MSEC II

Summary:

• Customizing msec With Overrides
• What Security Level To Choose?
• Default Server Activation
• Changing Your Security Level

Section index - KB index

Customizing msec With Overrides

To override any of these defaults, you will need to create the file /etc/security/msec/level.local with your overrides. For example, you could have a level.local file that looks something like this:

from mseclib import

set_security_conf('MAIL_USER', 'vdanen') set_security_conf('CHECK_PROMISC', 'no') allow_reboot(1)

This tells msec that all msec emails must go to the user vdanen and that we will never do the Promiscuous check (CHECK_PROMISC) regardless of what security level we have defined. This also tells msec to allow user reboots regardless of the security level.

To have a better idea of the different commands you can use in the level.local file, read the mseclib manpage (man mseclib). It describes all of the functions you can set in the file and what each function is for.

Instead of using level.local, you can also use /etc/security/msec/security.conf in a different format that is easier to use. It is not quite as versatile as level.local, as it is used to set shell variables that msec uses, but in most cases it will be enough to use security.conf instead of level.local. For example, instead of using the above in level.local you could use in security.conf the following:

MAIL_USER=vdanen CHECK_PROMISC=no

and in level.local just use:

from mseclib import *

allow_reboot(1)

If you want to override some permissions, you can do this with the /etc/security/msec/perm.local file. Each level has it's own set of different file permissions for some certain files. If you want to take a look at the defaults for each level, look at the /usr/share/msec/perm. files. They contain the file name (or directory), the user/group that should own it, and the numeric permissions for the file or directory. Let's say, for example, that you are using level 4 but don't want to have /boot with only 700 permissions, which is the default in level 4. You would create your /etc/security/msec/perm.local file and write in it the following:

/boot/ root.root 755

Then you would execute msec (just type "msec" at the command prompt as root), and if you look at the permissions of the /boot directory now, you will see it is 755, so normal users can look in there.

section index

What Security Level To Choose?

Historically, msec's security levels had names that somewhat distinguished what they did. For level 0, the name was "Welcome to Crackers", for level 1 it was "Poor", for level 2 it was "Low", for level 3 it was "Medium", for level 4 it was "High", and for level 5 it was "Paranoid". These names fit quite nicely with what each level is for. So how do you determine what level is right for you? There is obviously some thought behind each level, and you must determine the trade-off between security and ease of use for yourself. Here we will describe some typical scenarios for each security level.

Level 0: Welcome to Crackers. This level is the least secure level and should be used with extreme caution. It will make your system extremely easy to use, but at the expense of security. You should ask yourself the following questions, and if you answer yes to any of them, you should not use this level:

• Is my computer connected to the internet?
• Is my computer connected to other computers by a network?
• Will this computer be used by someone other than me (intentionally or otherwise)?
• Is there confidential data on this computer that I don't want others having access to?
• I have little Linux experience and like to do everything as root (aka I don't know what I'm doing and can break things)?

Level 1: Poor. The increased security over level 0 here is that access to user data is protected by usernames and passwords. This makes the system usable by multiple users locally, but should not be used if the system is on a network (internet or LAN).

Level 2: Low. The increased security over level 1 is that msec provides more security warnings and checks. This level is appropriate for multi-user local use.

Level 3: Medium. This is the recommended minimum security level for computers connected to a network. Most of the security checks are used in this level, such as checking for open ports. However, in this level, open ports are kept open and global access to them is granted, so this level, by default, is not generally good for systems connected to the internet unless you are behind an appropriate firewall (ie. there is a physical firewall system between you and the internet, not a firewall running on the local computer). This security level makes a nice base if you want to secure your system yourself by manually modifying configuration files for various services, etc. This security level is typically what most distributions use as a default, so it is comparable to older pre-msec versions of Mandrake Linux, or other distributions such as Red Hat or ~SuSE.

Level 4: High. This is the recommended security level for network server systems or systems permanently connected to the internet. This level will allow connections to pre-determined servers via remote, and all locally. By default, a number of services are disabled, so as an administrator you will need to enable them by hand. The security checks msec performs are more advanced as well, as indicated by the above tables.

Level 5: Paranoid. This is the highest security level and it locks down the entire system. All of the security checks are enabled and the administrator will have to activate ports manually to enable services, and explicitly grant access to those services.

section index

Default Server Activation

msec has a new feature that will only enable secure services upon installation. This is only active in security levels 4 and 5. Basically, this means that only some pre-defined services will be enabled when the server package is installed. For instance, if you select level 4 and then install proftpd, proftpd would not be enabled immediately. Typically, when a server is installed, the RPM scripts enable the server so if you don't want it running, you will have to disable it. msec works contrary to this and will only enable services that are listed in the /etc/security/msec/server.{level} file. The only real difference between level 4 and level 5 is that in level 5 sshd is not enabled.

This does not mean you cannot enable the service yourself1.1 This only prevents it from being activated upon installation, which is good practice anyways. To enable a particular service, simply use:

~# chkconfig -add service

where "service" is the name of the service to enable (ie. proftpd, http, etc.). If you upgrade a package (ie. it already existed on the system), then msec will do nothing regarding service activation. This means that if you've already enabled httpd, then upgrade apache, you do not need to re-enable it.

section index

Changing Your Security Level

Changing a security level on your Mandrake Linux system is very simple. All you need to do is execute msec and tell it what security level you wish to use. This can be done by executing msec {level} where {level} is the security level you wish to switch to. You can also have msec tell you exactly what it's doing when you change the security level. Here is a sample output of changing to security level 4:

{root@mdk82}# msec -o log=stderr 4

As you can see, msec is a very useful starting point for securing your system. It cannot do everything to secure your system, and it is not meant as that sort of tool. System security requires due diligence by the system administrator. But msec will give you an excellent starting point from which to further secure your system, and it provides some great defaults depending on the type of system you wish to use.

section index

Related Resources:

Original article on ~MandrakeSecure
Official Mandrake Linux msec Documentation
Files in '/usr/share/doc/msec-{...}

Revision / Modified: May 14, 2002
Author: Vincent Danen

Legal: This page is covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB and Mandrakesoft.