This article was originally posted on MandrakeSecure by Vincent Danen.
Thanks to him for allowing me to repost this article here on MUO.
The Mandrake-Security package, more commonly known as
msec, has been one of the base packages in
Mandrake Linux since it was first introduced in version 7.0. Since that time,
msec has undergone a lot of changes, most notably the transformation from
being a series of shell scripts in 8.1 to the Python-based system it is currently
in 8.2.
Please note that this paper describes msec 0.19 and
will be modified to reflect changes in newer versions as they appear. There
are some differences between this version of msec and earlier versions so
while much of the information provided is applicable to previous versions
of msec, it may not be exact.
The basic functionality of msec has, however, remained
the same. Every user, consciously or not, has used msec to some degree. DrakX,
the Mandrake Linux GUI installer, when asking what security level you wish
to have on your system (Low, Medium, High) is calling msec to secure your
system.
However, one source of confusion with msec is what exactly
it does. It's nice to know you can select a low security setting for next
to no system security, or a high security setting for a paranoid system,
but what exactly does msec do to differentiate a low setting from a high
setting, or any of those in between? The following table illustrates the
basic differences between the six security levels available:
| Setting | Level 0 | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
|---|---|---|---|---|---|---|
| root umask | 002 | 002 | 022 | 022 | 022 | 077 |
| User umask | 002 | 002 | 022 | 022 | 077 | 077 |
| Shell timeout | 0 | 0 | 0 | 0 | 3600 | 900 |
| Deny Services | none | none | none | none | local | all |
| su Only For wheel Group | no | no | no | no | no | yes |
| Shell History Size | default | default | default | default | 10 | 10 |
| Direct root Login | yes | yes | yes | yes | no | no |
| sulogin For Single User | no | no | no | no | yes | yes |
| User List in [kg]dm | yes | yes | yes | yes | no | no |
| Ignore ICMP Echo | no | no | no | no | yes | yes |
| Ignore Bogus Error Responses | no | no | no | no | yes | yes |
| Allow Reboot by User | yes | yes | yes | yes | no | no |
| Allow crontab/at | yes | yes | yes | yes | no | no |
| Password Aging | no | no | no | no | 60 days | 30 days |
| Password Required | no | yes | yes | yes | yes | yes |
| Allow Autologin | yes | yes | yes | no | no | no |
| Console Log | no | no | no | yes | yes | yes |
| Warnings in syslog | no | no | yes | yes | yes | yes |
| Warnings in security.log | no | yes | yes | yes | yes | yes |
| Issues | yes | yes | yes | local | local | no |
| IP Spoofing Protection | no | no | no | yes | yes | yes |
| Log Strange IP Packets | no | no | no | yes | yes | yes |
| Periodic Security Check | no | yes | yes | yes | yes | yes |
| Allow X TCP Connections | yes | local | local | local | no | no |
| Connect to X Display | all | localhost | localhost | localhost | localhost | no |
| "." in $PATH | yes | yes | no | no | no | no |
| Run msec tests via cron | no | no | no | some | yes | yes |
The following table shows the periodic checks that msec
performs for the various security levels:
| Check | Level 0 | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 |
|---|---|---|---|---|---|---|
| CHECK_SECURITY | no | yes | yes | yes | yes | yes |
| CHECK_PERMS | no | no | no | yes | yes | yes |
| CHECK_SUID_ROOT | no | no | yes | yes | yes | yes |
| CHECK_SUID_MD5 | no | no | yes | yes | yes | yes |
| CHECK_SUID_GROUP | no | no | no | yes | yes | yes |
| CHECK_WRITEABLE | no | no | yes | yes | yes | yes |
| CHECK_UNOWNED | no | no | no | yes | yes | yes |
| CHECK_PROMISC | no | no | no | yes | yes | yes |
| CHECK_OPEN_PORT | no | no | no | yes | yes | yes |
| CHECK_PASSWD | no | no | no | yes | yes | yes |
| CHECK_SHADOW | no | no | no | yes | yes | yes |
| TTY_WARN | no | no | no | no | yes | yes |
| MAIL_WARN | no | no | no | yes | yes | yes |
| SYSLOG_WARN | no | no | yes | yes | yes | yes |
| RPM_CHECK | no | no | no | yes | yes | yes |
| CHKROOTKIT_CHECK | no | no | no | yes | yes | yes |
There are two additional variables that may be configured
by the user: MAIL_USER and PERM_LEVEL. Let's take a look at what each configurable
variable actually does:
MAIL_USER: This is the user to send the daily
reports to. If this is not set, the email is sent to the root user (which,
hopefully, is being forwarded to another user since root should not really
receive mail).
PERM_LEVEL: This is used to determine the file
to use in order to fix permissions, owners, and groups. If set, it will use
the file /etc/security/msec/perm.$PERM_LEVEL. If it is not set, it
will use the SECURE_LEVEL variable instead (which is your current msec security
level). Additionally, for extra system-specific configuration, the file /etc/security/msec/perm.local
is also used, if it exists.
CHECK_SECURITY: If set, msec will execute the
security_check.sh script with all CHECK_* variables
taken into account. These tests include:
- Check if any NFS filesystems are globally exported
(without restrictions for who may mount them)
- Check if NFS mounts are missing the "nosuid" option
- Check if host trusting files contain the "+" character,
which allows hosts to connect without proper authentication (the files checked
are /etc/hosts.equiv, /etc/shosts.equiv, and /etc/hosts.lpd)
- Check if executables are found in the /etc/aliases
or /etc/postfix/aliases files, and report any executable found
CHECK_PERMS: If set, msec will check the permissions
of certain files in each user's home directory and report its findings.
It does not change the permissions, but simply reports that there are potential
problems. It checks:
- Files that should not be owned by someone other than
the home directory owner, or readable: .netrc, .rhosts, .shosts, .Xauthority,
.gnupg/secring.gpg, .pgp/secring.pgp, .ssh/identity, .ssh/id_dsa, .ssh/id_rsa,
.ssh/random_seed
- Files that should not be owned by someone other than
the home directory owner, or writeable: .bashrc, .bash_profile, .bash_login,
.bash_logout, .cshrc, .emacs, .exrc, .forward, .klogin, .login, .logout,
.profile, .tcshrc, .fvwmrc, .inputrc, .kshrc, .nexrc, .screenrc, .ssh, .ssh/config,
.ssh/authorized_keys, .ssh/environment, .ssh/known_hosts, .ssh/rc, .twmrc,
.xsession, .xinitrc, .Xdefaults
- Checks home directories; directories should not be
owned by someone else or writeable
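A report-only audit in the spirit of CHECK_PERMS, as an added example (not msec's own code). The name audit_home, the shortened file lists, and the reading of "readable" and "writeable" as group/other permission bits are assumptions.

```python
import os
import stat

# File lists abbreviated from the CHECK_PERMS description above.
NO_READ = [".netrc", ".rhosts", ".shosts", ".Xauthority",
           ".gnupg/secring.gpg", ".ssh/identity", ".ssh/id_dsa", ".ssh/id_rsa"]
NO_WRITE = [".bashrc", ".bash_profile", ".profile", ".forward", ".ssh",
            ".ssh/config", ".ssh/authorized_keys", ".ssh/rc", ".xinitrc"]

OTHERS_READ = stat.S_IRGRP | stat.S_IROTH    # assumption: "readable" = group/other
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH   # assumption: "writeable" = group/other


def audit_home(home, owner_uid):
    """Return sorted (relative_path, problem) findings. Reports only, changes nothing."""
    findings = []

    def check(rel, bad_bits, problem):
        path = os.path.join(home, rel)
        try:
            st = os.stat(path)   # follows symlinks: the target's mode is what matters
        except OSError:
            return               # file absent (or dangling link): nothing to report
        if st.st_uid != owner_uid:
            findings.append((rel, "not owned by home owner"))
        if st.st_mode & bad_bits:
            findings.append((rel, problem))

    check(".", OTHERS_WRITE, "writeable by group/other")   # the home directory itself
    for rel in NO_READ:
        check(rel, OTHERS_READ, "readable by group/other")
    for rel in NO_WRITE:
        check(rel, OTHERS_WRITE, "writeable by group/other")
    return sorted(findings)
```

Call it once per account with the home directory and uid taken from /etc/passwd, for example via pwd.getpwall().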
CHECK_SUID_ROOT: If set, msec will check and
report on any changes to files that are suid root. This tells you if new
suid root files appear on the system or if previously-existing suid root
files have been removed.
CHECK_SUID_MD5: If set, msec will compare the
md5sum of suid root files to previously computed values. This will tell you
if a suid root file has changed, even if the size and timestamp are similar,
but has not been newly added or removed from the system.
CHECK_SUID_GROUP: If set, msec will compare the
md5sum of sgid files to previously computed values. This will tell you if
a sgid file has changed, even if the size and timestamp are similar, but
has not been newly added or removed from the system.
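How the CHECK_SUID_ROOT and CHECK_SUID_MD5 comparisons fit together, as an added example (not msec's own code): take a snapshot of setuid files with their digests, then diff it against the previous run. The function names are hypothetical, SHA-256 stands in for the md5sum the article mentions, and owner_uid is a parameter only so the code can be exercised without root.

```python
import hashlib
import os
import stat


def snapshot_suid(root, owner_uid=0):
    """Map path -> SHA-256 hex digest for each setuid regular file owned by owner_uid."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)              # do not follow symlinks
                if not stat.S_ISREG(st.st_mode):
                    continue
                if not st.st_mode & stat.S_ISUID or st.st_uid != owner_uid:
                    continue
                digest = hashlib.sha256()
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
            except OSError:
                continue                         # vanished or unreadable file
            snap[path] = digest.hexdigest()
    return snap


def diff_snapshots(old, new):
    """added/removed is the CHECK_SUID_ROOT report; changed is the CHECK_SUID_MD5 report."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }
```

Because the comparison is on content digests, a file rewritten with the same size and a restored timestamp still lands in "changed". The baseline is only as trustworthy as where it is stored.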
CHECK_WRITEABLE: If set, msec will look for and
report any world-writeable files found on your system.
CHECK_UNOWNED: If set, msec will look for files
that are owned by uids and gids not referenced in /etc/passwd (i.e.
unknown users). If such files are found, msec will automatically change the
user/group to "nobody".
CHECK_PROMISC: If set, msec will check each Ethernet
card to determine whether or not it is in promiscuous mode. Cards in promiscuous
mode are allowed to intercept every packet received, including those that
are not specifically directed to them. This is usually the case when a packet
sniffer is being run on your system. At the same time, this could also mean
that you have Prelude running on your system.
CHECK_OPEN_PORT: If set, msec will report any
changes to open ports on your system. This will help you track if a server
has been re-started, or if a new server is starting to listen on any given
port. This can provide false positives if servers have been re-started automatically
by logrotate.
CHECK_PASSWD: If set, msec will verify that each
user has a password and that the password is shadowed. This is an integrity
check against /etc/passwd and discourages the system from having blank
passwords.
CHECK_SHADOW: If set, msec will verify that each
user has a password and that it is not blank. This is an integrity check
against /etc/shadow.
TTY_WARN: If set, msec will write its report
to any console that has root logged on.
MAIL_WARN: If set, msec will send email warnings
to the user specified by the MAIL_USER variable.
SYSLOG_WARN: If set, msec will also write its
report to syslog.
RPM_CHECK: If set, msec will check what packages
have been changed on the system since yesterday (even re-installs of the
same package). It will also check if any files belonging to packages have
been modified.
CHKROOTKIT_CHECK: If set, msec will search your
system for known rootkits.
These settings are written to the files /etc/sysconfig/msec
and /var/lib/msec/security.conf; each time you change the msec active
security level, they will be re-written with the new defaults. The /etc/sysconfig/msec
file is sourced in various shell scripts while the /var/lib/msec/security.conf
and /etc/security/msec/security.conf files are sourced in the CHECK_SECURITY
daily check.
One final thing to note. The settings are now also enforced
every hour, for maximum protection, and every change that msec makes is logged
to syslog. An easy way to view what changes msec is making on your system
is to do:
[root@mdk82]# cd /var/log
[root@mdk82]# grep " msec" messages
Customizing, Security
Levels
|