Setting | Function | Notes | Level 0 | Level 1 | Level 2 | Level 3 | Level 4 | Level 5
--- | --- | --- | --- | --- | --- | --- | --- | ---
root umask | set_root_umask(umask) | Stored in /etc/sysconfig/msec and then used by /etc/profile.d/msec.{sh,csh} | 002 | 002 | 022 | 022 | 022 | 077
User umask | set_user_umask(umask) | Stored in /etc/sysconfig/msec and then used by /etc/profile.d/msec.{sh,csh} | 002 | 002 | 022 | 022 | 077 | 077
Shell timeout | set_shell_timeout() | Stored in /etc/sysconfig/msec and then used by /etc/profile.d/msec.{sh,csh} | 0 | 0 | 0 | 0 | 3600 | 900
Deny Services | authorize_services(arg) | Sets /etc/hosts.deny. (This row lists which services are denied; authorize_services has the opposite sense, so reverse the logic when calling it.) | none | none | none | none | local | all
su Only For wheel Group | enable_pam_wheel_for_su(arg) | Sets /etc/pam.d/su | no | no | no | no | no | yes
Shell History Size | set_shell_history_size(size) | | default | default | default | default | 10 | 10
Direct root Login | allow_root_login(arg) | Sets: /etc/ssh/sshd_config, /etc/securetty, /etc/pam.d/kde, /etc/pam.d/gdm, /etc/pam.d/xdm, /etc/bastille-no-login. BUG: remember to fix PermitRootLogin in /etc/ssh/sshd_config. | yes | yes | yes | yes | no | no
sulogin For Single User | enable_sulogin(arg) | Enable/Disable sulogin(8) in single-user level. Sets: /etc/inittab | no | no | no | no | yes | yes
User List in [kg]dm | allow_user_list(arg) | Allow/Forbid the list of users on the system on display managers (kdm and gdm). | yes | yes | yes | yes | no | no
Ignore ICMP Echo | accept_icmp_echo(arg) | Accept/Refuse ICMP echo. Sets: /etc/sysctl.conf. BUG: remember to run “sysctl -e -p /etc/sysctl.conf”. | no | no | no | no | yes | yes
Ignore Bogus Error Responses | accept_bogus_error_responses(arg) | Accept/Refuse bogus IPv4 error messages. Sets: /etc/sysctl.conf. BUG: remember to run “sysctl -e -p /etc/sysctl.conf”. | no | no | no | no | yes | yes
Allow Reboot by User | allow_reboot(arg) | Allow/Forbid reboot by the console user. Sets: /etc/shutdown.allow, kernel.sysrq in /etc/sysctl.conf, /usr/share/config/kdm/kdmrc and /etc/X11/gdm/gdm.conf. BUG: remember to run “sysctl -e -p /etc/sysctl.conf”. | yes | yes | yes | yes | no | no
Allow crontab/at | enable_at_crontab(arg) | Enable/Disable crontab and at for users. Put allowed users in /etc/cron.allow and /etc/at.allow (see at(1) and crontab(1)). Sets: /etc/cron.allow and /etc/at.allow | yes | yes | yes | yes | no | no
Password Aging | password_aging(max, inactive=-1) | Set password aging to max days and the delay to change to inactive. To disable: password_aging(99999). Sets: /etc/login.defs and uses /usr/bin/chage | no | no | no | no | 60 days | 30 days
Password Required | enable_password(arg) | Use a password to authenticate users. (If this is set to “no” then any password will be accepted as OK.) Sets: /etc/pam.d/system-auth | no | yes | yes | yes | yes | yes
Allow Autologin | allow_autologin(arg) | Allow/Forbid autologin. Sets: /etc/sysconfig/autologin | yes | yes | yes | no | no | no
Console Log | enable_console_log(arg, expr='*.*') | Enable/Disable syslog reports to console 12. expr is the expression describing what to log (see syslog.conf(5) for details). Sets: /etc/syslog.conf | no | no | no | yes | yes | yes
Warnings in syslog | set_security_conf(SYSLOG_WARN, value) | Sets SYSLOG_WARN in /var/lib/msec/security.conf; this can be overridden with /etc/security/msec/security.conf. Listed in the table below as SYSLOG_WARN. | no | no | yes | yes | yes | yes
Warnings in security.log | Not a configuration variable. | | no | yes | yes | yes | yes | yes
Issues | allow_issues(arg) | If arg = ALL, allow /etc/issue and /etc/issue.net to exist. If arg = NONE, no issues are allowed; otherwise only /etc/issue is allowed. Sets: /etc/issue and /etc/issue.net (will disable them by adding the “.msec” suffix, I think). BUG: this setting is encumbered by hard-coded logic in /etc/rc.d/rc.local. | yes | yes | yes | local | local | no
IP Spoofing Protection | enable_ip_spoofing_protection(arg, alert=1) | Sets: /etc/host.conf and enables paranoid reverse DNS lookups. From host.conf(5): “Valid values are on and off. If set to on, the resolv+ library will attempt to prevent hostname spoofing to enhance the security of rlogin and rsh. It works as follows: after performing a host address lookup, resolv+ will perform a hostname lookup for that address. If the two hostnames do not match, the query will fail.” Also sets: net.ipv4.conf.all.rp_filter in /etc/sysctl.conf. About this setting /usr/src/linux/Documentation/filesystems/proc.txt says: “If you set this to 1 on a router that is the only connection for a network to the net, it will prevent spoofing attacks against your internal networks (external addresses can still be spoofed), without the need for additional firewall rules.” /usr/src/linux/Documentation/networking/ip-sysctl.txt says: “do source validation by reversed path, as specified in RFC1812. Recommended option for single homed hosts and stub network routers. Could cause troubles for complicated (not loop free) networks running a slow unreliable protocol (sort of RIP), or using static routes.” Bug: does not unset sysctl net.ipv4.conf.all.rp_filter. BUG: remember to run “sysctl -e -p /etc/sysctl.conf”. | no | no | no | yes | yes | yes
Log Strange IP Packets | enable_log_strange_packets(arg) | Enable/Disable the logging of strange IPv4 packets. Sets: net.ipv4.conf.all.log_martians in /etc/sysctl.conf. About this setting /usr/src/linux/Documentation/filesystems/proc.txt says: “Log packets with source addresses with no known route to kernel log.” BUG: remember to run “sysctl -e -p /etc/sysctl.conf”. | no | no | no | yes | yes | yes
Periodic Security Check | enable_security_check(arg) | Activate/Disable the daily security check. Sets: /etc/cron.daily/msec to a symlink to /usr/share/msec/security.sh | no | yes | yes | yes | yes | yes
X connections | allow_x_connections(arg, listen_tcp) | Allow/Forbid X connections. The first argument specifies what is done on the client side: ALL (all connections are allowed), LOCAL (only local connections) and NONE (no connections). The second argument specifies what is authorized on the server side: whether clients are authorized to connect on TCP port 6000 or not. | (all, 1) | (local, 1) | (local, 1) | (none, 1) | (none, 0) | (none, 0)
Hosts allowed to make connections to the X server (think xhost) | first argument of allow_x_connections | (was: “Allow X TCP Connections”) BUG: incorrect settings in the original document. They have been corrected in this document. | yes | local | local | none | no | no
X server listens for TCP connections | second argument of allow_x_connections | (was: “Connect to X Display”) BUG: incorrect settings in the original document. They have been corrected in this document. | 1 | 1 | 1 | 1 | 0 | 0
"." in $PATH | none (hard-coded) | Setting hard-coded into /etc/profile.d/msec.sh and /etc/profile.d/msec.csh. BUG: setting is hard-coded. | yes | yes | no | no | no | no
Run msec tests via cron | enable_msec_cron(arg) | Enable/Disable the msec hourly security check. This is how the msec settings get refreshed. Sets: links /etc/cron.hourly/msec to /usr/sbin/msec | no | no | no | some ???? | yes | yes
Check for promiscuous Ethernet interfaces | enable_promisc_check() | Activate/Disable the Ethernet card promiscuous-mode check. Sets: /etc/cron.d/msec. BUG: this requires the CHECK_PROMISC setting. | 0 | 0 | 0 | 0 | 1 | 1
 

Security check variables (set with set_security_conf, stored in /var/lib/msec/security.conf and overridable in /etc/security/msec/security.conf):

Variable | Level 0 | Level 1 | Level 2 | Level 3 | Level 4 | Level 5 | Requires enable_security_check(1) | Requires CHECK_SECURITY
--- | --- | --- | --- | --- | --- | --- | --- | ---
CHECK_SECURITY | no | yes | yes | yes | yes | yes | 1 | n/a
CHECK_PERMS | no | no | no | yes | yes | yes | 1 | 1
CHECK_SUID_ROOT | no | no | yes | yes | yes | yes | 1 | 1
CHECK_SUID_MD5 | no | no | yes | yes | yes | yes | 1 | 1
CHECK_SUID_GROUP | no | no | no | yes | yes | yes | 1 | 1
CHECK_WRITEABLE | no | no | yes | yes | yes | yes | 1 | 1
CHECK_UNOWNED | no | no | no | yes | yes | yes | 1 | 1
CHECK_PROMISC | no | no | no | yes | yes | yes | Requires: enable_promisc_check(1) | 0
CHECK_OPEN_PORT | no | no | no | yes | yes | yes | 1 | 1
CHECK_PASSWD | no | no | no | yes | yes | yes | 1 | 1
CHECK_SHADOW | no | no | no | yes | yes | yes | 1 | 1
TTY_WARN | no | no | no | no | yes | yes | n/a | n/a
MAIL_WARN | no | no | no | yes | yes | yes | n/a | n/a
SYSLOG_WARN | no | no | yes | yes | yes | yes | n/a | n/a
RPM_CHECK | no | no | no | yes | yes | yes | 1 | 1
CHKROOTKIT_CHECK | no | no | no | yes | yes | yes | 1 | 1

Permission settings

Summarized from: /usr/share/msec/perm.*

Each cell gives owner.group and octal mode for that level.

filename | Level 1 | Level 2 | Level 3 | Level 4 | Level 5
--- | --- | --- | --- | --- | ---
/ | root.root 755 | root.root 755 | root.adm 755 | root.adm 751 | root.root 711
/bin/ | root.root 755 | root.root 755 | root.root 755 | root.adm 751 | root.root 711
/bin/ping | root.root 4755 | root.root 4755 | root.root 4755 | root.ntools 4750 | root.ntools 4750
/bin/rpm | rpm.rpm 755 | rpm.rpm 755 | rpm.rpm 755 | rpm.rpm 750 | rpm.rpm 750
/boot/ | root.root 755 | root.root 755 | root.root 755 | root.root 700 | root.root 700
/dev/ | root.root 755 | root.root 755 | root.root 755 | root.root 711 | root.root 711
/etc/ | root.root 755 | root.root 755 | root.root 755 | root.adm 711 | root.root 711
/etc/conf.modules | root.root 644 | root.root 644 | root.root 644 | root.adm 640 | root.root 600
/etc/cron.daily/ | root.root 755 | root.root 755 | root.root 755 | root.adm 750 | root.root 700
/etc/cron.hourly/ | root.root 755 | root.root 755 | root.root 755 | root.adm 750 | root.root 700
/etc/cron.monthly/ | root.root 755 | root.root 755 | root.root 755 | root.adm 750 | root.root 700
/etc/cron.weekly/ | root.root 755 | root.root 755 | root.root 755 | root.adm 750 | root.root 700
/etc/crontab | root.root 644 | root.root 644 | root.root 644 | root.adm 640 | root.root 600
/etc/dhcpcd/ | root.root 755 | root.root 755 | root.root 755 | root.adm 750 | root.root 700
/etc/dhcpcd/* | root.root 644 | root.root 644 | root.root 644 | root.adm 640 | root.root 600
/etc/ftpaccess | root.root 644 | root.root 644 | root.root 644 | root.adm 640 | root.root 600
/etc/ftpconversions | root.root 644 | root.root 644 | root.root 644 | root.adm 640 | root.root 600
/etc/ftpgroups | root.root 644 | root.root 644 | root.root 644 | root.adm 640 | root.root 600
/etc/ftphosts | root.root 644 | root.root 644 | root.root 644 | root.adm 640 | root.root 600
/etc/ftpusers | root.root 644 | root.root 644 | root.root 644 | root.adm 640 | root.root 600
/etc/gettydefs | root.root 644 | root.root 644 | root.root 644 | root.adm 640 | root.root 600
/etc/hosts.allow | root.root 644 | root.root 644 | root.root 644 | root.daemon 640 | root.daemon 640
/etc/hosts.deny | root.root 644 | root.root 644 | root.root 644 | root.daemon 640 | root.daemon 640
/etc/hosts.equiv | root.root 644 | root.root 644 | root.root 644 | root.daemon 640 | root.daemon 640
/etc/inetd.conf | root.root 644 | root.root 644 | root.root 644 | root.adm 640 | root.root 600
/etc/inittab | root.root 644 | root.root 644 | root.root 644 | root.adm 640 | root.root 600
/etc/ld.so.conf | root.root 644 | root.root 644 | root.root 644 | root.adm 640 | root.root 600
/etc/mandrake-release | root.root 644 | root.root 644 | root.root 644 | root.adm 640 | root.root 600
/etc/modules.conf | root.root 644 | root.root 644 | root.root 644 | root.adm 640 | root.root 600
/etc/motd | root.root 644 | root.root 644 | root.root 644 | root.adm 644 | root.root 644
/etc/printcap | root.root 644 | root.root 644 | root.root 644 | root.lp 640 | root.lp 640
/etc/profile.d/* | root.root 755 | root.root 755 | root.root 755 | root.root 755 | root.root 755
/etc/rc.d/ | root.root 755 | root.root 755 | root.root 755 | root.adm 750 | root.root 700
/etc/rc.d/init.d/ | root.root 755 | root.root 755 | root.root 755 | root.adm 750 | root.root 700
/etc/rc.d/init.d/* | root.root 744 | root.root 744 | root.root 700 | root.adm 740 | root.root 700
/etc/rc.d/init.d/mandrake_consmap | root.root 644 | root.root 644 | root.root 644 | root.adm 644 | root.adm 644
/etc/securetty | root.root 644 | root.root 644 | root.root 644 | root.root 640 | root.root 600
/etc/sendmail.cf | root.mail 644 | root.mail 644 | root.mail 644 | root.mail 640 | root.mail 640
/etc/shutdown.allow | root.root 644 | root.root 644 | root.root 644 | root.adm 640 | root.root 600
/etc/ssh/ssh_config | root.root 644 | root.root 644 | root.root 644 | root.root 644 | root.root 644
/etc/ssh/ssh_host_*key | root.root 600 | root.root 600 | root.root 600 | root.adm 600 | root.root 600
/etc/ssh/ssh_host_*key.pub | root.root 644 | root.root 644 | root.root 644 | root.adm 644 | root.root 644
/etc/ssh/sshd_config | root.root 644 | root.root 644 | root.root 644 | root.adm 640 | root.root 600
/etc/sysconfig | root.root 755 | root.root 755 | root.root 755 | root.adm 751 | root.root 711
/etc/syslog.conf | root.root 644 | root.root 644 | root.adm 640 | root.adm 640 | root.root 600
/etc/updatedb.conf | root.root 644 | root.root 644 | root.root 644 | root.adm 640 | root.root 600
/home/ | root.root 755 | root.root 755 | root.root 755 | root.adm 751 | root.root 711
/home/* | current 755 | current 755 | current 711 | current 700 | current 700
/lib/ | root.root 755 | root.root 755 | root.root 755 | root.adm 751 | root.root 711
/mnt/ | root.root 755 | root.root 755 | root.root 755 | root.adm 750 | root.root 710
/proc | root.root 555 | root.root 555 | root.root 555 | root.adm 550 | root.adm 550
/root/ | root.root 755 | root.root 700 | root.root 700 | root.root 700 | root.root 700
/sbin/ | root.root 755 | root.root 755 | root.root 755 | root.adm 751 | root.root 711
/tmp/ | root.root 1777 | root.root 1777 | root.root 1777 | root.adm 1773 | root.root 1733
/usr/ | root.root 755 | root.root 755 | root.root 755 | root.adm 751 | root.root 711
/usr/* | root.root 755 | root.root 755 | root.root 755 | root.adm 751 | root.root 711
/usr/X11R6/ | root.root 755 | root.root 755 | root.root 755 | root.xgrp 751 | root.xgrp 710
/usr/bin/ | root.root 755 | root.root 755 | root.root 755 | root.adm 751 | root.root 711
/usr/bin/cc | root.root 755 | root.root 755 | root.root 755 | root.ctools 750 | root.ctools 750
/usr/bin/finger | root.root 755 | root.root 755 | root.root 755 | root.ntools 750 | root.ntools 750
/usr/bin/g++* | root.root 755 | root.root 755 | root.root 755 | root.ctools 750 | root.ctools 750
/usr/bin/gcc* | root.root 755 | root.root 755 | root.root 755 | root.ctools 750 | root.ctools 750
/usr/bin/ssh | root.root 755 | root.root 755 | root.root 755 | root.ntools 750 | root.ntools 750
/usr/bin/telnet | root.root 755 | root.root 755 | root.root 755 | root.ntools 750 | root.ntools 750
/usr/bin/w | root.root 755 | root.root 755 | root.root 755 | root.ntools 750 | root.ntools 750
/usr/bin/who | root.root 755 | root.root 755 | root.root 755 | root.ntools 750 | root.ntools 750
/usr/lib/rpm/rpm? | rpm.rpm 755 | rpm.rpm 755 | rpm.rpm 755 | rpm.rpm 750 | rpm.rpm 750
/usr/sbin/ | root.root 755 | root.root 755 | root.root 755 | root.adm 751 | root.root 711
/usr/sbin/sendmail | root.mail 2711 | root.mail 2711 | root.mail 2711 | root.mail 2711 | root.mail 2711
/usr/sbin/traceroute | root.bin 4755 | root.bin 4755 | root.bin 4755 | root.ntools 4750 | root.ntools 4750
/usr/share/doc | root.root 755 | root.root 755 | root.root 755 | rpm.rpm 750 | rpm.rpm 710
/usr/share/man | root.root 755 | root.root 755 | root.root 755 | rpm.rpm 750 | rpm.rpm 710
/usr/tmp | root.root 1777 | root.root 1777 | root.root 1777 | root.adm 1773 | root.root 1733
/var/ | root.root 755 | root.root 755 | root.root 755 | root.root 755 | root.root 755
/var/lock/subsys | root.root 755 | root.root 755 | root.root 755 | root.adm 750 | root.root 700
/var/log/ | root.root 755 | root.root 755 | root.root 755 | root.adm 751 | root.root 711
/var/log/* | root.adm 644 | root.adm 640 | root.root 640 | root.root 600 | root.root 600
/var/log/*/* | current 644 | current 640 | current 640 | current 600 | current 600
/var/log/*/*/* | current 644 | current 640 | current 640 | current 600 | current 600
/var/log/*/. | current 755 | current 755 | current 755 | current 700 | current 700
/var/log/intraline/. | nodata | nodata | nodata | current 750 | current 750
/var/log/lp-errs | lp.lp 600 | lp.lp 600 | lp.lp 600 | lp.lp 600 | lp.lp 600
/var/spool/mail/ | root.mail 2775 | root.mail 2775 | root.mail 2775 | root.mail 771 | root.mail 771
/var/tmp | root.root 1777 | root.root 1777 | root.root 1777 | root.adm 1773 | root.root 1733
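The table above is what the periodic CHECK_PERMS run compares the filesystem against. As an added example, not msec's own code and not the format of its /usr/share/msec/perm.* files, the POSIX shell script below audits a live tree against a table written one entry per line as `<path-or-glob> <owner.group|current|nodata> <mode>`, i.e. the same three pieces of information each cell of the table carries. It assumes GNU `stat -c`; `current` means only the mode is checked, and `nodata` entries are skipped. The demo builds a constructed temp tree so it never touches the real /etc.

```shell
#!/bin/sh
# Added example (not msec's own code): audit paths against a permission table
# in the layout   <path-or-glob> <owner.group | current | nodata> <octal mode>
# e.g.            /etc/crontab root.root 600
# "current" keeps whatever owner the file has (only the mode is checked);
# "nodata" rows are skipped. Requires GNU stat (-c format strings).

# Strip leading zeros so "0644" and "644" compare equal.
_norm_mode() { printf '%s\n' "$1" | sed 's/^0*\([0-7]\)/\1/'; }

# Check one path. Prints one line per deviation, nothing when it complies.
check_perm() {
    path=$1; owner=$2; mode=$3
    if [ "$owner" = "nodata" ]; then return 0; fi
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 0
    fi
    actual_owner=$(stat -c '%U.%G' "$path")
    actual_mode=$(_norm_mode "$(stat -c '%a' "$path")")
    mode=$(_norm_mode "$mode")
    if [ "$owner" != "current" ] && [ "$owner" != "$actual_owner" ]; then
        echo "OWNER $path expected $owner got $actual_owner"
    fi
    if [ "$mode" != "$actual_mode" ]; then
        echo "MODE $path expected $mode got $actual_mode"
    fi
}

# Run every line of TABLE through check_perm; globs such as /etc/dhcpcd/* are
# expanded by the shell (an unmatched glob is reported as MISSING).
# Output is the list of deviations; empty output means compliant.
audit_perms() {
    table=$1
    while read -r pattern owner mode; do
        case $pattern in ''|\#*) continue ;; esac
        for path in $pattern; do
            check_perm "$path" "$owner" "$mode"
        done
    done < "$table"
}

# Demo on a constructed tree under a temp dir (never on the live system):
# crontab complies, cron.daily is too open, both dhcpcd files are too open.
demo_perm_audit() {
    d=$(mktemp -d) || return 1
    t=$(mktemp) || return 1
    mkdir -p "$d/etc/cron.daily" "$d/etc/dhcpcd"
    : > "$d/etc/crontab";  chmod 600 "$d/etc/crontab"
    chmod 755 "$d/etc/cron.daily"
    : > "$d/etc/dhcpcd/a"; : > "$d/etc/dhcpcd/b"
    chmod 640 "$d/etc/dhcpcd/a" "$d/etc/dhcpcd/b"
    printf '%s\n' "$d/etc/crontab current 600" \
                  "$d/etc/cron.daily/ current 700" \
                  "$d/etc/dhcpcd/* current 600" > "$t"
    audit_perms "$t"          # prints three MODE lines
    rm -rf "$d" "$t"
}
```

Source the file and run `demo_perm_audit`; for a real check, write the level's column from the table into a file in that three-field layout and run `audit_perms` on it as root, since only root can stat everything the table lists.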