pkg://msec-0.45.1-1mdk.src.rpm:167757/msec.spec
Summary: Security Level management for the Mandrakelinux distribution
Name: msec
Version: 0.45.1
Release: 1mdk
Url: http://www.mandrakelinux.com/
Source0: %{name}-%{version}.tar.bz2
Source1: msec.logrotate
Source2: msec.sh
Source3: msec.csh
License: GPL
Group: System/Base
BuildRoot: %_tmppath/%name-%version-%release-root
BuildRequires: python
Requires: /bin/bash /bin/touch perl-base diffutils /usr/bin/python /usr/bin/chage gawk
Requires: setup >= 2.2.0-21mdk
Requires: chkconfig >= 1.2.24-3mdk
Requires: coreutils
Requires: iproute2
PreReq: rpm-helper >= 0.4
Conflicts: passwd < 0.67
Requires: python-base >= 2.3.3-2mdk
Requires: mailx
%description
The Mandrakelinux-Security package is designed to provide generic
security levels to Mandrakelinux users. It lets you choose a level
from 0 to 5, going from a less secured to a more secured distribution.
This package includes several programs that are run periodically
in order to test the security of your system and alert you if needed.
%prep
%setup -q
%build
make CFLAGS="$RPM_OPT_FLAGS"
%install
rm -rf $RPM_BUILD_ROOT
#make install RPM_BUILD_ROOT=$RPM_BUILD_ROOT
install -d $RPM_BUILD_ROOT/etc/security/msec
install -d $RPM_BUILD_ROOT/etc/sysconfig
install -d $RPM_BUILD_ROOT/usr/share/msec
install -d $RPM_BUILD_ROOT/var/lib/msec
install -d $RPM_BUILD_ROOT/usr/sbin $RPM_BUILD_ROOT/usr/bin
install -d $RPM_BUILD_ROOT/var/log/security
install -d $RPM_BUILD_ROOT%{_mandir}/man{3,8}
cp -p init-sh/cleanold.sh share/*.py share/*.pyo share/level.* cron-sh/*.sh $RPM_BUILD_ROOT/usr/share/msec
chmod 644 $RPM_BUILD_ROOT/usr/share/msec/{security,diff}_check.sh
install -m 755 share/msec $RPM_BUILD_ROOT/usr/sbin
install -m 644 conf/server.* $RPM_BUILD_ROOT/etc/security/msec
install -m 644 conf/perm.* $RPM_BUILD_ROOT/usr/share/msec
install -m 755 src/promisc_check/promisc_check src/msec_find/msec_find $RPM_BUILD_ROOT/usr/bin
install -m644 man/C/*8 $RPM_BUILD_ROOT%{_mandir}/man8/
install -m644 man/C/*3 $RPM_BUILD_ROOT%{_mandir}/man3/
for i in man/??* ; do
    install -d $RPM_BUILD_ROOT%{_mandir}/`basename $i`/man8
    install -m 644 $i/*.8 $RPM_BUILD_ROOT%{_mandir}/`basename $i`/man8/
    install -d $RPM_BUILD_ROOT%{_mandir}/`basename $i`/man3
    install -m 644 $i/*.3 $RPM_BUILD_ROOT%{_mandir}/`basename $i`/man3/ || :
done;
touch $RPM_BUILD_ROOT/var/log/security.log $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/%{name}
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/{logrotate.d,profile.d}
install -m 644 %{SOURCE1} $RPM_BUILD_ROOT/etc/logrotate.d/msec
install -m 755 %{SOURCE2} $RPM_BUILD_ROOT/etc/profile.d
install -m 755 %{SOURCE3} $RPM_BUILD_ROOT/etc/profile.d
touch $RPM_BUILD_ROOT/var/log/security.log
%pre
%_pre_groupadd xgrp
%_pre_groupadd ntools
%_pre_groupadd ctools
%post
touch /var/log/security.log
if [ $1 != 1 ]; then
    # manage spelling change
    for i in /etc/security/msec/level.local /etc/security/msec/security.conf /var/lib/msec/security.conf; do
        if [ -f $i ]; then
            perl -pi -e 's/CHECK_WRITEABLE/CHECK_WRITABLE/g;s/CHECK_SUID_GROUP/CHECK_SGID/g' $i
        fi
    done
    for ext in today yesterday diff; do
        if [ -f /var/log/security/writeable.$ext ]; then
            mv -f /var/log/security/writeable.$ext /var/log/security/writable.$ext
        fi
        if [ -f /var/log/security/suid_group.$ext ]; then
            mv -f /var/log/security/suid_group.$ext /var/log/security/sgid.$ext
        fi
    done
    # find secure level
    SL=$SECURE_LEVEL
    [ ! -r /etc/sysconfig/msec ] || SL=`sed -n 's/SECURE_LEVEL=//p' < /etc/sysconfig/msec` || :
    # upgrade from old style msec or rerun the new msec
    if grep -q "# Mandrake-Security : if you remove this comment" /etc/profile; then
        [ -z "$SL" -a -r /etc/profile.d/msec.sh ] && SL=`sed -n 's/.*SECURE_LEVEL=//p' < /etc/profile.d/msec.sh` || :
        /usr/share/msec/cleanold.sh || :
