aboutsummaryrefslogtreecommitdiffstats
path: root/src/msec/man.py
blob: d00838af6f3d04c4c249329fd1c2bc65a930f98d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
#!/usr/bin/python
#---------------------------------------------------------------
# Project         : Mandriva Linux
# Module          : share
# File            : man.py
# Version         : $Id$
# Author          : Frederic Lepied
# Created On      : Sat Jan 26 17:38:39 2002
# Purpose         : loads a python module and creates a man page from
# the doc strings of the functions.
#---------------------------------------------------------------

import sys
import imp
import inspect

import config
from libmsec import MSEC, Log
try:
    from version import version
except:
    version = "(development version)"

header = '''.ds q \N'34'
.TH msec 8 msec "Mandriva Linux"
.SH NAME
msec \- Mandriva Linux security tools
.SH SYNOPSIS
.nf
.B msec [options]
.B msecperms [options]
.B msecgui [options]
.fi
.SH DESCRIPTION
.B msec
is responsible to maintain system security in Mandriva. It supports different security
configurations, which can be organized into several security levels, stored in
/etc/security/msec/level.LEVELNAME. Currently, three preconfigured security levels are
provided with Mandriva Linux:

.TP
\\fBnone\\fR
this level disables all msec options. It should be used when you want to manage
all aspects of system security on your own.

.TP
\\fBstandard\\fR
this is the default security level, which configures a reasonably safe set of security
features. It activates several periodic system checks, and sends the results of their
execution by email (by default, the local 'root' account is used).

.TP
\\fBsecure\\fR
this level is configured to provide maximum system security, even at the cost of limiting
the remote access to the system, and local user permissions. It also runs a wider set of
periodic checks, enforces the local password settings, and periodically checks if the
system security settings, configured by msec, were modified directly or by some other
application.

.TP
Note that besides those levels you may create as many levels as necessary.

.PP

The security settings are stored in \\fB/etc/security/msec/security.conf\\fR
file, and default settings for each predefined level are stored in
\\fB/etc/security/msec/level.LEVEL\\fR.  Permissions for files and directories
that should be enforced or checked for changes are stored in
\\fB/etc/security/msec/perms.conf\\fR, and default permissions for each
predefined level are stored in \\fB/etc/security/msec/perm.LEVEL\\fR.  Note
that user-modified parameters take precedence over default level settings. For
example, when default level configuration forbids direct root logins, this
setting can be overridden by the user.

.PP

The following options are supported by msec applications:

.TP
\\fBmsec\\fR:
.PP

This is the console version of msec. It is responsible for system security configuration
and checking and transitions between security levels.

When executed without parameters, msec will read the system configuration file
(/etc/security/msec/security.conf), and enforce the specified security
settings. The operations are logged to \\fB/var/log/msec.log\\fP file, and also
to syslog, using \\fBLOG_AUTHPRIV\\fR facility.  Please note that msec should
by run as root.

\\fB\-h, --help\\fR
    This option will display the list of supported command line options.

\\fB\-l, --level <level>\\fR
    List the default configuration for given security level.

\\fB\-f, --force <level>\\fR

    Apply the specified security level to the system, overwritting all local
changes in /etc/security/msec/security.conf. This usually should be performed
either on first install, on when a transition to a different level is required.

\\fB\-d\\fR
    Enable debugging messages.

\\fB\-p, --pretend\\fR
    Verify the actions that will be performed by msec, without actually
doing anything to the system. In this mode of operation, msec performs all the
required tasks, except effectively writting data back to disk.

.TP
\\fBmsecperms\\fR:
.PP

This application is responsible for system permission checking and enforcements.

When executed without parameters, msecperms will read the permissions
configuration file (/etc/security/msec/perms.conf), and enforce the specified
security settings. The operations are logged to \\fB/var/log/msec.log\\fP file,
and also to syslog, using \\fBLOG_AUTHPRIV\\fR facility.  Please note that msecperms
should by run as root.

\\fB\-h, --help\\fR
    This option will display the list of supported command line options.

\\fB\-l, --level <level>\\fR
    List the default configuration for given security level.

