To override any of these defaults, you will need to
create the file /etc/security/msec/level.local with your overrides.
For example, you could have a level.local file that looks something
like this:
from mseclib import *
set_security_conf('MAIL_USER', 'vdanen')
set_security_conf('CHECK_PROMISC', 'no')
allow_reboot(1)
This tells msec that all msec emails must go to the
user vdanen and that we will never do the Promiscuous check (CHECK_PROMISC)
regardless of what security level we have defined. This also tells msec to
allow user reboots regardless of the security level.
To have a better idea of the different commands you
can use in the level.local file, read the mseclib manpage (man mseclib).
It describes all of the functions you can set in the file and what each function
is for.
Instead of using level.local, you can also use
/etc/security/msec/security.conf in a different
format that is easier to use. It is not quite as versatile as level.local,
as it is used to set shell variables that msec uses, but in most cases it
will be enough to use security.conf instead of level.local.
For example, instead of using the above in level.local you could use
the following in security.conf:
MAIL_USER=vdanen
CHECK_PROMISC=no
and in level.local just use:
from mseclib import *
allow_reboot(1)
If you want to override some permissions, you can do
this with the /etc/security/msec/perm.local file. Each level has its
own set of file permissions for certain files. If you want
to take a look at the defaults for each level, look at the /usr/share/msec/perm.*
files. They contain the file name (or directory), the user/group that should
own it, and the numeric permissions for the file or directory. Let's say,
for example, that you are using level 4 but don't want to have /boot with
only 700 permissions, which is the default in level 4. You would create your
/etc/security/msec/perm.local file and write in
it the following:
/boot/ root.root 755
Then you would execute msec (just type "msec" at the
command prompt as root), and if you look at the permissions of the /boot
directory now, you will see it is 755, so normal users can look in there.
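As an added example (not part of msec or of the original page), the following Python script reads entries in the `path owner.group mode` layout shown above and reports paths whose mode or ownership differs from the entry, which is a quick way to confirm that a perm.local override took effect after running msec. It assumes literal paths and that `#` starts a comment; `parse_perm_lines`, `audit` and `demo` are hypothetical names, and the sample input is constructed.

```python
import grp, os, pwd, stat, tempfile

def parse_perm_lines(text):
    """Parse 'path owner.group mode' entries (the layout the page describes)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or "." not in fields[1]:
            raise ValueError("line %d: expected 'path owner.group mode'" % lineno)
        entries.append((fields[0], fields[1], int(fields[2], 8)))
    return entries

def _name(lookup, ident):
    """Resolve a uid/gid to a name, falling back to the number as text."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def audit(entries):
    """Return (path, problem) pairs for paths that differ from their entry."""
    findings = []
    for path, spec, want in entries:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        have = stat.S_IMODE(st.st_mode)
        if have != want:
            kind = "looser" if have & ~want else "stricter"
            findings.append((path, "mode %04o, expected %04o (%s)" % (have, want, kind)))
        actual = "%s.%s" % (_name(pwd.getpwuid, st.st_uid), _name(grp.getgrgid, st.st_gid))
        if actual != spec:
            findings.append((path, "owner %s, expected %s" % (actual, spec)))
    return findings

def demo():
    """Constructed sample: a 0700 directory checked against a 755 entry."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "boot")
        os.mkdir(target)
        os.chmod(target, 0o700)
        st = os.lstat(target)
        who = "%s.%s" % (_name(pwd.getpwuid, st.st_uid), _name(grp.getgrgid, st.st_gid))
        sample = "# constructed input\n%s/ %s 755\n%s/absent root.root 700\n" % (target, who, tmp)
        return audit(parse_perm_lines(sample))
```

A "looser" result means the path grants permission bits the entry does not list, which is the case worth investigating first.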
Historically, msec's security levels had names that
somewhat distinguished what they did. For level 0, the name was "Welcome
to Crackers", for level 1 it was "Poor", for level 2 it was "Low", for level
3 it was "Medium", for level 4 it was "High", and for level 5 it was "Paranoid".
These names fit quite nicely with what each level is for. So how do you determine
what level is right for you? There is obviously some thought behind each
level, and you must determine the trade-off between security and ease of
use for yourself. Here we will describe some typical scenarios for each security
level.
Level 0: Welcome to Crackers. This level is the
least secure level and should be used with extreme caution. It will make
your system extremely easy to use, but at the expense of security. You should
ask yourself the following questions, and if you answer yes to any of them,
you should not use this level:
- Is my computer connected to the internet?
- Is my computer connected to other computers by a
network?
- Will this computer be used by someone other than
me (intentionally or otherwise)?
- Is there confidential data on this computer that
I don't want others having access to?
- I have little Linux experience and like to do everything
as root (aka I don't know what I'm doing and can break things)?
Level 1: Poor. The increased security over level
0 here is that access to user data is protected by usernames and passwords.
This makes the system usable by multiple users locally, but should not be
used if the system is on a network (internet or LAN).
Level 2: Low. The increased security over level
1 is that msec provides more security warnings and checks. This level is
appropriate for multi-user local use.
Level 3: Medium. This is the recommended minimum
security level for computers connected to a network. Most of the security
checks are used in this level, such as checking for open ports. However,
in this level, open ports are kept open and global access to them is granted,
so this level, by default, is not generally good for systems connected to
the internet unless you are behind an appropriate firewall (i.e. there is
a physical firewall system between you and the internet, not a firewall running
on the local computer). This security level makes a nice base if you want
to secure your system yourself by manually modifying configuration files
for various services, etc. This security level is typically what most distributions
use as a default, so it is comparable to older pre-msec versions of Mandrake
Linux, or other distributions such as Red Hat or SuSE.
Level 4: High. This is the recommended security
level for network server systems or systems permanently connected to the
internet. This level allows remote connections to pre-determined servers,
and all connections locally. By default, a number of services are disabled, so
as an administrator you will need to enable them by hand. The security checks
msec performs are more advanced as well, as indicated by the above tables.
Level 5: Paranoid. This is the highest security
level and it locks down the entire system. All of the security checks are
enabled and the administrator will have to activate ports manually to enable
services, and explicitly grant access to those services.
msec has a new feature that will only enable secure
services upon installation. This is only active in security levels 4 and
5. Basically, this means that only some pre-defined services will be enabled
when the server package is installed. For instance, if you select level 4
and then install proftpd, proftpd would not be enabled immediately. Typically,
when a server is installed, the RPM scripts enable the server so if you don't
want it running, you will have to disable it. msec works contrary to this
and will only enable services that are listed in the /etc/security/msec/server.[level]
file. The only real difference between level 4 and level 5 is that in level
5 sshd is not enabled.
This does not mean you cannot enable the service yourself!
This only prevents it from being activated upon installation, which is good
practice anyways. To enable a particular service, simply use:
# chkconfig --add service
where "service" is the name of the service to enable
(i.e. proftpd, http, etc.). If you upgrade a package (i.e. it already existed
on the system), then msec will do nothing regarding service activation. This
means that if you've already enabled httpd, then upgrade apache, you do not
need to re-enable it.
Changing a security level on your Mandrake Linux system
is very simple. All you need to do is execute msec and tell it what security
level you wish to use. This can be done by executing msec [level]
where [level] is the security level you wish to switch to. You can also have
msec tell you exactly what it's doing when you change the security level.
Here is a sample output of changing to security level 4:
[root@mdk82]# msec -o log=stderr 4
As you can see, msec is a very useful starting point
for securing your system. It cannot do everything to secure your system,
and it is not meant as that sort of tool. System security requires due diligence
by the system administrator. But msec will give you an excellent starting
point from which to further secure your system, and it provides some great
defaults depending on the type of system you wish to use.