Msec

 < Day Day Up > 



Mandrake has produced an excellent collection of Python scripts that are collectively known as msec—the Mandrake security tools. Msec is a well-designed tool that handles many routine tasks required by certain security practices and can implement many good access restriction policies. However, it can also become an administration nightmare if incorrectly implemented. If you choose to take advantage of msec, realize that it creates a secure environment by default—new services may still introduce new vulnerabilities and security patches must still be installed.

Implementation

Msec is installed by default on all Mandrake Linux distributions. The first encounter with msec occurs during the installation process when you receive the prompt that asks for the level of security you want to use. This level ranges from 0 (no security) to 5 (strict security). Level 3 is probably the best choice, because it is easier to increase the level (go to 4 or 5) than decrease a level that you have discovered is too restrictive.

Msec security is defined in the /var/lib/msec/security.conf file. This file can be overridden by the /etc/security/msec/security.conf file. The core of msec’s utilities exist in the /usr/share/msec directory:

[mike@corrino msec]$ ls cleanold.sh       level.0      man.py       perm.5 compile.py        level.1      man.pyo      Perms.py compile.pyo       level.2      mseclib.py   Perms.pyo ConfigFile.py     level.3      mseclib.pyo  promisc_check.sh ConfigFile.pyo    level.4      msec.py      security_check.sh Config.py         level.5      perm.0       security.sh Config.pyo        libmsec.py   perm.1       shadow.py diff_check.sh     libmsec.pyo  perm.2       shadow.pyo draksec_help.py   Log.py       perm.3 draksec_help.pyo  Log.pyo      perm.4

Perm.n files

Msec affects many environment variables and file permissions. Consequently, you may notice that even if you manually change the permissions for the /etc/inetd file, msec will silently (although a log entry will be generated) change the ownership to root.root and the mode to 644. The file ownership and permissions are controlled by the perm.0, perm.1, perm.2, perm.3, perm.4, and perm.5 files in the /usr/share/msec directory. Each file suffix (0–5) corresponds to the current msec level. You can modify these files if you want to add or remove certain entries. Note that if you change the msec level to 4 or 5, you will have to add users to the ntools or ctools user groups to access common network or compiler binaries. For example, Table 9-1 contains a few entries and their settings under levels 3, 4, and 5.

Table 9-1: Select /usr/share/msec/perm.n File Entries

File or Directory

Owner.Group
(3)

Perm.
(3)

Owner.Group
(4)

Perm.
(4)

Owner.Group
(5)

Perm.
(5)

/usr/bin/

root.root

755

root.adm

751

root.root

711

/usr/bin/cc

root.root

755

root.ctools

750

root.ctools

750

/usr/bin/finger

root.root

755

root.ntools

750

root.ntools

750

/usr/bin/g++*

root.root

755

root.ctools

750

root.ctools

750

/usr/bin/gcc*

root.root

755

root.ctools

750

root.ctools

750

/usr/bin/ssh

root.root

755

root.ntools

750

root.ntools

750

/usr/bin/telnet

root.root

755

root.ntools

750

root.ntools

750

/usr/bin/w

root.root

755

root.ntools

750

root.ntools

750

/usr/bin/who

root.root

755

root.ntools

750

root.ntools

750

Level.n files

Also found in the /usr/share/msec directory are six files (level.0 through level.5) that define each possible security setting for the corresponding msec level. These are plain text files with easily understood variables and values. For example, Table 9-2 shows the settings for password management under levels 3, 4, and 5.

Table 9-2: Select /usr/share/msec/level.n File Entries

Level.n File Entry

Description

Level 3

Level 4

Level 5

enable_password

Yes/No.
User accounts must have a password.

Yes

Yes

Yes

password_aging

Maximum age of a password (days).
Time before expiration when users are prompted to change passwords (days).

99999

60 30

30 15

password_history

Number of previous passwords to store. Users cannot create a new password that matches one in the history file.

