Tilted Forum Project Discussion Community  

Go Back   Tilted Forum Project Discussion Community > Interests > Tilted Technology


 
 
LinkBack Thread Tools
Old 06-01-2005, 01:44 PM   #1 (permalink)
Stop. Think. Question.
 
rubicon's Avatar
 
Location: Redondo Beach, CA
Automatic changing of Linux permissions and msec

I recently installed Mandriva 10.2 due to a hard disk crash under 10.0. Anyway, I chose the Security Level High option for the hell of it. I configured Samba and had my Windows and Mac client connecting, however every hour or so the permissions to the shared folders would mysteriously change.

My shared folders (located in /home) are chmod 0770 and kept changing to 0700. This is a problem because I would lose access to the files. I hunted through Google and couldn't find anything helpful until something about the "msec" command appeared.

msec (under Mandriva at least) allows you to change your security level. More digging and I discovered msec parses config files to determine what it should do to ensure security is being met. I discovered a setting which forces chmod 0700 on folders located in /home.

I won't go into all of it here, but if you do a Google search for "msec" you'll find a good bit of information about changing your security level to something else or tweak the msec configuration. In my case, I simply overrode the /home setting from chmod 0700 to 0770.

I'm posting here as an FYI as I had a tough time tracking this down. Lower security levels don't have this problem.
__________________
How you do anything is how you do everything.
rubicon is offline  
Old 06-01-2005, 06:40 PM   #2 (permalink)
Professional Loafer
 
bendsley's Avatar
 
Location: texas
The Mandrake Security tools package is designed to provide a generic secure level for Mandrake Linux users. It allows you to select on a scale of 0 to 5 the amount of security you need. This packages includes several programs that run periodically to test the security of your system and alert you if necessary.

"msec" has been around for quite a while. A little more info below:

The Mandriva security package (aka msec) is a set of tools that manages the security of the system. Mandriva offers by default 6 level of security, whose name describe their efficiency:

1. Level 0: Welcome to Crackers. This level is the least secure level and should be used with extreme caution. However, it makes the system very easy to use, and can be set if your computer is not connected to a network (Ithe Internet or a LAN); is used by only one person.

2. Level 1: Poor. Now, the system is usable by multiple users locally, but should not be used if the system is on a network (the Internet or a LAN).

3. Level 2: Low. The increased security over level 1 is that msec provides more security warnings and checks. This level is appropriate for multi-user local use.

4. Level 3: Medium. This is the recommended minimum security level for computers connected to a network. Most of the security checks are used in this level, such as checking for open ports. However, in this level, open ports are kept open and global access to them is granted, so this level, by default, is not generally good for systems connected to the internet unless you are behind a hardware firewall. This security level makes a nice base if you want to secure your system yourself by manually modifying configuration files for various services, etc. This security level is typically what most distributions use as a default (other distributions such as Red Hat or SuSE?).

5. Level 4: High. This is the recommended security level for network server systems or systems permanently connected to the internet. This level will allow connections to pre-determined servers via remote, and all locally. By default, a number of services are disabled, so as an administrator you will need to enable them by hand. The security checks msec performs are more advanced as well, as indicated by the above tables.

6. Level 5: Paranoid. This is the highest security level and it locks down the entire system. All of the security checks are enabled and the administrator will have to activate ports manually to enable services, and explicitly grant access to those services.

msec is the main script of the msec package. It enables the system administrator to change the security level for that system. msec is provided with six preconfigured security levels. These levels range from poor security and ease of use, to paranoid config, suitable for very sensitive server applications.

You must be root to run msec. Launch msec x to set you security level to x (x=[0-5]). It'll modify your system according to security level x features. Called without argument, it will enforce the current security level without lowering security. All the changes are logged to syslog at the AUTH facility when called non interactivelly (by cron for example) or at the LOCAL1 facility when called interactivelly (on the command line or from Mandriva Linux Control Center for example). For a fine description of each security level, consult the documenta- tion under /usr/share/doc/msec-*/security.txt.

If you want to make changes to the current level, use /etc/security/msec/perm.local to override the permissions/owners/groups and /etc/security/msec/level.local to override the rules.

Available options:

-o all-local-files= if is 1, consider that all the files are local.

-o log= if is different of syslog do not log to syslog but to the standard error output. -o nolocal= do not load the /etc/security/msec/level.local rules.

-o non-local-fstypes= is a list of non local file system types separated by spaces.

-o print= if is equal to 1, output the default values of the rules.

-o root= use as the root of the file system.