        [ -n "$SL" ] && msec $SL < /dev/null || :
    else
        [ -n "$SL" ] && msec < /dev/null || :
    fi
    # remove the old way of doing the daily cron
    rm -f /etc/cron.d/msec
fi
%postun
if [ $1 = 0 ]; then
    # cleanup crontabs on package removal
    rm -f /etc/cron.d/msec /etc/cron.hourly/msec /etc/cron.daily/msec
fi
%_postun_groupdel xgrp
%_postun_groupdel ntools
%_postun_groupdel ctools
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
%doc AUTHORS COPYING share/README share/CHANGES
%doc ChangeLog doc/*.txt
%_bindir/promisc_check
%_bindir/msec_find
%_sbindir/msec
%_datadir/msec
%_mandir/*/*.*
%_mandir/*/*/*.*
%dir /var/log/security
%dir /etc/security/msec
%dir /var/lib/msec
%config(noreplace) /etc/security/msec/*
%config(noreplace) /etc/logrotate.d/msec
%config(noreplace) /etc/profile.d/msec*
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%ghost /var/log/security.log
# MAKE THE CHANGES IN CVS: NO PATCH OR SOURCE ALLOWED
%changelog
* Mon Mar 21 2005 Frederic Lepied <flepied@mandrakesoft.com> 0.45.1-1mdk
- allow to use the variable CHKROOTKIT_OPTION as an argument to
chkrootkit (Michael, bug #12687).
- fixed documentation of the use of the current keyword (bug #12866).
- fixed password_history.
* Mon Feb 21 2005 Frederic Lepied <flepied@mandrakesoft.com> 0.45-1mdk
- requires mailx (bug #13497).
- fixed the permissions of sendmail symlinks (bug #13515).
- allow to put an EXCLUDE_REGEXP variable in
/etc/security/msec/security.conf to be used in msec_find (bug #508).
* Thu Sep 30 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.44.2-1mdk
- fix allow_reboot
* Fri Jul 30 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.44.1-1mdk
- fix directory creation code
* Fri Jul 30 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.44-1mdk
- new function allow_xauth_from_root
- the perm.local config file is now forcing permissions even if it's lowering the security.
- install translated man pages
- Mandrakelinux/Mandrakesoft
* Wed Jul 7 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.43-1mdk
- fixed again mailman permissions for mailman in level 3 (bug #9319)
- use getent to parse the passwd database (bug #9904)
- fix msec.csh (Pixel)
- more servers in level 4 (Florin)
* Fri Apr 23 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.42.2-1mdk
- corrected mailman log permissions (Guillaume Rousse bug #9319)
* Sun Mar 21 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.42.1-1mdk
- check files on / in the daily check (workaround strange ntfw bug #9121)
* Fri Feb 27 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.42-1mdk
- fix mailman log perm (Guillaume Rousse) [bug #8158]
- allow to specify only group or user in perm files (Bill Shirley)
- allow the force keyword in perm files to be able to lower security (Bill Shirley)
- document perl files syntax in README
* Sat Feb 14 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.41.1-1mdk
- allow % in file names [bug #6144] (Sven Hoexter)
- fixed system-auth growing line forever [bug #7853] (Michael Scherer)
* Thu Feb 12 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.41-1mdk
- make it lib64 aware wrt pam files rewriting
- more csh-ish msec.csh (Pixel)
- msec.csh: only set SECURE_LEVEL whenever it already exists
locally
- conf/: perm.0, perm.1, perm.2, perm.3, perm.4, perm.5: fixed typo
rpp => rpm
- share/libmsec.py: allow_xserver_to_listen: corrected startx
modifications (Gavin Porter)
- cron-sh/security.sh: removed xfs from remote filesystems and
added hfs in foreign filesystems (Stefaan Simoens)
- conf/: perm.0, perm.1, perm.2, perm.3, perm.4, perm.5: handle
/var/lib/rpm/Packages
- AUTHORS, README, TODO: fix #6145 (list current maintainer instead
of old one) (Thierry)
- share/shadow.py: Added local_config to say that the calls are now
coming from the config file. Call force_val in indirect to store
that the arguments of the function need to be used even if the
security is lowered.