0

0

5

password_length

Minimum number of characters.
Minimum number of digits.
Minimum number of uppercase letters.

4 0 0

6 1 1

8 1 1

Most of the remaining settings have either Boolean values (yes or no) or have clear possibilities. For example, set_user_umask accepts a three-digit UMASK value such as 022 or 027.

If you choose to modify the level.n files to define a custom policy, be sure to document changes so that other administrators can understand the impact and implications of each modified setting.

Note 

If you read through the man pages carefully, you will discover that the recommended method for modifying the permissions (perm.n) and settings (level.n) for a particular msec level is to create two files: /etc/security/msec/perm.local and /etc/security/msec/level.local. This is the best way to make system-specific changes without corrupting the original msec definitions.

Tip 

Within each of the perm.n files, the asterisk (*) serves as a wildcard to match zero or more characters and the question mark (?) serves as a wildcard to match zero or one character. Thus, /usr/bin/gcc* matches /usr/bin/gcc, /usr/bin/gcc-3.2.2, and /usr/bin/gcc3.2-version. The string /usr/lib/rpm/rpm? matches /usr/lib/rpm/rpm, /usr/lib/rpm/rpmb, /usr/lib/rpm/rpmd, and so on.

/etc/security/msec/security.conf

Now that we’ve covered some of the specific point tests that msec performs, let’s take a look at security checks controlled by the security.conf file. Each test, described in Table 9-3, is performed on a periodic basis.

Check the /var/lib/msec/security.conf file for the default settings at your particular msec level.

Table 9-3: Some /etc/security/msec/security.conf Settings

Setting

Default
(Level 3)

Description

CHECK_SHADOW

Yes

Verify that no user has an empty password in the /etc/shadow file.

CHECK_SUID_MD5

Yes

Verify the checksums generated for each suid and sgid file. Checksums are generated daily.

CHECK_UNOWNED

No

Check for unowned files. If the UID of a file's owner or group does not exist in the /etc/passwd file, it is considered unowned. Files with nobody UID or nogroup GID are also considered unowned.

CHECK_SECURITY

Yes

Perform daily security checks. This entry triggers all other entries. If this is set to No, other checks will not be performed.

CHECK_PASSWD

Yes

Verify that no user has an empty password, in either the /etc/passwd or /etc/shadow file. Also check for accounts other than root with UID 0.

SYSLOG_WARN

Yes

Send all reports to syslog.

CHECK_SUID_ROOT

Yes

Check for new or removed suid root files.

CHECK_PERMS

Yes

Check file permissions in users' home directories.

MAIL_EMPTY_CONTENT

No

Mail a report even if nothing has changed from the previous time msec tests were performed.

CHECK_WRITABLE

Yes

Check for world-writeable files (o+w)

CHKROOTKIT_CHECK

Yes

Perform root kit checks. The chkrootkit application must be installed in the /usr/sbin directory (http://www.chkrootkit.org). Note that chkrootkit can identify the default configuration of most root kits, but many root kits can be trivially modified to avoid detection. This is by no means fool-proof!

CHECK_PROMISC

No

Check if the network device(s) are running in promiscuous mode. Runs the /sbin/ip link list command to check for the PROMISC flag on an interface. This is reliable, but the PROMISC flag can be suppressed by certain root kits.

CHECK_SGID

Yes

Check for new or removed SGID root files.

RPM_CHECK

Yes

Check the RPM database's integrity and monitor whether any files have been modified.

TTY_WARN

No

Send reports to the TTY.

MAIL_WARN

Yes

Send reports to an e-mail address.

CHECK_OPEN_PORT

Yes

Check for open ports with the netstat command. This tests for ports that have been opened or closed compared to the previous time the test was performed.



 < Day Day Up > 



Anti-Hacker Tool Kit
Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
EAN: 2147483647
Year: 2004
Pages: 189

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net