\\fB\-f, --force <level>\\fR
    Apply the specified security level to the system, overwritting all local
changes in /etc/security/msec/perms.conf. This usually should be performed
either on first install, on when a transition to a different level is required.

\\fB\-e, --enforce\\fR
    Enforce the default permissions on all files.

\\fB\-d\\fR
    Enable debugging messages.

\\fB\-p, --pretend\\fR
    Verify the actions that will be performed by msec, without actually
doing anything to the system. In this mode of operation, msec performs all the
required tasks, except effectively writting data back to disk.

.TP
\\fBmsecgui\\fR:
.PP

This is the GTK version of msec. It acts as frontend to all msec functionalities.

\\fB\-h, --help\\fR
    This option will display the list of supported command line options.

\\fB\-d\\fR
    Enable debugging messages.

.SH EXAMPLES

\\fBEnforce system configuration according to /etc/security/msec/security.conf file:\\fP
    msec

\\fBDisplay system configuration changes without enforcing anything:\\fP
    msec -p

\\fBInstall predefined security level 'standard':\\fP
    msec -f standard

\\fBPreview changes inflicted by change to 'standard' level:\\fP
    msec -p -f standard

\\fBCreate a custom security level based on 'standard':\\fP
    cp /etc/security/msec/level.standard /etc/security/msec/level.my
    edit /etc/security/msec/level.my
    msec -f my

\\fBEnforce system permissions according to /etc/security/msec/perms.conf file:\\fP
    msecperms

\\fBDisplay permissions changes without enforcing anything:\\fP
    msecperms -p

\\fBInstall predefined permissions for level 'standard':\\fP
    msecperms -f standard

\\fBPreview changes inflicted by change to 'standard' level:\\fP
    msecperms -p -f standard

\\fBCreate a custom permissions level based on 'secure':\\fP
    cp /etc/security/msec/perm.secure /etc/security/msec/perm.my
    edit /etc/security/msec/level.my
    msecperms -f my

.SH "DEFINING EXCEPTIONS FOR PERIODIC CHECKS"
.B msec
is capable of excluding certain patterns from periodic check reports. For
this, it is possible to define the exceptions in
\\fB/etc/security/msec/exceptions\\fP file, for each supported check.

.PP
For example, to exclude all items that match \\fB/mnt\\fP, Mandriva-based
chrooted installations in \\fB/chroot\\fP and all backup files from the
results of of check for unowned files on the system, it is sufficient to
define the following entry in the exceptions file:

.TP
    CHECK_UNOWNED /mnt
.TP
    CHECK_UNOWNED /chroot/mdv_.*/
.TP
    CHECK_UNOWNED .*~

.PP
In a similar way, it is possible to exclude the results for the
\\fBdeluge\\fP application from the list of open ports as follows:

.TP
    CHECK_OPEN_PORT /deluge

.PP
Each exception entry is a regular exception, and you might define as many
exceptions as necessary.

.PP
In order to exclude a path from all msec checks, you may use * for the check
name. For example, the following would exclude /media/ from all msec checks:

.TP
    * /media/

.PP
See below for all msec options that support this feature.


.SH "SECURITY OPTIONS"

The following security options are supported by msec:

'''

footer = '''.RE
.SH NOTES
Msec applications must be run by root.
.SH AUTHORS
Frederic Lepied

Eugeni Dodonov <eugeni@mandriva.com>
'''

### strings used in the rewritting
function_str = '''
.TP 4
.B \\fI%s\\fP
%s

MSEC parameter: \\fI%s\\fP

Accepted values: \\fI%s\\fP
'''

### code

# process all configuration parameters
log = Log(log_syslog=False, log_file=False)
msec = MSEC(log)

#print >>sys.stderr, dir(msec.create_server_link)

print header

for variable in config.SETTINGS:
    callback, params = config.SETTINGS[variable]
    func = msec.get_action(callback)
    if func:
        print function_str % (callback, func.__doc__.strip(), variable, ", ".join(params))
    if variable in config.CHECKS_WITH_EXCEPTIONS:
        # this check supports exceptions
        print """(This check supports exceptions via %s variable defined in \\fB/etc/security/msec/exceptions\\fP file)""" % variable

print footer

# man.py ends here