On Saturday 17 August 2002 22:18, Levi Ramsey wrote:
> On Sat Aug 17 12:22 -0700, Ben Reser wrote:
> > My guess is that msec actually removed the suid group flag. Are the
> > files still on your system? No matter what msec probably ought to be
> > clarified...
>
> Could we please have real msec documentation for 9.0? At least
> man-pages describing the various configuration options and the formats
> of the configuration files (or, barring that, config files with
> comments, much like apache).
I found the mseclib man page, which describes this, and used it to create a
sample /etc/security/msec.local file.
I attach it as a proposal.
> msec is one of the critical parts of a Mandrake system, especially since
> it performs system altering maintenance. To leave a user-space utility
> of its importance undocumented is unforgivable, imho.
It was not undocumented, just a little hard to find.
CU
CPHIL
--
The judge thought, impassive, "that I could be taken for a she-ape
is completely impossible"; what followed proved him wrong.
-- Georges Brassens, "Le gorille"
# DESCRIPTION
# mseclib is a python library to access the functions used by the msec
# program. These functions can be used in /etc/security/msec/level.local
# to override the behaviour of the msec program, or in standalone scripts.
# The first argument of the functions takes a value of 1 or 0 or -1 (or
# yes/no/ignore) except when specified otherwise.
# IMPORTANT NOTE : Values shown in this file DO NOT reflect the default values
# of your system, as those values are controlled by your msec level.
# The values proposed are just a guess of what you may want when editing this file.
from mseclib import *
# Accept/Refuse bogus IPv4 error messages.
# accept_bogus_error_responses('no')
# Accept/Refuse broadcasted icmp echo.
# accept_broadcasted_icmp_echo('no')
# Accept/Refuse icmp echo.
# accept_icmp_echo('no')
# Allow/Forbid autologin.
# allow_autologin('no')
# If arg = ALL, allow /etc/issue and /etc/issue.net to exist. If arg =
# NONE, no issue files are allowed; otherwise only /etc/issue is allowed.
# allow_issues('ALL')
# Allow/Forbid reboot by the console user.
# allow_reboot('no')
# Allow/Forbid remote root login.
# allow_remote_root_login('no')
# Allow/Forbid direct root login.
# allow_root_login('yes')
# Allow/Forbid the list of users on the system on display managers
# (kdm and gdm).
# allow_user_list('no')
# Allow/Forbid X connections. The first argument specifies what is done on
# the client side: ALL (all connections are allowed), LOCAL (only local
# connections) or NONE (no connections).
# The second argument is "listen_tcp".
# allow_x_connections('LOCAL', None)
# The argument specifies whether clients are authorized to connect to the X
# server on TCP port 6000 or not.
# allow_xserver_to_listen('yes')
# Authorize all services controlled by tcp_wrappers (see
# hosts.deny(5)) if arg = ALL. Only local ones if arg = LOCAL and
# none if arg = NONE. To authorize the services you need, use
# /etc/hosts.allow (see hosts.allow(5)).
# authorize_services('LOCAL')
# If SERVER_LEVEL (or SECURE_LEVEL if absent) is greater than 3 in
# /etc/security/msec/security.conf, creates the symlink
# /etc/security/msec/server pointing to
# /etc/security/msec/server.<SERVER_LEVEL>. The /etc/security/msec/server
# file is used by chkconfig --add to decide whether to add a service, if it
# is present in the file, during the installation of packages.
# create_server_link('yes')
# Enable/Disable crontab and at for users. Put allowed users in
# /etc/cron.allow and /etc/at.allow (see man at(1) and crontab(1)).
# enable_at_crontab('yes')
# Enable/Disable syslog reports to console 12. expr is the expression
# describing what to log (see syslog.conf(5) for more details) and
# dev the device to report the log to.
# enable_console_log(arg, expr='*.*', dev='tty12')
# enable_console_log('yes', '*.*','tty12')
# Enable/Disable name resolution spoofing protection. If alert is
# true, also reports to syslog.
# enable_dns_spoofing_protection(arg, alert=1)
# enable_dns_spoofing_protection('yes', 1)
# Enable/Disable libsafe if libsafe is found on the system.
# enable_libsafe('yes')
# Enable/Disable the logging of IPv4 strange packets.
# enable_log_strange_packets('yes')
# Enable/Disable msec hourly security check.
# enable_msec_cron('yes')
# Enable su only for members of the wheel group, or allow su from
# any user.
# enable_pam_wheel_for_su('no')
# Use passwords to authenticate users.
# enable_password('yes')
# Enable/Disable the ethernet card promiscuous-mode check.
# enable_promisc_check('yes')
# Activate/Disable daily security check.
# enable_security_check('yes')
# Enable/Disable sulogin(8) in single user level.
# enable_sulogin('yes')
# Add the named user as an exception to the handling of password aging by
# msec.
# no_password_aging_for('nobody')
# Set password aging to max days, and the delay before the account is set
# inactive to inactive.
# password_aging(max, inactive=-1)
# password_aging(60, -1)
# Set the password history length to prevent password reuse.
# password_history('yes')
# Set the password minimum length, minimum number of digits and
# minimum number of capitalized letters.
# password_length(length, ndigits=0, nupper=0)
# password_length(8, 0, 0)
# Set the root umask.
# set_root_umask(077)
# Set the variable var to the value value in
# /var/lib/msec/security.conf. The best way to override the default
# setting is to create /etc/security/msec/security.conf with the value you want.
# set_security_conf(var, value)
# CHECK_UNOWNED if set to yes, report unowned files.
# set_security_conf('CHECK_UNOWNED', 'yes')
#
# CHECK_SHADOW if set to yes, check for empty passwords in /etc/shadow.
# set_security_conf('CHECK_SHADOW', 'yes')
#
# CHECK_SUID_MD5 if set to yes, verify the checksums of the suid/sgid
# files.
# set_security_conf('CHECK_SUID_MD5', 'yes')
#
# CHECK_SECURITY if set to yes, run the daily security checks.
# set_security_conf('CHECK_SECURITY', 'yes')
#
# CHECK_PASSWD if set to yes, check for empty passwords, for a password
# in /etc/passwd that should be in /etc/shadow, and for other users with
# id 0.
# set_security_conf('CHECK_PASSWD', 'yes')
#
# SYSLOG_WARN if set to yes, report check results to syslog.
# set_security_conf('SYSLOG_WARN', 'yes')
#
# CHECK_SUID_ROOT if set to yes, check additions/removals of suid
# root files.
# set_security_conf('CHECK_SUID_ROOT', 'yes')
#
# CHECK_PERMS if set to yes, check permissions of files in the users'
# home directories.
# set_security_conf('CHECK_PERMS', 'yes')
#
# CHKROOTKIT_CHECK if set to yes, run chkrootkit checks.
# set_security_conf('CHKROOTKIT_CHECK', 'yes')
#
# CHECK_PROMISC if set to yes, check if the network devices are in
# promiscuous mode.
# set_security_conf('CHECK_PROMISC', 'yes')
#
# RPM_CHECK if set to yes, run some checks against the rpm database.
# set_security_conf('RPM_CHECK', 'yes')
#
# TTY_WARN if set to yes, report check results to the tty.
# set_security_conf('TTY_WARN', 'yes')
#
# CHECK_WRITEABLE if set to yes, check for files/directories writable by
# everybody.
# set_security_conf('CHECK_WRITEABLE', 'yes')
#
# MAIL_WARN if set to yes, report check results by mail.
# set_security_conf('MAIL_WARN', 'yes')
#
# MAIL_USER if set, send the mail report to this email address, else
# send it to root.
# set_security_conf('MAIL_USER', 'not_root')
#
# CHECK_OPEN_PORT if set to yes, check open ports.
# set_security_conf('CHECK_OPEN_PORT', 'yes')
#
# CHECK_SUID_GROUP if set to yes, check additions/removals of sgid
# files.
# set_security_conf('CHECK_SUID_GROUP', 'yes')
# Set the shell command history size. A value of -1 means unlimited.
# set_shell_history_size(1000)
# Set the shell timeout. A value of zero means no timeout.
# set_shell_timeout(1200)
# Set the user umask.
# set_user_umask(022)
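A dry-run helper for a file like the one above, added here as an example that is not part of the original message or of msec itself: it executes an msec.local against a stub mseclib that only records each call and canonicalises the first argument per the header's convention (1/0/-1 or yes/no/ignore, or ALL/LOCAL/NONE for the three scope functions), so a proposed override file can be reviewed before it is installed. The function list, the SCOPE_FUNCS/FREE_FUNCS split and the SAMPLE input are my assumptions drawn from the comments above, and the code assumes Python 3.

```python
import builtins
import types
# Function names documented in the sample msec.local above (Mandrake 9.0 mseclib).
MSECLIB_FUNCS = """accept_bogus_error_responses accept_broadcasted_icmp_echo accept_icmp_echo
allow_autologin allow_issues allow_reboot allow_remote_root_login allow_root_login
allow_user_list allow_x_connections allow_xserver_to_listen authorize_services
create_server_link enable_at_crontab enable_console_log enable_dns_spoofing_protection
enable_libsafe enable_log_strange_packets enable_msec_cron enable_pam_wheel_for_su
enable_password enable_promisc_check enable_security_check enable_sulogin
no_password_aging_for password_aging password_history password_length set_root_umask
set_security_conf set_shell_history_size set_shell_timeout set_user_umask""".split()
# First arg: ALL/LOCAL/NONE for SCOPE_FUNCS, free (name/number) for FREE_FUNCS, else 1/0/-1 or yes/no/ignore.
SCOPE_FUNCS = {'allow_issues', 'allow_x_connections', 'authorize_services'}
FREE_FUNCS = {'no_password_aging_for', 'password_aging', 'password_history',
              'password_length', 'set_root_umask', 'set_security_conf',
              'set_shell_history_size', 'set_shell_timeout', 'set_user_umask'}
SWITCH = {1: 'yes', 0: 'no', -1: 'ignore', 'yes': 'yes', 'no': 'no', 'ignore': 'ignore'}

def normalise(func, value):
    # Canonicalise a first argument, rejecting anything outside the documented set.
    if func in FREE_FUNCS:
        return value
    if func in SCOPE_FUNCS:
        if str(value).upper() not in ('ALL', 'LOCAL', 'NONE'):
            raise ValueError('%s: expected ALL/LOCAL/NONE, got %r' % (func, value))
        return str(value).upper()
    key = value.lower() if isinstance(value, str) else value
    if key not in SWITCH:
        raise ValueError('%s: expected yes/no/ignore or 1/0/-1, got %r' % (func, value))
    return SWITCH[key]

def dry_run(source):
    # Execute the file against a stub mseclib that only records calls; the host is untouched.
    calls, stub = [], types.ModuleType('mseclib')
    for name in MSECLIB_FUNCS:
        def record(*args, _name=name, **kwargs):
            args = (normalise(_name, args[0]),) + args[1:] if args else args
            calls.append((_name, args, kwargs))
        setattr(stub, name, record)
    fake_import = lambda name, *a, **k: (stub if name == 'mseclib'
                                          else builtins.__import__(name, *a, **k))
    exec(compile(source, '<msec.local>', 'exec'),
         {'__builtins__': dict(vars(builtins), __import__=fake_import)})
    return calls
# Constructed sample, not any real system's file (umask left out: 077 is Python 2 syntax).
SAMPLE = """from mseclib import *
allow_remote_root_login(0)
authorize_services('local')
enable_console_log('yes', '*.*', dev='tty12')"""
```

An unknown function name in the file surfaces as a NameError from the stub, which is the same error the real library would give for a typo.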