From Mandriva

WARNING: This page was written for Mandriva Linux 8.2 and in some respects may be outdated

Contents 1 Description 2 Rules 3 Security Reports 4 Files

Description

The Mandriva security package (aka msec) is a set of tools that manages the security of the system. Mandriva offers by default 6 level of security, whose name describe their efficiency:

1. Level 0: Welcome to Crackers. This level is the least secure level and should be used with extreme caution. However, it makes the system very easy to use, and can be set if your computer is not connected to a network (Ithe Internet or a LAN); is used by only one person.
2. Level 1: Poor. Now, the system is usable by multiple users locally, but should not be used if the system is on a network (the Internet or a LAN).
3. Level 2: Low. The increased security over level 1 is that msec provides more security warnings and checks. This level is appropriate for multi-user local use.
4. Level 3: Medium. This is the recommended minimum security level for computers connected to a network. Most of the security checks are used in this level, such as checking for open ports. However, in this level, open ports are kept open and global access to them is granted, so this level, by default, is not generally good for systems connected to the internet unless you are behind a hardware firewall. This security level makes a nice base if you want to secure your system yourself by manually modifying configuration files for various services, etc. This security level is typically what most distributions use as a default (other distributions such as Red Hat or SuSE).
5. Level 4: High. This is the recommended security level for network server systems or systems permanently connected to the internet. This level will allow connections to pre-determined servers via remote, and all locally. By default, a number of services are disabled, so as an administrator you will need to enable them by hand. The security checks msec performs are more advanced as well, as indicated by the above tables.
6. Level 5: Paranoid. This is the highest security level and it locks down the entire system. All of the security checks are enabled and the administrator will have to activate ports manually to enable services, and explicitly grant access to those services.

msec is the main script of the msec package. It enables the system administrator to change the security level for that system. msec is provided with six preconfigured security levels. These levels range from poor security and ease of use, to paranoid config, suitable for very sensitive server applications.

You must be root to run msec. Launch msec x to set you security level to x (x=[0-5]). It'll modify your system according to security level x features. Called without argument, it will enforce the current security level without lowering security. All the changes are logged to syslog at the AUTH facility when called non interactivelly (by cron for example) or at the LOCAL1 facility when called interactivelly (on the command line or from Mandriva Linux Control Center for example). For a fine description of each security level, consult the documenta- tion under /usr/share/doc/msec-*/security.txt.

If you want to make changes to the current level, use /etc/security/msec/perm.local to override the permissions/owners/groups and /etc/security/msec/level.local to override the rules.

Available options

all-local-files	if is 1, consider that all the files are local.
log	if is different of syslog do not log to syslog but to the standard error output.
nolocal	do not load the /etc/security/msec/level.local rules.
non-local-fstypes	a list of non local file system types separated by spaces.
print	if is equal to 1, output the default values of the rules.
root	use as the root of the file system.

Rules

accept_bogus_error_responses(arg) 

Accept/Refuse bogus IPv4 error messages.

accept_broadcasted_icmp_echo(arg) 

Accept/Refuse broadcasted icmp echo.

accept_icmp_echo(arg) 

Accept/Refuse icmp echo.

allow_autologin(arg) 

Allow/Forbid autologin.

allow_issues(arg) 

If arg = ALL allow /etc/issue and /etc/issue.net to exist. If arg = NONE no issues are allowed else only /etc/issue is allowed.

allow_reboot(arg) 

Allow/Forbid reboot by the console user.

allow_remote_root_login(arg) 

Allow/Forbid remote root login.

allow_root_login(arg) 

Allow/Forbid direct root login.

allow_user_list(arg) 

Allow/Forbid the list of users on the system on display managers (kdm and gdm).

allow_x_connections(arg, listen_tcp=None) 

Allow/Forbid X connections. First arg specifies what is done on the client side: ALL (all connections are allowed), LOCAL (only local connection) and NONE (no connection).

allow_xserver_to_listen(arg) 

The argument specifies if clients are authorized to connect to the X server on the tcp port 6000 or not. authorize_services(arg) Authorize all services controlled by tcp_wrappers (see hosts.deny(5)) if arg = ALL. Only local ones if arg = LOCAL and none if arg = NONE. To authorize the services you need, use /etc/hosts.allow (see hosts.allow(5)).

create_server_link() 

