure this level is configured to provide maximum system security,
even at the cost of limiting the remote access to the system,
and local user permissions. It also runs a wider set of periodic
checks, enforces the local password settings, and periodically
checks if the system security settings, configured by msec, were
modified directly or by some other application.
The security settings are stored in the /etc/security/msec/security.conf
file, and default settings for each predefined level are stored in
/etc/security/msec/level.LEVEL. Permissions for files and directories
that should be enforced or checked for changes are stored in
/etc/security/msec/perms.conf, and default permissions for each predefined
level are stored in /etc/security/msec/perm.LEVEL. Note that user-modified
parameters take precedence over default level settings. For example,
when the default level configuration forbids direct root logins, this
setting can be overridden by the user.
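The precedence rule above (local security.conf overrides level.LEVEL defaults), checked against the accepted values listed under SECURITY OPTIONS, as an added example that is not msec's own code. It assumes a KEY=value file format with '#' comments, and the sample file contents are constructed inline so it runs offline:

```python
# Added example (not msec's own code): a minimal model of how msec resolves a
# setting, with level defaults overridden by local security.conf and the
# result validated against the accepted values listed under SECURITY OPTIONS.
# Assumed file format: KEY=value lines, '#' comments. Samples are constructed.
ACCEPTED = {                      # None means '*' (any value) on the page
    "ALLOW_ROOT_LOGIN": {"yes", "no"},
    "ALLOW_REMOTE_ROOT_LOGIN": {"yes", "no", "without_password"},
    "ALLOW_X_CONNECTIONS": {"yes", "no", "local"},
    "SHELL_TIMEOUT": None,
}

# Constructed stand-in for /etc/security/msec/level.secure
LEVEL_SECURE = """# secure-level defaults (constructed sample)
ALLOW_ROOT_LOGIN=no
ALLOW_REMOTE_ROOT_LOGIN=no
ALLOW_X_CONNECTIONS=local
SHELL_TIMEOUT=600
"""

# Constructed stand-in for /etc/security/msec/security.conf (local overrides)
SECURITY_CONF = """ALLOW_ROOT_LOGIN=yes
SHELL_TIMEOUT=0
ALLOW_X_CONNECTIONS=everyone
"""

def parse_conf(text):
    """Parse KEY=value lines; blank lines and '#' comments are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def effective_settings(level_text, local_text):
    """Local overrides win over level defaults; an override whose value is
    not accepted for that parameter is reported and dropped."""
    merged, rejected = parse_conf(level_text), {}
    for key, value in parse_conf(local_text).items():
        allowed = ACCEPTED.get(key)
        if allowed is not None and value not in allowed:
            rejected[key] = value
        else:
            merged[key] = value
    return merged, rejected

if __name__ == "__main__":      # dry run in the spirit of 'msec --pretend'
    merged, rejected = effective_settings(LEVEL_SECURE, SECURITY_CONF)
    print("effective:", merged)
    print("rejected overrides:", rejected)
```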
The following options are supported by msec applications:
msec:
This is the console version of msec. It is responsible for system
security configuration and checking, and for transitions between
security levels.
When executed without parameters, msec will read the system
configuration file (/etc/security/msec/security.conf), and enforce the
specified security settings. The operations are logged to the
/var/log/msec.log file, and also to syslog, using the LOG_AUTHPRIV
facility. Please note that msec should be run as root.
-h, --help
This option will display the list of supported command line
options.
-l, --level <level>
List the default configuration for given security level.
-f, --force <level>
Apply the specified security level to the system, overwriting all
local changes. This is necessary to initialize a security level, either
on first install, or when a change to a different level is required.
-d
Enable debugging messages.
-p, --pretend
Verify the actions that will be performed by msec, without actually
doing anything to the system. In this mode of operation, msec performs
all the required tasks, except actually writing data back to disk.
msecperms:
This application is responsible for system permission checking and
enforcement.
When executed without parameters, msecperms will read the permissions
configuration file (/etc/security/msec/perms.conf), and enforce the
specified security settings. The operations are logged to the
/var/log/msec.log file, and also to syslog, using the LOG_AUTHPRIV
facility. Please note that msecperms should be run as root.
-h, --help
This option will display the list of supported command line
options.
-l, --level <level>
List the default configuration for given security level.
-f, --force <level>
Apply the specified security level to the system, overwriting all
local changes. This is necessary to initialize a security level, either
on first install, or when a change to a different level is required.
-e, --enforce
Enforce the default permissions on all files.
-d
Enable debugging messages.
-p, --pretend
Verify the actions that will be performed by msecperms, without actually
doing anything to the system. In this mode of operation, msecperms performs
all the required tasks, except actually writing data back to disk.
msecgui:
This is the GTK version of msec. It acts as a frontend to all msec
functionalities.
-h, --help
This option will display the list of supported command line
options.
-d
Enable debugging messages.
SECURITY OPTIONS
The following security options are supported by msec:
mail_empty_content
Enables sending of empty mail reports.
MSEC parameter: MAIL_EMPTY_CONTENT
Accepted values: yes, no
accept_broadcasted_icmp_echo
Accept/Refuse broadcasted icmp echo.
MSEC parameter: ACCEPT_BROADCASTED_ICMP_ECHO
Accepted values: yes, no
allow_xserver_to_listen
The argument specifies if clients are authorized to connect to the
X server on the tcp port 6000 or not.
MSEC parameter: ALLOW_XSERVER_TO_LISTEN
Accepted values: yes, no
check_chkrootkit
Enables checking for known rootkits using chkrootkit.
MSEC parameter: CHECK_CHKROOTKIT
Accepted values: yes, no
check_suid_root
Enables checking for additions/removals of suid root files.
MSEC parameter: CHECK_SUID_ROOT
Accepted values: yes, no
enable_at_crontab
Enable/Disable crontab and at for users. Put allowed users in
/etc/cron.allow and /etc/at.allow (see man at(1) and crontab(1)).
MSEC parameter: ENABLE_AT_CRONTAB
Accepted values: yes, no
accept_bogus_error_responses
Accept/Refuse bogus IPv4 error messages.
MSEC parameter: ACCEPT_BOGUS_ERROR_RESPONSES
Accepted values: yes, no
check_suid_md5
Enables checksum verification for suid files.
MSEC parameter: CHECK_SUID_MD5
Accepted values: yes, no
mail_user
Defines email to receive security notifications.
MSEC parameter: MAIL_USER
Accepted values: *
allow_autologin
Allow/Forbid autologin.
MSEC parameter: ALLOW_AUTOLOGIN
Accepted values: yes, no
enable_pam_wheel_for_su
Allow su only for members of the wheel group, or allow su from any
user.
MSEC parameter: ENABLE_PAM_WHEEL_FOR_SU
Accepted values: yes, no
create_server_link
Creates the symlink /etc/security/msec/server to point to
/etc/security/msec/server.<SERVER_LEVEL>. The
/etc/security/msec/server file is used by chkconfig --add to decide
whether to add a service if it is present in the file during the
installation of packages.
MSEC parameter: CREATE_SERVER_LINK
Accepted values: no, default, secure
set_shell_timeout
Set the shell timeout. A value of zero means no timeout.
MSEC parameter: SHELL_TIMEOUT
Accepted values: *
check_shadow
Enables checking for empty passwords.
MSEC parameter: CHECK_SHADOW
Accepted values: yes, no
enable_password
Use password to authenticate users. Take extreme care when
disabling passwords, as it will leave the machine COMPLETELY
vulnerable.
MSEC parameter: ENABLE_PASSWORD
Accepted values: yes, no
set_win_parts_umask
Set umask option for mounting vfat and ntfs partitions. A value of
None means default umask.
MSEC parameter: WIN_PARTS_UMASK
Accepted values: no, *
check_open_port
Enables checking for open network ports.
MSEC parameter: CHECK_OPEN_PORT
Accepted values: yes, no
enable_log_strange_packets
Enable/Disable the logging of IPv4 strange packets.
MSEC parameter: ENABLE_LOG_STRANGE_PACKETS
Accepted values: yes, no
check_rpm
Enables verification of installed packages.
MSEC parameter: CHECK_RPM
Accepted values: yes, no
enable_pam_root_from_wheel
Allow root access without password for the members of the wheel
group.
MSEC parameter: ENABLE_PAM_ROOT_FROM_WHEEL
Accepted values: yes, no
mail_warn
Enables security results submission by email.
MSEC parameter: MAIL_WARN
Accepted values: yes, no
password_length
Set the password minimum length, minimum number of digits and
minimum number of capitalized letters.
MSEC parameter: PASSWORD_LENGTH
Accepted values: *
set_root_umask
Set the root umask.
MSEC parameter: ROOT_UMASK
Accepted values: *
check_sgid
Enables checking for additions/removals of sgid files.
MSEC parameter: CHECK_SGID
Accepted values: yes, no
check_promisc
Activate/Disable ethernet cards promiscuity check.
MSEC parameter: CHECK_PROMISC
Accepted values: yes, no
allow_x_connections
Allow/Forbid X connections. Accepted arguments: yes (all
connections are allowed), local (only local connections), no (no
connections).
MSEC parameter: ALLOW_X_CONNECTIONS
Accepted values: yes, no, local
check_writable
Enables checking for files/directories writable by everybody.
MSEC parameter: CHECK_WRITABLE
Accepted values: yes, no
enable_console_log
Enable/Disable syslog reports to console 12. expr is the expression
describing what to log (see syslog.conf(5) for more details) and
dev is the device to which the log is reported.
MSEC parameter: ENABLE_CONSOLE_LOG
Accepted values: yes, no
enable_ip_spoofing_protection
Enable/Disable IP spoofing protection.
MSEC parameter: ENABLE_IP_SPOOFING_PROTECTION
Accepted values: yes, no
check_perms
Enables permission checking in users' home.
MSEC parameter: CHECK_PERMS
Accepted values: yes, no
set_shell_history_size
Set shell commands history size. A value of -1 means unlimited.
MSEC parameter: SHELL_HISTORY_SIZE
Accepted values: *
allow_reboot
Allow/Forbid system reboot and shutdown to local users.
MSEC parameter: ALLOW_REBOOT
Accepted values: yes, no
syslog_warn
Enables logging to system log.
MSEC parameter: SYSLOG_WARN
Accepted values: yes, no
check_shosts
Enables checking for dangerous options in users' .rhosts/.shosts
files.
MSEC parameter: CHECK_SHOSTS
Accepted values: yes, no
check_passwd
Enables password-related checks, such as empty passwords and
strange super-user accounts.
MSEC parameter: CHECK_PASSWD
Accepted values: yes, no
password_history
Set the password history length to prevent password reuse. This is
not supported by pam_tcb.
MSEC parameter: PASSWORD_HISTORY
Accepted values: *
check_security
Enables daily security checks.
MSEC parameter: CHECK_SECURITY
Accepted values: yes, no
allow_root_login
Allow/Forbid direct root login.
MSEC parameter: ALLOW_ROOT_LOGIN
Accepted values: yes, no
check_unowned
Enables checking for unowned files.
MSEC parameter: CHECK_UNOWNED
Accepted values: yes, no
allow_user_list
Allow/Forbid the list of users on the system on display managers
(sddm and gdm).
MSEC parameter: ALLOW_USER_LIST
Accepted values: yes, no
allow_remote_root_login
Allow/Forbid remote root login via sshd. You can specify yes, no
and without-password. See the sshd_config(5) man page for more
information.
MSEC parameter: ALLOW_REMOTE_ROOT_LOGIN
Accepted values: yes, no, without_password
enable_msec_cron
Enable/Disable msec hourly security check.
MSEC parameter: ENABLE_MSEC_CRON
Accepted values: yes, no
enable_sulogin
Enable/Disable sulogin(8) in single user level.
MSEC parameter: ENABLE_SULOGIN
Accepted values: yes, no
allow_xauth_from_root
Allow/forbid to export display when passing from the root account
to the other users. See pam_xauth(8) for more details.
MSEC parameter: ALLOW_XAUTH_FROM_ROOT
Accepted values: yes, no
set_user_umask
Set the user umask.
MSEC parameter: USER_UMASK
Accepted values: *
accept_icmp_echo
Accept/Refuse icmp echo.
MSEC parameter: ACCEPT_ICMP_ECHO
Accepted values: yes, no
authorize_services
Configure access to tcp_wrappers services (see hosts.deny(5)). If
arg = yes, all services are authorized. If arg = local, only local
ones are, and if arg = no, no services are authorized. In this
case, to authorize the services you need, use /etc/hosts.allow (see
hosts.allow(5)).
MSEC parameter: AUTHORIZE_SERVICES
Accepted values: yes, no, local
tty_warn
Enables periodic security check results to terminal.
MSEC parameter: TTY_WARN
Accepted values: yes, no
NOTES
Msec applications must be run by root.
AUTHORS
Frederic Lepied
Eugeni Dodonov <eugeni@mandriva.com>
Mandriva Linux msec msec(0.60.1)