Description
The Mandriva security package (aka msec) is intended to control and manage the security of the system. It was initially introduced in Mandrake 8, being one of the first system security utilities of its kind, and was heavily modified and redesigned for Mandriva 2009.1. Msec uses the concept of *security levels*, which are intended to configure a set of system permissions, which can be audited for changes or enforcement.
The current configuration for msec is stored in the /etc/security/msec/security.conf file, which can be created either manually, using the msecgui graphical interface, or with the help of the msec -f command, which will configure the system security according to predefined levels. By default, the following levels are available:
- Level 'None'. This level is intended if you do not want to use msec to control system security, and prefer tuning it on your own. It disables all security checks and puts no restrictions or constraints on system configuration and settings. Please use this level only if you know what you are doing, as it would leave your system vulnerable to attack. In msecgui, select the Disable msec option to activate this level. The default configuration for this level is stored in /etc/security/msec/level.none.
- Level 'Standard'. This is the default configuration when installed and is intended for casual users. It constrains several system settings and executes daily security checks which detect changes in system files, system accounts, and vulnerable directory permissions. This level is similar to levels 2 and 3 from past msec versions. The default configuration for this level is stored in /etc/security/msec/level.standard.
- Level 'Secure'. This level is intended when you want to ensure your system is secure, yet usable. It further restricts system permissions and executes more periodic checks. Moreover, access to the system is more restricted. This level is similar to levels 4 (High) and 5 (Paranoid) from old msec versions. The configuration for this level is defined by the /etc/security/msec/level.secure file.
- Moreover, you can define your own custom security levels, saving them into specific files in /etc/security/msec/level.LEVELNAME. This function is intended for power users who require a customized or more secure system configuration.
Using MSEC
Msec is the main script of the msec package. It enables the system administrator to change the security level for that system. You must be root to run msec.
Launch msec to check and fix current system configuration. This will allow you to identify the system settings that are different from the system security configuration. For example, if you changed settings related to remote root login in ssh, msec would warn you that the configuration for remote root access differs from settings defined in /etc/security/msec/security.conf. As msec has no way to know whether it was you who changed that file or a malicious attacker, you should change that setting in /etc/security/msec/security.conf as well, either manually or using msecgui.
If you just want to see what has changed from the previous security configuration, you may use msec -p, which will allow you to preview all changes.
The results of periodic checks performed by msec can be sent by email, and are also stored in the /var/log/security.log file. The email address which should receive the results of such checks can be configured using msecgui, or by editing /etc/security/msec/security.conf directly.
All actions performed by msec can be logged to different locations. By default, everything is logged to the /var/log/msec.log file, classifying the changes according to their impact into INFO, WARNING, ERROR or CRITICAL categories.
Another important part of the msec package is msecperms, which is intended for file and directory permissions checking and enforcement. It works in a similar way to msec, and checks the system permissions according to the /etc/security/msec/perms.conf file. Like msec, the settings can be configured either using the msecgui graphical interface, or by running the msecperms -f command, which will configure the settings according to a predefined level. Also like the msec configuration, the permission settings for each level are defined by the /etc/security/msec/perm.LEVELNAME file, and the none, standard and secure levels are available by default.
By default, msecperms only checks for changes to system permissions. If you want it to restore default permissions to files when a change is detected, you could use the *force* option. If you are switching to a new security level or scheme, or simply want to set default permissions on everything, you may run msecperms -e, which will enforce permissions according to the current security scheme.
MSEC rules and settings
The following functionality is supported by msec:
Setting | Value |
---|---|
ENABLE_IP_SPOOFING_PROTECTION | Enable/Disable name resolution spoofing protection. |
MAIL_EMPTY_CONTENT | Enables sending of empty mail reports. |
ACCEPT_BROADCASTED_ICMP_ECHO | Accept/Refuse broadcasted ICMP echo. |
ALLOW_XSERVER_TO_LISTEN | The argument specifies if clients are authorized to connect to the X server on the TCP port 6000 or not. |
CHECK_CHKROOTKIT | Enables checking for known rootkits using chkrootkit. |
CHECK_SUID_ROOT | Enables checking for additions/removals of suid root files. |
ENABLE_AT_CRONTAB | Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow (see man at(1) and crontab(1)). |
ACCEPT_BOGUS_ERROR_RESPONSES | Accept/Refuse bogus IPv4 error messages. |
CHECK_SUID_MD5 | Enables checksum verification for suid files. |
MAIL_USER | Defines email to receive security notifications. |
ALLOW_AUTOLOGIN | Allow/Forbid autologin. |
ENABLE_PAM_WHEEL_FOR_SU | Enable su only from members of the wheel group, or allow su from any user. |
CREATE_SERVER_LINK | Creates the symlink /etc/security/msec/server to point to /etc/security/msec/server.SERVER_LEVEL. The /etc/security/msec/server file is used by chkconfig --add to decide whether to add a service, if it is present in the file, during the installation of packages. |
SHELL_TIMEOUT | Set the shell timeout. A value of zero means no timeout. |
CHECK_USER_FILES | Enables permission checking on users' files that should not be owned by someone else, or writable. |
CHECK_SHADOW | Enables checking for empty passwords. |
ENABLE_PASSWORD | Use password to authenticate users. Take EXTREME care when disabling passwords, as it will leave the machine COMPLETELY vulnerable. |
WIN_PARTS_UMASK | Set umask option for mounting VFAT and NTFS partitions. A value of None means default umask. |
CHECK_OPEN_PORT | Enables checking for open network ports. |
ENABLE_LOG_STRANGE_PACKETS | Enable/Disable the logging of IPv4 strange packets. |
CHECK_RPM | Enables verification of installed packages. |
MAIL_WARN | Enables security results submission by email. |
PASSWORD_LENGTH | Set the password minimum length, the minimum number of digits and the minimum number of capitalized letters. |
ROOT_UMASK | Set the root umask. |
CHECK_SGID | Enables checking for additions/removals of sgid files. |
CHECK_PROMISC | Activate/Disable ethernet cards promiscuity check. |
ALLOW_X_CONNECTIONS | Allow/Forbid X connections. Accepted arguments: yes (all connections are allowed), local (only local connection), no (no connection). |
CHECK_WRITABLE | Enables checking for files/directories writable by everybody. |
ENABLE_CONSOLE_LOG | Enable/Disable syslog reports to console terminal 12. |
ENABLE_DNS_SPOOFING_PROTECTION | Enable/Disable IP spoofing protection. |
BASE_LEVEL | Defines the base security level, on top of which the current configuration is based. |
CHECK_PERMS | Enables periodic permission checking for system files. |
SHELL_HISTORY_SIZE | Set shell commands history size. A value of -1 means unlimited. |
ALLOW_REBOOT | Allow/Forbid system reboot and shutdown to local users. |
SYSLOG_WARN | Enables logging to system log. |
CHECK_SHOSTS | Enables checking for dangerous options in users' .rhosts/.shosts files. |
CHECK_PASSWD | Enables password-related checks, such as empty passwords and strange super-user accounts. |
PASSWORD_HISTORY | Set the password history length to prevent password reuse. This is not supported by pam_tcb. |
CHECK_SECURITY | Enables daily security checks. |
ALLOW_ROOT_LOGIN | Allow/Forbid direct root login. |
CHECK_UNOWNED | Enables checking for unowned files. |
ALLOW_USER_LIST | Allow/Forbid the list of users on the system on display managers (kdm and gdm). |
NOTIFY_WARN | Enables support for security notifications using libnotify. This allows the security notifications to be delivered directly to the users' desktop. |
ALLOW_REMOTE_ROOT_LOGIN | Allow/Forbid remote root login via sshd. You can specify yes, no and without-password. See sshd_config(5) man page for more information. |
ENABLE_MSEC_CRON | Enable/Disable msec hourly security check. |
ENABLE_SULOGIN | Enable/Disable sulogin(8) in single user level. |
ALLOW_XAUTH_FROM_ROOT | Allow/forbid to export display when passing from the root account to the other users. See pam_xauth(8) for more details. |
USER_UMASK | Set the user umask. |
ACCEPT_ICMP_ECHO | Accept/Refuse ICMP echo. |
AUTHORIZE_SERVICES | Configure access to tcp_wrappers services (see hosts.deny(5)). If arg = yes, all services are authorized. If arg = local, only local ones are, and if arg = no, no services are authorized. In this case, to authorize the services you need, use /etc/hosts.allow (see hosts.allow(5)). |
TTY_WARN | Enables periodic security check results to terminal. |
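Because BASE_LEVEL ties security.conf to one of the level files, the overrides a system carries on top of its base level can be listed offline. The following Python script is an added example, not part of msec or of the original page; it assumes the settings files are plain KEY=value lines, and the sample file contents and the restrictiveness ranking are constructed for illustration.

```python
# Added example. Assumption: msec settings files are KEY=value lines, '#' starts a comment.
# Values the page lists for these settings, ordered most restrictive first (ranking is ours).
RANKED = {
    "ALLOW_REMOTE_ROOT_LOGIN": ["no", "without-password", "yes"],
    "ALLOW_X_CONNECTIONS": ["no", "local", "yes"],
    "AUTHORIZE_SERVICES": ["no", "local", "yes"],
}

def parse_msec(text):
    """Parse KEY=value lines, skipping blank lines and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def drift(current, level_defaults):
    """Return (key, base value, current value, verdict) for each override of the base level."""
    findings = []
    # Keys absent from security.conf are assumed to inherit the base level, so only
    # keys that are explicitly set are compared.
    for key in sorted(current):
        base, cur = level_defaults.get(key), current[key]
        if key == "BASE_LEVEL" or cur == base:
            continue
        verdict = "changed"
        ranks = RANKED.get(key)
        if ranks and base in ranks and cur in ranks:
            verdict = "weaker" if ranks.index(cur) > ranks.index(base) else "stricter"
        findings.append((key, base, cur, verdict))
    return findings

# Constructed sample files (not the real msec defaults).
LEVEL_SECURE = """ALLOW_REMOTE_ROOT_LOGIN=no
ALLOW_X_CONNECTIONS=no
AUTHORIZE_SERVICES=local
CHECK_SUID_ROOT=yes
"""
SECURITY_CONF = """BASE_LEVEL=secure
ALLOW_REMOTE_ROOT_LOGIN=yes
AUTHORIZE_SERVICES=no
CHECK_SUID_ROOT=no
MAIL_USER=root
"""

if __name__ == "__main__":
    for finding in drift(parse_msec(SECURITY_CONF), parse_msec(LEVEL_SECURE)):
        print("%-26s base=%-8s current=%-8s %s" % finding)
```

On a real system the two strings would be read from /etc/security/msec/security.conf and the level file named by its BASE_LEVEL value.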
Files
/usr/sbin/msec
The msec application responsible for security settings audit and configuration.
/usr/sbin/msecperms
The msec application responsible for file and directory permission configuration and enforcement.
/usr/sbin/msecgui
Graphical interface to msec (available in the msec-gui package).
/etc/security/msec/security.conf
Contains the current security configuration.
/etc/security/msec/perms.conf
Contains the current security configuration.
/etc/security/msec/level.none
Contains the security configuration for none security level.
/etc/security/msec/level.standard
Contains the security configuration for standard security level.
/etc/security/msec/level.secure
Contains the security configuration for secure security level.
/etc/security/msec/perm.none
Contains the permission configuration for none security level.
/etc/security/msec/perm.standard
Contains the permission configuration for standard security level.
/etc/security/msec/perm.secure
Contains the permission configuration for secure security level.
Original authors
This page was originally written on Mandriva's wiki by the following people:
- Mark_1830
- Eugeni Dodonov
- YuriMyasoedov
- Thierry Vignaud
- Vdanen
Thanks to them.