Vandoorselaere Yoann (author of MSEC) wrote:

> > Saturday I saw many postings identical
> > to my problem on DejaNews when searching on 'squid and permission'.
>
> Oh oh :)
> I think I know the problem you have got :)
>
> >
> > Additionally, would you advise using LIDS (
> > http://www.soaring-bird.com.cn/oss_proj/lids/ ) on Mandrake 7.0.2
> > server:high, or does MSEC do essentially the same thing?
>
> No,
> I don't really agree with putting security stuff inside
> the kernel which could be done in user space.
> Also, if one of the features of LIDS is really useful
> and doesn't blow things up, it will clearly be integrated into the
> main kernel tree.
>
> LIDS does not necessarily do intrusion detection.
> It prevents.
>
> If you want a good intrusion detection system,
> go to http://prelude.sourceforge.net.
>
> This is a project I have been working on personally for 2 years now,
> and which is now sponsored by Mandrakesoft.
>
> When it is ready, it should beat all currently existing IDSs :-)
>
> > --
> > Carl A. Cook
> > [EMAIL PROTECTED]
> >
> > Help,   I've fallen and I can't get up!
>
> ouch
>
> >
> >
> > Looks like MSEC is a great idea.  I just installed Mandrake
> > 7.0.2 and set to server:highsecurity.  (for my firewall)
> thanks :)
>
> >
> > But am having a problem with Squid...  it can't get to the access.log,
> > and further investigation shows it can't access the cache.log either.
> > (permissions problem)  I can squid -z  though.
>
> try:
>
> chmod 711 /var/log
> chown root.root /var/log
>
> and if it doesn't work,
> file a *real* bug report with the squid logfile.
> (just the interesting part)
>
> >
> > I have set the log & spool directories' permissions to global
> > everything.  I changed squid.conf 'cache effective user' and 'group' to
> > squid:squid and to nobody:nogroup, each time chowning the log & cache
> > dir to match, and no effect on the problem.  Squid will not run.
> >
> > I think this MSEC has everything to do with the problem, but can't
> > figure out how.  It doesn't seem to have a daemon; (is it a kernel
> > patch?
> nope
>
> > Some 'invisible hand' is affecting me and not leaving any hints)   Only
> > two terse setup proggies & sparse docs.  I find
> > /etc/security/msec/user.conf has two usernames in it... <mine> & samba.
> > But when I manually add squid, it doesn't help.  When I enable squid for
> > levels 3, 4, & 5 using chkconfig it doesn't help.  (And why are levels 0-6
> > available?  What are they...  MSEC, or services levels?)
>
> Don't touch these files,
> the problem isn't related to them.
>
> >
> > Also Netscape always segfaults, possibly because it can't write to its
> > config directory.  (permissions?)
>
> uhhh.
> Never *ever* put high security on a workstation!
> I've already said it: system security 5 is paranoia mode :)
>
> >
> > And xfs will not recognize a new ttf dir,  when installed with
> > chkfontpath.  (permissions?)   Sometimes xfs won't start at all and causes
> > X to crash on startup with "could not find 'fixed' font".  That problem
> > has spontaneously healed... twice.
>
> Please give a real report;
> just saying so will not fix it.
>
> I need a dump of what X / xfs are saying.
>
> >
> > I have httpd nicely routed through TCPWrappers and the inside machines
> > can see it, but noone outside can.  (permissions again?)
>
> Please give a more detailed report.
> Do you have some useful logs?
>
> >
> > And why  CAN  I ping my firewall's outside interface from an inside
> > machine, with firewalling, masquerading, & ip_forwarding OFF??!!  What's
>
> Are you sure IP forwarding is off?
> I'm not...
>
> Just do:
>
> cat /proc/sys/net/ipv4/ip_forward
>
> and give me the result back.
>
> >
> > moving packets between inside and outside interfaces?
> > I think I must not be filtering packets!
>
> msec doesn't configure your firewall,
> you have to do it yourself.
>
> >
> > I can't prove whether selecting 'high' security makes it MSEC level 3,
> > or 4.
>
> It is 4.
>
> see ya
>
> --
>                    -- Yoann,  http://prelude.sourceforge.net
>      It is well known that M$ products don't call free() after a malloc().
>      The Unix community wishes them good luck for their future developments.
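
The two checks Yoann asks for above, whether a directory on the way to the squid log is not searchable by the daemon's user (the reason behind "chmod 711 /var/log") and what /proc/sys/net/ipv4/ip_forward actually says, as one POSIX shell script. This is an added example written for this page, not msec, squid or Mandrake code; the script name, the function names and the sample directory tree are my own assumptions, and it looks at mode bits only (no ACLs).

```shell
#!/bin/sh
# check_daemon_paths.sh (example, not part of msec or squid).
#  1. Which directory between "/" and a daemon's log file lacks the "other"
#     search bit? A daemon running as squid or nobody cannot open
#     /var/log/squid/access.log if /var/log is mode 700, however permissive
#     the file itself is; "chmod 711 /var/log" is the fix given above.
#  2. Is IP forwarding really off? Read /proc/sys/net/ipv4/ip_forward.
# Assumptions: mode bits only (no ACLs), the daemon user is neither the
# owner nor in the group of the directories, and paths are absolute.

# mode_of: the ten-character mode string of a path, e.g. "drwx--x--x".
# cut keeps only those ten characters, dropping any ACL/SELinux marker.
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# other_has_search: succeed if the "other" execute (search) bit is set.
# "t" is sticky plus execute; "T" would be sticky without execute.
other_has_search() {
    case "$(mode_of "$1")" in
        *x|*t) return 0 ;;
        *) return 1 ;;
    esac
}

# blocked_ancestors PATH [STOP]: print "MODE DIR" for every directory from
# PATH (or its parent, when PATH is a file) upward that "other" cannot
# search, stopping before STOP (default "/"). Prints nothing when the whole
# chain is traversable. A missing directory is reported as "(missing)".
blocked_ancestors() {
    dir=$1
    stop=${2:-/}
    [ -d "$dir" ] || dir=$(dirname "$dir")
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        if ! other_has_search "$dir"; then
            m=$(mode_of "$dir")
            printf '%s %s\n' "${m:-(missing)}" "$dir"
        fi
        dir=$(dirname "$dir")
    done
}

# ip_forward_state [FILE]: print "on" or "off" from the sysctl file; a
# different FILE may be passed when testing on a machine without /proc.
ip_forward_state() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    if [ ! -r "$f" ]; then
        echo unknown
        return 2
    fi
    if [ "$(cat "$f")" = "1" ]; then
        echo on
    else
        echo off
    fi
}

# Usage: sh check_daemon_paths.sh /var/log/squid/access.log
if [ $# -gt 0 ]; then
    echo "ip_forward: $(ip_forward_state)"
    echo "directories on the way to $1 that 'other' cannot search:"
    blocked_ancestors "$1"
fi
```

If the script lists /var/log, that is the case the reply above describes: the daemon can create its cache with squid -z (it runs as root then) but cannot traverse /var/log once it has dropped to its effective user, so chowning the log files themselves changes nothing. Giving the directory mode 711 lets any user pass through it without being able to list it, which is why that, and not 755 or world-writable, is the suggested fix.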
