MandrakeUser.Org - Your Mandrake-Linux Knowledge Base!

MSEC I

* Introduction
* What Does msec Do?
* Configurable Variables

Related Resources:

Original article on MandrakeSecure
Official Mandrake Linux msec Documentation
Files in '/usr/share/doc/msec-[...]

Revision / Modified: May 14, 2002
Author: Vincent Danen

 

This article was originally posted on MandrakeSecure by Vincent Danen. Thanks to him for allowing me to repost this article here on MUO.

* Introduction

The Mandrake-Security package, more commonly known as msec, has been one of the base packages in Mandrake Linux since it was first introduced in version 7.0. Since that time, msec has undergone a lot of changes, most notably the transformation from being a series of shell scripts in 8.1 to the python-based system it is currently in 8.2.

Please note that this paper describes msec 0.19 and will be modified to reflect changes in newer versions as they appear. There are some differences between this version of msec and earlier versions so while much of the information provided is applicable to previous versions of msec, it may not be exact.

The basic functionality of msec has, however, remained the same. Every user, consciously or not, has used msec to some degree. When DrakX, the Mandrake Linux GUI installer, asks what security level you wish to have on your system (Low, Medium, High), it is calling msec to secure your system.

* What Does msec Do?

However, one source of confusion with msec is what exactly it does. It's nice to know you can select a low security setting for next to no system security, or a high security setting for a paranoid system, but what exactly does msec do to differentiate a low setting from a high setting, or any of those in between? The following table illustrates the basic differences between the six security levels available:

                              Level 0    Level 1    Level 2    Level 3    Level 4    Level 5
root umask                    002        002        022        022        022        077
User umask                    002        002        022        022        077        077
Shell timeout                 0          0          0          0          3600       900
Deny Services                 none       none       none       none       local      all
su Only For wheel Group       no         no         no         no         no         yes
Shell History Size            default    default    default    default    10         10
Direct root Login             yes        yes        yes        yes        no         no
sulogin For Single User       no         no         no         no         yes        yes
User List in [kg]dm           yes        yes        yes        yes        no         no
Ignore ICMP Echo              no         no         no         no         yes        yes
Ignore Bogus Error Responses  no         no         no         no         yes        yes
Allow Reboot by User          yes        yes        yes        yes        no         no
Allow crontab/at              yes        yes        yes        yes        no         no
Password Aging                no         no         no         no         60 days    30 days
Password Required             no         yes        yes        yes        yes        yes
Allow Autologin               yes        yes        yes        no         no         no
Console Log                   no         no         no         yes        yes        yes
Warnings in syslog            no         no         yes        yes        yes        yes
Warnings in security.log      no         yes        yes        yes        yes        yes
Issues                        yes        yes        yes        local      local      no
IP Spoofing Protection        no         no         no         yes        yes        yes
Log Strange IP Packets        no         no         no         yes        yes        yes
Periodic Security Check       no         yes        yes        yes        yes        yes
Allow X TCP Connections       yes        local      local      local      no         no
Connect to X Display          all        localhost  localhost  localhost  localhost  no
"." in $PATH                  yes        yes        no         no         no         no
Run msec tests via cron       no         no         no         some       yes        yes

The following table shows the periodic checks that msec performs for the various security levels:

                    Level 0  Level 1  Level 2  Level 3  Level 4  Level 5
CHECK_SECURITY      no       yes      yes      yes      yes      yes
CHECK_PERMS         no       no       no       yes      yes      yes
CHECK_SUID_ROOT     no       no       yes      yes      yes      yes
CHECK_SUID_MD5      no       no       yes      yes      yes      yes
CHECK_SUID_GROUP    no       no       no       yes      yes      yes
CHECK_WRITEABLE     no       no       yes      yes      yes      yes
CHECK_UNOWNED       no       no       no       yes      yes      yes
CHECK_PROMISC       no       no       no       yes      yes      yes
CHECK_OPEN_PORT     no       no       no       yes      yes      yes
CHECK_PASSWD        no       no       no       yes      yes      yes
CHECK_SHADOW        no       no       no       yes      yes      yes
TTY_WARN            no       no       no       no       yes      yes
MAIL_WARN           no       no       no       yes      yes      yes
SYSLOG_WARN         no       no       yes      yes      yes      yes
RPM_CHECK           no       no       no       yes      yes      yes
CHKROOTKIT_CHECK    no       no       no       yes      yes      yes

* Configurable Variables

There are two additional variables that may be configured by the user: MAIL_USER and PERM_LEVEL. Let's take a look at what each configurable variable actually does:

MAIL_USER: this is the user to send the daily reports to. If this is not set, the email is sent to the root user (which, hopefully, is being forwarded to another user since root should not really receive mail).

PERM_LEVEL: This is used to determine the file to use in order to fix permissions, owners, and groups. If set, msec will use the file /etc/security/msec/perm.$PERM_LEVEL. If it is not set, it will use the SECURE_LEVEL variable instead (which is your current msec security level). Additionally, for extra system-specific configuration, the file /etc/security/msec/perm.local is also used, if it exists.

CHECK_SECURITY: If set, msec will execute the security_check.sh script with all CHECK_* variables taken into account. These tests include:

  • Check if any NFS filesystems are globally exported (without restrictions for who may mount them)
  • Check if NFS mounts are missing the "nosuid" option
  • Check if host-trusting files contain the "+" character, which allows hosts to connect without proper authentication (the files checked are /etc/hosts.equiv, /etc/shosts.equiv, and /etc/hosts.lpd)
  • Check if executables are found in the /etc/aliases or /etc/postfix/aliases files, and report the executable found
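The three file-based tests listed above, written out as an added example. This is not msec's own security_check.sh; the SAMPLE_* file contents are constructed for the demonstration, and treating an alias target that begins with "|" as "an executable" is this example's assumption about what the original check flags.

```python
# Added example (not msec's security_check.sh): the NFS export, host-trust
# file and aliases tests as small Python functions over file contents.

def _logical_lines(text):
    """Strip comments and blank lines, and join continuation lines (those
    starting with whitespace) onto the previous line, as aliases files allow."""
    out = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].rstrip()
        if not body.strip():
            continue
        if body[:1] in (" ", "\t") and out:
            out[-1] += " " + body.strip()
        else:
            out.append(body.strip())
    return out

def globally_exported(exports_text):
    """Export paths from /etc/exports text that any host may mount: entries
    with no client list at all, or with a '*' client."""
    open_exports = []
    for line in _logical_lines(exports_text):
        fields = line.split()
        path, clients = fields[0], fields[1:]
        hosts = [c.split("(", 1)[0] for c in clients]   # drop "(options)"
        if not hosts or any(h in ("", "*") for h in hosts):
            open_exports.append(path)
    return open_exports

def trusting_plus_entries(trust_text):
    """Entries of a hosts.equiv / shosts.equiv / hosts.lpd style file whose
    host field is '+', i.e. every host is trusted."""
    return [line for line in _logical_lines(trust_text) if line.split()[0] == "+"]

def alias_executables(aliases_text):
    """(alias, target) pairs whose target pipes mail into a command. A target
    starting with '|' is what this example counts as an executable (assumption)."""
    found = []
    for line in _logical_lines(aliases_text):
        if ":" not in line:
            continue
        alias, targets = line.split(":", 1)
        for target in targets.split(","):
            target = target.strip().strip('"')
            if target.startswith("|"):
                found.append((alias.strip(), target))
    return found

# Constructed sample file contents (not taken from any real system).
SAMPLE_EXPORTS = """# constructed /etc/exports
/export/home  192.168.1.0/24(rw,sync)
/export/pub   *(ro)
/export/tmp
/export/ok    trusted.example.com(rw,no_root_squash)
"""
SAMPLE_HOSTS_EQUIV = """# constructed /etc/hosts.equiv
trusted.example.com
+
+ alice
"""
SAMPLE_ALIASES = """# constructed /etc/aliases
postmaster: root
majordomo: "|/usr/lib/majordomo/wrapper majordomo"
root: admin,
      "|/usr/local/bin/archive-root"
"""

def run_checks():
    """Run all three tests on the samples and return the findings by test."""
    return {
        "open_exports": globally_exported(SAMPLE_EXPORTS),
        "trust_plus": trusting_plus_entries(SAMPLE_HOSTS_EQUIV),
        "alias_exec": alias_executables(SAMPLE_ALIASES),
    }

if __name__ == "__main__":
    for test, hits in run_checks().items():
        for hit in hits:
            print(f"{test}: {hit}")
```

On a real system you would read /etc/exports, the three trust files and the aliases file and pass their contents to the functions; the report-only behaviour matches what the daily check does, which is to tell you, not to change anything.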

CHECK_PERMS: If set, msec will check the permissions of certain files in each user's home directory and report its findings. It does not change the permissions, but simply reports that there are potential problems. It checks:

  • Files that should not be owned by someone other than the home directory owner, or readable by others: .netrc, .rhosts, .shosts, .Xauthority, .gnupg/secring.gpg, .pgp/secring.pgp, .ssh/identity, .ssh/id_dsa, .ssh/id_rsa, .ssh/random_seed
  • Files that should not be owned by someone other than the home directory owner, or writeable by others: .bashrc, .bash_profile, .bash_login, .bash_logout, .cshrc, .emacs, .exrc, .forward, .klogin, .login, .logout, .profile, .tcshrc, .fvwmrc, .inputrc, .kshrc, .nexrc, .screenrc, .ssh, .ssh/config, .ssh/authorized_keys, .ssh/environment, .ssh/known_hosts, .ssh/rc, .twmrc, .xsession, .xinitrc, .Xdefaults
  • The home directories themselves, which should not be owned by someone else or be writeable by others
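A report-only check of one home directory against the three lists above, as an added example (this is not msec's own CHECK_PERMS code). demo() builds a constructed home directory under a temporary path, with the current user standing in as the home's owner, so the check can be run without touching real accounts.

```python
# Added example (not msec's CHECK_PERMS): report, never fix, ownership and
# permission problems for the files msec lists in a user's home directory.
import os
import stat
import tempfile

# Must belong to the home owner and not be readable by group or others.
SECRET_FILES = (
    ".netrc", ".rhosts", ".shosts", ".Xauthority", ".gnupg/secring.gpg",
    ".pgp/secring.pgp", ".ssh/identity", ".ssh/id_dsa", ".ssh/id_rsa",
    ".ssh/random_seed",
)
# Must belong to the home owner and not be writeable by group or others.
WRITE_PROTECTED = (
    ".bashrc", ".bash_profile", ".bash_login", ".bash_logout", ".cshrc",
    ".emacs", ".exrc", ".forward", ".klogin", ".login", ".logout", ".profile",
    ".tcshrc", ".fvwmrc", ".inputrc", ".kshrc", ".nexrc", ".screenrc", ".ssh",
    ".ssh/config", ".ssh/authorized_keys", ".ssh/environment",
    ".ssh/known_hosts", ".ssh/rc", ".twmrc", ".xsession", ".xinitrc",
    ".Xdefaults",
)
OTHER_READ = stat.S_IRGRP | stat.S_IROTH
OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH

def _inspect(home, name, owner_uid, bad_bits, label):
    """Findings for home/name (the home itself when name is empty): wrong
    owner, or any of bad_bits set. Missing files are not a finding."""
    path = os.path.join(home, name) if name else home
    try:
        st = os.lstat(path)          # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return []
    shown = name or "home directory"
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"{shown}: owned by uid {st.st_uid}, not {owner_uid}")
    if st.st_mode & bad_bits:
        findings.append(f"{shown}: {label} by group/other")
    return findings

def check_home(home, owner_uid):
    """Run the three CHECK_PERMS-style tests on one home directory."""
    findings = _inspect(home, "", owner_uid, OTHER_WRITE, "writeable")
    for name in SECRET_FILES:
        findings += _inspect(home, name, owner_uid, OTHER_READ, "readable")
    for name in WRITE_PROTECTED:
        findings += _inspect(home, name, owner_uid, OTHER_WRITE, "writeable")
    return findings

def _touch(path, mode):
    """Create a small file and force its mode regardless of the umask."""
    with open(path, "w") as f:
        f.write("constructed\n")
    os.chmod(path, mode)

def demo():
    """Constructed home directory with two deliberate problems; returns the
    sorted findings for the current user as owner."""
    with tempfile.TemporaryDirectory() as base:
        home = os.path.join(base, "alice")
        os.mkdir(home)
        os.chmod(home, 0o755)
        _touch(os.path.join(home, ".netrc"), 0o644)        # readable by others
        _touch(os.path.join(home, ".bashrc"), 0o666)       # writeable by others
        os.mkdir(os.path.join(home, ".ssh"))
        os.chmod(os.path.join(home, ".ssh"), 0o700)
        _touch(os.path.join(home, ".ssh/id_rsa"), 0o600)   # fine
        _touch(os.path.join(home, ".profile"), 0o644)      # fine
        return sorted(check_home(home, os.getuid()))

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To run it across real accounts, iterate over pwd.getpwall() and call check_home(entry.pw_dir, entry.pw_uid) for each user; like msec, this only reports, so the administrator decides what to change.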

CHECK_SUID_ROOT: If set, msec will check and report on any changes to files that are suid root. This tells you if new suid root files appear on the system or if previously-existing suid root files have been removed.

CHECK_SUID_MD5: If set, msec will compare the md5sum of suid root files to previously computed values. This tells you when an existing suid root file has changed, even if its size and timestamp look the same; it does not report files being newly added to or removed from the system.

CHECK_SUID_GROUP: If set, msec will compare the md5sum of sgid files to previously computed values. This tells you when an existing sgid file has changed, even if its size and timestamp look the same; it does not report files being newly added to or removed from the system.
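How the three set-id checks fit together, as an added example that is not msec's own code: one scan builds an inventory of setuid-root (or setgid) files with their MD5 sums, a JSON baseline keeps the previous run's inventory, and a diff reports what was added or removed (CHECK_SUID_ROOT) and what changed in place (CHECK_SUID_MD5 / CHECK_SUID_GROUP). The baseline file name and the /usr scan root in the main block are assumptions for the demonstration; msec's own baseline location is not described on this page.

```python
# Added example (not msec's code): setuid/setgid inventory with MD5 baseline.
import hashlib
import json
import os
import stat
import tempfile

def md5_of(path):
    """MD5 of a file's contents, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_setid(root, setgid=False, owner_uid=0):
    """Walk root and return {path: md5} for regular files carrying the setuid
    bit (or the setgid bit when setgid=True). owner_uid limits the result to
    files owned by that uid (0 = root); pass None to accept any owner."""
    want = stat.S_ISGID if setgid else stat.S_ISUID
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & want:
                    continue
                if owner_uid is not None and st.st_uid != owner_uid:
                    continue
                inventory[path] = md5_of(path)
            except OSError:
                continue          # vanished or unreadable: skip, do not abort
    return inventory

def diff_inventory(old, new):
    """(added, removed, changed): added/removed is what CHECK_SUID_ROOT
    reports; changed (same path, different MD5) is what CHECK_SUID_MD5 and
    CHECK_SUID_GROUP report."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed

def load_baseline(path):
    """Previous inventory, or {} on the first run (everything shows as added)."""
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}

def save_baseline(inventory, path):
    with open(path, "w") as f:
        json.dump(inventory, f, indent=1, sort_keys=True)

def demo():
    """Offline demonstration on constructed data: the MD5 of a known file
    body and a diff between two hand-built inventories."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "sample")
        with open(sample, "wb") as f:
            f.write(b"abc")
        digest = md5_of(sample)
    old = {"/usr/bin/passwd": "a1", "/usr/bin/gone": "b2", "/usr/bin/su": "c3"}
    new = {"/usr/bin/passwd": "a1", "/usr/bin/new": "d4", "/usr/bin/su": "c3x"}
    return digest, diff_inventory(old, new)

if __name__ == "__main__":
    BASELINE = "suid-root-baseline.json"        # assumed location for the demo
    current = scan_setid("/usr")                # assumed scan root
    added, removed, changed = diff_inventory(load_baseline(BASELINE), current)
    for label, paths in (("added", added), ("removed", removed), ("changed", changed)):
        for p in paths:
            print(f"suid root {label}: {p}")
    save_baseline(current, BASELINE)
```

The baseline itself is worth protecting: if an attacker can rewrite it after replacing a setuid binary, the "changed" report disappears, which is why such inventories are usually kept root-owned and read-only to everyone else.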

CHECK_WRITEABLE: If set, msec will look for and report any world-writeable files found on your system.

CHECK_UNOWNED: If set, msec will look for files that are owned by uids and gids not referenced in /etc/passwd (i.e. unknown users). If such files are found, msec will automatically change the user/group to "nobody".

CHECK_PROMISC: If set, msec will check each ethernet card to determine whether or not it is in promiscuous mode. A card in promiscuous mode is allowed to intercept every packet it receives, including those that are not specifically directed to it. This is usually the case when a packet sniffer is being run on your system. At the same time, this could also mean that you have prelude running on your system.

CHECK_OPEN_PORT: If set, msec will report any changes to open ports on your system. This will help you track if a server has been re-started, or if a new server is starting to listen on any given port. This can provide false positives if servers have been re-started automatically by logrotate.

CHECK_PASSWD: If set, msec will verify that each user has a password and that the password is shadowed. This is an integrity check against /etc/passwd and discourages the system from having blank passwords.

CHECK_SHADOW: If set, msec will verify that each user has a password and that it is not blank. This is an integrity check against /etc/shadow.
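The two account checks as an added example, not msec's own code: parse /etc/passwd- and /etc/shadow-format text and report accounts with an empty password field, accounts whose hash still sits in passwd instead of shadow, and accounts marked as shadowed that have no shadow line at all. The SAMPLE_* contents, including the hash strings, are constructed.

```python
# Added example (not msec's CHECK_PASSWD / CHECK_SHADOW): integrity checks on
# passwd- and shadow-format text. Line numbers in findings are 1-based.

def parse_colon_file(text):
    """Yield (line_number, fields) for each non-empty, non-comment line."""
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.startswith("#"):
            yield number, line.split(":")

def check_passwd(passwd_text):
    """Findings for passwd text: seven fields expected; the password field must
    be 'x' (shadowed), never empty and never a hash kept in passwd itself."""
    findings = []
    for number, fields in parse_colon_file(passwd_text):
        if len(fields) != 7:
            findings.append((number, fields[0], "malformed entry"))
            continue
        user, password = fields[0], fields[1]
        if password == "":
            findings.append((number, user, "empty password field"))
        elif password != "x":
            findings.append((number, user, "password hash not shadowed"))
    return findings

def check_shadow(shadow_text):
    """Findings for shadow text: an empty second field means the account has
    no password at all. Locked markers such as '*', '!' and '!!' are fine."""
    findings = []
    for number, fields in parse_colon_file(shadow_text):
        if len(fields) < 2:
            findings.append((number, fields[0], "malformed entry"))
        elif fields[1] == "":
            findings.append((number, fields[0], "empty password field"))
    return findings

def missing_from_shadow(passwd_text, shadow_text):
    """Users marked 'x' in passwd that have no corresponding shadow line."""
    shadow_users = {f[0] for _, f in parse_colon_file(shadow_text)}
    return [f[0] for _, f in parse_colon_file(passwd_text)
            if len(f) == 7 and f[1] == "x" and f[0] not in shadow_users]

# Constructed samples; the hash values are made up and verify nothing.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
legacy:$1$c0nstr$uctedHashValue:500:500::/home/legacy:/bin/bash
guest::501:501::/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """root:$1$c0nstr$uctedHashValue:11800:0:99999:7:::
bin:*:11800:0:99999:7:::
guest::11800:0:99999:7:::
nobody:!!:11800:0:99999:7:::
"""

if __name__ == "__main__":
    for number, user, problem in check_passwd(SAMPLE_PASSWD):
        print(f"passwd line {number}: {user}: {problem}")
    for number, user, problem in check_shadow(SAMPLE_SHADOW):
        print(f"shadow line {number}: {user}: {problem}")
    for user in missing_from_shadow(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: marked shadowed in passwd but absent from shadow")
```

On a real system the shadow file is readable only by root, so the check has to run with that privilege; reading the two files and handing their contents to these functions is all that is needed.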

TTY_WARN: If set, msec will write its report to any console that has root logged on.

MAIL_WARN: If set, msec will send email warnings to the user specified by the MAIL_USER variable.

SYSLOG_WARN: If set, msec will also write its report to syslog.

RPM_CHECK: If set, msec will check what packages have been changed on the system since yesterday (even re-installs of the same package). It will also check if any files belonging to packages have been modified.

CHKROOTKIT_CHECK: If set, msec will search your system for known rootkits.

These settings are written to the files /etc/sysconfig/msec and /var/lib/msec/security.conf; each time you change the active msec security level, they are re-written with the new defaults. The /etc/sysconfig/msec file is sourced in various shell scripts, while /var/lib/msec/security.conf and /etc/security/msec/security.conf are sourced in the CHECK_SECURITY daily check.

One final thing to note. The settings are now also enforced every hour, for maximum protection, and every change that msec makes is logged to syslog. An easy way to view what changes msec is making on your system is to do:

[root@mdk82]# cd /var/log
[root@mdk82]# grep " msec" messages

Legal: All texts on this site are covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB (Tom Berger) and Mandrakesoft 1999-2002.