- share/libmsec.py: Rework same_level to be able to put the
priority on the config file. This is realized by inspecting the
stack trace and using a global associative array.
- man/cs/msec.8: updated Czech man page (Pablo)
* Wed Sep 3 2003 Frederic Lepied <flepied@mandrakesoft.com> 0.40-1mdk
- corrected strange permission settings in /var/log (bug #4854)
- allow set_shell_history_size(-1) in level.local (bug #4392)
* Fri Aug 22 2003 Frederic Lepied <flepied@mandrakesoft.com> 0.39-1mdk
- don't write True or False in sysctl.conf (bug #4629)
- don't use apply anymore (Olivier Blin) (bug #4632)
- better documentation for no_password_aging_for (bug #1629)
- support passing arg as a number in set_root_umask, set_user_umask (bug #3640)
- better support for symlinks
* Thu Jul 24 2003 Thierry Vignaud <tvignaud@mandrakesoft.com> 0.38-5mdk
- fix upgrade
* Fri Jun 06 2003 Per Øyvind Karlsen <peroyvind@sintrax.net> 0.38-4mdk
- use double %%'s in changelog
* Fri Mar 7 2003 Frederic Lepied <flepied@mandrakesoft.com> 0.38-3mdk
- report correct message in log (bug #748)
* Sun Feb 2 2003 Thierry Vignaud <tvignaud@mandrakesoft.com> 0.38-2mdk
- move security::help from msec to drakxtools so that it get
translated
* Mon Jan 20 2003 Thierry Vignaud <tvignaud@mandrakesoft.com> 0.38-1mdk
- generate help for draksec
* Wed Nov 20 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.37-1mdk
- chage is l10n now so use LC_ALL=C before calling it
* Thu Nov 07 2002 Thierry Vignaud <tvignaud@mandrakesoft.com> 0.36-2mdk
- requires s/(sh-|text|file)utils/coreutils/
* Tue Sep 17 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.36-1mdk
- allow_user_list handles Selected in X-*-Greeter section of kdmrc
when not changing security level.
- allow_reboot handles Root in X-:*-Core section of kdmrc when not
changing security level.
* Sun Sep 8 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.35-1mdk
- when changing the aging expiry, change the date of last password
change to today to avoid having accounts already expired.
* Fri Sep 6 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.34.5-2mdk
- fixed bad file name in find.c (David Relson)
* Thu Sep 5 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.34.5-1mdk
- correct allow_user_list with the new place for kdm3
* Thu Sep 5 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.34.4-2mdk
- removed debug message
- corrected credit in the changelog for sgid to David Walser
* Tue Sep 3 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.34.4-1mdk
- more spelling errors fixes thx to David Walser:
o CHECK_SUID_GROUP => CHECK_SGID
* Fri Aug 30 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.34.3-1mdk
- fixed server symlink creation
- corrected spelling errors thx to David Relson
* Tue Aug 27 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.34.2-1mdk
- fixed /boot as suggested by Guillaume Rousse.
* Tue Aug 27 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.34.1-1mdk
- corrected permissions for /boot/kernel.h*
- corrected syntax error in cron (David Relson)
* Sun Aug 25 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.34-1mdk
- let hosts.{allow,deny} be readable by everyone (to allow all the
daemons to access them).
- doc/security.txt: documented daily mailing of security checks
- allow_reboot: used section X-:0-Core instead of X-:*-Greeter for
kdmrc.
- password_history: create /etc/security/opasswd if it doesn't exist.
* Mon Aug 19 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.33-1mdk
- reworked wording of mails
* Fri Aug 9 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.32-1mdk
- do not change permissions/groups/owners of remote files/directories.
- documented the command line options in the man page
- added password_history function (level 5)
- password_length uses system-auth pam file instead of passwd pam file
(added Conflicts with the old passwd package)
- allow_remote_root_login handles the without_password argument (level 4)
* Wed Jul 31 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.31.1-1mdk
- handle again level.local
* Tue Jul 30 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.31-1mdk
- added level.* for draksec
- add needed groups in %%pre
* Mon Jul 29 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.30.2-1mdk
- fixed allow_root_login
* Sun Jul 28 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.30.1-1mdk
- corrected a bug when the variable doesn't exist before setting it.
* Sat Jul 27 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.30-1mdk
- integrated fixes and requests from David Harris.
- documentation fixes.
- don't lower the security when called without argument (by the hourly cron for example).
