Msec

From Mandriva Community Wiki

msec: The Mandriva Linux Security package


Description

The Mandriva security package (aka msec) is intended to control and manage the security of the system. It was initially introduced in Mandrake 8, being one of the first system security utilities of its kind, and was heavily modified and redesigned for Mandriva 2009.1. Msec uses the concept of *security levels*: each level configures a set of system permissions, which can then be audited for changes or enforced.

The current msec configuration is stored in the /etc/security/msec/security.conf file, which can be created manually, with the msecgui graphical interface, or with the msec -f command, which configures system security according to a predefined level. By default, the following levels are available:

  1. Level 'None'. This level is intended for cases where you do not want to use msec to control system security and prefer tuning it on your own. It disables all security checks and puts no restrictions or constraints on system configuration and settings. Please use this level only if you know what you are doing, as it would leave your system vulnerable to attack. In msecgui, select the Disable msec option to activate this level. The default configuration for this level is stored in /etc/security/msec/level.none.
  2. Level 'Standard'. This is the default configuration when installed and is intended for casual users. It constrains several system settings and executes daily security checks which detect changes in system files, system accounts, and vulnerable directory permissions. This level is similar to levels 2 and 3 from past msec versions. The default configuration for this level is stored in /etc/security/msec/level.standard.
  3. Level 'Secure'. This level is intended for cases where you want to ensure your system is secure, yet usable. It further restricts system permissions and executes more periodic checks. Moreover, access to the system is more restricted. This level is similar to levels 4 (High) and 5 (Paranoid) from old msec versions. The configuration for this level is defined by the /etc/security/msec/level.secure file.
  4. Moreover, you can define your own custom security levels, saving them into specific files in /etc/security/msec/level.LEVELNAME. This function is intended for power users who require a customized or more secure system configuration.

Using MSEC

Msec is the main script of the msec package. It enables the system administrator to change the security level for that system. You must be root to run msec.

Launch msec to check and fix current system configuration. This will allow you to identify the system settings that are different from system security configuration. For example, if you changed settings related to remote root login in ssh, msec would warn you that the configuration for remote root access differs from settings defined in /etc/security/msec/security.conf. As msec has no way to know whether it was you who changed that file or a malicious attacker, you should change that setting in /etc/security/msec/security.conf as well, either manually or using msecgui.

If you just want to see what has changed from the previous security configuration, you may use msec -p, which will allow you to preview all changes.

The results of the periodic checks performed by msec can be sent by email, and are also stored in the /var/log/security.log file. The email address which should receive the results of such checks can be configured using msecgui, or by editing /etc/security/msec/security.conf directly.

All actions performed by msec can be logged to different locations. By default, everything is logged to the /var/log/msec.log file, classifying the changes according to their impact into INFO, WARNING, ERROR or CRITICAL categories.

Another important part of the msec package is msecperms, which is intended for checking and enforcing file and directory permissions. It works in a similar way to msec, and checks the system permissions according to the /etc/security/msec/perms.conf file. Like msec, the settings can be configured either using the msecgui graphical interface, or by running the msecperms -f command, which will configure the settings according to a predefined level. Also like the msec configuration, the permission settings for each level are defined by the /etc/security/msec/perm.LEVELNAME file, and the none, standard and secure levels are available by default.

By default, msecperms only checks for changes to system permissions. If you want it to restore default permissions to files when a change is detected, you could use the *force* option. If you are switching to a new security level or scheme, or simply want to set default permissions on everything, you may run msecperms -e, which will enforce permissions according to current security scheme.

Security Reports

If you enabled the security reports, either in /etc/security/msec/security.conf or using msecgui, daily security emails will be sent to a local account, which is defined in the Notifications tab of msecgui (or in the MAIL_USER setting of /etc/security/msec/security.conf). In order to receive the mails, your mail client must be configured to 'merge' mails from the spool file (Sylpheed, for example, can do this).

Alternatively enter any valid email address in the box, and so long as an SMTP mail server such as Postfix or Sendmail is running, then emails will be sent to your mail account. If you have no mail server running do not despair. Install the ssmtp RPM using Mandrake Software Manager and configure /etc/ssmtp/ssmtp.conf and you will be able to send mails.

Graphical interface (msecgui)

WARNING: the graphical interface for msecgui is likely to change before final Mandriva 2009.1 release.

The graphical interface to msec is available in msecgui, which is provided by the msec-gui package. This application is intended to be used by root, as it allows you to configure all aspects of msec security.

The application uses a tabbed graphical interface, as can be seen next:

Msecgui graphical interface

Different msec functionalities are separated into tabs, grouping together options related to local security, network security, periodic checks, notifications and permission checking.

Msecgui network security tab

Msecgui permission configuration tab

If any permission is different from the default configuration of your level, it will be shown as customized. This allows you to quickly check for settings that are different from default system security.

If you have changed the settings, msecgui allows you to preview the changes before saving them.

Msecgui preview changes

MSEC rules and settings

The following functionality is supported by msec:

| Setting | Description |
|---|---|
| ENABLE_IP_SPOOFING_PROTECTION | Enable/Disable name resolution spoofing protection. |
| MAIL_EMPTY_CONTENT | Enables sending of empty mail reports. |
| ACCEPT_BROADCASTED_ICMP_ECHO | Accept/Refuse broadcasted ICMP echo. |
| ALLOW_XSERVER_TO_LISTEN | The argument specifies if clients are authorized to connect to the X server on the TCP port 6000 or not. |
| CHECK_CHKROOTKIT | Enables checking for known rootkits using chkrootkit. |
| CHECK_SUID_ROOT | Enables checking for additions/removals of suid root files. |
| ENABLE_AT_CRONTAB | Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow (see man at(1) and crontab(1)). |
| ACCEPT_BOGUS_ERROR_RESPONSES | Accept/Refuse bogus IPv4 error messages. |
| CHECK_SUID_MD5 | Enables checksum verification for suid files. |
| MAIL_USER | Defines email to receive security notifications. |
| ALLOW_AUTOLOGIN | Allow/Forbid autologin. |
| ENABLE_PAM_WHEEL_FOR_SU | Enable su only for members of the wheel group, or allow su from any user. |
| CREATE_SERVER_LINK | Creates the symlink /etc/security/msec/server to point to /etc/security/msec/server.SERVER_LEVEL. The /etc/security/msec/server is used by chkconfig --add to decide to add a service if it is present in the file during the installation of packages. |
| SHELL_TIMEOUT | Set the shell timeout. A value of zero means no timeout. |
| CHECK_USER_FILES | Enables permission checking on users' files that should not be owned by someone else, or writable. |
| CHECK_SHADOW | Enables checking for empty passwords. |
| ENABLE_PASSWORD | Use password to authenticate users. Take EXTREME care when disabling passwords, as it will leave the machine COMPLETELY vulnerable. |
| WIN_PARTS_UMASK | Set umask option for mounting VFAT and NTFS partitions. A value of None means default umask. |
| CHECK_OPEN_PORT | Enables checking for open network ports. |
| ENABLE_LOG_STRANGE_PACKETS | Enable/Disable the logging of IPv4 strange packets. |
| CHECK_RPM | Enables verification of installed packages. |
| MAIL_WARN | Enables security results submission by email. |
| PASSWORD_LENGTH | Set the password minimum length, minimum number of digits and minimum number of capitalized letters. |
| ROOT_UMASK | Set the root umask. |
| CHECK_SGID | Enables checking for additions/removals of sgid files. |
| CHECK_PROMISC | Activate/Disable ethernet cards promiscuity check. |
| ALLOW_X_CONNECTIONS | Allow/Forbid X connections. Accepted arguments: yes (all connections are allowed), local (only local connection), no (no connection). |
| CHECK_WRITABLE | Enables checking for files/directories writable by everybody. |
| ENABLE_CONSOLE_LOG | Enable/Disable syslog reports to console terminal 12. |
| ENABLE_DNS_SPOOFING_PROTECTION | Enable/Disable IP spoofing protection. |
| BASE_LEVEL | Defines the base security level, on top of which the current configuration is based. |
| CHECK_PERMS | Enables periodic permission checking for system files. |
| SHELL_HISTORY_SIZE | Set shell commands history size. A value of -1 means unlimited. |
| ALLOW_REBOOT | Allow/Forbid system reboot and shutdown to local users. |
| SYSLOG_WARN | Enables logging to system log. |
| CHECK_SHOSTS | Enables checking for dangerous options in users' .rhosts/.shosts files. |
| CHECK_PASSWD | Enables password-related checks, such as empty passwords and strange super-user accounts. |
| PASSWORD_HISTORY | Set the password history length to prevent password reuse. This is not supported by pam_tcb. |
| CHECK_SECURITY | Enables daily security checks. |
| ALLOW_ROOT_LOGIN | Allow/Forbid direct root login. |
| CHECK_UNOWNED | Enables checking for unowned files. |
| ALLOW_USER_LIST | Allow/Forbid the list of users on the system on display managers (kdm and gdm). |
| NOTIFY_WARN | Enables support for security notifications using libnotify. This allows the security notifications to be delivered directly to the users' desktop. |
| ALLOW_REMOTE_ROOT_LOGIN | Allow/Forbid remote root login via sshd. You can specify yes, no and without-password. See sshd_config(5) man page for more information. |
| ENABLE_MSEC_CRON | Enable/Disable msec hourly security check. |
| ENABLE_SULOGIN | Enable/Disable sulogin(8) in single user level. |
| ALLOW_XAUTH_FROM_ROOT | Allow/forbid to export display when passing from the root account to the other users. See pam_xauth(8) for more details. |
| USER_UMASK | Set the user umask. |
| ACCEPT_ICMP_ECHO | Accept/Refuse ICMP echo. |
| AUTHORIZE_SERVICES | Configure access to tcp_wrappers services (see hosts.deny(5)). If arg = yes, all services are authorized. If arg = local, only local ones are, and if arg = no, no services are authorized. In this case, to authorize the services you need, use /etc/hosts.allow (see hosts.allow(5)). |
| TTY_WARN | Enables periodic security check results to terminal. |
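
To audit which of these settings have drifted from the base level, the following added example (not part of msec or of the original page) compares security.conf with the level file named by BASE_LEVEL. It assumes both files hold plain KEY=value lines, that a setting absent from security.conf inherits the level's value, and that a missing BASE_LEVEL means standard; the function names are hypothetical.

```python
import re
from pathlib import Path

MSEC_DIR = Path("/etc/security/msec")  # directory named on the page


def parse_conf(text):
    """Parse KEY=value lines (assumed file format); skip blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def customized(current, base):
    """Map each overridden setting to (level_value, current_value).

    Assumption: a setting absent from security.conf inherits the level's value,
    so only keys present in `current` are compared. level_value is None when
    the level file does not define the setting.
    """
    return {
        key: (base.get(key), value)
        for key, value in sorted(current.items())
        if key != "BASE_LEVEL" and base.get(key) != value
    }


def audit(msec_dir=MSEC_DIR):
    """Compare security.conf with the level file that BASE_LEVEL names."""
    current = parse_conf((Path(msec_dir) / "security.conf").read_text())
    level = current.get("BASE_LEVEL", "standard")  # assumed fallback
    # The level name becomes part of a file path, so reject anything unusual.
    if not re.fullmatch(r"[A-Za-z0-9_]+", level):
        raise ValueError(f"suspicious BASE_LEVEL: {level!r}")
    base = parse_conf((Path(msec_dir) / f"level.{level}").read_text())
    return level, customized(current, base)


# Constructed sample contents, not taken from a real system.
SAMPLE_LEVEL = "ALLOW_REMOTE_ROOT_LOGIN=without-password\nCHECK_SUID_MD5=yes\n"
SAMPLE_CONF = "BASE_LEVEL=standard\nALLOW_REMOTE_ROOT_LOGIN=yes\nMAIL_USER=root\n"

if __name__ == "__main__":
    overrides = customized(parse_conf(SAMPLE_CONF), parse_conf(SAMPLE_LEVEL))
    for key, (level_value, current_value) in overrides.items():
        print(f"{key}: level={level_value!r} current={current_value!r}")
```

On a real system, call audit() as root and review every override it returns against what you intended to change.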

Files

/usr/sbin/msec The msec application responsible for security settings audit and configuration.

/usr/sbin/msecperms The msec application responsible for file and directory permission configuration and enforcement.

/usr/sbin/msecgui graphical interface to msec (available in msec-gui package).

/etc/security/msec/security.conf Contains the current security configuration.

/etc/security/msec/perms.conf Contains the current security configuration.

/etc/security/msec/level.none Contains the security configuration for none security level.

/etc/security/msec/level.standard Contains the security configuration for standard security level.

/etc/security/msec/level.secure Contains the security configuration for secure security level.

/etc/security/msec/perm.none Contains the permission configuration for none security level.

/etc/security/msec/perm.standard Contains the permission configuration for standard security level.

/etc/security/msec/perm.secure Contains the permission configuration for secure security level.
