7.3. Security levels features

What follows is the description of the different security features each level brings to the system. These features are of various types:

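| Feature \ Level | 0 | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|---|
| global security check | | | yes | yes | yes | yes |
| umask for users | 002 | 002 | 002 | 002 | 077 | 077 |
| umask for root | 002 | 002 | 002 | 002 | 002 | 077 |
| shell without password | yes | | | | | |
| authorized to connect to X display | all | local | local | none | none | none |
| user in audio group | yes | yes | yes | | | |
| . in $PATH | yes | yes | | | | |
| warnings in file /var/log/security.log | | yes | yes | yes | yes | yes |
| warnings directly on tty | | | yes | yes | yes | yes |
| warnings in syslog | | | yes | yes | yes | yes |
| warnings sent by e-mail to root | | | yes | yes | yes | yes |
| suid root files check | | | yes | yes | yes | yes |
| suid root files MD5 check | | | yes | yes | yes | yes |
| writable files check | | | | yes | yes | yes |
| permissions check | | | | yes | yes | yes |
| suid group files check | | | | yes | yes | yes |
| unowned files check | | | | yes | yes | yes |
| promiscuous check | | | | yes | yes | yes |
| listening port check | | | | yes | yes | yes |
| passwd file integrity check | | | | yes | yes | yes |
| shadow file integrity check | | | | yes | yes | yes |
| system security check every day at midnight | | | | yes | yes | yes |
| all system events additionally logged to /dev/tty12 | | | | yes | yes | yes |
| Only root can ctrl-alt-del | | | | | yes | yes |
| unknown services are disabled | | | | | yes | yes |
| boot password (GRUB/LILO) | | | | | yes | yes |
| grants connection from | all | all | all | all | local | none |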

Note that six out of the ten periodic checks can detect changes on the system. They store the configuration of the system at the time of the last check (one day ago) in files located in the /var/log/security/ directory, and warn you of any changes that occurred in the meantime. These checks are:

7.3.1. "global security check"

  1. "NFS filesystems globally exported": this is regarded as insecure as there is no restriction as to who may mount these filesystems.

  2. "NFS mounts with missing nosuid": these filesystems are exported without the nosuid option, which prevents suid programs from working on the machine.

  3. "Host trusting files contain + sign": that means that one of the following files: /etc/hosts.equiv, /etc/shosts.equiv, /etc/hosts.lpd contains hosts allowed to connect without proper authentication.

  4. "Executables found in the aliases files": it issues a warning naming the executables run through the two files /etc/aliases and /etc/postfix/aliases.

7.3.2. "umask for users"

Simply sets the umask for normal users to the value corresponding to the security level.

7.3.3. "umask for root"

The same, but for root.

7.3.4. "shell without password"

Access to the consoles is granted without asking for a password.

7.3.5. "authorized to connect to X display"

  1. all: everybody from everywhere can open an X window on your screen.

  2. local: only people connected at localhost may open an X window on your screen.

  3. none: nobody can do that.

7.3.6. "users in audio group"

Each user is a member of the audio, urpmi and cdrom groups. That means that all users are granted some special privileges regarding sound card, packages, etc.

7.3.7. ". in $PATH"

The . entry is added to the $PATH environment variable, allowing easy execution of programs within the current working directory (it is also, to some extent, a security hole).

7.3.8. "warnings in /var/log/security.log"

Each warning issued by MSEC is logged into the file bearing the name /var/log/security.log.

7.3.9. "warnings directly on tty"

Each warning issued by MSEC is directly printed on the current console.

7.3.10. "warnings in syslog"

Warnings of MSEC are directed to the syslog service.

7.3.11. "warnings sent by e-mail to root"

Warnings issued by MSEC are also sent by e-mail to root.

7.3.12. "suid root files check"

Checks for new or removed suid root files on the system. If such files are found, a list of these files is issued as a warning.

7.3.13. "suid root file MD5 check"

Checks the MD5 signature of each suid root file that is on the system. If the signature has changed, it means that a modification has been made to this program, possibly a back door. A warning is then issued.
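The snapshot-and-compare mechanism described for the periodic checks, applied to the suid root files check and its MD5 variant, as an added example (not MSEC's own code). The SUID_OWNER override and the state file names are hypothetical; md5sum matches the MD5 check named above, and a stronger hash such as sha256sum can be substituted without changing the logic.

```shell
#!/bin/sh
# Added illustration, not MSEC's script. SUID_OWNER and the state file
# names are hypothetical; only /var/log/security/ comes from the text.

# Print "md5  path" for every suid file owned by SUID_OWNER under ROOT.
# -xdev keeps the scan on the filesystem that ROOT lives on.
suid_snapshot() {  # suid_snapshot ROOT
    find "$1" -xdev -type f -user "${SUID_OWNER:-root}" -perm -4000 \
        -exec md5sum {} + 2>/dev/null | LC_ALL=C sort -k2
}

# Compare two snapshots: report files that appeared, vanished or changed.
suid_compare() {  # suid_compare OLD NEW
    awk '
        { hash = $1; path = $0; sub(/^[^ ]+  /, "", path) }
        # Test FILENAME, not NR == FNR, so an empty OLD file is handled.
        FILENAME == ARGV[1] { old[path] = hash; next }
        { seen[path] = 1 }
        !(path in old)    { print "ADDED " path; next }
        old[path] != hash { print "CHANGED " path }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# One run of the check: snapshot, diff against the previous run, rotate.
suid_check() {  # suid_check ROOT STATE_DIR
    new="$2/suid_md5.today"
    old="$2/suid_md5.yesterday"
    suid_snapshot "$1" > "$new"
    # The first run has no baseline, so there is nothing to report yet.
    if [ -f "$old" ]; then suid_compare "$old" "$new"; fi
    mv -f "$new" "$old"
}

# Typical use as root: suid_check / /var/log/security
```

An ADDED or REMOVED line corresponds to the suid root files check, a CHANGED line to the MD5 check.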

7.3.14. "writable files check"

Checks whether files are world writable on the system. If so, issues a warning containing the list of these naughty files.

7.3.15. "permissions check"

This one checks permissions for some special files such as .netrc or users' configuration files. It also checks permissions of users' home directories. If their permissions are too loose or the owners unusual, it issues a warning.

7.3.16. "suid group files check"

Checks for new or removed suid group files on the system. If such files are found, a list of these files is issued as a warning.

7.3.17. "unowned files check"

This check searches for files owned by users or groups not known by the system. If such files are found, the owner is automatically changed to user/group nobody.

7.3.18. "promiscuous check"

This test checks every Ethernet card to determine whether it is in "promiscuous" mode. This mode allows the card to intercept every packet it receives, even those that are not directed to it. It may mean that a sniffer is running on your machine. Note that this check is set up to be run every minute.
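One way to run this check on a Linux host, as an added example (not MSEC's own code): it assumes the sysfs layout /sys/class/net/<iface>/flags and tests the IFF_PROMISC bit (0x100). The function names and the warning text are hypothetical.

```shell
#!/bin/sh
# Added illustration, not MSEC's script. Assumes Linux sysfs, where
# /sys/class/net/<iface>/flags holds the interface flags in hex.
IFF_PROMISC=0x100   # value from <linux/if.h>

# Print the name of every interface whose flags include IFF_PROMISC.
promisc_ifaces() {  # promisc_ifaces [NET_DIR]
    net_dir=${1:-/sys/class/net}
    for f in "$net_dir"/*/flags; do
        [ -r "$f" ] || continue      # unmatched glob or vanished interface
        flags=$(cat "$f")
        case "$flags" in
            0x*) ;;                  # expected form, e.g. 0x1103
            *) continue ;;           # skip anything that is not hex
        esac
        if [ $(( $flags & $IFF_PROMISC )) -ne 0 ]; then
            iface=${f%/flags}
            echo "${iface##*/}"
        fi
    done
}

# Emit one warning line per promiscuous interface; return 1 if any found.
promisc_check() {  # promisc_check [NET_DIR]
    found=$(promisc_ifaces "$@")
    [ -z "$found" ] && return 0
    for i in $found; do
        echo "WARNING: interface $i is in promiscuous mode"
    done
    return 1
}
```

A legitimate packet capture or a bridge also puts an interface in this mode, so a hit is a prompt to identify the process responsible rather than proof of a sniffer.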

7.3.19. "listening port check"

Issues a warning with all listening ports.

7.3.20. "passwd file integrity check"

Verifies that each user has a password (not a blank or an easy to guess one) and checks that it is shadowed.

7.3.21. "shadow file integrity check"

Verifies that each user in the shadow file has a password (not a blank one or an easy one to guess).

7.3.22. "system security check every day at midnight"

All previous checks will be performed every day at midnight. This relies on the addition of a cron script in the crontab file.

7.3.23. "services not known disabled"

All services not in /etc/security/msec/init-sh/server.4 for level 4 or server.5 for level 5 will be disabled. They are not removed, but simply not started when loading a runlevel. If you need some of them, just add them again with the chkconfig utility (you might also need to restart them with init scripts in /etc/rc.d/init.d).

7.3.24. "boot password"

There are two different behaviors depending on the Boot Loader you use:

GRUB

At boot time, GRUB will ask you for the password only if you manually pass options to the kernel. This allows your system to reboot by itself without the need for an operator, while still stopping unauthorized people from rebooting the machine in an unusual way (fail safe mode for example).

LILO

Allows you to set up a password for LILO. Prevents (inexperienced) people from rebooting the machine, but on the other hand, the machine won't be able to reboot by itself.

7.3.25. "grants connection to"

  1. all: all computers are allowed to connect to open ports.

  2. local: only the localhost is allowed to connect to open ports.

  3. none: no computers are allowed to connect to open ports.


Linux is a registered trademark of Linus Torvalds. All other trademarks and copyrights are the property of their respective owners.
Unless otherwise stated, all the content of these pages and all images are Copyright MandrakeSoft S.A. and MandrakeSoft Inc. 2000.
http://www.linux-mandrake.com/