Tilted Forum Project Discussion Community  



Old 06-01-2005, 01:44 PM   #1 (permalink)
rubicon
Location: Redondo Beach, CA
Automatic changing of Linux permissions and msec

I recently installed Mandriva 10.2 due to a hard disk crash under 10.0. Anyway, I chose the Security Level High option for the hell of it. I configured Samba and had my Windows and Mac client connecting, however every hour or so the permissions to the shared folders would mysteriously change.

My shared folders (located in /home) are chmod 0770 and kept changing to 0700. This is a problem because I would lose access to the files. I hunted through Google and couldn't find anything helpful until something about the "msec" command appeared.

msec (under Mandriva at least) allows you to change your security level. More digging and I discovered msec parses config files to determine what it should do to ensure security is being met. I discovered a setting which forces chmod 0700 on folders located in /home.

I won't go into all of it here, but if you do a Google search for "msec" you'll find a good bit of information about changing your security level to something else or tweaking the msec configuration. In my case, I simply overrode the /home setting from chmod 0700 to 0770.

I'm posting here as an FYI as I had a tough time tracking this down. Lower security levels don't have this problem.
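The drift rubicon describes (a 0770 share silently becoming 0700 after msec's hourly run) is easiest to catch with a small check run before and after the cron job fires. The script below is an added example, not rubicon's own and not part of msec: check_mode reports directories whose mode differs from what you set. It assumes GNU stat, and the perm.local line shown in the comment assumes the layout of the perm.<level> files shipped with msec on that Mandriva release, which you should compare against your own copy.

```shell
#!/bin/sh
# Added example (not from the original post, not part of msec): spot
# permission drift on shared directories such as the Samba shares in /home,
# e.g. a 0770 share that msec's hourly run has reset to 0700.
# Assumes GNU coreutils stat (-c '%a' prints the octal mode, e.g. "770",
# or "2770" when the setgid bit is set).

# check_mode EXPECTED DIR...
# Prints one "drift:" line per directory whose mode is not EXPECTED.
# Returns 0 when every directory matches, 1 when any drifted or is missing.
check_mode() {
    expected="$1"; shift
    rc=0
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "missing: $d" >&2
            rc=1
            continue
        fi
        actual=$(stat -c '%a' "$d")
        if [ "$actual" != "$expected" ]; then
            echo "drift: $d is $actual, expected $expected"
            rc=1
        fi
    done
    return $rc
}

# Fixing the drift permanently is an msec override, not another chmod: on the
# Mandriva release discussed, the admin file /etc/security/msec/perm.local
# takes precedence over the shipped perm.<level> file. The line layout
# (path, owner.group or "current", mode) is ASSUMED from those shipped files;
# compare with /usr/share/msec/perm.4 on your own system before relying on it:
#   /home/*    current    770

# Usage when run directly: check_mode MODE DIR... and act on the exit status,
# e.g. from a cron entry scheduled a few minutes after msec's hourly run.
if [ "${1:-}" != "" ]; then
    check_mode "$@"
fi
```

Run it once right after you set the mode and again after the next hour boundary; a non-zero exit with a "drift:" line tells you msec (or something else on an hourly schedule) is resetting the directory, which is the signal to look at the perm.<level> file for the active level rather than keep re-running chmod.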
Old 06-01-2005, 06:40 PM   #2 (permalink)
bendsley
Location: texas
The Mandrake Security tools package is designed to provide a generic secure level for Mandrake Linux users. It allows you to select on a scale of 0 to 5 the amount of security you need. This package includes several programs that run periodically to test the security of your system and alert you if necessary.

"msec" has been around for quite a while. A little more info below:

The Mandriva security package (aka msec) is a set of tools that manages the security of the system. Mandriva offers by default six levels of security, whose names describe their efficiency:

1. Level 0: Welcome to Crackers. This level is the least secure level and should be used with extreme caution. However, it makes the system very easy to use, and can be set if your computer is not connected to a network (the Internet or a LAN) and is used by only one person.

2. Level 1: Poor. Now, the system is usable by multiple users locally, but should not be used if the system is on a network (the Internet or a LAN).

3. Level 2: Low. The increased security over level 1 is that msec provides more security warnings and checks. This level is appropriate for multi-user local use.

4. Level 3: Medium. This is the recommended minimum security level for computers connected to a network. Most of the security checks are used in this level, such as checking for open ports. However, in this level, open ports are kept open and global access to them is granted, so this level, by default, is not generally good for systems connected to the internet unless you are behind a hardware firewall. This security level makes a nice base if you want to secure your system yourself by manually modifying configuration files for various services, etc. This security level is typically what most distributions use as a default (other distributions such as Red Hat or SuSE?).

5. Level 4: High. This is the recommended security level for network server systems or systems permanently connected to the internet. This level will allow connections to pre-determined servers via remote, and all locally. By default, a number of services are disabled, so as an administrator you will need to enable them by hand. The security checks msec performs are more advanced as well, as indicated by the above tables.

6. Level 5: Paranoid. This is the highest security level and it locks down the entire system. All of the security checks are enabled and the administrator will have to activate ports manually to enable services, and explicitly grant access to those services.

msec is the main script of the msec package. It enables the system administrator to change the security level for that system. msec is provided with six preconfigured security levels. These levels range from poor security and ease of use, to paranoid config, suitable for very sensitive server applications.

You must be root to run msec. Launch msec x to set your security level to x (x=[0-5]). It'll modify your system according to security level x features. Called without argument, it will enforce the current security level without lowering security. All the changes are logged to syslog at the AUTH facility when called non-interactively (by cron for example) or at the LOCAL1 facility when called interactively (on the command line or from Mandriva Linux Control Center for example). For a fine description of each security level, consult the documentation under /usr/share/doc/msec-*/security.txt.

If you want to make changes to the current level, use /etc/security/msec/perm.local to override the permissions/owners/groups and /etc/security/msec/level.local to override the rules.

Available options:

-o all-local-files=<value> if <value> is 1, consider that all the files are local.

-o log=<value> if <value> is different from syslog, do not log to syslog but to the standard error output.

-o nolocal=<value> do not load the /etc/security/msec/level.local rules.

-o non-local-fstypes=<value> <value> is a list of non-local file system types separated by spaces.

-o print=<value> if <value> is equal to 1, output the default values of the rules.

-o root=<value> use <value> as the root of the file system.

Rules
accept_bogus_error_responses(arg) Accept/Refuse bogus IPv4 error messages.

accept_broadcasted_icmp_echo(arg) Accept/Refuse broadcasted icmp echo.

accept_icmp_echo(arg) Accept/Refuse icmp echo.

allow_autologin(arg) Allow/Forbid autologin.

allow_issues(arg) If arg = ALL allow /etc/issue and /etc/issue.net to exist. If arg = NONE no issues are allowed else only /etc/issue is allowed.

allow_reboot(arg) Allow/Forbid reboot by the console user.

allow_remote_root_login(arg) Allow/Forbid remote root login.

allow_root_login(arg) Allow/Forbid direct root login.

allow_user_list(arg) Allow/Forbid the list of users on the system on display managers (kdm and gdm).

allow_x_connections(arg, listen_tcp=None) Allow/Forbid X connections. First arg specifies what is done on the client side: ALL (all connections are allowed), LOCAL (only local connection) and NONE (no connection).

allow_xserver_to_listen(arg) The argument specifies if clients are authorized to connect to the X server on the tcp port 6000 or not.

authorize_services(arg) Authorize all services controlled by tcp_wrappers (see hosts.deny(5)) if arg = ALL. Only local ones if arg = LOCAL and none if arg = NONE. To authorize the services you need, use /etc/hosts.allow (see hosts.allow(5)).

create_server_link() If SERVER_LEVEL (or SECURE_LEVEL if absent) is greater than 3 in /etc/security/msec/security.conf, creates the symlink /etc/security/msec/server to point to /etc/security/msec/server.<SERVER_LEVEL>. The /etc/security/msec/server file is used by chkconfig --add to decide whether to add a service, if it is present in the file, during the installation of packages.

enable_at_crontab(arg) Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow (see man at(1) and crontab(1)).

enable_console_log(arg, expr='*.*', dev='tty12') Enable/Disable syslog reports to console 12. expr is the expression describing what to log (see syslog.conf(5) for more details) and dev the device to report the log.

enable_dns_spoofing_protection(arg, alert=1) Enable/Disable name resolution spoofing protection. If alert is true, also reports to syslog.

enable_ip_spoofing_protection(arg, alert=1) Enable/Disable IP spoofing protection.

enable_libsafe(arg) Enable/Disable libsafe if libsafe is found on the system.

enable_log_strange_packets(arg) Enable/Disable the logging of IPv4 strange packets.

enable_msec_cron(arg) Enable/Disable msec hourly security check.

enable_pam_wheel_for_su(arg) Enable su only for members of the wheel group, or allow su from any user.

enable_password(arg) Use password to authenticate users.

enable_promisc_check(arg) Activate/Disable ethernet cards promiscuity check.

enable_security_check(arg) Activate/Disable daily security check.

enable_sulogin(arg) Enable/Disable sulogin(8) in single user level.

no_password_aging_for(name) Add the name as an exception to the handling of password aging by msec.

password_aging(max, inactive=-1) Set password aging to max days and delay to change to inactive.

password_history(arg) Set the password history length to prevent password reuse.

password_length(length, ndigits=0, nupper=0) Set the password minimum length and minimum number of digits and minimum number of capitalized letters.

set_root_umask(umask) Set the root umask.

set_security_conf(var, value) Set the variable var to the value value in /var/lib/msec/security.conf. The best way to override the default setting is to create /etc/security/msec/security.conf with the value you want.

The following variables are currently recognized by msec:

CHECK_UNOWNED if set to yes, report unowned files.

CHECK_SHADOW if set to yes, check empty password in /etc/shadow.

CHECK_SUID_MD5 if set to yes, verify checksum of the suid/sgid files.

CHECK_SECURITY if set to yes, run the daily security checks.

CHECK_PASSWD if set to yes, check for empty passwords, for no password in /etc/shadow and for users with the 0 id other than root.

SYSLOG_WARN if set to yes, report check result to syslog.

CHECK_SUID_ROOT if set to yes, check additions/removals of suid root files.

CHECK_PERMS if set to yes, check permissions of files in the users' home.

CHKROOTKIT_CHECK if set to yes, run chkrootkit checks.

CHECK_PROMISC if set to yes, check if the network devices are in promiscuous mode.

RPM_CHECK if set to yes, run some checks against the rpm database.

TTY_WARN if set to yes, reports check result to tty.

CHECK_WRITABLE if set to yes, check files/directories writable by everybody.

MAIL_WARN if set to yes, report check result by mail.

MAIL_USER if set, send the mail report to this email address else send it to root.

CHECK_OPEN_PORT if set to yes, check open ports.

CHECK_SGID if set to yes, check additions/removals of sgid files.

set_shell_history_size(size) Set shell commands history size. A value of -1 means unlimited.

set_shell_timeout(val) Set the shell timeout. A value of zero means no timeout.

set_user_umask(umask) Set the user umask.

Files
/usr/sbin/msec
/var/lib/msec/security.conf Contains the configuration of the current active security level. These settings can be overridden in /etc/security/msec/security.conf.
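The man page text quoted above says the defaults for the active level live in /var/lib/msec/security.conf and that /etc/security/msec/security.conf overrides them, so the question a practitioner actually has is "what is the effective value, and which checks has someone turned off?". The functions below are an added example, not msec's own code: they merge the two files with the override winning and list every CHECK_* / *_CHECK variable whose effective value is not "yes". The one-KEY=value-per-line layout with '#' comments is assumed from msec's security.conf of that era; the two files in the test are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post or of msec): compute the
# effective msec security.conf the way the man page describes it, i.e.
# level defaults (/var/lib/msec/security.conf) overridden by the admin file
# (/etc/security/msec/security.conf). File layout assumed: one KEY=value per
# line, '#' comments, blank lines allowed. Paths must not contain spaces.

# effective_conf DEFAULT_FILE OVERRIDE_FILE
# Prints KEY=value lines, later file winning, sorted by key.
# A missing OVERRIDE_FILE is fine (then only the defaults apply).
effective_conf() {
    default="$1"; override="$2"
    [ -r "$default" ] || { echo "cannot read $default" >&2; return 1; }
    files="$default"
    [ -r "$override" ] && files="$default $override"
    # awk reads both files in order; a later assignment to the same key
    # replaces the earlier one, which is exactly the override semantics.
    awk -F= '
        /^[[:space:]]*#/ { next }            # comment
        /^[[:space:]]*$/ { next }            # blank line
        {
            key = $1
            sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
            val = substr($0, index($0, "=") + 1)   # keep any "=" inside the value
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            if (key != "") conf[key] = val
        }
        END { for (k in conf) print k "=" conf[k] }
    ' $files | LC_ALL=C sort
}

# conf_get DEFAULT_FILE OVERRIDE_FILE KEY
# Prints the effective value of KEY, or nothing if it is unset anywhere.
conf_get() {
    effective_conf "$1" "$2" |
        awk -F= -v k="$3" '$1 == k { print substr($0, index($0, "=") + 1); exit }'
}

# disabled_checks DEFAULT_FILE OVERRIDE_FILE
# Lists the security-check switches (CHECK_* and *_CHECK, e.g. CHECK_PERMS,
# CHKROOTKIT_CHECK, RPM_CHECK) whose effective value is not "yes": the
# checks the current configuration has turned off, whichever file did it.
disabled_checks() {
    effective_conf "$1" "$2" |
        awk -F= '($1 ~ /^CHECK_/ || $1 ~ /_CHECK$/) && tolower($2) != "yes" { print $1 }'
}
```

On a live system the call is conf_get /var/lib/msec/security.conf /etc/security/msec/security.conf CHECK_PERMS, and disabled_checks with the same two paths is a quick audit after someone has "tuned" the box: a check that is off in the override file does not show up in msec's own reports, so the merged view is the only place you will see it.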
 

Tags
automatic, changing, linux, msec, permissions