msec(8)

NAME
msec - Mandriva Linux security tools
SYNOPSIS
msec [options]
msecperms [options]
msecgui [options]
DESCRIPTION
msec is responsible for maintaining system security in Mandriva. It supports different security configurations, which can be organized into several security levels, stored in /etc/security/msec/level.LEVELNAME. Currently, three basic preconfigured security levels are provided with Mandriva Linux:
none
    This level disables all msec options. It should be used when you want to manage all aspects of system security on your own.
standard
    This is the default security level, which configures a reasonably safe set of security features. It activates several periodic system checks, and sends the results of their execution by email (by default, to the local 'root' account).
secure
    This level is configured to provide maximum system security, even at the cost of limiting remote access to the system and local user permissions. It also runs a wider set of periodic checks, enforces the local password settings, and periodically checks whether the system security settings configured by msec were modified directly or by some other application.
Besides those levels, different task-oriented security levels are also provided, such as the 'fileserver', 'webserver' and 'netbook' levels. Such levels attempt to pre-configure system security according to the most common use cases.
Note that besides those levels you may create as many levels as necessary.
The security settings are stored in the /etc/security/msec/security.conf file, and default settings for each predefined level are stored in /etc/security/msec/level.LEVEL. Permissions for files and directories that should be enforced or checked for changes are stored in /etc/security/msec/perms.conf, and default permissions for each predefined level are stored in /etc/security/msec/perm.LEVEL. Note that user-modified parameters take precedence over default level settings. For example, when the default level configuration forbids direct root logins, this setting can be overridden by the user.
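The precedence rule above, worked through as an added example (this is not msec's own code): the level file supplies the defaults, the local security.conf is applied on top of it, and the result also lists which settings the local file changed, which is what an auditor of a host wants to see. The KEY=value line format, the comment handling and the sample file contents are assumptions; the man page only names the files and the BASE_LEVEL parameter.

```python
# Added example, not msec's own code. The KEY=value line format and the
# sample contents below are assumptions (constructed for this example).

SAMPLE_LEVEL_STANDARD = """\
BASE_LEVEL=standard
ALLOW_ROOT_LOGIN=yes
CHECK_UNOWNED=yes
CHECK_OPEN_PORT=yes
"""

SAMPLE_SECURITY_CONF = """\
# local changes, kept on top of the 'standard' defaults
BASE_LEVEL=standard
ALLOW_ROOT_LOGIN=no
CHECK_OPEN_PORT=yes
"""


def parse_settings(text):
    """Parse KEY=value lines into a dict; blank lines and '#' comments are skipped."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: expected KEY=value, got %r" % (lineno, raw))
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def effective_settings(level_defaults, local_settings):
    """Merge level defaults with local settings; local values win.

    Returns (effective, overrides): 'effective' is the merged configuration,
    'overrides' maps every key whose local value differs from the level
    default to a (default, local) pair. A key that exists only locally is
    reported with a default of None.
    """
    effective = dict(level_defaults)
    overrides = {}
    for key, value in local_settings.items():
        if level_defaults.get(key) != value:
            overrides[key] = (level_defaults.get(key), value)
        effective[key] = value
    return effective, overrides


if __name__ == "__main__":
    defaults = parse_settings(SAMPLE_LEVEL_STANDARD)
    local = parse_settings(SAMPLE_SECURITY_CONF)
    effective, overrides = effective_settings(defaults, local)
    for key, (default, current) in sorted(overrides.items()):
        print("%s: level default %r, local value %r" % (key, default, current))
```

With the constructed files, the only deviation reported is ALLOW_ROOT_LOGIN, changed from the level default 'yes' to the local 'no', which is exactly the root-login example the paragraph gives.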
The following options are supported by msec applications:
msec:
This is the console version of msec. It is responsible for system security configuration and checking, and for transitions between security levels.
When executed without parameters, msec reads the system configuration file (/etc/security/msec/security.conf) and enforces the specified security settings. The operations are logged to the /var/log/msec.log file, and also to syslog, using the LOG_AUTHPRIV facility. Please note that msec should be run as root.
-h, --help
    Display the list of supported command line options.
-l, --level <level>
    List the default configuration for the given security level.
-f, --force <level>
    Apply the specified security level to the system, overwriting all local changes in /etc/security/msec/security.conf. This usually should be performed either on first install, or when a transition to a different level is required.
-d
    Enable debugging messages.
-p, --pretend
    Verify the actions that would be performed by msec, without actually doing anything to the system. In this mode of operation, msec performs all the required tasks, except effectively writing data back to disk.
-r, --root <path>
    Use path as root. Can be used to perform msec actions in a chroot.
-q
    Run quietly.
-s, --save <level>
    Save current settings as a new security level.
msecperms:
This application is responsible for system permission checking and enforcement.
When executed without parameters, msecperms reads the permissions configuration file (/etc/security/msec/perms.conf) and enforces the specified security settings. The operations are logged to the /var/log/msec.log file, and also to syslog, using the LOG_AUTHPRIV facility. Please note that msecperms should be run as root.
-h, --help
    Display the list of supported command line options.
-l, --level <level>
    List the default configuration for the given security level.
-e, --enforce
    Enforce the default permissions on all files.
-d
    Enable debugging messages.
-p, --pretend
    Verify the actions that would be performed by msecperms, without actually doing anything to the system. In this mode of operation, msecperms performs all the required tasks, except effectively writing data back to disk.
-r, --root <path>
    Use path as root. Can be used to perform msecperms actions in a chroot.
-q
    Run quietly.
msecgui:
This is the GTK version of msec. It acts as a frontend to all msec functionalities.
-h, --help
This option will display the list of supported command line
options.
-d
Enable debugging messages.
EXAMPLES
Enforce system configuration according to the /etc/security/msec/security.conf file:
    msec
Display system configuration changes without enforcing anything:
    msec -p
Install predefined security level 'standard':
    msec -f standard
Preview the changes a switch to the 'standard' level would make:
    msec -p -f standard
Create a custom security level based on 'standard':
    cp /etc/security/msec/level.standard /etc/security/msec/level.my
    edit /etc/security/msec/level.my
    msec -f my
Export current security settings to create a new security level named 'office':
    msec -s office
Enforce system permissions according to the /etc/security/msec/perms.conf file:
    msecperms
Display permissions changes without enforcing anything:
    msecperms -p
Install predefined permissions for level 'standard':
    msecperms -f standard
Preview the changes a switch to the 'standard' permissions level would make:
    msecperms -p -f standard
Create a custom permissions level based on 'secure':
    cp /etc/security/msec/perm.secure /etc/security/msec/perm.my
    edit /etc/security/msec/perm.my
    msecperms -f my
Export current permission settings to create a new permissions level named 'office':
    msecperms -s office
DEFINING EXCEPTIONS FOR PERIODIC CHECKS
msec is capable of excluding certain patterns from periodic check reports. For this, it is possible to define the exceptions in the /etc/security/msec/exceptions file, for each supported check.
For example, to exclude all items that match /mnt, Mandriva-based chrooted installations in /chroot and all backup files from the results of the check for unowned files on the system, it is sufficient to define the following entries in the exceptions file:
    CHECK_UNOWNED /mnt
    CHECK_UNOWNED /chroot/mdv_.*/
    CHECK_UNOWNED .*~
In a similar way, it is possible to exclude the results for the deluge application from the list of open ports as follows:
    CHECK_OPEN_PORT /deluge
Each exception entry is a regular expression, and you may define as many exceptions as necessary.
In order to exclude a path from all msec checks, you may use * for the check name. For example, the following would exclude /media/ from all msec checks:
    * /media/
See below for all msec options that support this feature.
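The exception mechanism described in this section, as an added example that is not msec's own code: a parser for the "CHECK_NAME pattern" entries and a filter that drops matching items from one check's report, with '*' applying to every check. The entries are the ones from this section, embedded as a constructed file. That a pattern matches anywhere in the reported item (search rather than anchored match) and that '#' comment lines are skipped are assumptions; the man page only states that each entry is a regular expression.

```python
import re

# Added example, not msec's own code. The exceptions text below is
# constructed from the entries shown in the man page section above.
SAMPLE_EXCEPTIONS = """\
# unowned-files check: skip removable media, Mandriva chroots and backup files
CHECK_UNOWNED /mnt
CHECK_UNOWNED /chroot/mdv_.*/
CHECK_UNOWNED .*~
# open-ports check: skip the deluge application
CHECK_OPEN_PORT /deluge
# every check: skip /media/
* /media/
"""


def parse_exceptions(text):
    """Parse exception entries into a list of (check_name, compiled_regex).

    Each line is "CHECK_NAME pattern"; '*' as the check name applies the
    pattern to all checks. Skipping blank and '#' lines is an assumption.
    A malformed line raises ValueError with its line number, so a typo in
    the exceptions file is reported instead of silently widening a report.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("line %d: expected 'CHECK_NAME pattern'" % lineno)
        check, pattern = parts
        rules.append((check, re.compile(pattern)))
    return rules


def is_excluded(rules, check, item):
    """True if any rule for this check, or a '*' rule, matches the item.

    Matching anywhere in the item (re.search) is an assumption.
    """
    return any(rule_check in ("*", check) and regex.search(item)
               for rule_check, regex in rules)


def filter_results(rules, check, items):
    """Return the items of a check's report that are not excluded."""
    return [item for item in items if not is_excluded(rules, check, item)]


if __name__ == "__main__":
    rules = parse_exceptions(SAMPLE_EXCEPTIONS)
    # constructed sample report of the unowned-files check
    unowned = ["/mnt/usb/photo.jpg", "/srv/data/report.pdf",
               "/chroot/mdv_2010/etc/passwd", "/home/joe/notes.txt~",
               "/media/cdrom/README"]
    for item in filter_results(rules, "CHECK_UNOWNED", unowned):
        print("still reported:", item)
```

Note that a rule is scoped to its check name: the /mnt entry silences /mnt paths in CHECK_UNOWNED only, whereas the '*' entry for /media/ silences them in every check, which is the distinction the section draws between per-check and global exceptions.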
SECURITY OPTIONS
The following security options are supported by msec:
libmsec.base_level
    Defines the base security level, on top of which the current configuration is based.
    MSEC parameter: BASE_LEVEL
    Accepted values: *
NOTES
Msec applications must be run by root.
AUTHORS
Frederic Lepied
Eugeni Dodonov <eugeni@mandriva.com>
Mandriva Linux msec msec(8)