On Fri, 2002-02-08 at 04:20, Pixel wrote:
> Bryan Paxton <[EMAIL PROTECTED]> writes:
>
> AFAIK, there's not much difference between level 2 and 3 with current msec.
> The major differences:
> - X port 6000 is closed in level 3 (and i won't accept a default install which
> breaks xhost +foobox)
Leaving it open is highly insecure (DoS attacks mostly). This was being discussed on
discuss@; however, QA needs to be done, simply because you're right
(though you didn't specifically say so): some X11 apps will get cranky if
they're not able to auth themselves (which is a good thing(tm)).
Though, I have yet to run into any app that will only complain in the
background, but still run perfectly fine...
> - ssh-server allows login as root in level 2
HIGHLY insecure... Allowing remote root login on any service is BAD BAD
BAD. ssh is the Secure Shell, but the past has proven that it has been
vulnerable to attacks, and we will see more in the future.
Plus, given the primary audience which mdk is aimed at, it just doesn't make
any friggin sense.
I was/am asking that PermitRootLogin be set to No in all levels...
Some other diffs between level 2 and 3:
--- perm.2 Mon Jan 28 12:09:34 2002
+++ perm.3 Mon Jan 28 12:09:34 2002
@@ -1,6 +1,6 @@
-# Welcome in Level 2
+# Welcome in Level 3
###
-/ root.root
755
+/ root.adm
755
/bin/ root.root
755
/bin/ping root.root
4755
/bin/rpm rpm.rpm
755
@@ -35,7 +35,7 @@
/etc/profile.d/* root.root
755
/etc/rc.d/ root.root
755
/etc/rc.d/init.d/ root.root
755
-/etc/rc.d/init.d/* root.root
744
+/etc/rc.d/init.d/* root.root
700
/etc/rc.d/init.d/mandrake_consmap root.root
644
/etc/securetty root.root
644
/etc/sendmail.cf root.mail
644
@@ -45,10 +45,10 @@
/etc/ssh/ssh_host_*key.pub root.root
644
/etc/ssh/sshd_config root.root
644
/etc/sysconfig root.root
755
-/etc/syslog.conf root.root
644
+/etc/syslog.conf root.adm
640
/etc/updatedb.conf root.root
644
/home/ root.root
755
-/home/* current
755
+/home/* current
711
/lib/ root.root
755
/mnt/ root.root
755
/proc root.root
555
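Review bot: Level 3 gives the adm group read access to `/etc/syslog.conf` (`root.adm 640`, this hunk) while the last hunk takes it away from the top-level log files (`/var/log/*` goes from `root.adm` to `root.root`), and nothing in perm.3 says that this swap is intended. If members of adm are still expected to review logs at level 3, the entry should stay `/var/log/* root.adm 640`. If root-only logs are the goal, a comment above that entry such as `# level 3: top-level logs are readable by root only` would record it. The `/var/log/*/*` entries use `current`, which presumably keeps the existing owner, so nested log files are probably not covered by either setting.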
@@ -77,7 +77,7 @@
/var/ root.root
755
/var/lock/subsys root.root
755
/var/log/ root.root
755
-/var/log/* root.adm
640
+/var/log/* root.root
640
/var/log/*/* current
640
/var/log/*/*/* current
640
/var/log/*/. current
755
Not too much there, but still, differences...
Below are some more differences (from the original msec shell scripts,
not sure how much diff is in the python code):
--- level2.sh Sun Dec 2 00:03:03 2001
+++ level3.sh Sun Dec 2 00:03:03 2001
@@ -6,7 +6,6 @@
#
-
if [[ -f /usr/share/msec/lib.sh ]]; then
. /usr/share/msec/lib.sh
else
@@ -14,89 +13,91 @@
exit 1
fi
-# login as root on console granted...
-echo "Login as root is granted :"
+echo "Loging all messages on tty12 : "
+AddRules "*.* /dev/tty12" /etc/syslog.conf
+
+# login as root from the console allowed
+echo "Login as root is allowed (on the console) : "
AddRules "tty1" /etc/securetty quiet
AddRules "tty2" /etc/securetty quiet
AddRules "tty3" /etc/securetty quiet
AddRules "tty4" /etc/securetty quiet
AddRules "tty5" /etc/securetty quiet
-AddRules "tty6" /etc/securetty
+AddRules "tty6" /etc/securetty
AddRules "vc/1" /etc/securetty quiet
AddRules "vc/2" /etc/securetty quiet
AddRules "vc/3" /etc/securetty quiet
AddRules "vc/4" /etc/securetty quiet
AddRules "vc/5" /etc/securetty quiet
-AddRules "vc/6" /etc/securetty
+AddRules "vc/6" /etc/securetty
# Security check
echo "Updating file check variable : "
echo -e "\t- Check security : yes."
AddRules "CHECK_SECURITY=yes" /etc/security/msec/security.conf quiet
-echo -e "\t- Check important permissions : no."
- AddRules "CHECK_PERMS=no" /etc/security/msec/security.conf quiet
+echo -e "\t- Check important permissions : yes."
+ AddRules "CHECK_PERMS=yes" /etc/security/msec/security.conf quiet
+
echo -e "\t- Check suid root file : yes."
AddRules "CHECK_SUID_ROOT=yes" /etc/security/msec/security.conf quiet
echo -e "\t- Check suid root file integrity (backdoor check) : yes."
AddRules "CHECK_SUID_MD5=yes" /etc/security/msec/security.conf quiet
echo -e "\t- Check suid group file : yes."
- AddRules "CHECK_SUID_GROUP=no" /etc/security/msec/security.conf quiet
+ AddRules "CHECK_SUID_GROUP=yes" /etc/security/msec/security.conf quiet
echo -e "\t- Check world writable file : yes."
AddRules "CHECK_WRITEABLE=yes" /etc/security/msec/security.conf quiet
echo -e "\t- Check unowned file : no."
AddRules "CHECK_UNOWNED=no" /etc/security/msec/security.conf quiet
echo -e "\t- Check promiscuous mode : no."
- AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check listening port : no."
- AddRules "CHECK_OPEN_PORT=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check passwd file integrity : no."
- AddRules "CHECK_PASSWD=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Check shadow file integrity : no."
- AddRules "CHECK_SHADOW=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning on tty : no."
+ AddRules "CHECK_PROMISC=no" /etc/security/msec/security.conf quiet
+echo -e "\t- Check listening port : yes."
+ AddRules "CHECK_OPEN_PORT=yes" /etc/security/msec/security.conf quiet
+echo -e "\t- Check passwd file integrity : yes."
+ AddRules "CHECK_PASSWD=yes" /etc/security/msec/security.conf quiet
+echo -e "\t- Check shadow file integrity : yes."
+ AddRules "CHECK_SHADOW=yes" /etc/security/msec/security.conf quiet
+echo -e "\t- Security warning on tty : yes."
AddRules "TTY_WARN=no" /etc/security/msec/security.conf quiet
-echo -e "\t- Security warning by mail : no."
- AddRules "MAIL_WARN=no" /etc/security/msec/security.conf quiet
+echo -e "\t- Security warning by mail : yes."
+ AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf quiet
+ AddRules "MAIL_USER=root" /etc/security/msec/security.conf quiet
echo -e "\t- Security warning in syslog : yes."
AddRules "SYSLOG_WARN=yes" /etc/security/msec/security.conf
# end security check
-export SECURE_LEVEL=2
-echo "Setting secure level variable to 2 :"
-AddRules "SECURE_LEVEL=2" /etc/sysconfig/msec
+# Crontab
+echo "Adding permission check in crontab (scheduled every midnight) :"
+AddRules "0 4 * * * root /usr/share/msec/security.sh" /etc/crontab
+
+export SECURE_LEVEL=3
+echo "Setting secure level variable to 3 :"
+AddRules "SECURE_LEVEL=3" /etc/sysconfig/msec
echo "Setting umask to 022 (u=rw,g=r,o=r) :"
AddRules "UMASK_ROOT=022" /etc/sysconfig/msec
AddRules "UMASK_USER=022" /etc/sysconfig/msec
-# Xserver
-echo "Allowing users to connect X server from localhost :"
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit.d/msec
-
-# group
-echo "Adding system users to specifics groups :"
-/usr/share/msec/grpuser.sh --refresh
-grpconv
-echo -e "done.\n"
-
# icmp echo
echo "Enabling icmp echo :"
AddRules "net.ipv4.icmp_echo_ignore_all=0" /etc/sysctl.conf
-AddRules "net.ipv4.icmp_echo_ignore_broadcasts=0" /etc/sysctl.conf
+AddRules "net.ipv4.icmp_echo_ignore_broadcasts=1" /etc/sysctl.conf
# bad error
-echo "Disabling bad error message Protection :"
-AddRules "net.ipv4.icmp_ignore_bogus_error_responses=0" /etc/sysctl.conf
+echo "Enabling bad error message Protection :"
+AddRules "net.ipv4.icmp_ignore_bogus_error_responses=1" /etc/sysctl.conf
# log strange packets
-echo "Disabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :"
-AddRules "net.ipv4.conf.all.log_martians=0" /etc/sysctl.conf
+echo "Enabling logging Spoofed Packets, Source Routed Packets, Redirect Packets :"
+AddRules "net.ipv4.conf.all.log_martians=1" /etc/sysctl.conf
LoadSysctl
-AllowAutologin
-
# Do not boot on a shell
AllowReboot
+
+ForbidAutologin
+
+# Group were modified in lib.sh...
+grpconv
+
AllowUserList
-RootSshLogin 2
+RootSshLogin 3
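Review bot: The new message "Security warning on tty : yes." is still followed by `AddRules "TTY_WARN=no" ...`, so level 3 announces tty warnings while writing the value that, going by its name, turns them off; the rule should read `AddRules "TTY_WARN=yes" /etc/security/msec/security.conf quiet`. The crontab message says "scheduled every midnight", but the entry `0 4 * * *` runs at 04:00, so either the schedule or the text needs correcting, e.g. `echo "Adding permission check in crontab (scheduled every day at 04:00) :"`. The added `*.* /dev/tty12` rule copies every syslog facility, authentication messages included, to a console that anyone at the keyboard can switch to. A comment such as `# intentional: all syslog output is mirrored to tty12 for local monitoring` would make that trade-off explicit. `AddRules` comes from lib.sh, outside this hunk, so how it treats a `TTY_WARN` line already present in security.conf cannot be checked here.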
Aside from the two you already mentioned, there are some other differences there.
Some important ones are:
ForbidAutoLogin
Some of the sysctl kernel options regarding ip packets.
umask defaults
And the security checks
There are a few other changes in there, which do boost security a lil
more, but aren't too important.
Cheers
--
Bryan Paxton
Public PGP key: http://www.deadhorse.net/bpaxton.gpg
"Winning gives birth to hostility. Losing, one lies down in pain. The
calmed
lie down with ease, having set winning & losing aside."
Dhp. 201