- split functions that worked at multiple levels:
* split accept_broadcasted_icmp_echo from accept_icmp_echo.
* split enable_dns_spoofing_protection from enable_ip_spoofing_protection.
* split allow_remote_root_login from allow_root_login.
* split allow_xserver_to_listen from allow_x_connections.
* Thu Jul 4 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.25-1mdk
- insert the change at the end of the file if no match is found for
PermitRootLogin and logindefs.
- updated server.4 with MNF needs
* Thu Jun 27 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.24-1mdk
- don't lower access rights when not changing security level
* Thu May 30 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.23-1mdk
- check that only root can run msec
- added more complete error messages
* Wed May 29 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.22-1mdk
- corrected alias files loop (Jérôme UZEL).
- added no_password_aging_for function to mseclib
- server.4, server.5: added shorewall
* Tue Apr 16 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.21-1mdk
- applied patch from John Ehresman to exec the config file in the
context of mseclib.
* Wed Mar 27 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.20-2mdk
- allow_reboot: only touch the shutdown, poweroff, reboot and halt
files if they don't exist (reported by Jason Baker).
* Mon Mar 25 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.20-1mdk
- Maximum password aging can be -1 (David Relson)
- allow to pass ignore in function calls in
/etc/security/msec/level.local to ask msec to do nothing with this
feature.
* Fri Mar 8 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.19-8mdk
- /var/log/lp-errs must always be 600
* Fri Mar 8 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.19-7mdk
- fix permissions of /var/log/lp-errs for LPRng (Till)
- add yes and no as good values for mseclib
- some doc updates
* Tue Mar 5 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.19-6mdk
- protect scripts from being run twice
* Thu Feb 28 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.19-5mdk
- use 127.0.0.1 instead of localhost in hosts.deny
- msec.csh: "unhash" workaround for /usr/bin non-readable (msec 5)
applied after modifying PATH (eurk!)
* Mon Feb 25 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.19-4mdk
- separate config files and other files in the rpmv check (idea of
Michael Reinsch)
- don't restart network on sysctl.conf change
- doc/security.txt: resync with code.
* Fri Feb 22 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.19-3mdk
- security_check.sh: check uid and not gid ! (change of meaning of the
-g option of ls).
- perm.*: do not manage lilo.conf.
- corrected missing security.conf migration from /etc/security/msec/
to /var/lib/msec.
- don't handle libsafe (let the package do its job)
* Wed Feb 20 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.19-2mdk
- implement no password in level 0
- X listens to tcp connections in level 3
* Tue Feb 19 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.19-1mdk
- corrected msec.sh and msec.csh problems.
- security.conf is now read from /var/lib/msec and can be overridden
from /etc/security/msec/security.conf.
- enhanced mseclib man page.
- perm files are now in /usr/share/msec but the custom file stays in
/etc/security/msec/perm.local.
* Fri Feb 15 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.18-6mdk
- promisc_check.sh: use complete path to the ip command
- correct upgrade when secure level isn't set
- enable_console_log support an arg to specify what to log
* Wed Feb 13 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.18-5mdk
- perm.5: /etc/sendmail.cf 640 for sendmail to work.
- set umask and . in path according to the secure level
- use the ip command to detect promiscuous mode with 2.4 kernel
* Tue Feb 5 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.18-4mdk
- password aging also enable delay to change
- correct gdm.conf modifications
* Mon Feb 4 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.18-3mdk
- in level > 2 X server doesn't listen on tcp connection.
- in level > 3 /etc/hosts.{allow,deny,equiv} readable by daemon group.
- don't report /tmp and /var/tmp as bogus world writable directories.
- security_check.sh: added .ssh/id_dsa .ssh/id_rsa to the list of files to check.
- corrected /etc/issue* moving.
- permissions settings part processes options like the rules part.
- add a man page for the mseclib python library.
* Mon Jan 28 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.18-2mdk
- do the daily cron through /etc/cron.daily to avoid heavy loads
- clean crontabs when removing the package (Dadou)
- 644 for /etc/rc.d/init.d/mandrake_consmap (Andrej)
- fix sendmail perms (Florin)
- symlink /etc/security/msec/server.<level> to
/etc/security/msec/server for secure levels > 3 (used by chkconfig).
- password aging for the root account too.
* Sat Jan 26 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.18-1mdk
- corrected upgrade from 0.16 and older versions
- allow customization of level through /etc/security/msec/level.local
* Tue Jan 22 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.17-15mdk
- change Requires: from perl to perl-base.
- perm.*: corrected errors reported by Pierre Fortin's script.
