Msec Howto

From LinodeWiki


Synopsis

msec ([-o <option>=<value>...]) ([0-5])
      Available options:

      -o all-local-files=<value>
             if <value> is 1, consider that all the files are local.

      -o log=<value>
             if <value> is anything other than syslog, do not log to syslog but to
             the standard error output.

      -o nolocal=<path>
             do not load the /etc/security/msec/level.local rules.

      -o non-local-fstypes=<value>
             <value>  is  a  list of non local file system types separated by
             spaces.

      -o print=<value>
             if <value> is equal to 1,  output  the  default  values  of  the
             rules.

      -o root=<path>
             use <path> as the root of the file system.


Files

File                               Description
/usr/sbin/msec                     The msec executable (sh script)
/var/lib/msec/security.conf        Contains the configuration of the current active security level
/etc/sysconfig/msec                Contains the configuration of the current active security level
/etc/security/msec/security.conf   Overrides the settings in /var/lib/msec/security.conf
/usr/share/msec/level.{0:5}        Shell scripts for rules at each level
/etc/security/msec/level.local     Overrides the rules of /usr/share/msec/level.{0:5}. See mseclib(3)
/usr/share/msec/perm.{0:5}         Shell scripts for setting the permissions/owners/groups at each level
/etc/security/msec/perm.local      Overrides the permissions/owners/groups of /usr/share/msec/perm.{0:5}
/etc/security/msec/server.{4:5}    Servers allowed to be enabled when installed


What Does msec Do?

  • msec is the main script of the msec package. It enables the system administrator to change the security level for that system. msec is provided with six preconfigured security levels. These levels range from poor security and ease of use, to paranoid config, suitable for very sensitive server applications.
  • You must be root to run msec.
  • Launch "msec x" to set your security level to x (x=[0-5]). It will modify your system according to the features of security level x. Called without an argument, it enforces the current security level without lowering security.
  • All changes are logged to syslog at the AUTH facility when msec is called non-interactively (by cron, for example) or at the LOCAL1 facility when called interactively (from the command line or from the Mandrake Control Center, for example).
  • If you want to make changes to the current level, use /etc/security/msec/perm.local to override the permissions/owners/groups (use the same syntax as /usr/share/msec/perm.* or use the drakperm graphical utility) and /etc/security/msec/level.local to override the rules (see mseclib(3) for details or use the draksec graphical utility).



The following table illustrates the basic differences between the six security levels available:

                                 0        1        2        3        4        5
root umask                       022      022      022      022      022      077
user umask                       022      022      022      022      077      077
shell timeout                    0        0        0        0        3600     900
deny services                    none     none     none     none     local    all
su only for wheel grp            no       no       no       no       no       yes
shell history size               default  default  default  default  10       10
direct root login                yes      yes      yes      yes      no       no
remote root login                yes      yes      yes      yes      no       no
sulogin for single user          no       no       no       no       yes      yes
user list in [kg]dm              yes      yes      yes      yes      no       no
promisc check                    no       no       no       no       yes      yes
ignore icmp echo                 no       no       no       no       yes      yes
ignore broadcasted icmp echo     no       no       no       no       yes      yes
ignore bogus error responses     no       no       no       no       yes      yes
enable libsafe                   no       no       no       no       yes      yes
allow reboot by user             yes      yes      yes      yes      no       no
allow crontab/at                 yes      yes      yes      yes      no       no
password aging                   no       no       no       no       60       30
allow autologin                  yes      yes      yes      no       no       no
console log                      no       no       no       yes      yes      yes
issues                           yes      yes      yes      local    local    no
ip spoofing protection           no       no       no       yes      yes      yes
dns spoofing protection          no       no       no       yes      yes      yes
log strange ip packets           no       no       no       yes      yes      yes
periodic security check          no       yes      yes      yes      yes      yes
allow X connections              yes      local    local    no       no       no
allow xauth from root            yes      yes      yes      yes      no       no
X server listen to               tcp      tcp      tcp      tcp      local    local
run msec by cron                 yes      yes      yes      yes      yes      yes
"." in $PATH                     yes      yes      no       no       no       no

The following table shows the periodic checks that msec performs for the various security levels:

                  0   1   2   3    4    5
CHECK_SECURITY    no  yes yes yes  yes  yes  
CHECK_PERMS       no  no  no  yes  yes  yes  
CHECK_SUID_ROOT   no  no  yes yes  yes  yes  
CHECK_SUID_MD5    no  no  yes yes  yes  yes  
CHECK_SGID        no  no  yes yes  yes  yes  
CHECK_WRITABLE    no  no  yes yes  yes  yes  
CHECK_UNOWNED     no  no  no  no   yes  yes  
CHECK_PROMISC     no  no  no  no   yes  yes  
CHECK_OPEN_PORT   no  no  no  yes  yes  yes  
CHECK_PASSWD      no  no  no  yes  yes  yes  
CHECK_SHADOW      no  no  no  yes  yes  yes  
TTY_WARN          no  no  no  no   yes  yes  
MAIL_WARN         no  no  no  yes  yes  yes  
SYSLOG_WARN       no  no  yes yes  yes  yes  
RPM_CHECK         no  no  no  yes  yes  yes
CHKROOTKIT_CHECK  no  no  no  yes  yes  yes

Configurable Variables

There are at least three additional variables that may be configured by the user in /etc/security/msec/security.conf:

  1. MAIL_USER
  2. PERM_LEVEL
  3. EXCLUDE_REGEXP


Let's take a look at what each configurable variable actually does:


MAIL_USER: This is the user to send the daily reports to. If this is not set, the email is sent to the root user (which, hopefully, is being forwarded to another user since root should not really receive mail).


PERM_LEVEL: This is used to determine the file to use in order to fix permissions, owners, and groups. If set, it will use the file /etc/security/msec/perm.$PERM_LEVEL

If it is not set, it will use the SECURE_LEVEL variable instead (which is your current msec security level). Additionally, for extra system-specific configuration, the file /etc/security/msec/perm.local is also used. The syntax of each line is the following:

<file specification>	<owner>	<permission>	[force]

<file specification> can be any glob to specify one or multiple files/directories.

<owner> must be in the form <user>.<group> or <user>. (force only user) or .<group> (force only group) or current (keep current user and group).

<permission> is an octal number representing the access rights or current to keep the current permissions.

If [force] is present as a 4th argument, it means that msec will enforce the permission even if the previous permission was lower.
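As an added example (not code from msec or from this page), here is a small Python audit of perm.local rules. It parses the line syntax just described, including the four owner forms and the "force" semantics, and reports entries below a root that deviate from the rules without changing anything; every function and variable name is this example's own.

```python
import glob
import grp
import os
import pwd
import stat


def parse_perm_line(line):
    """Parse one perm.local line into a rule dict; None for blank or comment lines.

    Owner forms: user.group, user. (user only), .group (group only), current (keep).
    A bare name without a dot is treated like "user." (an assumption of this example).
    Permission is octal or "current"; an optional 4th field "force" demands an exact match.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) not in (3, 4) or (len(fields) == 4 and fields[3] != "force"):
        raise ValueError(f"malformed perm rule: {line!r}")
    spec, owner, perm = fields[:3]
    if owner == "current":
        user = group = None
    elif "." in owner:
        user, group = (part or None for part in owner.split(".", 1))
    else:
        user, group = owner, None
    mode = None if perm == "current" else int(perm, 8)
    return {"spec": spec, "user": user, "group": group,
            "mode": mode, "force": len(fields) == 4}


def evaluate(rule, user, group, mode):
    """Compare an entry's actual owner, group and permission bits against a rule.

    Returns a list of problem strings; an empty list means the entry complies.
    Without "force" msec only removes bits the rule does not grant, so an entry
    that is already stricter than the rule passes; with "force" the mode must match.
    """
    problems = []
    if rule["user"] is not None and user != rule["user"]:
        problems.append(f"owner is {user}, rule wants {rule['user']}")
    if rule["group"] is not None and group != rule["group"]:
        problems.append(f"group is {group}, rule wants {rule['group']}")
    want = rule["mode"]
    if want is not None:
        if rule["force"] and mode != want:
            problems.append(f"mode {mode:04o} differs from forced {want:04o}")
        elif not rule["force"] and mode & ~want:
            problems.append(f"mode {mode:04o} grants bits beyond {want:04o}")
    return problems


def audit(perm_text, root="/"):
    """Expand each rule's glob below root and return (path, problem) pairs.

    Report-only: nothing is chmod'ed or chown'ed. Uids or gids without a
    passwd/group entry are reported by number (the condition CHECK_UNOWNED flags).
    """
    findings = []
    for line in perm_text.splitlines():
        rule = parse_perm_line(line)
        if rule is None:
            continue
        pattern = os.path.join(root, rule["spec"].lstrip("/"))
        for path in sorted(glob.glob(pattern)):
            st = os.lstat(path)
            try:
                user = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                user = str(st.st_uid)
            try:
                group = grp.getgrgid(st.st_gid).gr_name
            except KeyError:
                group = str(st.st_gid)
            for problem in evaluate(rule, user, group, stat.S_IMODE(st.st_mode)):
                findings.append((path, problem))
    return findings
```

Running audit(open('/etc/security/msec/perm.local').read()) as root lists the entries your overrides would touch on the next msec run, which is a cheap way to preview a new perm.local before enforcing it.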


EXCLUDE_REGEXP: This is used to exclude files from consideration by msec, for example because they are always world writable and you don't want to be told about them.

An example configuration:

EXCLUDE_REGEXP='^/tmp/\..*-unix'
EXCLUDE_REGEXP=${EXCLUDE_REGEXP}'\|^/var/lib/texmf'
EXCLUDE_REGEXP=${EXCLUDE_REGEXP}'\|^/var/run/acpid.socket'
EXCLUDE_REGEXP=${EXCLUDE_REGEXP}'\|^/var/run/dbus/system_dbus_socket'
EXCLUDE_REGEXP=${EXCLUDE_REGEXP}'\|^/var/run/sdp'
EXCLUDE_REGEXP=${EXCLUDE_REGEXP}'\|^/var/run/xdmctl/dmctl.*/socket'
EXCLUDE_REGEXP=${EXCLUDE_REGEXP}'\|^/var/spool/postfix'

Splitting the regexp one per line makes this more readable. You can test it by copy/pasting the EXCLUDE_REGEXP statements into a console, then executing

find / -maxdepth 4 | grep "$EXCLUDE_REGEXP"

This lists all the directories and files that will be excluded.


There are also more variables that can be configured by the user:


CHECK_SECURITY: If set, msec will execute the security_check.sh script with all CHECK_* variables taken into account. These tests include:

  • Check if any NFS filesystems are globally exported (without restrictions for who may mount them)
  • Check if NFS mounts are missing the "nosuid" option
  • Check if host-trusting files contain the "+" character, which allows hosts to connect without proper authentication (the files checked are /etc/hosts.equiv, /etc/shosts.equiv, and /etc/hosts.lpd)
  • Check if executables are found in the /etc/aliases or /etc/postfix/aliases files and report any executable found


CHECK_PERMS: If set, msec will check the permissions of certain files in each user's home directory and report its findings. It does not change the permissions, but simply reports that there are potential problems. It checks:

  • Files that should not be owned by someone other than the home directory owner, or readable: .netrc, .rhosts, .shosts, .Xauthority, .gnupg/secring.gpg, .pgp/secring.pgp, .ssh/identity, .ssh/id_dsa, .ssh/id_rsa, .ssh/random_seed
  • Files that should not be owned by someone other than the home directory owner, or writeable: .bashrc, .bash_profile, .bash_login, .bash_logout, .cshrc, .emacs, .exrc, .forward, .klogin, .login, .logout, .profile, .tcshrc, .fvwmrc, .inputrc, .kshrc, .nexrc, .screenrc, .ssh, .ssh/config, .ssh/authorized_keys, .ssh/environment, .ssh/known_hosts, .ssh/rc, .twmrc, .xsession, .xinitrc, .Xdefaults
  • Checks home directories; directories should not be owned by someone else or writeable


CHECK_SUID_ROOT: If set, msec will check and report on any changes to files that are suid root. This tells you if new suid root files appear on the system or if previously-existing suid root files have been removed.


CHECK_SUID_MD5: If set, msec will compare the md5sum of suid root files to previously computed values. This will tell you if a suid root file that was neither added nor removed has changed in place, even if its size and timestamp look the same.


CHECK_SGID (the CHECK_SGID row in the table above): If set, msec will compare the md5sum of sgid files to previously computed values. This will tell you if an sgid file that was neither added nor removed has changed in place, even if its size and timestamp look the same.
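To show what CHECK_SUID_ROOT, CHECK_SUID_MD5 and CHECK_SGID have to notice, here is an added Python sketch of the snapshot-and-compare logic; it is not msec's security_check.sh and shares no code with it. It inventories setuid-root and setgid regular files with their md5sums, skips the mount points of filesystem types you list (the idea behind the -o non-local-fstypes option), and diffs two inventories into added, removed and changed-in-place files; all function names and the fstype list are assumptions of this example.

```python
import hashlib
import os
import stat


def classify(st_mode, st_uid):
    """Return "suid_root", "sgid" or None for a file's mode bits and owner uid.
    Only regular files count: setgid on a directory is about group inheritance."""
    if not stat.S_ISREG(st_mode):
        return None
    if st_mode & stat.S_ISUID and st_uid == 0:
        return "suid_root"
    if st_mode & stat.S_ISGID:
        return "sgid"
    return None


def md5sum(path):
    """Digest of the file contents, read in chunks (msec compares md5sums, so we do too)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def nonlocal_mountpoints(fstypes, mounts_path="/proc/mounts"):
    """Mount points whose filesystem type is in fstypes (network and pseudo
    filesystems are skipped rather than hashed, like -o non-local-fstypes)."""
    points = set()
    try:
        with open(mounts_path) as fh:
            for entry in fh:
                fields = entry.split()
                if len(fields) >= 3 and fields[2] in fstypes:
                    points.add(fields[1])
    except OSError:
        pass
    return points


def inventory(root, skip_dirs=frozenset()):
    """Walk root (not following symlinks) and record every setuid-root or
    setgid regular file with its kind, size and md5 digest (None if unreadable)."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            kind = classify(st.st_mode, st.st_uid)
            if kind is None:
                continue
            try:
                digest = md5sum(path)
            except OSError:
                digest = None
            found[path] = {"kind": kind, "size": st.st_size, "md5": digest}
    return found


def diff_inventory(previous, current):
    """What changed between two snapshots: files that appeared or vanished
    (CHECK_SUID_ROOT / CHECK_SGID) and files replaced in place, whose digest
    differs even though size and timestamp may look the same (CHECK_SUID_MD5)."""
    prev_paths, cur_paths = set(previous), set(current)
    return {
        "added": sorted(cur_paths - prev_paths),
        "removed": sorted(prev_paths - cur_paths),
        "changed": sorted(p for p in prev_paths & cur_paths
                          if previous[p]["md5"] != current[p]["md5"]),
    }
```

Persist the dict returned by inventory between runs (as JSON, for instance) and pass the earlier one to diff_inventory as previous; hashing every suid binary under / needs root, and a constructed skip set such as nonlocal_mountpoints({"proc", "sysfs", "nfs"}) keeps the walk off pseudo and network filesystems.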


CHECK_WRITABLE: If set, msec will look for and report any world-writable files found on your system.


CHECK_UNOWNED: If set, msec will look for files that are owned by uids and gids not referenced in /etc/passwd (i.e. unknown users). If such files are found, msec will automatically change the user/group to "nobody".


CHECK_PROMISC: If set, msec will check each ethernet card to determine whether or not it is in promiscuous mode. A card in promiscuous mode accepts every packet it receives, including those not specifically addressed to it. This is usually the case when a packet sniffer is being run on your system. At the same time, it could also mean that you have prelude running on your system.


CHECK_OPEN_PORT: If set, msec will report any changes to open ports on your system. This will help you track if a server has been re-started, or if a new server is starting to listen on any given port. This can provide false positives if servers have been re-started automatically by logrotate.


CHECK_PASSWD: If set, msec will verify that each user has a password and that the password is shadowed. This is an integrity check against /etc/passwd and discourages the system from having blank passwords.


CHECK_SHADOW: If set, msec will verify that each user has a password and that it is not blank. This is an integrity check against /etc/shadow.


TTY_WARN: If set, msec will write its report to any console that has root logged on.


MAIL_WARN: If set, msec will send email warnings to the user specified by the MAIL_USER variable.


SYSLOG_WARN: If set, msec will also write its report to syslog.


RPM_CHECK: If set, msec will check what packages have been changed on the system since yesterday (even re-installs of the same package). It will also check if any files belonging to packages have been modified.


CHKROOTKIT_CHECK: If set, msec will search your system for known rootkits.


  • These settings are written to the files /etc/sysconfig/msec and /var/lib/msec/security.conf; each time you change the msec active security level, it will be re-written with the new defaults.
  • The /etc/sysconfig/msec file is sourced in various shell scripts while the /var/lib/msec/security.conf and /etc/security/msec/security.conf are sourced in the CHECK_SECURITY daily check.

One final thing to note. The settings are now also enforced every hour, for maximum protection, and every change that msec makes is logged to syslog. An easy way to view what changes msec is making on your system is to do:

 # cd /var/log
 # grep " msec" messages


Customizing msec With Overrides

To override any of these defaults, you will need to create the file /etc/security/msec/level.local with your overrides. For example, you could have a level.local file that looks something like this:

from mseclib import *
set_security_conf('MAIL_USER', 'vdanen')
set_security_conf('CHECK_PROMISC', 'no')
allow_reboot(1)

This tells msec that all msec emails must go to the user vdanen and that we will never do the Promiscuous check (CHECK_PROMISC) regardless of what security level we have defined.

This also tells msec to allow user reboots regardless of the security level.

To have a better idea of the different commands you can use in the level.local file, read the mseclib manpage (man mseclib). It describes all of the functions you can set in the file and what each function is for.

Instead of using level.local, you can also use /etc/security/msec/security.conf in a different format that is easier to use. It is not quite as versatile as level.local, as it is used to set shell variables that msec uses, but in most cases it will be enough to use security.conf instead of level.local.

For example, instead of using the above in level.local you could use in security.conf the following:

MAIL_USER=vdanen
CHECK_PROMISC=no

and in level.local just use:

from mseclib import *
allow_reboot(1)

If you want to override some permissions, you can do this with the /etc/security/msec/perm.local file. Each level has its own set of file permissions for certain files.

If you want to take a look at the defaults for each level, look at the /usr/share/msec/perm.* files. They contain the file name (or directory), the user/group that should own it, and the numeric permissions for the file or directory.

Let's say, for example, that you are using level 4 but don't want to have /boot with only 700 permissions, which is the default in level 4. You would create your /etc/security/msec/perm.local file and write in it the following:

/boot/ root.root 755

Then you would execute msec (just type "msec" at the command prompt as root), and if you look at the permissions of the /boot directory now, you will see it is 755, so normal users can look in there.


What Security Level To Choose?

Historically, msec's security levels had names that somewhat distinguished what they did. For level 0, the name was "Welcome to Crackers", for level 1 it was "Poor", for level 2 it was "Low", for level 3 it was "Medium", for level 4 it was "High", and for level 5 it was "Paranoid".

These names fit quite nicely with what each level is for. So how do you determine what level is right for you? There is obviously some thought behind each level, and you must determine the trade-off between security and ease of use for yourself. Here we will describe some typical scenarios for each security level.

Level 0: Welcome to Crackers. This level is the least secure level and should be used with extreme caution. It will make your system extremely easy to use, but at the expense of security. You should ask yourself the following questions, and if you answer yes to any of them, you should not use this level:

   * Is my computer connected to the internet?
   * Is my computer connected to other computers by a network?
   * Will this computer be used by someone other than me (intentionally or otherwise)?
   * Is there confidential data on this computer that I don't want others having access to?
   * I have little Linux experience and like to do everything as root (aka I don't know what I'm doing and can break things)?

Level 1: Poor. The increased security over level 0 here is that access to user data is protected by usernames and passwords. This makes the system usable by multiple users locally, but should not be used if the system is on a network (internet or LAN).

Level 2: Low. The increased security over level 1 is that msec provides more security warnings and checks. This level is appropriate for multi-user local use.

Level 3: Medium. This is the recommended minimum security level for computers connected to a network. Most of the security checks are used in this level, such as checking for open ports. However, in this level, open ports are kept open and global access to them is granted, so this level, by default, is not generally good for systems connected to the internet unless you are behind an appropriate firewall (i.e. there is a physical firewall system between you and the internet, not a firewall running on the local computer). This security level makes a nice base if you want to secure your system yourself by manually modifying configuration files for various services, etc. This security level is typically what most distributions use as a default.

Level 4: High. This is the recommended security level for network server systems or systems permanently connected to the internet. This level will allow connections to pre-determined servers via remote, and all locally. By default, a number of services are disabled, so as an administrator you will need to enable them by hand. The security checks msec performs are more advanced as well, as indicated by the above tables.

Level 5: Paranoid. This is the highest security level and it locks down the entire system. All of the security checks are enabled and the administrator will have to activate ports manually to enable services, and explicitly grant access to those services.


Default Server Activation

msec has a new feature that will only enable secure services upon installation. This is only active in security levels 4 and 5. Basically, this means that only some pre-defined services will be enabled when the server package is installed. For instance, if you select level 4 and then install proftpd, proftpd would not be enabled immediately.

Typically, when a server is installed, the RPM scripts enable the server so if you don't want it running, you will have to disable it. msec works contrary to this and will only enable services that are listed in the /etc/security/msec/server.{level} file. The only real difference between level 4 and level 5 is that in level 5 sshd is not enabled.

This does not mean you cannot enable the service yourself. This only prevents it from being activated upon installation, which is good practice anyways. To enable a particular service, simply use:

# chkconfig --add service

where "service" is the name of the service to enable (e.g. proftpd, http, etc.). If you upgrade a package (i.e. it already existed on the system), then msec will do nothing regarding service activation. This means that if you've already enabled httpd, then upgrade apache, you do not need to re-enable it.


Changing Your Security Level

Changing a security level on your Mandrake Linux system is very simple. All you need to do is execute msec and tell it what security level you wish to use. This can be done by executing msec {level} where {level} is the security level you wish to switch to.

You can also have msec tell you exactly what it's doing when you change the security level. Here is a sample output of changing to security level 4:

# msec -o log=stderr 4

As you can see, msec is a very useful starting point for securing your system. It cannot do everything to secure your system, and it is not meant as that sort of tool. System security requires due diligence by the system administrator. But msec will give you an excellent starting point from which to further secure your system, and it provides some great defaults depending on the type of system you wish to use.


security.txt File

Security level 0

* no password
* umask is 002 (user = read,write | group = read,write | other = read)
* easy file permission.
* everybody authorized to connect to X display.
* . in $PATH

Security level 1

* Global security check.
* umask is 002 (user = read,write | group = read,write | other = read)
* easy file permission.
* localhost authorized to connect to X display and X server listens to tcp connections.
* . in $PATH
* Warning in /var/log/security.log

Security level 2 (aka normal system)

* Global security check
* Suid root file check
* Suid root file md5sum check
* Writable file check
* Warning in syslog
* Warning in /var/log/security.log 
* umask is 022 ( user = read,write | group = read | other = read )
* easy file permission.
* localhost authorized to connect to X display and X server listens to tcp connections.

Security level 3 (aka more secure system)

* Global security check 
* Permissions check
* Suid root file check
* Suid root file md5sum check
* Suid group file check 
* Writable file check 
* Unowned file check 
* Promiscuous check 
* Listening port check 
* Passwd file integrity check
* Shadow file integrity check
* Warning in syslog
* Warning in /var/log/security.log
* rpm database checks
* send the results of checks by mail if they aren't empty
* umask is 022 ( user = read,write | group = read | other = read )
* Normal file permission.
* X server listens to tcp connections.
* All system events additionally logged to /dev/tty12
* Some system security check launched every midnight from the ( crontab ).
* no autologin
* home directories are accessible but not readable by others and group members.


Security level 4 (aka secured system)

* Global security check 
* Permissions check
* Suid root file check 
* Suid root file md5sum check
* Suid group file check
* Writable file check
* Unowned file check 
* Promiscuous check 
* Listening port check 
* Passwd file integrity check 
* Shadow file integrity check 
* Warning in syslog
* Warning in /var/log/security.log
* Warning directly on tty
* rpm database checks
* Send the results of checks by mail even if they are empty to show that the checks were run
* umask 022 ( user = read,write | group = read | other = read ) for root
* umask 077 ( user = read,write | group =  | other =  ) for normal users
* restricted file permissions.
* All system events additionally logged to /dev/tty12
* System security check every midnight ( crontab ).
* localhost authorized to connect to X display.
* X server doesn't listen for tcp connections
* no autologin
* sulogin in single user
* no direct root login
* remote root login only with a pass phrase
* no list of users in kdm and gdm
* password aging at 60 days
* shell history limited to 10
* shell timeout 3600 seconds
* at and crontab not allowed to users not listed in /etc/at.allow and /etc/cron.allow
* Services not contained in /etc/security/msec/server.4 are disabled during package installation
* Connection to the system denied for all except localhost (authorized services must be in /etc/hosts.allow).
* ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow ).
* most sensitive files and directories are restricted to the members of the adm group.
* home directories are not accessible by others and group members.
* X commands from /usr/X11R6/bin restricted to the members of the xgrp group.
* network commands (ssh, scp, rsh, ...) restricted to the members of the ntools group.
* compilation commands (gcc, g++, ...) restricted to the members of the ctools group.
* rpm command restricted to the members of the rpm group.
* forbid exporting X display when switching from root to another user


Security level 5 (aka paranoid system)

* Global security check
* Permissions check 
* Suid root file check 
* Suid root file md5sum check
* Suid group file check 
* Writable file check
* Unowned file check 
* Promiscuous check 
* Listening port check 
* Passwd file integrity check 
* Shadow file integrity check
* Warning in syslog
* Warning in /var/log/security.log
* Warning directly on tty
* rpm database checks
* Send the results of checks by mail even if they are empty to show that the checks were run.
* umask 077 ( user = read,write | group =  | other =  )
* Highly restricted file permission
* All system events additionally logged to /dev/tty12
* System security check every midnight ( crontab ).
* X server doesn't listen for tcp connections
* no autologin
* sulogin in single user
* no direct root login
* no list of users in kdm and gdm
* password aging at 30 days
* password history to 5
* shell history limited to 10
* shell timeout 900 seconds
* su to root only allowed to members of the wheel group (activated only if the wheel group isn't empty)
* Services not contained in /etc/security/msec/server.5 are disabled during package installation
* Connection to the system denied for all (authorized services must be in /etc/hosts.allow).
* ctrl-alt-del only allowed for root ( or user in /etc/shutdown.allow )
* most sensitive files and directories are restricted to the root account.
* home directories are not accessible by others and group members.
* X commands from /usr/X11R6/bin restricted to the members of the xgrp group.
* network commands (ssh, scp, rsh, ...) restricted to the members of the ntools group.
* compilation commands (gcc, g++, ...) restricted to the members of the ctools group.
* rpm command restricted to the members of the rpm group.
* forbid exporting X display when switching from root to another user




  • level4/level5 : "services disabled" explanations:
  1. Some servers aren't really considered secure; these should, for example, be compiled from source. Servers considered secure are listed in /etc/security/msec/server.4 and server.5.
  2. When enabling level 4/5, all servers that aren't considered secure are disabled ( NOT uninstalled, just disabled ); the user can re-enable them using the chkconfig utility ( the server will be launched at next boot ).
  3. In these levels, rpm is also denied from enabling any server considered insecure (of course rpm can still install the server). The user has the choice:
    1. chkconfig --add servername will enable the server.
    2. Or add the server to the secured server list


Links

  1. David Harris msec_docs
  2. David Harris msec_bugs