Setting | Function | Level 0 | Level 1 | Level 2 | Level 3 | Level 4 | Level 5

root umask | set_root_umask(umask) | 002 | 002 | 022 | 022 | 022 | 077
    Stored in /etc/sysconfig/msec and then used by /etc/profile.d/msec.{sh,csh}.

User umask | set_user_umask(umask) | 002 | 002 | 022 | 022 | 077 | 077
    Stored in /etc/sysconfig/msec and then used by /etc/profile.d/msec.{sh,csh}.

Shell timeout | set_shell_timeout(timeout) | 0 | 0 | 0 | 0 | 3600 | 900
    Idle time in seconds after which the shell exits (0 = no timeout). Stored in /etc/sysconfig/msec and then used by /etc/profile.d/msec.{sh,csh}.

Deny Services | authorize_services(arg) | none | none | none | none | local | all
    Sets /etc/hosts.deny. This row lists what is denied, which is the reverse of the function's argument: "none" denied is authorize_services(all); "local" (only local connections get through) is authorize_services(local); "all" denied is authorize_services(none).

su Only For wheel Group | enable_pam_wheel_for_su(arg) | no | no | no | no | no | yes
    Sets /etc/pam.d/su.

Shell History Size | set_shell_history_size(size) | default | default | default | default | 10 | 10

Direct root Login | allow_root_login(arg) | yes | yes | yes | yes | no | no
    Sets: /etc/ssh/sshd_config, /etc/securetty, /etc/pam.d/kde, /etc/pam.d/gdm, /etc/pam.d/xdm, /etc/bastille-no-login.
    BUG: remember to fix PermitRootLogin in /etc/ssh/sshd_config by hand; sshd only reads the file when it starts or is reloaded, so restart it afterwards.

sulogin For Single User | enable_sulogin(arg) | no | no | no | no | yes | yes
    Sets: /etc/inittab. Enable/Disable sulogin(8) in the single-user runlevel (without it, single-user mode gives a root shell with no password prompt).

User List in [kg]dm | allow_user_list(arg) | yes | yes | yes | yes | no | no
    Allow/Forbid the list of users on the system on display managers (kdm and gdm).

Ignore ICMP Echo | accept_icmp_echo(arg) | no | no | no | no | yes | yes
    Accept/Refuse ICMP echo. The row lists "ignore", so "yes" here is accept_icmp_echo(0). Sets /etc/sysctl.conf (net.ipv4.icmp_echo_ignore_all).
    BUG: remember to run "sysctl -e -p /etc/sysctl.conf"; editing the file does not change the running kernel.

Ignore Bogus Error Responses | accept_bogus_error_responses(arg) | no | no | no | no | yes | yes
    Accept/Refuse bogus IPv4 error messages; "yes" here is accept_bogus_error_responses(0). Sets /etc/sysctl.conf (net.ipv4.icmp_ignore_bogus_error_responses).
    BUG: remember to run "sysctl -e -p /etc/sysctl.conf".

Allow Reboot by User | allow_reboot(arg) | yes | yes | yes | yes | no | no
    Allow/Forbid reboot by the console user. Sets: /etc/shutdown.allow, kernel.sysrq in /etc/sysctl.conf, /usr/share/config/kdm/kdmrc and /etc/X11/gdm/gdm.conf.
    BUG: remember to run "sysctl -e -p /etc/sysctl.conf".

Allow crontab/at | enable_at_crontab(arg) | yes | yes | yes | yes | no | no
    Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow (see at(1) and crontab(1)). Sets: /etc/cron.allow and /etc/at.allow.

Password Aging | password_aging(max, inactive=-1) | no | no | no | no | 60 days | 30 days
    Set the maximum password age to max days and the number of days after expiry before the account is locked to inactive (-1 = never lock). To disable: password_aging(99999). Sets: /etc/login.defs and uses /usr/bin/chage.

Password Required | enable_password(arg) | no | yes | yes | yes | yes | yes
    Use a password to authenticate users. If this is set to "no", any password is accepted as OK. Sets: /etc/pam.d/system-auth.

Allow Autologin | allow_autologin(arg) | yes | yes | yes | no | no | no
    Allow/Forbid autologin. Sets: /etc/sysconfig/autologin.

Console Log | enable_console_log(arg, expr='*.*') | no | no | no | yes | yes | yes
    Enable/Disable syslog reports to console 12. expr is the selector describing what to log (see syslog.conf(5)). Sets: /etc/syslog.conf.

Warnings in syslog | set_security_conf(SYSLOG_WARN, value) | no | no | yes | yes | yes | yes
    Sets SYSLOG_WARN in /var/lib/msec/security.conf; this can be overridden in /etc/security/msec/security.conf. Listed in the check table below as SYSLOG_WARN.

Warnings in security.log | (not a configuration variable) | no | yes | yes | yes | yes | yes

Issues | allow_issues(arg) | yes | yes | yes | local | local | no
    If arg = ALL, both /etc/issue and /etc/issue.net may exist; if arg = NONE, neither is allowed; otherwise only /etc/issue is allowed. Sets: /etc/issue and /etc/issue.net (disables them by adding the ".msec" suffix, I think).
    BUG: this setting is encumbered by hard-coded logic in /etc/rc.d/rc.local.

IP Spoofing Protection | enable_ip_spoofing_protection(arg, alert=1) | no | no | no | yes | yes | yes
    Sets /etc/host.conf and enables paranoid reverse DNS lookups. From host.conf(5): "Valid values are on and off. If set to on, the resolv+ library will attempt to prevent hostname spoofing to enhance the security of rlogin and rsh. It works as follows: after performing a host address lookup, resolv+ will perform a hostname lookup for that address. If the two hostnames do not match, the query will fail."
    Sets net.ipv4.conf.all.rp_filter in /etc/sysctl.conf. About this setting /usr/src/linux/Documentation/filesystems/proc.txt says: "If you set this to 1 on a router that is the only connection for a network to the net, it will prevent spoofing attacks against your internal networks (external addresses can still be spoofed), without the need for additional firewall rules." About this setting /usr/src/linux/Documentation/networking/ip-sysctl.txt says: "do source validation by reversed path, as specified in RFC1812. Recommended option for single homed hosts and stub network routers. Could cause troubles for complicated (not loop free) networks running a slow unreliable protocol (sort of RIP), or using static routes."
    BUG: does not unset net.ipv4.conf.all.rp_filter when the protection is turned off.
    BUG: remember to run "sysctl -e -p /etc/sysctl.conf".

Log Strange IP Packets | enable_log_strange_packets(arg) | no | no | no | yes | yes | yes
    Enable/Disable the logging of strange IPv4 packets. Sets net.ipv4.conf.all.log_martians in /etc/sysctl.conf. About this setting /usr/src/linux/Documentation/filesystems/proc.txt says: "Log packets with source addresses with no known route to kernel log."
    BUG: remember to run "sysctl -e -p /etc/sysctl.conf".

Periodic Security Check | enable_security_check(arg) | no | yes | yes | yes | yes | yes
    Activate/Disable the daily security check. Sets: /etc/cron.daily/msec as a symlink to /usr/share/msec/security.sh.

X connections | allow_x_connections(arg, listen_tcp) | (all, 1) | (local, 1) | (local, 1) | (none, 1) | (none, 0) | (none, 0)
    Allow/Forbid X connections. The first argument specifies what is done on the client side: ALL (all connections are allowed), LOCAL (only local connections) and NONE (no connection). The second argument specifies what is authorized on the server side: whether clients may connect on TCP port 6000 or not. The two rows below break the tuple into its arguments.

Hosts allowed to make connections to the X server (think xhost) | first argument of allow_x_connections | all | local | local | none | none | none
    (was: "Allow X TCP Connections"). Values are given in the ALL/LOCAL/NONE vocabulary of the first argument so that they match the tuple row above.
    BUG: incorrect settings in the original document. They have been corrected in this document.

X server listens for TCP connections | second argument of allow_x_connections | 1 | 1 | 1 | 1 | 0 | 0
    (was: "Connect to X Display").
    BUG: incorrect settings in the original document. They have been corrected in this document.

"." in $PATH | (hard-coded in /etc/profile.d/msec.sh and /etc/profile.d/msec.csh) | yes | yes | no | no | no | no
    BUG: setting is hard-coded rather than driven by a function.

Run msec tests via cron | enable_msec_cron(arg) | no | no | no | some (?) | yes | yes
    Links /etc/cron.hourly/msec to /usr/sbin/msec. Enable/Disable the hourly msec run; this is how the msec settings get refreshed.

Check for promiscuous Ethernet interfaces | enable_promisc_check(arg) | 0 | 0 | 0 | 0 | 1 | 1
    Sets: /etc/cron.d/msec. Activate/Disable the Ethernet card promiscuity check.
    BUG: this also requires CHECK_PROMISC in security.conf (see the check table below).
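The umask, shell timeout, history size and "." in $PATH rows above all come down to a few lines in a login-shell profile script. The script below is an added example, not msec's own /etc/profile.d/msec.sh: the level-to-value mapping is copied from the table, the function names (msec_umask, msec_tmout, msec_strip_dot_path, mode_after_umask, apply_msec_shell_settings) are this example's own, and mode_after_umask is there to show concretely what 022 versus 077 means for a newly created file or directory.

```shell
#!/bin/sh
# Added example (not msec's /etc/profile.d/msec.sh). Level-to-value
# mapping taken from the msec level table; function names are ours.

# umask the table assigns to an msec level (0-5) for a given uid.
msec_umask() {            # $1 = level, $2 = uid
    if [ "$2" -eq 0 ]; then
        case $1 in 0|1) echo 002 ;; 2|3|4) echo 022 ;; 5) echo 077 ;; esac
    else
        case $1 in 0|1) echo 002 ;; 2|3) echo 022 ;; 4|5) echo 077 ;; esac
    fi
}

# Idle timeout in seconds for the level (0 = the shell never times out).
msec_tmout() {            # $1 = level
    case $1 in 4) echo 3600 ;; 5) echo 900 ;; *) echo 0 ;; esac
}

# Remove "." and empty components (an empty component also means the
# current directory) from a PATH value. Levels 2 and up do this so a
# planted ./ls in a shared directory is never run instead of /bin/ls.
msec_strip_dot_path() {   # $1 = PATH value; prints the cleaned value
    (
        IFS=:
        out=
        for dir in $1; do
            case $dir in
                ""|.) ;;                      # drop
                *) out=${out:+$out:}$dir ;;
            esac
        done
        echo "$out"
    )
}

# Mode a newly created file (base 666) or directory (base 777) ends up
# with after the umask is applied, as a 3-digit octal string.
mode_after_umask() {      # $1 = base mode (666 or 777), $2 = umask
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# What a real profile.d script does with these values: export them
# read-only so a user cannot simply reset TMOUT from ~/.bashrc.
apply_msec_shell_settings() {  # $1 = level
    umask "$(msec_umask "$1" "$(id -u)")"
    t=$(msec_tmout "$1")
    if [ "$t" -gt 0 ]; then TMOUT=$t; readonly TMOUT; export TMOUT; fi
    if [ "$1" -ge 4 ]; then HISTSIZE=10; export HISTSIZE; fi
    if [ "$1" -ge 2 ]; then PATH=$(msec_strip_dot_path "$PATH"); export PATH; fi
}
```

Sourcing this from a login shell with `apply_msec_shell_settings 4` reproduces the level 4 column: root creates files as 644 (umask 022), everyone else as 600 (umask 077), and idle shells exit after an hour.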
 
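Five rows above (Ignore ICMP Echo, Ignore Bogus Error Responses, Allow Reboot by User, IP Spoofing Protection, Log Strange IP Packets) write /etc/sysctl.conf and carry the same BUG note: the file is edited but never loaded, so the running kernel can disagree with it until "sysctl -e -p" or a reboot. The script below is an added example, not part of msec. sysctl_drift lists every key where the file and the kernel differ (and keys the kernel does not have, which "sysctl -e" would skip silently); msec_sysctl_conf is a constructed sample of what the high-level columns amount to, using the standard kernel key names for those rows. The second argument of sysctl_drift exists only so the logic can be tried against a constructed tree instead of /proc/sys.

```shell
#!/bin/sh
# Added example, not msec code: does /etc/sysctl.conf match the kernel?

# Print "key file_value kernel_value" for each key in the file whose
# value under /proc/sys differs, and "key file_value MISSING" for keys
# the kernel does not expose at all.
# $1 = sysctl.conf-style file, $2 = root of the sysctl tree (default /proc/sys)
sysctl_drift() {
    conf=$1; proc=${2:-/proc/sys}
    # strip comments and blank lines; normalise "a.b.c = 1" to "a.b.c 1"
    sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*\([^[:space:]=]*\)[[:space:]]*=[[:space:]]*\(.*\)$/\1 \2/' "$conf" |
    while read -r key want; do
        file=$proc/$(printf '%s' "$key" | tr . /)
        if [ ! -f "$file" ]; then
            echo "$key $want MISSING"
            continue
        fi
        # /proc/sys separates multi-value entries with tabs; normalise
        have=$(tr -s '\t' ' ' < "$file")
        [ "$have" = "$want" ] || echo "$key $want $have"
    done
}

# Constructed sample: the sysctl rows of the table at level 4/5, spelled
# as kernel keys (ignore echo = 1, ignore bogus errors = 1, rp_filter = 1,
# log_martians = 1, and "Allow Reboot by User = no" as kernel.sysrq = 0).
msec_sysctl_conf() {
    cat <<'EOF'
# msec-style sysctl settings (constructed for this example)
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
kernel.sysrq = 0
EOF
}
```

On a live host run `sysctl_drift /etc/sysctl.conf` with no second argument; an empty result means the file has actually been applied. Keep in mind the rp_filter BUG above: turning the protection off edits nothing, so the key stays at 1 in both places and this check will not flag it.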

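The Direct root Login row says PermitRootLogin has to be fixed in /etc/ssh/sshd_config by hand. Two things make that easy to get wrong: sshd uses the first value it finds for a keyword, so a "PermitRootLogin no" appended at the end of the file is ignored if an earlier "PermitRootLogin yes" exists, and directives after a "Match" line only apply inside that block. The following is an added example, not msec code; it reports the value sshd will use globally and the lines that look right but are shadowed. The sshd_config text in the test is constructed.

```shell
#!/bin/sh
# Added example, not msec code: which PermitRootLogin does sshd honour?

# Effective global PermitRootLogin: first occurrence wins, and anything
# after the first "Match" block is conditional, so stop reading there.
sshd_global_permit_root_login() {   # $1 = path to sshd_config
    awk '
        tolower($1) == "match" { exit }            # END still runs
        /^[[:space:]]*#/ || NF == 0 { next }       # comments, blanks
        tolower($1) == "permitrootlogin" && !found {
            print tolower($2); found = 1
        }
        END { if (!found) print "unset (compiled-in default)" }
    ' "$1"
}

# PermitRootLogin lines that are NOT the effective global value: later
# duplicates and occurrences inside Match blocks. Printed as "line: text".
sshd_shadowed_permit_root_login() {  # $1 = path to sshd_config
    awk '
        tolower($1) == "match" { inmatch = 1 }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "permitrootlogin" {
            if (seen || inmatch) print NR ": " $0
            seen = 1
        }
    ' "$1"
}
```

The authoritative answer on a live system is `sshd -T | grep -i permitrootlogin`, which prints the parsed configuration; the functions above are for reading a file that is not (yet) installed on the host.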
Security check variables (security.conf)

In the last two columns, 1 means the check only runs when that prerequisite is enabled, 0 that it does not depend on it, and n/a that the column does not apply (the *_WARN variables select where reports go rather than what is checked).

Variable | Level 0 | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 | Requires enable_security_check(1) | Requires CHECK_SECURITY
CHECK_SECURITY | no | yes | yes | yes | yes | yes | 1 | n/a
CHECK_PERMS | no | no | no | yes | yes | yes | 1 | 1
CHECK_SUID_ROOT | no | no | yes | yes | yes | yes | 1 | 1
CHECK_SUID_MD5 | no | no | yes | yes | yes | yes | 1 | 1
CHECK_SUID_GROUP | no | no | no | yes | yes | yes | 1 | 1
CHECK_WRITEABLE | no | no | yes | yes | yes | yes | 1 | 1
CHECK_UNOWNED | no | no | no | yes | yes | yes | 1 | 1
CHECK_PROMISC | no | no | no | yes | yes | yes | requires enable_promisc_check(1) instead | 0
CHECK_OPEN_PORT | no | no | no | yes | yes | yes | 1 | 1
CHECK_PASSWD | no | no | no | yes | yes | yes | 1 | 1
CHECK_SHADOW | no | no | no | yes | yes | yes | 1 | 1
TTY_WARN | no | no | no | no | yes | yes | n/a | n/a
MAIL_WARN | no | no | no | yes | yes | yes | n/a | n/a
SYSLOG_WARN | no | no | yes | yes | yes | yes | n/a | n/a
RPM_CHECK | no | no | no | yes | yes | yes | 1 | 1
CHKROOTKIT_CHECK | no | no | no | yes | yes | yes | 1 | 1
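CHECK_SUID_ROOT, CHECK_SUID_MD5 and CHECK_PROMISC from the table above, reimplemented as an added example that is not msec's security.sh, so the mechanism can be tried against a constructed directory tree: an inventory of set-uid files with checksums is diffed against the previous run's inventory, and promiscuous mode is read from the interface flags. The real job restricts the find to files owned by root (-user 0); here that filter is passed as optional extra find arguments so the example runs unprivileged. Function names and the /sys-style directory argument are this example's own.

```shell
#!/bin/sh
# Added example, not msec's security.sh: set-uid inventory diff and
# promiscuous-interface check.

# List "md5  path" for every set-uid file under $1, sorted by path, so
# two runs can be compared. Extra arguments are passed to find (msec's
# real check adds "-user 0" here).
suid_inventory() {           # $1 = tree root, $2... = extra find args
    root=$1; shift
    find "$root" -xdev -type f -perm -4000 "$@" -exec md5sum {} + 2>/dev/null |
        sort -k2
}

# Compare a stored inventory with a fresh one. Prints "added:",
# "removed:" or "changed:" lines; "changed" means the same path now has
# a different checksum, which is what a trojaned su or a replaced ping
# looks like even though the set-uid list itself did not grow.
suid_diff() {                # $1 = previous inventory, $2 = new inventory
    awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }   # safe if $1 is empty
        {
            if (!($2 in old))        print "added: " $2
            else if (old[$2] != $1)  print "changed: " $2
            delete old[$2]
        }
        END { for (p in old) print "removed: " p }
    ' "$1" "$2" | sort
}

# IFF_PROMISC is bit 0x100 of the flags word in /sys/class/net/*/flags.
# $1 = directory laid out like /sys/class/net (default: the real one)
promisc_interfaces() {
    base=${1:-/sys/class/net}
    for f in "$base"/*/flags; do
        [ -r "$f" ] || continue
        flags=$(cat "$f")
        if [ $(( $flags & 0x100 )) -ne 0 ]; then
            basename "$(dirname "$f")"
        fi
    done
}
```

A daily job built on this keeps yesterday's inventory, runs `suid_inventory / -user 0` into a new file, mails the output of `suid_diff old new` when it is non-empty, and then rotates the files; that is the "today/yesterday" comparison the CHECK_SUID_* variables switch on.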
 

Permission settings

Summarized from: /usr/share/msec/perm.*

filename | Level 1 | Level 2 | Level 3 | Level 4 | Level 5
/ | root.root 755 | root.root 755 | root.adm 755 | root.adm 751 | root.root 711
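What CHECK_PERMS does with a perm.* list, as an added example that is not msec's own code: read lines of the form "path owner.group mode" (the layout of the table above) and report every path whose live owner, group or mode differs, or which is missing. It assumes GNU stat (-c) and takes an optional prefix so the list can be checked against a constructed tree instead of /; the perm list in the test is constructed.

```shell
#!/bin/sh
# Added example, not msec's CHECK_PERMS: compare a perm list with the
# filesystem. Line format: "path owner.group mode", "#" starts a comment.

# $1 = perm list file, $2 = optional prefix prepended to every path
perm_drift() {
    list=$1; prefix=${2:-}
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$list" |
    while read -r path ownergroup mode; do
        target=$prefix$path
        if [ ! -e "$target" ]; then
            echo "$path: missing"
            continue
        fi
        # GNU stat: %U owner name, %G group name, %a mode in octal
        have=$(stat -c '%U.%G %a' "$target")
        # normalise 0755 and 755 (and 1777 vs 01777) to what stat prints
        want="$ownergroup $(printf '%o' 0$mode)"
        [ "$have" = "$want" ] || echo "$path: want $want, have $have"
    done
}
```

Run against the live root with `perm_drift level4.list`, where the list holds the level 4 column of the table (for the one row shown: "/ root.adm 751"). A non-empty result is the same finding msec reports under CHECK_PERMS; the reverse operation, enforcing the list with chown/chmod, is what raising the level does, so review the drift before applying a stricter level.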