12.3. Security Levels Features

What follows is a description of the security features brought by each level. They are of two types: system hardening, which changes the system, and periodic checks, which do not.

12.3.1. Hardening System

The hardening system type changes the permissions, owners and groups of files and directories on the system according to the security level.

It also changes the configuration files to match the defined security level and restarts the affected programs so that the changes take effect. The hardening system type is run every hour. All changes are logged to syslog.

Feature \ Level                                      0      1      2      3      4      5
umask for users                                      002    002    002    002    077    077
umask for root                                       002    002    002    002    002    077
access without password                              yes    -      -      -      -      -
authorized to connect to X server                    all    local  local  none   none   none
X server listens to connections from                 all    all    all    all    local  local
shell timeout                                        none   none   none   none   3600   900
su only from members of the wheel group              -      -      -      -      -      yes
shell history size                                   -      -      -      -      10     10
sulogin in runlevel 1                                -      -      -      -      yes    yes
forbid user list in the display managers             -      -      -      -      yes    yes
ignore ICMP echo                                     -      -      -      -      yes    yes
ignore bogus ICMP error message                      -      -      -      -      yes    yes
direct root login                                    yes    yes    yes    yes    -      -
enable libsafe                                       -      -      -      -      yes    yes
forbid at and crontab for the users                  -      -      -      -      yes    yes
password aging (days)                                -      -      -      -      60     30
forbid autologin                                     -      -      -      yes    yes    yes
allow issues (text login prompts)                    all    all    all    local  local  none
. in $PATH                                           yes    yes    -      -      -      -
warnings in file /var/log/security.log               -      yes    yes    yes    yes    yes
warnings directly on tty                             -      -      yes    yes    yes    yes
warnings in syslog                                   -      -      yes    yes    yes    yes
warnings sent by e-mail to root                      -      -      yes    yes    yes    yes
all system events additionally logged to /dev/tty12  -      -      -      yes    yes    yes
only root can Ctrl-Alt-Del                           -      -      -      -      yes    yes
unknown services are disabled                        -      -      -      -      yes    yes
grants connection from                               all    all    all    all    local  none

A dash (-) means the feature is not enabled at that level.

12.3.1.1. umask For Users

Simply sets the umask for normal users to the value corresponding to the security level.

12.3.1.2. umask For Root

Same as above, but for root.

12.3.1.3. Access Without Password

Access to the accounts is granted without asking for a password.

12.3.1.4. Authorization to Connect to The X Server

  1. all: everybody from everywhere can open an X window on your screen.

  2. local: only people connected at localhost may open an X window on your screen.

  3. none: nobody can.

12.3.1.5. X Server Listens to Connections From...

  1. all: the X server listens for connections over TCP.

  2. local: the X server only listens on its UNIX domain socket.

12.3.1.6. Shell Timeout

If the user is inactive for the given number of seconds, the shell exits.

12.3.1.7. su Only From Members of The Wheel Group

Only members of the wheel group are allowed to use su to take the root identity.

12.3.1.8. Shell History Size

The number of commands saved to the history file when a shell exits.

12.3.1.9. sulogin in Runlevel 1

sulogin protects access to single-user mode (runlevel 1): the root password must be entered to obtain a shell.

12.3.1.10. Forbid User List in The Display Managers

Forbid the display of the list of users on the system in KDM and GDM.

12.3.1.11. Ignore ICMP Echo

Don't answer to ping requests.

12.3.1.12. Ignore Bogus ICMP Error Message

Don't handle bogus ICMP error messages.

12.3.1.13. Direct Root Login

Allow direct root login without using the su program.

12.3.1.14. Enable libsafe

Enable libsafe protection (only activated if the libsafe package is installed).

12.3.1.15. Forbid at And crontab For The Users

Users cannot use the at and crontab programs. However, they can still be used by the root account. If you want to authorize only some users, add them to /etc/at.allow and /etc/cron.allow respectively.

12.3.1.16. Password Aging

Passwords expire after a fixed number of days; users need to change them before the expiration date if they don't want their accounts deactivated.

12.3.1.17. Forbid autologin

The autologin program is forbidden.

12.3.1.18. Allow Issues

If set to none, no banners are displayed. If set to local, only a login banner is displayed on the console. If set to all, a login banner is displayed on all login prompts.

12.3.1.19. . in $PATH

The . entry is added to the $PATH environment variable, allowing easy execution of programs within the current working directory (it is also, to some extent, a security hole).

12.3.1.20. Warnings in The security.log File

Each warning the daily check finds is logged to the /var/log/security.log file.

12.3.1.21. Warnings Directly on tty

Each warning issued by the daily check is directly printed to the root user's console.

12.3.1.22. Warnings in syslog

Warnings issued during the daily check are directed to the syslog service.

12.3.1.23. Warnings Sent by E-mail to Root

Warnings issued by the daily check are also sent by e-mail to root.

12.3.1.24. Unknown Services Are Disabled

When a package is installed, its service is registered with chkconfig --add <service> only if the name of the service appears in the /etc/security/msec/server file.

12.3.1.25. Grants Connection To...

  1. all: all computers are allowed to connect to open ports.

  2. local: only the localhost is allowed to connect to open ports.

  3. none: no computers are allowed to connect to open ports.

This protection is provided by the TCP wrappers package. If you want to grant access to a service while the level allows none, use the /etc/hosts.allow file. For example, to accept ssh connections from everywhere, add the following line to /etc/hosts.allow:

sshd: ALL
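The lookup order that TCP wrappers applies to an incoming connection, and the effect of the three settings above together with the sshd exception, can be reproduced offline. The following shell script is an added example; it is neither msec's code nor the rule files msec writes. It implements a subset of the hosts_access(5) syntax (daemon and client lists, ALL, LOCAL, exact names, trailing-dot network prefixes, # comments) and answers whether a given daemon/client pair would be granted. The rule sets at the bottom are constructed to illustrate the all, local and none settings.

```shell
#!/bin/sh
# Added example (not msec's code): evaluates whether TCP wrappers would grant a
# connection, following the hosts_access(5) order: first match in hosts.allow
# grants, otherwise first match in hosts.deny refuses, otherwise granted.
# Subset implemented: "daemons : clients" lines, comma-separated lists,
# ALL, LOCAL (a name without a dot), exact names/addresses, trailing-dot
# network prefixes such as 192.168.1., and # comments. Option fields after a
# second colon (spawn, twist, ...) are not handled.

wrap_match() {   # $1 pattern, $2 daemon name or client; succeeds when the pattern covers the value
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;
        *.)    case "$2" in "$1"*) return 0 ;; esac ;;
        *)     if [ "$1" = "$2" ]; then return 0; fi ;;
    esac
    return 1
}

wrap_file_matches() {   # $1 rule text, $2 daemon, $3 client; succeeds when some line matches
    while IFS= read -r line; do
        line=${line%%#*}                                    # drop comments
        case "$line" in *:*) ;; *) continue ;; esac         # skip blank or malformed lines
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}"  | tr ',' ' ')
        for d in $daemons; do
            if wrap_match "$d" "$2"; then
                for c in $clients; do
                    if wrap_match "$c" "$3"; then return 0; fi
                done
            fi
        done
    done <<EOF
$1
EOF
    return 1
}

hosts_access() {   # $1 hosts.allow text, $2 hosts.deny text, $3 daemon, $4 client; prints granted|refused
    if wrap_file_matches "$1" "$3" "$4"; then
        echo granted
    elif wrap_file_matches "$2" "$3" "$4"; then
        echo refused
    else
        echo granted          # no rule matched: TCP wrappers lets the connection through
    fi
}

# Constructed rule sets illustrating the three settings (not the files msec
# generates, only examples with the same effect):
ALLOW_LOCAL='ALL: LOCAL          # "local": only the local host'
DENY_ALL='ALL: ALL               # refuse everything not allowed above'
ALLOW_SSH_ONLY='sshd: ALL        # "none" plus the sshd exception from the text'

hosts_access ""                "" sshd 10.0.0.5                   # all: granted
hosts_access "$ALLOW_LOCAL"    "$DENY_ALL" sshd localhost         # local: granted
hosts_access "$ALLOW_LOCAL"    "$DENY_ALL" sshd 10.0.0.5          # local: refused
hosts_access "$ALLOW_SSH_ONLY" "$DENY_ALL" sshd 10.0.0.5          # none + sshd exception: granted
hosts_access "$ALLOW_SSH_ONLY" "$DENY_ALL" in.ftpd 10.0.0.5       # none + sshd exception: refused
```

Because an unmatched connection is granted, the deny file has to carry the catch-all ALL: ALL line for the local and none settings to mean anything; a hosts.allow entry alone only ever widens access.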

12.3.2. Periodic Checks

If the security level is greater than 0, the checks are run every night.

Feature \ Level                         0      1      2      3      4      5
global security check                   -      yes    yes    yes    yes    yes
suid root files check                   -      -      yes    yes    yes    yes
suid root files MD5 check               -      -      yes    yes    yes    yes
writable files check                    -      -      yes    yes    yes    yes
permissions check                       -      -      -      yes    yes    yes
suid group files check                  -      -      yes    yes    yes    yes
unowned files check                     -      -      -      -      yes    yes
promiscuous check                       -      -      -      -      yes    yes
listening port check                    -      -      -      yes    yes    yes
passwd file integrity check             -      -      -      yes    yes    yes
shadow file integrity check             -      -      -      yes    yes    yes
integrity check from the RPM database   -      -      -      yes    yes    yes

A dash (-) means the check is not run at that level.

Note that seven of the twelve periodic checks detect changes on the system: they keep a record of the system's state at the previous check (one day earlier) in files under the /var/log/security/ directory and warn you of any changes that have occurred since. These checks are:

12.3.2.1. Global Security Check

  1. "NFS filesystems globally exported": this is regarded as insecure because there is no restriction on who may mount these filesystems.

  2. "NFS mounts with missing nosuid": these filesystems are mounted without the nosuid option, which would stop setuid programs located on them from taking effect on the machine.

  3. "Host trusting files contain + sign": one of the files /etc/hosts.equiv, /etc/shosts.equiv or /etc/hosts.lpd contains a + entry, which trusts every host and lets its users connect without proper authentication.

  4. "Executables found in the aliases files": a warning names the executables that are run through the two alias files /etc/aliases and /etc/postfix/aliases.

12.3.2.2. suid root Files Check

Checks for new or removed suid root files on the system. If such files are found, a list of them is issued as a warning.

12.3.2.3. suid root File MD5 Check

Checks the MD5 checksum of each suid root file on the system. If a checksum has changed, the program has been modified, possibly to insert a back-door, and a warning is issued.
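The new/removed comparison of the suid root files check and the checksum comparison of the MD5 check above share one mechanism: a snapshot of today's state is compared with the snapshot kept from the previous run. The script below is an added example of that mechanism, not msec's own code. Its assumptions are not taken from the page: snapshots are written to the state directory given as the second argument (the real checks keep theirs under /var/log/security/), only the directory given as the first argument is scanned, any setuid file is matched rather than only root-owned ones (an unprivileged demo cannot create root-owned files), and paths contain no whitespace.

```shell
#!/bin/sh
# Added example (not msec's code): a miniature of the suid root files check
# and the suid root files MD5 check. Each run snapshots the setuid files under
# a directory as "md5  path" lines, keeps the previous run's snapshot, and
# warns about files that appeared, disappeared or changed content.
# Assumptions not taken from the page: snapshots go to the state directory
# given as $2 (the real checks use /var/log/security/), only $1 is scanned,
# any setuid file is matched rather than root-owned ones only, and paths
# contain no whitespace. md5sum and comm from GNU coreutils are assumed.

suid_snapshot() {   # $1 directory to scan, $2 snapshot file to write
    find "$1" -type f -perm -4000 -exec md5sum {} + 2>/dev/null | sort -k2 > "$2"
}

suid_check() {      # $1 scan dir, $2 state dir; warnings go to stderr, the warning count to stdout
    scan=$1; state=$2
    today=$state/suid.today; yesterday=$state/suid.yesterday
    mkdir -p "$state"
    if [ -f "$today" ]; then mv "$today" "$yesterday"; fi
    suid_snapshot "$scan" "$today"
    if [ ! -f "$yesterday" ]; then
        echo "first run: baseline recorded in $today" >&2
        echo 0
        return 0
    fi
    awk '{print $2}' "$yesterday" | sort > "$state/paths.yesterday"
    awk '{print $2}' "$today"     | sort > "$state/paths.today"
    count=0
    for f in $(comm -13 "$state/paths.yesterday" "$state/paths.today"); do   # only in today
        echo "WARNING: new suid file: $f" >&2; count=$((count + 1))
    done
    for f in $(comm -23 "$state/paths.yesterday" "$state/paths.today"); do   # only in yesterday
        echo "WARNING: suid file removed: $f" >&2; count=$((count + 1))
    done
    for f in $(comm -12 "$state/paths.yesterday" "$state/paths.today"); do   # in both: compare MD5
        old=$(awk -v p="$f" '$2 == p { print $1 }' "$yesterday")
        new=$(awk -v p="$f" '$2 == p { print $1 }' "$today")
        if [ "$old" != "$new" ]; then
            echo "WARNING: suid file changed (possible back-door): $f" >&2; count=$((count + 1))
        fi
    done
    echo "$count"
}

suid_check_demo() {   # constructed scenario; prints the warning count of three successive runs
    d=$(mktemp -d); mkdir -p "$d/bin"
    printf 'v1\n' > "$d/bin/ping"; chmod 4755 "$d/bin/ping"   # setuid file present in the baseline
    printf 'ls\n' > "$d/bin/ls";   chmod 0755 "$d/bin/ls"     # ordinary file, ignored by the check
    r1=$(suid_check "$d/bin" "$d/state")                       # baseline run: 0 warnings
    # Writing to a setuid file as an unprivileged user clears the setuid bit,
    # so the bit is set again after the content is modified.
    printf 'v2\n' > "$d/bin/ping"; chmod 4755 "$d/bin/ping"   # content changed
    printf 'x\n'  > "$d/bin/su";   chmod 4755 "$d/bin/su"     # new setuid file
    r2=$(suid_check "$d/bin" "$d/state")                       # changed + new: 2 warnings
    rm "$d/bin/su"
    r3=$(suid_check "$d/bin" "$d/state")                       # removed: 1 warning
    rm -rf "$d"
    echo "$r1 $r2 $r3"                                         # prints "0 2 1"
}

suid_check_demo
```

The first run only records a baseline, so a machine that is already compromised when the check is first enabled produces no warning; the comparison is only as trustworthy as the snapshot it starts from, which is why the RPM database check in 12.3.2.12 is a useful complement.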

12.3.2.4. Writable Files Check

Checks whether any files on the system are world-writable. If so, it issues a warning listing these naughty files.

12.3.2.5. Permissions Check

This one checks the permissions of some special files such as .netrc or users' configuration files. It also checks the permissions of users' home directories. If the permissions are too loose or the owner is unusual, it issues a warning.

12.3.2.6. sgid Files Check

Checks for new or removed sgid files on the system. If such files are found, a list of them is issued as a warning.

12.3.2.7. Unowned Files Check

This check searches for files owned by users or groups unknown to the system. If such files are found, their owner is automatically changed to the nobody.nogroup user/group.

12.3.2.8. Promiscuous Check

This test checks each Ethernet card to determine whether it is in "promiscuous" mode. In this mode the card captures every packet that reaches it, including those not addressed to it, which may mean that a sniffer is running on your machine. Note that this check is set up to be run every minute.

12.3.2.9. Listening Port Check

Issues a warning listing all listening ports.

12.3.2.10. passwd File Integrity Check

Verifies that each user has a password (neither blank nor easy to guess) and checks that it is shadowed.

12.3.2.11. shadow File Integrity Check

Verifies that each user in the shadow file has a password (not a blank one).
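The password aging setting (12.3.1.16) and the two integrity checks just described come down to a few field tests over /etc/passwd and /etc/shadow. The script below is an added example, not msec's code, and runs over constructed file contents passed as arguments rather than the real files; the maximum password age is an argument, and the easy-to-guess-password part of the passwd check is out of scope because it needs dictionary checking rather than field inspection.

```shell
#!/bin/sh
# Added example (not msec's code): offline versions of the password aging,
# passwd integrity and shadow integrity checks, run over constructed file
# contents passed as arguments instead of /etc/passwd and /etc/shadow.
# Reported: passwd entries with an empty password field, passwd entries whose
# password hash sits in passwd itself instead of being shadowed ("x"),
# shadow entries with an empty password, and shadow entries whose maximum
# password age (field 5) is missing or above the limit for the level.
# Easy-to-guess passwords are not tested here; that needs a dictionary check.

# Constructed sample data; the hashes are placeholders, not real hashes.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob::1001:1001::/home/bob:/bin/bash
carol:$1$saltsalt$placeholderhash:1002:1002::/home/carol:/bin/bash'

SAMPLE_SHADOW='root:$6$saltsalt$placeholderhash:15000:0:99999:7:::
alice:$6$saltsalt$placeholderhash:15000:0:30:7:::
dave::15000:0:30:7:::
eve:$6$saltsalt$placeholderhash:15000:0:90:7:::
mail:*:15000:0:99999:7:::'

password_checks() {   # $1 passwd text, $2 shadow text, $3 max password age in days; one warning per line
    printf '%s\n' "$1" | awk -F: '
        $2 == ""  { print "WARNING: passwd: " $1 " has an empty password"; next }
        $2 != "x" { print "WARNING: passwd: " $1 " password is not shadowed" }'
    printf '%s\n' "$2" | awk -F: -v max="$3" '
        $2 == ""     { print "WARNING: shadow: " $1 " has an empty password"; next }
        $2 ~ /^[!*]/ { next }                      # locked or system account: no ageing to check
        $5 == "" || $5 + 0 > max {
            print "WARNING: shadow: " $1 " password expires after " ($5 == "" ? "never" : $5 " days") ", limit is " max
        }'
}

password_check_count() {   # same arguments; prints the number of warnings
    password_checks "$1" "$2" "$3" | wc -l | tr -d ' '
}

password_checks "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" 30   # prints 5 warnings for the sample data
```

With the level-5 limit of 30 days, the sample data yields five warnings: bob (empty field in passwd), carol (hash kept in passwd), dave (empty field in shadow), and root and eve (maximum age above the limit); the locked mail account is skipped because there is nothing to age.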

12.3.2.12. Integrity Check From The RPM Database

Verifies that no file belonging to an installed package has changed, and that no package has been installed, removed or updated since the last run.


Linux is a registered trademark of Linus Torvalds. All other trademarks and copyrights are the property of their respective owners.
Unless otherwise stated, all the content of these pages and all images are Copyright MandrakeSoft S.A. and MandrakeSoft Inc. 2002.
http://www.mandrakelinux.com/