Tips Linux Explorers   All Things Linux Forum   Great Linux Links   LinuxClues.com   Hometown   Email 



MANDRIVA SECURITY SETTINGS ( MSEC )


Mandriva/Mandrake has a clever tool for controlling security settings system-wide; it is called MSEC. There are 6 preconfigured levels you can choose from to secure your computer.

I recently noticed that with a few of the installs of Mandriva 2005, the default security level ( on the 5th screen during the install, see Here ) is set to "high" . . . where for a regular desktop "normal" should be enough . . .

Just to show you the different Mandriva security settings ( Msec ) here is a table of the levels 0 to 5 where 5 is "paranoid" and 0 is "none" . . . . 2 is the "normal" level you want . . .

QUOTE


****************************
Security level 0 :

- no password
- umask is 002 ( user = read,write | group = read,write | other = read )
- easy file permission.
- everybody authorized to connect to X display.
- . in $PATH

****************************
Security level 1 :

- Global security check.
- umask is 002 ( user = read,write | group = read,write | other = read )
- easy file permission.
- localhost authorized to connect to X display and X server listens to tcp connections.
- . in $PATH
- Warning in /var/log/security.log

****************************
Security level 2 ( Aka normal system ) :

- Global security check
- Suid root file check
- Suid root file md5sum check
- Writable file check
- Warning in syslog
- Warning in /var/log/security.log

- umask is 022 ( user = read,write | group = read | other = read )
- easy file permission.
- localhost authorized to connect to X display and X server listens to tcp connections.

****************************
Security level 3  ( Aka more secure system ) :

- Global security check
- Permissions check
- Suid root file check
- Suid root file md5sum check
- Suid group file check
- Writable file check
- Unowned file check
- Promiscuous check
- Listening port check
- Passwd file integrity check
- Shadow file integrity check
- Warning in syslog
- Warning in /var/log/security.log
- rpm database checks
- send the results of checks by mail if they aren't empty

- umask is 022 ( user = read,write | group = read | other = read )
- Normal file permission.
- X server listens to tcp connections.
- All system events additionally logged to /dev/tty12
- Some system security check launched every midnight from the ( crontab ).
- no autologin

- home directories are accessible but not readable by others and group members.

****************************
Security level 4 ( Aka Secured system ) :

- Global security check
- Permissions check
- Suid root file check
- Suid root file md5sum check
- Suid group file check
- Writable file check
- Unowned file check
- Promiscuous check
- Listening port check
- Passwd file integrity check
- Shadow file integrity check
- Warning in syslog
- Warning in /var/log/security.log
- Warning directly on tty
- rpm database checks
- Send the results of checks by mail even if they are empty to show that the checks were run.
- umask 022 ( user = read,write | group = read | other = read ) for root
- umask 077 ( user = read,write | group =  | other =  ) for normal users
- restricted file permissions.
- All system events additionally logged to /dev/tty12
- System security check every midnight ( crontab ).
- localhost authorized to connect to X display.
- X server doesn't listen for tcp connections
- no autologin
- sulogin in single user
- no direct root login
- remote root login only with a pass phrase
- no list of users in kdm and gdm
- password aging at 60 days
- shell history limited to 10
- shell timeout 3600 seconds
- at and crontab not allowed to users not listed in /etc/at.allow and /etc/cron.allow
* - Services not contained in /etc/security/msec/server.4 are disabled during package installation ( considered as not really secure ) ( but the user can reenable it with chkconfig --add ).
- Connection to the system denied for all except localhost (authorized services must be in /etc/hosts.allow).
- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ).

- most sensitive files and directories are restricted to the members of the adm group.
- home directories are not accessible by others and group members.
- X commands from /usr/X11R6/bin restricted to the members of the xgrp group.
- network commands (ssh, scp, rsh, ...) restricted to the members of the ntools group.
- compilation commands (gcc, g++, ...) restricted to the members of the ctools group.
- rpm command restricted to the members of the rpm group.
- forbid exporting X display when switching from root to another user

*******************************
Security level 5 ( Aka Paranoid system ) :

- Global security check
- Permissions check
- Suid root file check
- Suid root file md5sum check
- Suid group file check
- Writable file check
- Unowned file check
- Promiscuous check
- Listening port check
- Passwd file integrity check
- Shadow file integrity check
- Warning in syslog
- Warning in /var/log/security.log
- Warning directly on tty
- rpm database checks
- Send the results of checks by mail even if they are empty to show that the checks were run.

- umask 077 ( user = read,write | group =  | other =  )
- Highly restricted file permission
- All system events additionally logged to /dev/tty12
- System security check every midnight ( crontab ).
- X server doesn't listen for tcp connections
- no autologin
- sulogin in single user
- no direct root login
- no list of users in kdm and gdm
- password aging at 30 days
- password history to 5
- shell history limited to 10
- shell timeout 900 seconds
- su to root only allowed to members of the wheel group (activated only if the wheel group isn't empty)
* - Services not contained in /etc/security/msec/server.5 are disabled during package installation ( considered as not really secure ) ( but the user can reenable it with chkconfig --add ).
- Connection to the system denied for all (authorized services must be in /etc/hosts.allow).
- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ) .

- most sensitive files and directories are restricted to the root account.
- home directories are not accessible by others and group members.
- X commands from /usr/X11R6/bin restricted to the members of the xgrp group.
- network commands (ssh, scp, rsh, ...) restricted to the members of the ntools group.
- compilation commands (gcc, g++, ...) restricted to the members of the ctools group.
- rpm command restricted to the members of the rpm group.
- forbid exporting X display when switching from root to another user

******************

* level4/level5 : "services disabled" explanations :

- Some servers aren't really considered secure; these should, for example, be compiled from sources.
  Servers considered secure are specified in /etc/security/msec/server.4/5

  When enabling level4/5, all servers which aren't considered secure are disabled ( NOT uninstalled, just disabled ). The user can reenable them using the chkconfig utility ( the server will be launched at next boot ).

  In these levels, we are also denying rpm to enable any server considered insecure
  ( of course rpm can install the server ).
  The user has the choice : chkconfig --add servername will enable the server.
  Or add the server to the secured server list


*** Future Release : ***
- Automatic tty locking ( unlock by passwd ) after X time of inactivity.
***




If you want to change the msec settings after the install you can give the command ( as root ):

CODE
# msec 2
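
A quick way to see where the current account stands on three of the settings in the level table (umask, "." in $PATH, home directory exposure). This is an added example, not part of the original tip or of msec itself; the function names are made up here and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: spot-check three per-account settings from the level table.

# True if a PATH string searches the current directory: a literal "." entry
# or an empty entry (leading, trailing or doubled colon).
path_has_dot() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
    esac
    return 1
}

# Mode a new regular file gets under a umask (666 with the mask bits cleared).
file_mode_for_umask() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# msec levels whose table entry lists this umask.
levels_for_umask() {
    case $(( 0$1 )) in
        2)  echo "0-1" ;;
        18) echo "2-3, root at 4" ;;
        63) echo "5, normal users at 4" ;;
        *)  echo "not in the table" ;;
    esac
}

# Classify a home directory mode (octal) in the table's wording.
home_exposure() {
    go=$(( 0$1 & 077 ))                     # group and other bits only
    if [ $(( go & 044 )) -ne 0 ]; then echo "readable"
    elif [ $(( go & 011 )) -ne 0 ]; then echo "accessible, not readable"
    else echo "not accessible"
    fi
}

# Report for the current account; GNU stat (-c %a) is assumed.
report() {
    m=$(umask)
    echo "umask $m: new files $(file_mode_for_umask "$m"), levels $(levels_for_umask "$m")"
    if path_has_dot "$PATH"; then echo "PATH searches the current directory"
    else echo "no '.' or empty entry in PATH"
    fi
    h=$(stat -c %a "$HOME" 2>/dev/null) && echo "home mode $h: $(home_exposure "$h")"
    return 0
}
report
```

Run it as the user you care about rather than as root, since level 4 gives root and normal users different umasks.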




Bruno


-- Jun 14 2005 ( Revised Dec 13 2005 ) --

