MSEC I

Summary:

• Introduction
• What Does msec Do?
• Configurable Variables

This article has been originally posted on ~MandrakeSecure by Vincent Danen. Thanks to him for allowing me to repost this article here on MUO.

Introduction

The Mandrake-Security package, more commonly known as msec, has been one of the base packages in Mandrake Linux since it was first introduced in version 7.0. Since that time, msec has undergone a lot of changes, most notably the transformation from being a series of shell scripts in 8.1 to the python-based system it is currently in 8.2.

Please note that this paper describes msec 0.19 and will be modified to reflect changes in newer versions as they appear. There are some differences between this version of msec and earlier versions so while much of the information provided is applicable to previous versions of msec, it may not be exact.

The basic functionality of msec has, however, remained the same. Every user, consciously or not, has used msec to some degree. ~DrakX, the Mandrake Linux GUI installer, when asking what security level you wish to have on your system (Low, Medium, High) is calling msec to secure your system.

section index

What Does msec Do?

However, one source of confusion with msec is what exactly it does. It's nice to know you can select a low security setting for next to no system security, or a high security setting for a paranoid system, but what exactly does msec do to differentiate a low setting from a high setting, or any of those in between? The following table illustrates the basic differences between the six security levels available:

The following table shows the periodic checks that msec performs for the various security levels:

section index

Configurable Variables

There are at least three additional variables that may be configured by the user (in /etc/security/msec/security.conf): MAIL_USER, PERM_LEVEL and EXCLUDE_REGEXP. Let's take a look at what each configurable variable actually does:

MAIL_USER: this is the user to send the daily reports to. If this is not set, the email is sent to the root user (which, hopefully, is being forwarded to another user since root should not really receive mail).

PERM_LEVEL: This is used to determine the file to use in order to fix permissions, owners, and groups. If set, it will use the file /etc/security/msec/perm.$PERM_LEVEL. If it is not set, it will use the SECURE_LEVEL variable instead (which is your current msec security level). Additionally, for extra system-specific configuration, the file /etc/security/msec/perm.local is used also, if it exists.

EXCLUDE_REGEXP: This is used to exclude files from consideration by msec, for example because they are always world writable and you don't want to be told about them. An example configuration:

EXCLUDE_REGEXP='^/tmp/\..*-unix'
EXCLUDE_REGEXP=${EXCLUDE_REGEXP}'\|^/var/lib/texmf'
EXCLUDE_REGEXP=${EXCLUDE_REGEXP}'\|^/var/run/acpid.socket'
EXCLUDE_REGEXP=${EXCLUDE_REGEXP}'\|^/var/run/dbus/system_dbus_socket'
EXCLUDE_REGEXP=${EXCLUDE_REGEXP}'\|^/var/run/sdp'
EXCLUDE_REGEXP=${EXCLUDE_REGEXP}'\|^/var/run/xdmctl/dmctl.*/socket'
EXCLUDE_REGEXP=${EXCLUDE_REGEXP}'\|^/var/spool/postfix'

Splitting the regexp one per line makes this more readable. You can test it by copy/pasting the EXCLUDE_REGEXP statements into a console, then executing

find / -maxdepth 4 | grep $EXCLUDE_REGEXP

CHECK_SECURITY: If set, msec will execute the security_check.sh script with all CHECK_* variables taken into account. These tests include:

• Check if any NFS filesystems are globally exported (without restrictions for who may mount them)
• Check if NFS mounts are missing the "nosuid" option
• Check if host trusting files containing the "+" character which allows hosts to connect without proper authentication (the files checked are /etc/hosts.equiv, /etc/shosts.equiv, and /etc/hosts.lpd)
• Check if executables are found in the /etc/aliases or /etc/postfix/aliases files and reports the found executable

• Files that should not be owned by someone other than the home directory owner, or readable: .netrc, .rhosts, .shosts, .Xauthority, .gnupg/secring.gpg, .pgp/secring.pgp, .ssh/identity, .ssh/id_dsa, .ssh/id_rsa, .ssh/random_seed
• Files that should not be owned by someone other than the home directory owner, or writeable: .bashrc, .bash_profile, .bash_login, .bash_logout, .cshrc, .emacs, .exrc, .forward, .klogin, .login, .logout, .profile, .tcshrc, .fvwmrc, .inputrc, .kshrc, .nexrc, .screenrc, .ssh, .ssh/config, .ssh/authorized_keys, .ssh/environment, .ssh/known_hosts, .ssh/rc, .twmrc, .xsession, .xinitrc, .Xdefaults
• Checks home directories; directories should not be owned by someone else or writeable

CHECK_SUID_MD5: If set, msec will compare the md5sum of suid root files to previously computed values. This will tell you if a suid root file has changed, even if the size and timestamp are similar, but has not been newly added or removed from the system.

CHECK_SUID_GROUP: If set, msec will compare the md5sum of sgid files to previously computed values. This will tell you if a sgid file has changed, even if the size and timestamp are similar, but has not been newly added or removed from the system.

CHECK_WRITEABLE: If set, msec will look for and report and world-writeable files found on your system.

CHECK_UNOWNED: If set, msec will look for files that are owned by uids and gids not referenced in /etc/passwd (ie. unknown users). If such files are found, msec will automatically change the user/group to "nobody".

CHECK_PROMISC: If set, msec will check each ethernet card to determine whether or not they are in promiscuous mode. Cards in promiscuous mode are allowed to intercept every packet received, including those that are not specifically directed to it. This is usually the case when a packet sniffer is being run on your system. At the same time, this could also mean that you have prelude running on your system.

CHECK_OPEN_PORT: If set, msec will report any changes to open ports on your system. This will help you track if a server has been re-started, or if a new server is starting to listen on any given port. This can provide false positives if servers have been re-started automatically by logrotate.

CHECK_PASSWD: If set, msec will verify that each user has a password and that the password is shadowed. This is an integrity check against /etc/passwd and discourages the system from having blank passwords.

CHECK_SHADOW: If set, msec will verify that each user has a password and that it is not blank. This is an integrity check against /etc/shadow.

TTY_WARN: If set, msec will write it's report to any console that has root logged on.

MAIL_WARN: If set, msec will send email warnings to the user specified by the MAIL_USER variable.

SYSLOG_WARN: If set, msec will also write it's report to syslog.

RPM_CHECK: If set, msec will check what packages have been changed on the system since yesterday (even re-installs of the same package). It will also check if any files belonging to packages have been modified.

CHKROOTKIT_CHECK: If set, msec will search your system for known rootkits.

These settings are written to the files /etc/sysconfig/msec and /var/lib/msec/security.conf; each time you change the msec active security level, it will be re-written with the new defaults. The /etc/sysconfig/msec file is sourced in various shell scripts while the /var/lib/msec/security.conf and /etc/security/msec/security.conf are sourced in the CHECK_SECURITY daily check.

One final thing to note. The settings are now also enforced every hour, for maximum protection, and every change that msec makes is logged to syslog. An easy way to view what changes msec is making on your system is to do:

{root@mdk82}# cd /var/log<br> {root@mdk82}# grep " msec" messages

Related Resources:

Original article on ~MandrakeSecure
Official Mandrake Linux msec Documentation
Files in '/usr/share/doc/msec-{...}

Revision / Modified: May 14, 2002
Author: Vincent Danen

Legal: This page is covered by the GNU Free Documentation License . Standard disclaimers of warranty apply. Copyright LSTB and Mandrakesoft.