
Contents of /msec/trunk/TODO



Revision 5960 - (show annotations) (download)
Thu Sep 20 09:00:59 2012 UTC (11 years, 6 months ago) by dmorgan
File size: 15063 byte(s)
Import msec
Some new stuff I thought should be implemented as well... And yes they keep
on coming!!!!!!!!! : )
3
######## Begin new stuff ##############
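#!/bin/bash

#Logging
# Offer extra syslog destinations (auth, kernel and mail traffic each to a
# dedicated tty). The three questions are independent once the user opts in,
# and syslog is restarted once if any rule was added. The original nested
# each question inside the previous "yes", lacked the fourth "fi" and only
# restarted syslog from the innermost branch. Relies on WaitAnswer (sets
# ${answer}) and AddRules from lib.sh.

echo "Would you like to set up additional logging ?"
echo "Logging will still go to its respective places in /var/log as well."
WaitAnswer;clear
if [[ ${answer} == yes ]]; then
  syslog_changed=no

  echo "Would you like for auth and warnings to be logged to tty11 ?"
  WaitAnswer;clear
  if [[ ${answer} == yes ]]; then
    AddRules "authpriv.* /dev/tty11" /etc/syslog.conf
    syslog_changed=yes
  fi

  echo "Would you like kernel logging to go tty10 ?"
  WaitAnswer;clear
  if [[ ${answer} == yes ]]; then
    AddRules "kern.* /dev/tty10" /etc/syslog.conf
    syslog_changed=yes
  fi

  echo "Would you like mail logging to go tty9 ?"
  echo "This is only useful if you're running a mail server(sendmail)."
  WaitAnswer;clear
  if [[ ${answer} == yes ]]; then
    AddRules "mail.* /dev/tty9" /etc/syslog.conf
    syslog_changed=yes
  fi

  # Restart once so every new rule takes effect, not only the last one.
  if [[ ${syslog_changed} == yes ]]; then
    /etc/rc.d/init.d/syslog restart > /dev/null
  fi
fi
#End of logging
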
Is BSD style process accounting on by default in Mandrake ?
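# BSD style process accounting: accton(8) is started from rc.local and the
# fast-growing /var/log/pacct is rotated by logrotate, which must restart
# accounting on the fresh file (postrotate ... endscript).
echo "We can setup your system to log who does what commands and when..."
echo "May we set up proccess accounting ?"
echo "The log file will get filled up VERY quickly"
WaitAnswer;clear
if [[ ${answer} == yes ]]; then
  # The original mixed /sbin/accton and /usr/sbin/accton; resolve the
  # installed binary once and use the same path in both places.
  accton_bin=$(command -v accton) || accton_bin=/sbin/accton
  # This probably needs its own script though
  AddRules "${accton_bin} /var/log/pacct" /etc/rc.d/rc.local
  # Append the stanza once so re-running the script does not duplicate it.
  # The original wrote the closing brace as 'echo >> "}" file', which created
  # a file literally named "}" and left the stanza unclosed, and it had no
  # "endscript", which logrotate requires to end a postrotate block.
  if ! grep -q '^/var/log/pacct' /etc/logrotate.conf; then
    cat >> /etc/logrotate.conf <<EOF
/var/log/pacct {
    postrotate
        ${accton_bin} /var/log/pacct
    endscript
}
EOF
  fi
fi
#End BSD style process accounting
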
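#PAM stuff
# pam_limits: cap the per-user process count and, optionally, the size of any
# single file via /etc/security/limits.conf. Entries have the form
# "<domain> <type> <item> <value>"; the original wrote "* hard <size>" with
# no item name, which is not a valid fsize limit.
#default file size limit (limits.conf fsize is in KB, so 40000 ~ 40MB)
dfsize=40000
echo "We help prevent certain types of DoS attacks through the use of
PAM(Pluggable Authentication Modules.)"
echo "By setting a limit on how big user files may get and how many processes a
user may run."
echo "Would you like to set up some PAM configuration ?"
WaitAnswer;clear
if [[ ${answer} == yes ]]; then
  # NOTE(review): the "*" domain is every account -- confirm root is meant
  # to be covered by the hard nproc cap before relying on it.
  AddRules "# Limit user processes" /etc/security/limits.conf
  AddRules "* soft nproc 100" /etc/security/limits.conf
  AddRules "* hard nproc 150" /etc/security/limits.conf
  echo "Would you like to set a maximum file size a user is allowed ?"
  WaitAnswer;clear
  if [[ ${answer} == yes ]]; then
    echo "What shall be the maximum file size(default it 40000 = 40MB)"
    # Empty input means the default; anything else must be a plain number,
    # otherwise a garbage line would be written into limits.conf.
    fsize=
    while [[ -z ${fsize} ]]; do
      echo -n "Size[${dfsize}]: "
      read -r fsize
      fsize=${fsize:-${dfsize}}
      if ! [[ ${fsize} =~ ^[0-9]+$ ]]; then
        echo "Please enter a number of KB."
        fsize=
      fi
    done
    AddRules "# limits size of any one of users' files" /etc/security/limits.conf
    AddRules "* hard fsize ${fsize}" /etc/security/limits.conf
  fi
fi
#End PAM stuff


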
**********************************

###########Begin modified custom.sh######################
#!/bin/bash

#
# Security level implementation...
# Writen by Vandoorselaere Yoann
#

# Everything below relies on helpers from lib.sh (WaitAnswer, AddRules,
# LiloUpdate); without it there is nothing this script can do.
lsec_lib=/usr/share/lsec/lib.sh
if [[ ! -f ${lsec_lib} ]]; then
  echo "Can't find ${lsec_lib}, exiting."
  exit 1
fi
. "${lsec_lib}"

clear

# Flipped to "true" by any of the daily-check questions; decides whether the
# security.sh crontab entry gets written near the end.
WRITE_CRON="false"

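###
# Confirmation gate: ctrl-c aborts, enter continues. The typed line is
# discarded; "read -r" so a trailing backslash cannot make read swallow the
# next input line as well (the original's plain "read FOO" would have).
echo "This script allows you to customize the security on your system. "
echo "If you feel at all you don't know what you're doing abort now!!! "
echo "'ctrl-c' to abort"
echo -n "Otherwise, please press [enter] to continue "
read -r _
clear
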
###
# Mirror every syslog facility and priority onto tty12 so a spare console
# shows the live log.
echo "Do you want all system events to be logged on tty12 ?"
WaitAnswer; clear
[[ ${answer} == yes ]] && AddRules "*.* /dev/tty12" /etc/syslog.conf

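###
# Append a one-line mail notification to /root/.bashrc so every interactive
# root shell mails "root" (AddRules from lib.sh does the append). Any earlier
# copy of the line is stripped first so re-running does not duplicate it.
echo "Do you want to be notified by mail of _all_ root logins ?"
echo "(This is strongly recommended)"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
  if [[ -s /root/.bashrc ]]; then
    # Private temp file instead of the fixed /tmp/bashrc: a fixed name in a
    # world-writable directory can be pre-created or symlinked by another
    # user before root writes to it.
    bashrc_tmp=$(mktemp /tmp/bashrc.XXXXXX) || { echo "mktemp failed" >&2; exit 1; }
    cp /root/.bashrc "${bashrc_tmp}"
    sed '/root login/d' "${bashrc_tmp}" > /root/.bashrc
    # One line: the original split the command over two lines, which would
    # have left '"Root Login" root' as a separate, broken statement in .bashrc.
    AddRules 'echo "root login Check your syslog /var/log/messages" | /bin/mail -s "Root Login" root' /root/.bashrc
    rm -f "${bashrc_tmp}"
    echo "Done"
  else
    # Previously this case was silent and the notification simply never went in.
    echo "/root/.bashrc is missing or empty, root login notification not installed."
  fi
fi

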
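###
# Toggle the "-a" flag on the ctrl-alt-del entry in /etc/inittab: with -a,
# shutdown(8) only honours the key combination when root (or a user listed
# in /etc/shutdown.allow) is logged in on a local console.
echo "Do you want to only allow ctrl-alt-del if root is logged locally ?"
echo "( or if a user present in /etc/shutdown.allow is logged locally )"
WaitAnswer; clear
# Bail out if the working copy cannot be made: redirecting sed's output to
# /etc/inittab with an unreadable input would leave inittab empty.
tmpfile=$(mktemp /tmp/secure.XXXXXX) || { echo "mktemp failed, /etc/inittab left untouched" >&2; exit 1; }
if ! cp /etc/inittab "${tmpfile}"; then
  echo "cannot copy /etc/inittab, left untouched" >&2
  rm -f "${tmpfile}"
  exit 1
fi
# Each expression sits on one line: sed matches one input line at a time, so
# the original pattern with an embedded newline could never match.
if [[ ${answer} == yes ]]; then
  sed 's|ca::ctrlaltdel:/sbin/shutdown -t3 -r now|ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now|' "${tmpfile}" > /etc/inittab
else
  sed 's|ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now|ca::ctrlaltdel:/sbin/shutdown -t3 -r now|' "${tmpfile}" > /etc/inittab
fi
rm -f "${tmpfile}"
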
#Compile tools
#More needs to be added and this is very sloppy but you get the idea : )
# mgtools: offer to make gcc and g++ executable by root only (mode 0700).
# Sets the global mgcon=mgcon1 as soon as it runs, whatever the answer --
# NOTE(review): looks unintended, confirm before the dispatch relies on it.
mgtools()
{
  local compiler
  mgcon=mgcon1
  echo "Do you want only root to have access to the system compiler(gcc/g++) ?"
  WaitAnswer; clear
  [[ ${answer} == yes ]] || return 0
  for compiler in /usr/bin/gcc /usr/bin/g++; do
    chmod 0700 "${compiler}"
  done
}
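# gtools: optionally restrict the compilers to one group. Sets the globals
# gcon (gcon1 when the group option was taken; read by the dispatch further
# down), grp (chosen group name, may be empty) and dgrp (default, "devel");
# the sourced perm.ctools / perm.ctoolsd files read grp / dgrp respectively.
gtools()
{
  gcon=gcon0
  dgrp=devel
  echo "Do you want to setup compiling tools(gcc,g++,etc..) so that they may"
  echo "be used by a certain group ?"
  echo -n "yes/no: "
  read -r answer
  [[ ${answer} == yes ]] || return 0
  gcon=gcon1
  echo
  echo -n "What shall the name of this group be [devel]: "
  read -r grp
  # "." (source), not "..": the original typo would have tried to run a
  # command called "..", so the permission files were never applied.
  if [[ -z ${grp} ]]; then
    groupadd "${dgrp}"
    . /etc/security/lsec/perm.ctoolsd
  else
    groupadd "${grp}"
    . /etc/security/lsec/perm.ctools
  fi
}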
# Ask the compiler-group question first; its result (gcon) drives the
# dispatch that follows the mntools/ntools definitions below.
gtools
# Earlier form of that dispatch, superseded by the live one further down.
#if [[ ${gcon} = gcon1 ]]; then
#ntools
#else
#mgtools
#fi

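#network tools
# mntools: for each network client below, offer to make it executable by
# root only (mode 0700). Answers come from WaitAnswer via ${answer}. Note
# that 0700 also drops group access, so it overrides any root:<group> 750
# setup done by perm.netsys.
mntools()
{
  local entry label path
  # "<prompt label>|<path>" -- labels are worded exactly as before
  local tools=(
    "'ping'|/bin/ping"
    "'traceroute'|/usr/sbin/traceroute"
    "'who'|/usr/bin/who"
    "'w'|/usr/bin/w"
    "'finger'|/usr/bin/finger"
    "telnet client|/usr/bin/telnet"
    "ssh client|/usr/bin/ssh"
  )
  for entry in "${tools[@]}"; do
    label=${entry%%|*}
    path=${entry#*|}
    echo "Do you want to disable ${label} to all users except root ?"
    WaitAnswer; clear
    # The original ping test read "$answer}" -- the stray brace made the
    # comparison "yes}" == yes, so ping was never restricted.
    if [[ ${answer} == yes ]]; then
      chmod 0700 "${path}"
    fi
  done
}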
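# ntools: optionally restrict the network clients to one group. Sets the
# globals ncon (ncon1 when the group option was taken; read by the dispatch
# below), ngrp (chosen group name, may be empty) and ngrpd (default,
# "netsys"); the sourced perm.netsys / perm.netsysd files read ngrp / ngrpd.
# NOTE(review): the perm-file listing further down names the default file
# "perm.netsys.d" -- confirm which spelling is actually installed.
ntools()
{
  ncon=ncon0
  ngrpd=netsys
  echo "Do you want to set up network tools so that they may be used only"
  echo "by users of a certain group ?"
  echo -n "yes/no: "
  read -r answer
  [[ ${answer} == yes ]] || return 0
  ncon=ncon1
  echo
  echo -n "What shall the name of this group be [netsys]: "
  read -r ngrp
  # "." (source), not "..": the original typo never applied the files.
  if [[ -z ${ngrp} ]]; then
    groupadd "${ngrpd}"
    . /etc/security/lsec/perm.netsysd
  else
    groupadd "${ngrp}"
    # perm.netsys reads ngrp; the original sourced perm.netsysd (which reads
    # ngrpd) in both branches, so a custom group name was never applied.
    . /etc/security/lsec/perm.netsys
  fi
}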
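# Dispatch once gtools has run:
#   gcon != gcon1 -> compilers were not group-restricted, offer root-only (mgtools)
#   then offer group-restricted network tools (ntools)
#   ncon != ncon1 -> offer root-only network tools (mntools)
# The previous three-way chain keyed on mgcon (which mgtools sets regardless
# of the answer) prompted mntools twice whenever the group option had been
# declined after ntools; each step now runs at most once.
if [[ ${gcon} != gcon1 ]]; then
  mgtools
fi
ntools
if [[ ${ncon} == ncon1 ]]; then
  echo "Done"
else
  mntools
fi
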
###
# tcp_wrappers: deny every client in /etc/hosts.deny, optionally keeping
# localhost. Unlike the other prompts, this WaitAnswer is not followed by
# "clear" (kept as before).
echo "Do you want to deny any machine to connect to yours ?"
WaitAnswer
if [[ ${answer} == yes ]]; then
  echo "Do you want only localhost to be allowed ?"
  WaitAnswer; clear
  deny_rule="ALL:ALL:DENY"
  if [[ ${answer} == yes ]]; then
    deny_rule="ALL:ALL EXCEPT localhost:DENY"
  fi
  AddRules "${deny_rule}" /etc/hosts.deny
fi

###
# List tty1..tty6 in /etc/securetty so login accepts root on the local
# virtual consoles. "quiet" is passed for every entry but the last, as
# before (presumably suppresses AddRules' per-line message -- see lib.sh).
echo "Do you want root console login to be allowed ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
  for n in 1 2 3 4 5; do
    AddRules "tty${n}" /etc/securetty quiet
  done
  AddRules "tty6" /etc/securetty
fi
###

# libsafe (an LD_PRELOAD wrapper for strcpy & co.) is only offered when the
# library is installed. Exporting LD_PRELOAD from /etc/profile reaches
# programs started from shells that read /etc/profile, not daemons started
# at boot.
if [[ -f /usr/lib/libsafe.so.1.2 ]]; then
  cat <<'EOF'
Do you want to enable the libsafe stack overflow protection ?
This stack overflow protection work by catching dangerous function call
like strcpy, strcat, getwd, gets, [vf]scanf, realpath, [v]sprintf
and verify the address & the size of the destination buffer in the stack
this is done by searching in the stack frame the one which contain the
destination address, and by substracting the frame address to the
destination buffer one
EOF
  WaitAnswer; clear
  [[ ${answer} == yes ]] && AddRules "export LD_PRELOAD=/usr/lib/libsafe.so.1.2" /etc/profile
fi

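###
# Daily security checks: each "yes" turns on one CHECK_* switch in
# security.conf and requests the security.sh cron entry (WRITE_CRON, written
# further down). One helper replaces nine copies of the same block; the
# prompts are kept verbatim, embedded newlines included.
#
# ask_security_check PROMPT SWITCH
#   $1 - question printed to the user
#   $2 - CHECK_* name to set to "yes" in security.conf on a "yes" answer
ask_security_check()
{
  local prompt=$1 switch=$2
  echo "${prompt}"
  WaitAnswer; clear
  if [[ ${answer} == yes ]]; then
    AddRules "${switch}=yes" /etc/security/lsec/security.conf
    WRITE_CRON="true"
  fi
}

ask_security_check "Do you want your system to daily check important security problem ?" CHECK_SECURITY
ask_security_check "Do you want your system to daily check new open port listening ?" CHECK_OPEN_PORT
ask_security_check "Do you want your system to check for grave permission problem on
sensibles files ?" CHECK_PERMS
ask_security_check "Do you want your system to daily check SUID Root file change ?" CHECK_SUID_ROOT
ask_security_check "Do you want your system to daily check suid files md5 checksum changes ?" CHECK_SUID_MD5
ask_security_check "Do you want your system to daily check SUID Group file change ?" CHECK_SUID_GROUP
ask_security_check "Do you want your system to daily check Writeable file change ?" CHECK_WRITEABLE
ask_security_check "Do you want your system to daily check Unowned file change ?" CHECK_UNOWNED

###
# The promiscuous-mode check runs from its own every-minute crontab entry
# instead of the shared security.sh job. Written on one line: the original
# split the entry over two lines, which is not a valid crontab record.
echo "Do you want your system to verify every minutes if a network interface"
echo "is in promiscuous state (which mean someone is probably running a sniffer
on your machine ) ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
  AddRules "CHECK_PROMISC=yes" /etc/security/lsec/security.conf
  AddRules "*/1 * * * * root nice --adjustment=+19 /usr/share/lsec/promisc_check.sh" /etc/crontab
fi
###
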
###
# Where the check reports go: syslog and/or mail. Anything other than an
# explicit "yes" records "no", exactly as before.
echo "Do you want security report to be done in syslog ?"
WaitAnswer; clear
warn=no
[[ ${answer} == yes ]] && warn=yes
AddRules "SYSLOG_WARN=${warn}" /etc/security/lsec/security.conf
###

echo "Do you want security report to be done by mail ?"
WaitAnswer; clear
warn=no
[[ ${answer} == yes ]] && warn=yes
AddRules "MAIL_WARN=${warn}" /etc/security/lsec/security.conf
###

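# Hourly security.sh job, requested by any "yes" to the daily checks above.
# One line: a crontab entry cannot span two lines (the original did).
if [[ ${WRITE_CRON} == "true" ]]; then
  AddRules "0 0-23 * * * root nice --adjustment=+19 /usr/share/lsec/security.sh" /etc/crontab
fi

# LiloUpdate comes from lib.sh (presumably edits the lilo configuration --
# check there); lilo must then be re-run for the change to reach the boot
# sector. Its output is still discarded, but a failure is no longer silent.
LiloUpdate
if ! /sbin/lilo > /dev/null 2>&1; then
  echo "warning: /sbin/lilo failed, boot loader not updated" >&2
fi
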
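###
echo "Do you want to disable all services except(gpm,xfs,keytable,"
echo "network,crond, and syslogd ?"
echo "This is _highly_ recommended if you have not configured other"
echo "said services."
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
  # Show which services /etc/security/lsec/server.4 lists as keepers. Names
  # come from chkconfig's first column; "read -r", quoting and "--" so an
  # odd name cannot be mangled, globbed or taken as a grep option.
  echo -n "Disabling all service, except : {"
  chkconfig --list | awk '{print $1}' | while read -r service; do
    if grep -qx -- "${service}" /etc/security/lsec/server.4; then
      echo -n " ${service}"
    fi
  done
  echo " } : "

  # NOTE(review): "--del" followed by "--add" appears to re-register each
  # service from its init script defaults rather than disable it, and the
  # "disabled" message is only printed when --add fails -- confirm this is
  # the intended mechanism. The services re-added below are hard-coded and
  # not taken from server.4, so the list printed above and the set kept can
  # differ.
  chkconfig --list | awk '{print $1}' | while read -r service; do
    chkconfig --del "${service}"
    if ! chkconfig --add "${service}"; then
      echo -e "\t- Services ${service} is now disabled."
    fi
  done
  for keep in gpm xfs network keytable syslog crond; do
    chkconfig --add "${keep}"
  done
  echo -e "done.\n"
fi
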
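###
# umask line appended to /etc/profile. The words the prompt loop accepts and
# the ones handled are a single case table, so they cannot drift apart. The
# original's [[ ]] condition broken across two lines and the AddRules call
# whose file argument sat on the next line (leaving "/etc/profile" to be run
# as a command) were both invalid as written.
echo "Do you want an easy, normal, restricted, or paranoid umask ?"
echo "easy ( 002 ) = user = rwx, group = rwx, other = rx"
echo "normal ( 022 ) = user = rwx, group = rx, other = rx"
echo "restricted ( for users ) ( 077 ) = user = rwx, group =, other ="
echo "restricted ( for root ) ( 022 ) = user = rwx, = group = rx, other = rx"
echo "paranoid ( 077 ) = user = rwx, group = , other ="
umask_rule=
while [[ -z ${umask_rule} ]]; do
  echo -n "easy/normal/restricted/paranoid : "
  # On EOF abort instead of spinning forever on the prompt.
  read -r answer || { echo "no input, aborting" >&2; exit 1; }
  case "${answer}" in
    easy)       umask_rule="umask 002" ;;
    normal)     umask_rule="umask 022" ;;
    # root keeps 022 so files it installs stay readable; everyone else 077
    restricted) umask_rule="if [[ \${UID} == 0 ]]; then umask 022; else umask 077; fi" ;;
    paranoid)   umask_rule="umask 077" ;;
  esac
done
AddRules "${umask_rule}" /etc/profile
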
###
# Optional trailing "." in the global PATH. As the author's warning says,
# with "." in PATH a program dropped in the current directory runs in place
# of the intended command, so the default leaves it out.
echo 'Do you want a . in your PATH variable ?'
echo 'This permit you to not use ./progname & to just type progname'
echo 'However this is a *high* security risk.'
WaitAnswer; clear
path_rule='PATH=$PATH:/usr/X11R6/bin:/usr/games'
if [[ ${answer} == yes ]]; then
  path_rule="${path_rule}:."
fi
AddRules "${path_rule}" /etc/profile quiet

AddRules "export PATH SECURE_LEVEL" /etc/profile

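# File-permission profile applied by file_perm.sh. The prompt offers
# "restricted" but the original loop and case only knew "strict", so the
# advertised answer looped forever; both spellings now map to perm.4. The
# stray "#!/bin/bash" glued to the paranoid arm is gone.
echo "Do you want normal, restricted, or paranoid file permissions ?"
perm_file=
while [[ -z ${perm_file} ]]; do
  echo -n "normal/restricted/paranoid : "
  # On EOF abort instead of spinning forever on the prompt.
  read -r answer || { echo "no input, aborting" >&2; exit 1; }
  case "${answer}" in
    normal)            perm_file=/etc/security/lsec/perm.3 ;;
    restricted|strict) perm_file=/etc/security/lsec/perm.4 ;;
    paranoid)          perm_file=/etc/security/lsec/perm.5 ;;
  esac
done
/usr/share/lsec/file_perm.sh "${perm_file}"
#EOF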
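# /etc/security/msec/perm.ctools
# Sourced from gtools with ${grp} set to the chosen group: the compilers
# become root:<grp> mode 750, so only members of that group can run them.
# ${grp:?} aborts instead of running "chown root. file" when the variable is
# empty, which would silently hand the files to root's own group.
for tool in /usr/bin/gcc /usr/bin/cc /usr/bin/g++; do
  chown "root:${grp:?}" "${tool}"
  chmod 750 "${tool}"
done
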
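# /etc/security/msec/perm.ctoolsd
# Same as perm.ctools but for the default group name held in ${dgrp}
# ("devel", set by gtools). ${dgrp:?} aborts on an empty variable rather
# than chowning to root's own group.
for tool in /usr/bin/gcc /usr/bin/cc /usr/bin/g++; do
  chown "root:${dgrp:?}" "${tool}"
  chmod 750 "${tool}"
done

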
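# /etc/security/msec/perm.netsys
# Sourced from ntools with ${ngrp} set: the network clients become
# root:<ngrp> mode 750. Fixes relative to the original list: ping's chmod
# targeted /usr/bin/gcc, /usr/bin/who was never chown'ed (w was listed
# twice) and traceroute was misspelt "traceoute". /bin/ping is the path
# mntools and perm.netsys.d use; the original had /usr/bin/ping here --
# confirm which one is installed.
for tool in /bin/ping /usr/bin/w /usr/bin/who /usr/bin/telnet /usr/bin/ssh \
  /usr/sbin/traceroute /usr/bin/finger; do
  chown "root:${ngrp:?}" "${tool}"
  chmod 750 "${tool}"
done
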
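# /etc/security/msec/perm.netsys.d
# Same as perm.netsys but for the default group name held in ${ngrpd}
# ("netsys", set by ntools). Fixes relative to the original list: ping's
# chmod targeted /usr/bin/gcc and /usr/bin/who was never chown'ed (w was
# listed twice).
for tool in /bin/ping /usr/bin/w /usr/bin/who /usr/bin/telnet /usr/bin/ssh \
  /usr/sbin/traceroute /usr/bin/finger; do
  chown "root:${ngrpd:?}" "${tool}"
  chmod 750 "${tool}"
done
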
######## END
560
561
