What follows describes the security features each level brings. They are of two kinds: system hardening, which changes the system, and periodic checks, which only report on it.
The hardening part changes the permissions, owners and groups of files and directories on the system according to the security level. It also rewrites the relevant configuration files to match the level and restarts the affected programs so that the changes take effect. It runs every hour, and every change it makes is logged to syslog.
Feature \ Level | 0 | 1 | 2 | 3 | 4 | 5 |
---|---|---|---|---|---|---|
umask for users | 002 | 002 | 002 | 002 | 077 | 077 |
umask for root | 002 | 002 | 002 | 002 | 002 | 077 |
access without password | yes | - | - | - | - | - |
authorized to connect to X server | all | local | local | none | none | none |
X server listens to connections from | all | all | all | all | local | local |
shell timeout (seconds) | none | none | none | none | 3600 | 900 |
su only from members of the wheel group | - | - | - | - | - | yes |
shell history size | - | - | - | - | 10 | 10 |
sulogin in runlevel 1 | - | - | - | - | yes | yes |
forbid user list in the display managers | - | - | - | - | yes | yes |
ignore ICMP echo | - | - | - | - | yes | yes |
ignore bogus ICMP error messages | - | - | - | - | yes | yes |
direct root login | yes | yes | yes | yes | - | - |
enable libsafe | - | - | - | - | yes | yes |
forbid at and crontab for the users | - | - | - | - | yes | yes |
password aging (days) | - | - | - | - | 60 | 30 |
forbid autologin | - | - | - | yes | yes | yes |
allow issues (text login prompts) | all | all | all | local | local | none |
. in $PATH | yes | yes | - | - | - | - |
warnings in file /var/log/security.log | - | yes | yes | yes | yes | yes |
warnings directly on tty | - | - | yes | yes | yes | yes |
warnings in syslog | - | - | yes | yes | yes | yes |
warnings sent by e-mail to root | - | - | yes | yes | yes | yes |
all system events additionally logged to /dev/tty12 | - | - | - | yes | yes | yes |
only root can Ctrl-Alt-Del | - | - | - | - | yes | yes |
unknown services are disabled | - | - | - | - | yes | yes |
grants connection from | all | all | all | all | local | none |

A "-" means the feature is not active at that level.
umask for users: sets the umask of normal users to the value for the level. With 002 newly created files are group-writable; with 077 they are readable and writable by their owner only.
umask for root: the same, for root.
access without password: accounts can be entered without a password being asked for.
authorized to connect to X server: who may open a window on your display. all: everybody, from anywhere. local: only clients connecting from localhost. none: nobody.
X server listens to connections from: all: the X server accepts connections over TCP (port 6000 plus the display number) as well as on its UNIX socket. local: it listens on the UNIX socket only, with TCP switched off (the server's -nolisten tcp option).
shell timeout: if the user is inactive for the given number of seconds, the shell exits (bash's TMOUT variable).
su only from members of the wheel group: only members of the wheel group may use su to take the root identity.
shell history size: the number of commands kept in the shell's history at the end of a session.
sulogin in runlevel 1: single-user mode (runlevel 1) runs sulogin, so the root password has to be entered to get the root shell instead of being dropped straight into it.
forbid user list in the display managers: KDM and GDM do not show the list of the system's users on the login screen.
ignore ICMP echo: the machine does not answer ping requests (the net.ipv4.icmp_echo_ignore_all sysctl).
ignore bogus ICMP error messages: malformed ICMP error responses are ignored instead of each one being logged (the net.ipv4.icmp_ignore_bogus_error_responses sysctl).
direct root login: root may log in directly instead of logging in as an ordinary user and switching with su.
enable libsafe: enables the libsafe protection, which intercepts unsafe C library calls such as strcpy and sprintf to block stack-smashing buffer overflows (only activated if the libsafe package is installed).
forbid at and crontab for the users: users cannot use the at and crontab programs; root still can. To authorize only some users, list them in /etc/at.allow and /etc/cron.allow respectively.
password aging (days): passwords expire after a fixed number of days; users must change them before the expiration date or their accounts are deactivated.
forbid autologin: the autologin program, which logs a chosen user in at boot without asking for a password, is disabled.
allow issues (text login prompts): none: no banners are displayed. local: a login banner is displayed on the console only (/etc/issue). all: a login banner is displayed on all login prompts, network logins included (/etc/issue.net).
. in $PATH: the . entry is added to the $PATH environment variable, so programs in the current working directory run by name alone. This is a security hole: anyone who can write to a directory you later change into (/tmp, a shared project directory) can plant an executable named after a common command, and it runs with your privileges the next time you type that command there.
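To see the hole concretely, here is an added shell example (not part of msec or of this manual): it plants an executable called ls in a scratch directory, changes into it, and resolves which ls the shell would run under a PATH that starts with "." and under one without it. The scratch directory and the TROJAN marker are constructed for the demonstration; /bin and /usr/bin are assumed to hold the real ls.

```sh
#!/bin/sh
# Added example (not msec's code): how "." in $PATH lets a planted file shadow
# a real command. Everything happens in a constructed temporary directory.

# resolve_ls_under_path PATH_VALUE
#   Prints the program the shell would execute for "ls" from the current
#   directory if PATH were PATH_VALUE. The subshell keeps the caller's PATH intact.
resolve_ls_under_path() {
    ( PATH=$1; command -v ls )
}

# demo_dot_path
#   Plants ./ls in a scratch directory (what an attacker would drop into a
#   world-writable place such as /tmp), then resolves "ls" twice:
#     line 1: PATH beginning with "." -> the planted file ("./ls")
#     line 2: PATH without "."        -> the real binary (e.g. "/bin/ls")
demo_dot_path() {
    tmp=$(mktemp -d)
    # the planted program; it would run with the privileges of whoever types "ls"
    printf '#!/bin/sh\necho TROJAN: running as $(id -un)\n' > "$tmp/ls"
    chmod 755 "$tmp/ls"
    ( cd "$tmp" &&
      resolve_ls_under_path ".:/bin:/usr/bin" &&
      resolve_ls_under_path "/bin:/usr/bin" )
    rm -rf "$tmp"
}

demo_dot_path
```

The same resolution happens for any command typed in that directory, which is why the hardening removes "." from $PATH rather than relying on users to notice.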
warnings in file /var/log/security.log: each warning found by the daily check is logged to /var/log/security.log.
warnings directly on tty: each warning issued by the daily check is printed directly on the root user's console.
warnings in syslog: warnings issued by the daily check are sent to the syslog service.
warnings sent by e-mail to root: warnings issued by the daily check are also mailed to root.
unknown services are disabled: when a package is installed, its service is registered with chkconfig --add <service> only if the service's name appears in /etc/security/msec/server; any other service stays disabled until you enable it yourself.
grants connection from: all: any host may connect to the open ports. local: only the localhost may connect to the open ports. none: no host may connect to the open ports.
This protection is provided by the tcp wrappers package, so it only covers services started through tcpd or an inetd/xinetd built with it, or linked against libwrap; a daemon that never consults hosts.allow and hosts.deny is not filtered by it. To grant access to a service while none are allowed, use the /etc/hosts.allow file, which is consulted before /etc/hosts.deny and wins on the first match. For example, to accept ssh connections from everywhere, add the following line to /etc/hosts.allow:
sshd: ALL
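The order in which tcpd consults the two files is what makes that exception work: hosts.allow is searched first and the first match grants access, then hosts.deny is searched and the first match refuses it, and a client matched by neither is allowed. The following added shell script (not msec's or tcp_wrappers' code) reproduces that decision for the patterns ALL, LOCAL, an exact host or address, a trailing-dot network prefix and a leading-dot domain suffix, over a constructed hosts.allow/hosts.deny pair written to a temporary directory. Netmask forms, EXCEPT, KNOWN/UNKNOWN/PARANOID and the option field of the real syntax are not implemented.

```sh
#!/bin/sh
# Added example (not msec's or tcp_wrappers' code): the hosts.allow / hosts.deny
# decision tcpd applies, reduced to ALL, LOCAL, exact host or address,
# "192.168.1." style network prefixes and ".example.com" style domain suffixes.

# pattern_matches PATTERN VALUE -> exit 0 if PATTERN covers VALUE
pattern_matches() {
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;  # LOCAL = name without a dot
        *.)    case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;; # network prefix
        .*)    case "$2" in *"$1") return 0 ;; *) return 1 ;; esac ;; # domain suffix
        *)     [ "$1" = "$2" ] ;;                                     # exact host or address
    esac
}

# list_matches LIST VALUE -> exit 0 if any comma-separated pattern in LIST covers VALUE
list_matches() {
    saved_ifs=$IFS; IFS=','
    for item in $1; do
        item=$(printf '%s' "$item" | tr -d ' \t')
        if pattern_matches "$item" "$2"; then IFS=$saved_ifs; return 0; fi
    done
    IFS=$saved_ifs
    return 1
}

# file_matches FILE DAEMON CLIENT -> exit 0 if a "daemon_list : client_list"
# rule in FILE matches; comments are stripped and a missing file matches nothing
file_matches() {
    [ -f "$1" ] || return 1
    hit=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while IFS= read -r rule; do
        daemons=${rule%%:*}
        clients=${rule#*:}; clients=${clients%%:*}   # drop any trailing option field
        if list_matches "$daemons" "$2" && list_matches "$clients" "$3"; then
            echo hit; break
        fi
    done)
    [ "$hit" = hit ]
}

# tcpd_decision ALLOW_FILE DENY_FILE DAEMON CLIENT -> prints allow or deny
tcpd_decision() {
    if file_matches "$1" "$3" "$4"; then echo allow      # hosts.allow is searched first
    elif file_matches "$2" "$3" "$4"; then echo deny     # then hosts.deny
    else echo allow                                      # matched by neither: allowed
    fi
}

# demo_tcpd DAEMON CLIENT
#   "grants connection from: none" (hosts.deny = ALL: ALL) with the sshd
#   exception from the text, plus a LAN-and-local-hosts exception for portmap.
#   Both files are constructed samples.
demo_tcpd() {
    dir=$(mktemp -d)
    cat > "$dir/hosts.allow" <<'EOF'
# constructed sample
sshd: ALL
portmap: 192.168.1., LOCAL
EOF
    cat > "$dir/hosts.deny" <<'EOF'
ALL: ALL
EOF
    tcpd_decision "$dir/hosts.allow" "$dir/hosts.deny" "$1" "$2"
    rm -rf "$dir"
}

demo_tcpd sshd 10.0.0.5        # allow
demo_tcpd portmap 10.0.0.5     # deny
```

Because an absent or non-matching hosts.deny means "allow", the "none" setting only holds as long as the ALL: ALL line stays in /etc/hosts.deny; check both files after editing one.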
At security levels above 0 the checks run every night (except the promiscuous check, which runs every minute).
Feature \ Level | 0 | 1 | 2 | 3 | 4 | 5 |
---|---|---|---|---|---|---|
global security check | - | yes | yes | yes | yes | yes |
suid root files check | - | - | yes | yes | yes | yes |
suid root files MD5 check | - | - | yes | yes | yes | yes |
writable files check | - | - | yes | yes | yes | yes |
permissions check | - | - | - | yes | yes | yes |
sgid files check | - | - | yes | yes | yes | yes |
unowned files check | - | - | - | - | yes | yes |
promiscuous check | - | - | - | - | yes | yes |
listening port check | - | - | - | yes | yes | yes |
passwd file integrity check | - | - | - | yes | yes | yes |
shadow file integrity check | - | - | - | yes | yes | yes |
integrity check from the RPM database | - | - | - | yes | yes | yes |

A "-" means the check is not run at that level.
Note that seven of the twelve periodic checks detect changes on the system: they save what they found at the previous check (the day before) under /var/log/security/ and warn you of anything that has changed since. These checks are:
suid root files check
suid root files MD5 check
writable files check
sgid files check
unowned files check
listening port check
integrity check from the RPM database
The global security check reports the following conditions:
"NFS filesystems globally exported": regarded as insecure, since nothing restricts who may mount these filesystems.
"NFS mounts with missing nosuid": filesystems mounted without the nosuid option. nosuid makes the kernel ignore the setuid bit on that filesystem, so without it a setuid program placed on the remote share works on this machine.
"Host trusting files contain + sign": one of /etc/hosts.equiv, /etc/shosts.equiv or /etc/hosts.lpd contains a + entry, which trusts every host and lets them connect without proper authentication.
"Executables found in the aliases files": names the programs that mail is piped to through /etc/aliases and /etc/postfix/aliases (entries of the form alias: "|/path/to/program"); each such entry is code that any remote sender can trigger.
suid root files check: looks for setuid root files that appeared or disappeared since the previous check. If any are found, the list is issued as a warning.
suid root files MD5 check: computes the MD5 hash of every setuid root file and compares it with the hash stored at the previous check. A changed hash means the program was modified, possibly to plant a back door, and a warning is issued.
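What these two checks do, as an added shell script (not msec's own code): list the setuid files owned by a given user, diff that list against the one saved by the previous run, hash each file and report hashes that changed. The tree it runs on is constructed in a temporary directory and, so that it works without root, the files are owned by the current user rather than root; the real checks use root and walk the whole system. Paths containing spaces are not handled, since md5sum's output is split on whitespace.

```sh
#!/bin/sh
# Added example (not msec's code): a previous-run comparison of setuid files,
# the mechanism behind the "suid root files" and "suid root files MD5" checks.

# suid_check ROOT STATE_DIR OWNER
#   Lists files under ROOT with the setuid bit and owner OWNER (root on a real
#   system), then reports against the state saved by the previous run:
#     new: PATH       setuid file that was not there last time
#     removed: PATH   setuid file that disappeared
#     changed: PATH   same path, different MD5 -> the binary was modified
#   STATE_DIR/suid.list and STATE_DIR/suid.md5 are rewritten for the next run.
suid_check() {
    root=$1; state=$2; owner=$3
    mkdir -p "$state"
    # -perm -4000: setuid bit set; -xdev: do not cross into other filesystems
    find "$root" -xdev -type f -perm -4000 -user "$owner" 2>/dev/null \
        | LC_ALL=C sort > "$state/suid.list.new"
    # md5sum prints "HASH  PATH"; one line per setuid file
    while IFS= read -r f; do md5sum "$f"; done \
        < "$state/suid.list.new" > "$state/suid.md5.new"
    if [ -f "$state/suid.list" ]; then
        LC_ALL=C comm -13 "$state/suid.list" "$state/suid.list.new" | sed 's/^/new: /'
        LC_ALL=C comm -23 "$state/suid.list" "$state/suid.list.new" | sed 's/^/removed: /'
    fi
    if [ -f "$state/suid.md5" ]; then
        # paths present in both runs whose hash differs
        awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
             ($2 in old) && old[$2] != $1 { print "changed: " $2 }' \
            "$state/suid.md5" "$state/suid.md5.new"
    fi
    mv "$state/suid.list.new" "$state/suid.list"
    mv "$state/suid.md5.new" "$state/suid.md5"
}

# demo_suid_check
#   Constructed tree: two setuid "binaries", a baseline run, then a backdoored
#   passwd, a new setuid su and a removed ping, and the run that reports them.
#   Files are owned by the current user so the demo needs no root.
demo_suid_check() {
    tmp=$(mktemp -d); me=$(id -un)
    mkdir -p "$tmp/root/bin" "$tmp/state"
    printf '#!/bin/sh\necho ping\n'   > "$tmp/root/bin/ping"
    printf '#!/bin/sh\necho passwd\n' > "$tmp/root/bin/passwd"
    chmod 4755 "$tmp/root/bin/ping" "$tmp/root/bin/passwd"
    suid_check "$tmp/root" "$tmp/state" "$me" > /dev/null   # first run: baseline only
    printf '#!/bin/sh\nexec /bin/sh\n' > "$tmp/root/bin/passwd"   # the "back door"
    printf '#!/bin/sh\necho su\n'      > "$tmp/root/bin/su"
    # writing to a setuid file as a non-root user clears the bit, so set it again
    chmod 4755 "$tmp/root/bin/passwd" "$tmp/root/bin/su"
    rm "$tmp/root/bin/ping"
    suid_check "$tmp/root" "$tmp/state" "$me" | sed "s#$tmp/root##"
    rm -rf "$tmp"
}

demo_suid_check
```

The saved state is what an attacker who has already gained root would edit to silence the check, which is why a copy of the hashes kept off the machine is worth more than the one under /var/log/security/.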
writable files check: looks for world-writable files on the system and, if any exist, issues a warning listing them.
permissions check: checks the permissions of some sensitive files such as .netrc and the users' configuration files, and the permissions and ownership of the users' home directories. Permissions that are too loose, or an unexpected owner, produce a warning.
sgid files check: looks for setgid files that appeared or disappeared since the previous check and issues the list as a warning.
unowned files check: searches for files whose owner or group is not known to the system. Such files are automatically chowned to nobody.nogroup, so, unlike the other checks, this one does change the system.
promiscuous check: tests every Ethernet card to see whether it is in "promiscuous" mode, in which the card passes up every packet it receives, including those not addressed to it. This usually means a sniffer is running on the machine. This check is scheduled every minute rather than nightly.
listening port check: issues a warning listing all listening ports, and reports those that appeared or disappeared since the previous check.
passwd file integrity check: verifies that every user has a password (not a blank or easily guessed one) and that it is shadowed, i.e. stored in /etc/shadow rather than in the world-readable /etc/passwd.
shadow file integrity check: verifies that every entry in the shadow file has a password (not a blank one).
integrity check from the RPM database: verifies, against the RPM database, that no file belonging to an installed package has changed, and that no package has been installed, removed or updated since the previous run.