If SERVER_LEVEL (or SECURE_LEVEL if absent) is greater than 3 in /etc/security/msec/security.conf, creates the symlink /etc/security/msec/server to point to /etc/security/msec/server. The /etc/security/msec/server is used by chkconfig --add to decide to add a service if it is present in the file during the installation of packages.

enable_at_crontab(arg) 

Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow (see man at(1) and crontab(1)).

enable_console_log(arg, expr='*.*', dev='tty12') 

Enable/Disable syslog reports to console 12. expr is the expression describing what to log (see syslog.conf(5) for more details) and dev the device to report the log.

enable_dns_spoofing_protection(arg, alert=1) 

Enable/Disable name resolution spoofing protection. If alert is true, also reports to syslog.

enable_ip_spoofing_protection(arg, alert=1) 

Enable/Disable IP spoofing protection.

enable_libsafe(arg) 

Enable/Disable libsafe if libsafe is found on the system.

enable_log_strange_packets(arg) 

Enable/Disable the logging of IPv4 strange packets.

enable_msec_cron(arg) 

Enable/Disable msec hourly security check.

enable_pam_wheel_for_su(arg) 

Enabling su only from members of the wheel group or allow su from any user.

enable_password(arg) 

Use password to authenticate users.

enable_promisc_check(arg) 

Activate/Disable ethernet cards promiscuity check.

enable_security_check(arg) 

Activate/Disable daily security check.

enable_sulogin(arg) 

Enable/Disable sulogin(8) in single user level.

no_password_aging_for(name) 

Add the name as an exception to the handling of password aging by msec.

password_aging(max, inactive=-1) 

Set password aging to max days and delay to change to inactive.

password_history(arg) 

Set the password history length to prevent password reuse.

password_length(length, ndigits=0, nupper=0) 

Set the password minimum length and minimum number of digit and minimum number of capitalized letters.

set_root_umask(umask) 

Set the root umask.

set_security_conf(var, value) 

Set the variable var to the value value in /var/lib/msec/security.conf. The best way to override the default setting is to use create /etc/security/msec/security.conf with the value you want.

The following variables are currently recognized by msec:

CHECK_UNOWNED	if set to yes, report unowned files.
CHECK_SHADOW	if set to yes, check empty password in /etc/shadow.
CHECK_SUID_MD5	if set to yes, verify checksum of the suid/sgid files.
CHECK_SECURITY	if set to yes, run the daily security checks.
CHECK_PASSWD	if set to yes, check for empty passwords, for no password in /etc/shadow and for users with the 0 id other than root.
SYSLOG_WARN	if set to yes, report check result to syslog.
CHECK_SUID_ROOT	if set to yes, check additions/removals of suid root files.
CHECK_PERMS	if set to yes, check permissions of files in the users' home.
CHKROOTKIT_CHECK	if set to yes, run chkrootkit checks.
CHECK_PROMISC	if set to yes, check if the network devices are in promiscuous mode.
RPM_CHECK	if set to yes, run some checks against the rpm database.
TTY_WARN	if set to yes, reports check result to tty.
CHECK_WRITABLE	if set to yes, check files/directories writable by everybody.
MAIL_WARN	if set to yes, report check result by mail.
MAIL_USER	if set, send the mail report to this email address else send it to root.
CHECK_OPEN_PORT	if set to yes, check open ports.
CHECK_SGID	if set to yes, check additions/removals of sgid files.
set_shell_history_size(size)	Set shell commands history size. A value of -1 means unlimited.
set_shell_timeout(val)	Set the shell timeout. A value of zero means no timeout.
set_user_umask(umask)	Set the user umask.

Security Reports

In Mandrake Control Centre --> Security --> Draksec there is a box labelled Security Administrator, and a tick box labelled Receive Alerts. Tick the box and enter a user name, and daily emails will be sent to that user analysing the security status. In order to receive the mails your mail client must be configured to 'merge' mails from the spool file. (Sylpheed for example can do this).

Alternatively enter any valid email address in the box, and so long as an SMTP mail server such as Postfix or Sendmail is running, then emails will be sent to your mail account. If you have no mail server running do not despair. Install the ssmtp RPM using Mandrake Software Manager and configure /etc/ssmtp/ssmtp.conf and you will be able to send mails.

Files

/usr/sbin/msec

/var/lib/msec/security.conf Contains the configuration of the current active security level. These settings can be overridden in /etc/security/msec/security.conf.