Linux-Mandrake: User Guide and Reference Manual
MandrakeSoft
January 2000 http://www.linux-mandrake.com
Linux is used for a very wide range of applications, from basic office work to high-availability servers, and these different uses call for different security levels. The constraints inherent to a highly secured server obviously do not match the needs of a secretary; on the other hand, a big public server is far more exposed to malicious people than my isolated Linux box.
It is with that aim that the MSEC package was designed. It is made of two parts:
Note that the user may also define his own security level, adjusting parameters to his own needs.
MSEC is a base RPM. That means that if you previously installed Linux-Mandrake, MSEC is already installed on your system.
Installing the RPM creates a msec directory in the /etc/security directory, containing all that is needed to secure your system.
Then just log in as root and type /etc/security/msec/init.sh x, x being the security level you want, or custom to create your own security level.
The script will begin by removing all modifications made by a previous security level change, and then apply the features of the chosen security level to your system. If you choose custom, you will be asked a series of questions, one for each security feature MSEC proposes. In the end, these features will be applied to your system. Note that whatever level you choose, your configuration will be stored in /etc/security/msec/security.conf.
This level is to be used with care. It makes your system easier to use, but extremely insecure. In particular, you shouldn't use this security level if you answer "yes" to any of the following questions:
As you can see, this security level shouldn't be set by default because it may result in big problems for your data.
The main security improvement compared with level 0 is that access to any user's data is now granted only via username and password. Therefore, the machine may be used by various people, and it is less sensitive to mistakes. However, it shouldn't be used on a computer connected to a modem or a LAN (Local Area Network).
There are few major improvements in this security level; it mainly provides additional security warnings and checks. It is more secure for multi-user use.
This is the standard security level, recommended for a computer that will be used to connect to the Internet as a client. Most of the security checks are run periodically, in particular one that checks for open ports on the system. However, these open ports are kept open and access to them is granted to everyone.
From the user's point of view, the system is now a little more closed, so he will need basic knowledge of the Linux system to perform some special operations. The security offered here is comparable to that of a standard Red Hat or any previous Linux-Mandrake distribution.
With this security level, using the system as a server becomes possible. Security is now high enough for the system to accept connections from many clients. By default, only connections from the computer itself are granted. However, advanced services have been disabled, and the system administrator will have to activate the desired ones by hand in the configuration files. He will also have to define for whom access is granted.
Security checks will warn the system administrator of possible security holes or intrusions on the system.
Building on the level 4 features, the system is now entirely closed and security features are at their maximum. The system administrator has to activate ports and grant connections to give other computers access to the services offered by this machine.
What follows is the description of the different security features each level brings to the system.
| Security feature | 0 | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|---|
| global security check | | yes | yes | yes | yes | yes |
| umask for users | 002 | 002 | 022 | 022 | 077 | 077 |
| umask for root | 002 | 002 | 022 | 022 | 022 | 077 |
| shell without password | yes | | | | | |
| authorized to connect to X display | all | local | local | none | none | none |
| user in audio group | yes | yes | yes | | | |
| . in $PATH | yes | yes | | | | |
| warnings in file /var/log/security.log | | yes | yes | yes | yes | yes |
| warnings directly on tty | | yes | yes | | | |
| warnings in syslog | | | yes | yes | yes | yes |
| warnings sent by e-mail to root | | | | yes | yes | yes |
| suid root files check | | | yes | yes | yes | yes |
| suid root file MD5 check | | | yes | yes | yes | yes |
| writeable files check | | | yes | yes | yes | yes |
| permissions check | | | | yes | yes | yes |
| suid group files check | | | | yes | yes | yes |
| unowned files check | | | | | yes | yes |
| promiscuous check | | | | | yes | yes |
| listening port check | | | | yes | yes | yes |
| passwd file integrity check | | | | yes | yes | yes |
| shadow file integrity check | | | | yes | yes | yes |
| system security check every day at midnight | | | | yes | yes | yes |
| all system events additionally logged to /dev/tty12 | | | | | yes | yes |
| unknown services are disabled | | | | | yes | yes |
| boot password (LILO) | | | | | yes | yes |
| grants connection to | all | all | all | all | local | none |
Note that six out of the ten periodical checks can detect changes on the system. They store, in files located in the /var/log/security/ directory, the configuration of the system at the time of the last check (one day ago), and warn you of any changes that occurred in the meantime. These checks are:

suid root file check
suid root file MD5 check

"nosuid": these filesystems are exported without the nosuid option, which forbids suid programs from working on the machine.

"+ sign": this means that one of the following files: /etc/hosts.equiv, /etc/shosts.equiv, /etc/hosts.lpd contains hosts allowed to connect without proper authentication.

/etc/aliases and /etc/postfix/aliases.
umask for users: Simply sets the umask for normal users to the value corresponding to the security level.

umask for root: The same, but for root.

shell without password: Access to the consoles is granted without asking for a password.

authorized to connect to X display:
all: everybody from everywhere can open an X window on your screen.
local: only people connected at localhost may open an X window on your screen.
none: nobody can do that.

user in audio group: Each user is a member of the audio, urpmi and cdrom groups. That means that all users are granted some special privileges regarding the sound card, packages, etc.

. in $PATH: the . entry is added to the $PATH environment variable, allowing easy execution of programs within the current working directory (it is also, to some extent, a security hole).
warnings in file /var/log/security.log: Each warning issued by MSEC is logged into the file /var/log/security.log.

warnings directly on tty: Each warning issued by MSEC is directly printed on the current console.

warnings in syslog: Warnings of MSEC are directed to the syslog service.

warnings sent by e-mail to root: Warnings issued by MSEC are also sent by e-mail to root.
suid root files check: Checks for new or removed suid root files on the system. If such files are found, a list of these files is issued as a warning.

suid root file MD5 check: Checks the MD5 signature of each suid root file on the system. If the signature has changed, it means that a modification has been made to this program, possibly a backdoor. A warning is then issued.
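Both checks above work by comparing today's scan with the snapshot stored from the previous run. The following is an added example, not the msec script itself: it implements that snapshot-and-diff routine in portable shell and generalizes it so the same routine also serves the suid group and world-writeable file checks; the tree to scan and the state directory (standing in for /var/log/security/) are parameters.

```shell
#!/bin/sh
# Added example, not msec's own code: snapshot-and-diff in the style of the
# suid root file check and MD5 check. $state plays the role of
# /var/log/security/ (yesterday's snapshot); $tree is the directory to scan.

# Run the lister given as "$@", compare its sorted output with the stored
# snapshot $state/$name, print "+path" for additions and "-path" for
# removals, then keep the new output as the reference for the next run.
snapshot_diff() {
    name=$1; state=$2; shift 2
    mkdir -p "$state"
    "$@" | sort > "$state/$name.new"
    touch "$state/$name"                      # first run: empty snapshot
    comm -13 "$state/$name" "$state/$name.new" | sed 's/^/+/'
    comm -23 "$state/$name" "$state/$name.new" | sed 's/^/-/'
    mv "$state/$name.new" "$state/$name"
}

# Listers, one path per line; -xdev keeps the scan on one filesystem.
list_suid_root()       { find "$1" -xdev -type f -user root -perm -4000 2>/dev/null; }
list_suid_group()      { find "$1" -xdev -type f -perm -2000 2>/dev/null; }
list_world_writeable() { find "$1" -xdev -type f -perm -0002 2>/dev/null; }

# "digest  path" for every suid root file (md5sum output format).
md5_suid_root() {
    list_suid_root "$1" | while IFS= read -r f; do md5sum "$f"; done
}

# A modified file appears in snapshot_diff output as one removed digest line
# and one added digest line for the same path; report only those as changed.
check_md5_changes() {
    name=$1; state=$2; shift 2
    snapshot_diff "$name" "$state" "$@" | awk '
        { sign = substr($0, 1, 1); path = substr($0, index($0, "  ") + 2) }
        sign == "+" { added[path] = 1 }
        sign == "-" { removed[path] = 1 }
        END { for (p in added) if (p in removed) print "changed: " p }'
}

# msec-style entry points: tree to scan, then state directory.
check_suid_root_files() { snapshot_diff suid_root "$2" list_suid_root "$1"; }
check_suid_root_md5()   { check_md5_changes suid_root_md5 "$2" md5_suid_root "$1"; }
check_suid_group_files() { snapshot_diff suid_group "$2" list_suid_group "$1"; }
check_world_writeable() { snapshot_diff world_writeable "$2" list_world_writeable "$1"; }
```

Run as root against / with a state directory only root can write, since an attacker who can edit the snapshot can hide a change.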
writeable files check: Checks whether files on the system are world writeable. If so, issues a warning containing the list of these naughty files.

permissions check: This one checks the permissions of some special files such as .netrc or users' configuration files. It also checks the permissions of users' home directories. If their permissions are too loose or the owners unusual, it issues a warning.

suid group files check: Checks for new or removed suid group files on the system. If such files are found, a list of these files is issued as a warning.

unowned files check: This check searches for files owned by users or groups not known by the system. If such files are found, the owner is automatically changed to user/group nobody.

promiscuous check: This test checks every Ethernet card to determine whether it is in "promiscuous" mode. This mode allows the card to intercept every packet it receives, even those not addressed to it. It may mean that a sniffer is running on your machine. Note that this check is set up to run every minute.

listening port check: Issues a warning with all listening ports.
passwd file integrity check: Verifies that each user has a password (not a blank or an easy to guess one) and checks that it is shadowed.

shadow file integrity check: Verifies that each user in the shadow file has a password (not a blank or an easy to guess one).

system security check every day at midnight: All previous checks will be performed every day at midnight. This relies on the addition of a cron script in the crontab file.
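As an added example (not msec's own code), the following shell functions implement the passwd and shadow integrity checks just described, together with the home-directory part of the permissions check described earlier. They take the file to inspect as an argument so they can be run against copies, rely on GNU stat(1), and make no attempt at guessing weak passwords.

```shell
#!/bin/sh
# Added example, not msec's own script: passwd/shadow integrity checks and
# the home-directory part of the permissions check. Each function takes the
# file to inspect as $1; the home check uses GNU stat(1).

# passwd entries whose password field is not "x": the hash (or the absence
# of one) sits in the world-readable passwd file instead of in shadow.
check_passwd_shadowed() {
    awk -F: 'NF >= 7 && $2 != "x" { print "not shadowed: " $1 }' "$1"
}

# shadow entries with an empty password field: that account logs in with no
# password at all. "*" and "!" mean a locked account and are not reported.
check_shadow_blank() {
    awk -F: 'NF >= 2 && $2 == "" { print "blank password: " $1 }' "$1"
}

# Every home directory listed in the passwd file ($1) must be owned by the
# entry's uid and must not be writeable by group or others. Directories that
# do not exist are skipped.
check_home_dirs() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -d "$home" ] || continue
        owner_mode=$(stat -c '%u %a' "$home")        # e.g. "1000 755"
        owner=${owner_mode% *}; mode=${owner_mode#* }
        [ "$owner" = "$uid" ] || echo "unusual owner: $home (uid $owner, expected $uid)"
        # the last two octal digits are group and other; 2, 3, 6 and 7
        # carry the write bit
        case $mode in
            *[2367]?|*[2367]) echo "too loose: $home (mode $mode)" ;;
        esac
    done < "$1"
}
```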
unknown services are disabled: All services not listed in /etc/security/msec/init-sh/server.4 for level 4 or server.5 for level 5 will be disabled. They are not removed, but simply not started when entering a runlevel. If you need some of them, just add them again with the chkconfig utility (you might also need to restart them with the init scripts in /etc/rc.d/init.d).

boot password (LILO): Allows you to set up a password for LILO. Prevents (inexperienced) people from rebooting the machine, but on the other hand, the machine won't be able to reboot by itself.

grants connection to:
all: all computers are allowed to connect to open ports.
local: only the localhost is allowed to connect to open ports.
none: no computers are allowed to connect to open ports.