On Sun, 2002-11-03 at 09:57, Rod Giffin wrote:
> On Sun, 2002-11-03 at 11:55, Jack Coates wrote:
> > On Sun, 2002-11-03 at 07:18, Rod Giffin wrote:
> > > On Sun, 2002-11-03 at 09:11, . wrote:
> > > > I could use some help with msec. I found in the documentation how
> > > > you can use the /etc/security/msec/perm.local file to allow for
> > > > modifying permissions of a file. My problem is with modifying a file.
> > > > I've got a firewall running at security level 3. I want to modify some
> > > > files like /etc/syslogd.conf and /etc/issue{.net}; however, msec keeps
> > > > "undoing" my changes.
> > > >
> > > > Any help would be greatly appreciated.
> > >
> > > I've got the same problem I think. It appears to me that msec and
> > > shorewall for instance, work against each other. I think the idea
> > > behind msec is good, but somehow I think its default configuration is a
> > > little overboard.
> > >
> > > Rod.
> > >
> >
> > Haven't had any problems here -- what are you seeing?
>
> I'm now sure that I should not have included Shorewall in the statement
> above. It is working as advertised. It's msec I'm having the biggest
> problem with.
>
> Just for example, during the install process (and afterwards in the
> configuration center) I told the system I wanted higher security - the
> instructions say that this is sufficient security for a server connected
> to the internet. Apparently you can't believe everything you read,
> because that setting causes the line: ALL:ALL EXCEPT 127.0.0.1:DENY
> to be added to hosts.deny. That is inappropriate for a server that
> might, say, be used as a dns/e-mail server. I haven't found out where to
> change this yet, and any changes I make in that file are commented out by
> crond's msec scripts every hour.
Heh :-) I definitely agree that the descriptions could use a little
toning down. Level 3 is perfectly acceptable for a system connected to
the Internet if you're also using shorewall and iptables. Levels 4 and 5
are an exercise in masochism and I only use them for building chroot
servers, honeypots, IDS nodes, things like that. They'd be worth
investigating for a server where you give shell to lots of untrusted
users.
>
> Short of removing the msec's scripts from crond, which is also self
> defeating, I'm at a loss. There is a bit of documentation on msec on
> www.mandrakesecure.net, but the fix for my problem isn't exactly jumping
> off of the page at me. At the moment, the only solution I can see is
> changing the security level from 4 back to 2 and hope Shorewall drops
> any unwanted traffic on the floor. At least it will allow my remote
> users to retrieve their e-mail, and my dns will work.
>
You can make permanent detailed changes to its behavior by editing the
/usr/share/msec/perm.[level] files. Some high-level stuff can be changed
in /etc/sysconfig/msec, but the perm files are where you really
customize behaviour (for instance if you want a shared GID-writable
directory under /home you'll need to change the policy file).
> One other issue I had was with the Postfix install, but I've installed
> drakwizard on a test system here and see that the wizard provides the
> proper postfix configuration files. I don't actually have the time
> anymore to figure out what it adds, so I'm going to have to drive to my
> system (20 miles away) and install and run the wizard manually rather
> than by webmin or ssh. Very disappointing. I use Mandrake specifically
> because it has been easy to administer remotely.
>
> Rod.
Huh? I've never used the wizard for postfix, so I can't say what it does
or doesn't do, but you shouldn't need to drive to a server to install
software or configure it -- have you tried urpmi? Anyway, postfix's
config file is very clear and easy to work with, and the defaults are
quite sane.
--
Jack Coates
Monkeynoodle: A Scientific Venture...