Sophie

Sophie

distrib > Mageia > 5 > x86_64 > media > core-release > by-pkgid > 58e0e82442075ea00d287d903bae8f4e > files > 36

msec-1.11-2.mga5.x86_64.rpm

****************************
Security level 0 :

- no password
- umask is 002 ( user = read,write | greoup = read,write | other = read ) 
- easy file permission.
- everybody authorized to connect to X display.
- . in $PATH

****************************
Security level 1 :

- Global security check.
- umask is 002 ( user = read,write | greoup = read,write | other = read ) 
- easy file permission.
- localhost authorized to connect to X display and X server listens to
tcp connections.
- . in $PATH
- Warning in /var/log/security.log

****************************
Security level 2 ( Aka normal system ) :

- Global security check
- Suid root file check
- Suid root file md5sum check
- Writable file check
- Warning in syslog
- Warning in /var/log/security.log 

- umask is 022 ( user = read,write | group = read | other = read )
- easy file permission.
- localhost authorized to connect to X display and X server listens to
tcp connections.

****************************
Security level 3  ( Aka more secure system ) :

- Global security check 
- Permissions check
- Suid root file check
- Suid root file md5sum check
- Suid group file check 
- Writable file check 
- Unowned file check 
- Promiscuous check 
- Listening port check 
- Passwd file integrity check
- Shadow file integrity check
- Warning in syslog
- Warning in /var/log/security.log
- rpm database checks
- send the results of checks by mail if they aren't empty

- umask is 022 ( user = read,write | group = read | other = read )
- Normal file permission.
- X server listens to tcp connections.
- All system events additionally logged to /dev/tty12
- Some system security check launched every midnight from the ( crontab ).
- no autologin

- home directories are accesible but not readable by others and group members.

****************************
Security level 4 ( Aka Secured system ) :

- Global security check 
- Permissions check
- Suid root file check 
- Suid root file md5sum check
- Suid group file check
- Writable file check
- Unowned file check 
- Promiscuous check 
- Listening port check 
- Passwd file integrity check 
- Shadow file integrity check 
- Warning in syslog
- Warning in /var/log/security.log
- Warning directly on tty
- rpm database checks
- Send the results of checks by mail even if they are empty
 to show that the checks were run.

- umask 022 ( user = read,write | group = read | other = read ) for root
- umask 077 ( user = read,write | group =  | other =  ) for normal users
- restricted file permissions.
- All system events additionally logged to /dev/tty12
- System security check every midnight ( crontab ).
- localhost authorized to connect to X display.
- X server doesn't listen for tcp connections
- no autologin
- sulogin in single user
- no direct root login
- remote root login only with a pass phrase
- no list of users in kdm and gdm
- password aging at 60 days
- shell history limited to 10
- shell timeout 3600 seconds
- at and crontab not allowed to users not listd in /etc/at.allow and /etc/cron.allow
* - Services not contained in /etc/security/msec/server.4 are disabled during
package installation (  considered as not really secure ) ( but the user can reenable it with
chkconfig -add ).
- Connection to the system denyied for all except localhost (authorized services must be
in /etc/hosts.allow).
- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ).

- most sensible files and directories are restricted to the members of the adm group.
- home directories are not accesible by others and group members.
- X commands from /usr/X11R6/bin restricted to the members of the xgrp group.
- network commands (ssh, scp, rsh, ...) restricted to the members of the ntools group.
- compilation commands (gcc, g++, ...) restricted to the members of the ctools group.
- rpm command restricted to the members of the rpm group.
- forbid exporting X display when switching from root to another user

*******************************
Security level 5 ( Aka Paranoid system ) :

- Global security check
- Permissions check 
- Suid root file check 
- Suid root file md5sum check
- Suid group file check 
- Writable file check
- Unowned file check 
- Promiscuous check 
- Listening port check 
- Passwd file integrity check 
- Shadow file integrity check
- Warning in syslog
- Warning in /var/log/security.log
- Warning directly on tty
- rpm database checks
- Send the results of checks by mail even if they are empty
 to show that the checks were run.

- umask 077 ( user = read,write | group =  | other =  )
- Highly restricted file permission
- All system events additionally logged to /dev/tty12
- System security check every midnight ( crontab ).
- X server doesn't listen for tcp connections
- no autologin
- sulogin in single user
- no direct root login
- no list of users in kdm and gdm
- password aging at 30 days
- password history to 5
- shell history limited to 10
- shell timeout 900 seconds
- su to root only allowed to members of the wheel group (activated only if the wheel group
isn't empty)
* - Services not contained in /etc/security/msec/server.5 are disabled during
package installation (  considered as not really secure ) ( but the user can reenable it with
chkconfig -add ).
- Connection to the system denyied for all (authorized services must be
in /etc/hosts.allow).
- ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ) .

- most sensible files and directories are restricted to the root account.
- home directories are not accesible by others and group members.
- X commands from /usr/X11R6/bin restricted to the members of the xgrp group.
- network commands (ssh, scp, rsh, ...) restricted to the members of the ntools group.
- compilation commands (gcc, g++, ...) restricted to the members of the ctools group.
- rpm command restricted to the members of the rpm group.
- forbid exporting X display when switching from root to another user

******************

* level4/level5 : "services disabled" explanations :

- Some server aren't really considered as secure,
  these one, should for example be compiled from sources.
  server considered as secure are specified in /etc/security/msec/server.4/5
  
  When enabling level4/5, all servers which aren't considered as secure are
  disabled ( NOT uninstalled, just disabled ) user can reenable them using the
  chkconfig utility ( server will be launched at next boot ).
 
  In these level, we are also denying rpm to enable any server considered as insecure 
  ( off course rpm can install the server ).
  The user have the choise : chkconfig --add servername will enable the server.
  Or add the server in the secured server list







*** Future Release : ***
- Automatic tty locking ( unlock by passwd ) after X time of inactivity.
***

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional