On Sun, 2002-11-03 at 09:57, Rod Giffin wrote:
> On Sun, 2002-11-03 at 11:55, Jack Coates wrote:
> > On Sun, 2002-11-03 at 07:18, Rod Giffin wrote:
> > > On Sun, 2002-11-03 at 09:11, . wrote:
> > > > I could use some help with msec. I found in the documentation how
> > > > you can use the /etc/security/msec/perm.local file to allow for
> > > > modifying permissions of a file. My problem is with modifying a file.
> > > > I've got a firewall running at security level 3. I want to modify
> > > > some files like /etc/syslogd.conf and /etc/issue{.net}; however, msec
> > > > keeps "undoing" my changes.
> > > >
> > > > Any help would be greatly appreciated.
> > >
> > > I've got the same problem I think. It appears to me that msec and
> > > shorewall for instance, work against each other. I think the idea
> > > behind msec is good, but somehow I think its default configuration is a
> > > little overboard.
> > >
> > > Rod.
> >
> > Haven't had any problems here -- what are you seeing?
>
> I'm now sure that I should not have included Shorewall in the statement
> above. It is working as advertised. It's msec I'm having the biggest
> problem with.
>
> Just for example, during the install process (and afterwards in the
> configuration center) I told the system I wanted higher security - the
> instructions say that this is sufficient security for a server connected
> to the internet. Apparently you can't believe everything you read,
> because that setting causes the line: ALL:ALL EXCEPT 127.0.0.1:DENY
> to be added to hosts.deny. That is inappropriate for a server that
> might, say, be used as a dns/e-mail server. I haven't found out where to
> change this yet, and any change I make in that file is commented out by
> crond's msec scripts every hour.
Heh :-) I definitely agree that the descriptions could use a little
toning down. Level 3 is perfectly acceptable for a system connected to
the Internet if you're also using shorewall and iptables. Levels 4 and 5
are an exercise in masochism and I only use them for building chroot
servers, honeypots, IDS nodes, things like that. They'd be worth
investigating for a server where you give shell to lots of untrusted
users.

> Short of removing msec's scripts from crond, which is also self
> defeating, I'm at a loss. There is a bit of documentation on msec on
> www.mandrakesecure.net, but the fix for my problem isn't exactly jumping
> off of the page at me. At the moment, the only solution I can see is
> changing the security level from 4 back to 2 and hope Shorewall drops
> any unwanted traffic on the floor. At least it will allow my remote
> users to retrieve their e-mail, and my dns will work.

You can make permanent detailed changes to its behavior by editing the
/usr/share/msec/perm.[level] files. Some high-level stuff can be changed
in /etc/sysconfig/msec, but the perm files are where you really
customize behaviour (for instance if you want a shared GID-writable
directory under /home you'll need to change the policy file).

> One other issue I had was with the Postfix install, but I've installed
> drakwizard on a test system here and see that the wizard provides the
> proper postfix configuration files. I don't actually have the time
> anymore to figure out what it adds, so I'm going to have to drive to my
> system (20 miles away) and install and run the wizard manually rather
> than by webmin or ssh. Very disappointing. I use Mandrake specifically
> because it has been easy to administer remotely.
>
> Rod.

Huh? I've never used the wizard for postfix, so I can't say what it does
or doesn't do, but you shouldn't need to drive to a server to install
software or configure it -- have you tried urpmi?
Anyway, postfix's config file is very clear and easy to work with, and
the defaults are quite sane.
--
Jack Coates
Monkeynoodle: A Scientific Venture...
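As an added illustration that is not part of this thread, the sketch below (my own, deliberately simplified model of the tcp_wrappers access check; the hosts.allow and hosts.deny contents are constructed) shows why the hosts.deny line Rod quotes refuses every non-local client of a wrapped daemon unless hosts.allow names that client first. It models only ALL, exact IPs, the EXCEPT operator and the ALLOW/DENY option, not the full libwrap syntax.

```shell
# Added example, not from the thread: a small model of how tcp_wrappers reads
# hosts.allow and then hosts.deny, to show what msec's "ALL:ALL EXCEPT
# 127.0.0.1:DENY" line means for remote clients of wrapped daemons.
# Assumption: only ALL, exact IPs, EXCEPT and the ALLOW/DENY option are
# modelled; real libwrap syntax (netmasks, hostnames, spawn/twist) is omitted.
# Constructed sample contents of the two files (not copied from any system).
HOSTS_ALLOW='sshd: 192.0.2.10'
HOSTS_DENY='ALL:ALL EXCEPT 127.0.0.1:DENY'

# trim FIELD: collapse surrounding and repeated whitespace in one field.
trim() { set -- $1; printf '%s' "$*"; }

# list_matches LIST VALUE: succeed if VALUE is covered by LIST, which may be
# "ALL", a space-separated set of items, or "LIST EXCEPT LIST".
list_matches() {
    local list="$1" value="$2" head tail item
    case "$list" in
        *" EXCEPT "*)
            head=${list%% EXCEPT *}; tail=${list#* EXCEPT }
            list_matches "$head" "$value" && ! list_matches "$tail" "$value"
            return ;;
    esac
    for item in $list; do
        if [ "$item" = ALL ] || [ "$item" = "$value" ]; then return 0; fi
    done
    return 1
}

# scan_rules CONTENT DAEMON CLIENT DEFAULT: print the verdict (ALLOW/DENY) of
# the first matching "daemons : clients [: option]" line, or nothing at all.
scan_rules() {
    local content="$1" daemon="$2" client="$3" default="$4"
    printf '%s\n' "$content" | while IFS=: read -r daemons clients option; do
        daemons=$(trim "$daemons"); clients=$(trim "$clients"); option=$(trim "$option")
        case "$daemons" in ''|'#'*) continue ;; esac
        if list_matches "$daemons" "$daemon" && list_matches "$clients" "$client"; then
            echo "${option:-$default}"; break
        fi
    done
}

# access_decision DAEMON CLIENT: hosts.allow is consulted first, then
# hosts.deny; a client matching neither file is allowed.
access_decision() {
    local verdict
    verdict=$(scan_rules "$HOSTS_ALLOW" "$1" "$2" ALLOW)
    [ -n "$verdict" ] || verdict=$(scan_rules "$HOSTS_DENY" "$1" "$2" DENY)
    echo "${verdict:-ALLOW}"
}

for pair in "sshd 192.0.2.10" "smtpd 127.0.0.1" "smtpd 203.0.113.7"; do
    echo "$pair -> $(access_decision $pair)"   # ALLOW, ALLOW, DENY
done
```

With that deny line in place, only clients explicitly listed in hosts.allow (or loopback) reach a wrapped service, which is exactly what a remote POP or DNS client would run into.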