Rules
accept_bogus_error_responses(arg) Accept/Refuse bogus IPv4 error messages.

accept_broadcasted_icmp_echo(arg) Accept/Refuse broadcasted icmp echo.

accept_icmp_echo(arg) Accept/Refuse icmp echo.

allow_autologin(arg) Allow/Forbid autologin.

allow_issues(arg) If arg = ALL allow /etc/issue and /etc/issue.net to exist. If arg = NONE no issues are allowed else only /etc/issue is allowed.

allow_reboot(arg) Allow/Forbid reboot by the console user.

allow_remote_root_login(arg) Allow/Forbid remote root login.

allow_root_login(arg) Allow/Forbid direct root login.

allow_user_list(arg) Allow/Forbid the list of users on the system on display managers (kdm and gdm).

allow_x_connections(arg, listen_tcp=None) Allow/Forbid X connections. First arg specifies what is done on the client side: ALL (all connections are allowed), LOCAL (only local connection) and NONE (no connection).

allow_xserver_to_listen(arg) The argument specifies if clients are authorized to connect to the X server on the tcp port 6000 or not. authorize_services(arg) Authorize all services controlled by tcp_wrappers (see hosts.deny(5)) if arg = ALL. Only local ones if arg = LOCAL and none if arg = NONE. To authorize the services you need, use /etc/hosts.allow (see hosts.allow(5)).

create_server_link() If SERVER_LEVEL (or SECURE_LEVEL if absent) is greater than 3 in /etc/security/msec/security.conf, creates the symlink /etc/secu- rity/msec/server to point to /etc/secu- rity/msec/server.. The /etc/security/msec/server is used by chkconfig --add to decide to add a service if it is present in the file during the installation of packages.

enable_at_crontab(arg) Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow (see man at(1) and crontab(1)).

enable_console_log(arg, expr='*.*', dev='tty12') Enable/Disable syslog reports to console 12. expr is the expression describing what to log (see syslog.conf(5) for more details) and dev the device to report the log.

enable_dns_spoofing_protection(arg, alert=1) Enable/Disable name resolution spoofing protection. If alert is true, also reports to syslog.

enable_ip_spoofing_protection(arg, alert=1) Enable/Disable IP spoofing protection.

enable_libsafe(arg) Enable/Disable libsafe if libsafe is found on the system.

enable_log_strange_packets(arg) Enable/Disable the logging of IPv4 strange packets.

enable_msec_cron(arg) Enable/Disable msec hourly security check.

enable_pam_wheel_for_su(arg) Enabling su only from members of the wheel group or allow su from any user.

enable_password(arg) Use password to authenticate users.

enable_promisc_check(arg) Activate/Disable ethernet cards promiscuity check.

enable_security_check(arg) Activate/Disable daily security check.

enable_sulogin(arg) Enable/Disable sulogin(8) in single user level.

no_password_aging_for(name) Add the name as an exception to the handling of password aging by msec.

password_aging(max, inactive=-1) Set password aging to max days and delay to change to inactive.

password_history(arg) Set the password history length to prevent password reuse.

password_length(length, ndigits=0, nupper=0) Set the password minimum length and minimum number of digit and minimum number of capitalized letters.

set_root_umask(umask) Set the root umask.

set_security_conf(var, value) Set the variable var to the value value in /var/lib/msec/secu- rity.conf. The best way to override the default setting is to use create /etc/security/msec/security.conf with the value you want.

The following variables are currentrly recognized by msec:

CHECK_UNOWNED if set to yes, report unowned files.

CHECK_SHADOW if set to yes, check empty password in /etc/shadow.

CHECK_SUID_MD5 if set to yes, verify checksum of the suid/sgid files.

CHECK_SECURITY if set to yes, run the daily security checks.

CHECK_PASSWD if set to yes, check for empty passwords, for no pass- word in /etc/shadow and for users with the 0 id other than root.

SYSLOG_WARN if set to yes, report check result to syslog.

CHECK_SUID_ROOT if set to yes, check additions/removals of suid root files.

CHECK_PERMS if set to yes, check permissions of files in the users' home.

CHKROOTKIT_CHECK if set to yes, run chkrootkit checks.

CHECK_PROMISC if set to yes, check if the network devices are in promiscuous mode.

RPM_CHECK if set to yes, run some checks against the rpm database.

TTY_WARN if set to yes, reports check result to tty.

CHECK_WRITABLE if set to yes, check files/directories writable by everybody.

MAIL_WARN if set to yes, report check result by mail.

MAIL_USER if set, send the mail report to this email address else send it to root.

CHECK_OPEN_PORT if set to yes, check open ports.

CHECK_SGID if set to yes, check additions/removals of sgid files.

set_shell_history_size(size) Set shell commands history size. A value of -1 means unlimited.

set_shell_timeout(val) Set the shell timeout. A value of zero means no timeout.

set_user_umask(umask) Set the user umask.

Files
/usr/sbin/msec_ /var/lib/msec/security.conf_ Contains the configuration of the current active security level. These settings can be overridden in /etc/security/msec/security.conf.
__________________
"You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane."
bendsley is offline  
 

Tags
automatic, changing, linux, msec, permissions


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT -8. The time now is 05:41 AM.

Tilted Forum Project

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Search Engine Optimization by vBSEO 3.6.0 PL2
© 2002-2012 Tilted Forum Project

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360