On Sun, 2003-10-19 at 20:25, Michael Holt wrote:
> Ok, I've read all the posts I could find and it looks like no one
> has had any luck with msec? I've been doing fine forever at
> "high" security; now a friend from work is dogging me about making
> things more secure. Since he's an m$ guy, I want to prove how
> much better *nix can do things and so I am off and ready to make
> that server of mine so secure that you can't get ANYTHING done!
> Well, I've succeeded! I can't get anything done!
>
> Ok, sorry 'bout that; now here's my problem:
> When I go to msec level 4 - I can't login to squirrelmail, use
> ssh, use ftp - I'm just about completely locked out. I've tried
> commenting out the line msec put in /etc/hosts.deny denying all,
> but it gets overwritten. I read a post about using chattr +i, but
> I'm using xfs so that's no good. I tried adding
> "authorize_services (all)", but that didn't help. I would really
> like to have secure level 4 or maybe even 5, but I need to be able
> to use my computer and I don't know how to manually set the same
> environments without using msec. What can I do to fix this mess?
> I want the wheel group, etc.
>
> Thanks in advance!

Start by reading the /usr/share/msec/perm.* files, then apply changes to /etc/security/perm.local.

Next, did you know that all the msec stuff is in script? Read it, quite enlightening. /usr/sbin/msec is the wrapper that figures out what to do, then calls python and bash scripts that live in /usr/share/msec. msec.py is the really powerful one. Look out for password aging, for instance :-)

The bad news is that IIRC some of this stuff is dependent on kernel patches like GRSecurity, and so msec is toggling kernel flags that can only be touched during bootup.

--
Jack Coates
Monkeynoodle: A Scientific Venture...