* Mon Jan 21 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.17-14mdk
- perm.*: make mandrake_consmap 755 because it needs to be readable by everyone
* Sun Jan 20 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.17-13mdk
- diff_check.sh: mail even if the report is empty to show that the
check was fine.
- the string "current" signifies to not change the permissions.
- perm.*: corrected mandrake_consmap permissions and ping path/permissions.
- /home is 711 in level 3.
* Thu Jan 17 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.17-12mdk
- report cron log to tty only on root ttys.
- better layout of rpm modified files report.
* Wed Jan 9 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.17-11mdk
- added hostname to the subject of the mail report for better
information when you receive multiple reports
- really added rpm-va check to the mail report
- fix handling of the owner/group of subdirectories of /var/log in a
generic manner.
- oops put back periodic filesystems check
* Mon Jan 7 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.17-10mdk
- corrected first invocation.
* Sun Jan 6 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.17-9mdk
- oops: corrected broken security.sh script
* Fri Jan 4 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.17-8mdk
- TMOUT is now a read only variable
- allow/forbid reboot/shutdown by [kg]dm
* Thu Jan 3 2002 Frederic Lepied <flepied@mandrakesoft.com> 0.17-7mdk
- rpm -qa check now logs install time too
- corrected the way we install the byte compiled python files to avoid
false rpm -V warnings.
- added a CHANGES file to document what has changed between 0.16 and 0.17
- send complete rpm -va check to the main mail
- perm.*: added handling of /etc/rc.d/init.d/*
- changed the way /etc/security/msec/perm.local is used to avoid flip/flap changes
- reworked output in diff rpm check to be more coherent
* Sat Dec 29 2001 Frederic Lepied <flepied@mandrakesoft.com> 0.17-6mdk
- added doc of the features of the msec utility
- corrected enable_at_crontab
- password_aging only takes care of /etc/shadow users and avoid the
users with a deactivated password.
* Fri Dec 28 2001 Frederic Lepied <flepied@mandrakesoft.com> 0.17-5mdk
- added rpm database checks
- added check of accounts with the 0 id that aren't root.
* Thu Dec 27 2001 Frederic Lepied <flepied@mandrakesoft.com> 0.17-4mdk
- disable root login in xdm,kdm,gdm the same way as in Bastille (via pam).
- manage password aging.
- manage crontab and at authorization.
* Thu Dec 27 2001 Frederic Lepied <flepied@mandrakesoft.com> 0.17-3mdk
- avoid changing permissions twice in the same run (to avoid unneeded logging).
- when run in non-interactive mode, the output goes to the auth facility.
* Fri Dec 14 2001 Frederic Lepied <flepied@mandrakesoft.com> 0.17-2mdk
- fixed sysctl.conf handling
* Thu Dec 13 2001 Frederic Lepied <flepied@mandrakesoft.com> 0.17-1mdk
- rewritten file modifications part in python
* Wed Dec 05 2001 Florin <florin@mandrakesoft.com> 0.16-4mdk
- oups, use %%{_sysconfdir}/sysconfig/%%{name} instead of %%{_sysconfdir}/%%{name}
- fix the msec.csh file (thks again to Konrad Bernlohr)
* Thu Nov 29 2001 Florin <florin@mandrakesoft.com> 0.16-3mdk
- remove the redundance related to umask and /etc/bashrc
- add the %%{_sysconfdir}/%%{name} file
- allow the ssh connexions in the snf security level
- sort of update the ChangeLog
- updated msec.csh to read %%{_sysconfdir}/%%{name} with sed black magic (Fred)
- added console timeout support (Fred)
- added command history disabling (Fred)
- added sysctl settings (Fred)
- changed perms of rpm progs in high security levels to prevent
exposing what is installed (and access to /usr/share/doc too). (Fred)
- spoof protection for name resolution (Fred)
- remove /etc/issue and /etc/issue.net according to level (Fred)
* Thu Nov 08 2001 Florin <florin@mandrakesoft.com> 0.16-2mdk
- oups forgot to create the needed links in post:
- create the /etc/security/msec/server
- the /usr/share/msec/current-level.sh and
- /etc/security/msec/current.perm files
* Thu Nov 08 2001 Florin <florin@mandrakesoft.com> 0.16-1mdk
- 0.16
- add requires on chkconfig >= 1.2.24-3mdk
- add the new link /etc/security/msec/server
- fix permissions for monitoring in snf level
- deny root ssh access in snf level
* Wed Nov 07 2001 Florin <florin@mandrakesoft.com> 0.15-31mdk
- bring back the squid.squid permissions
- add some permissions for the naat servers
- add some authorized servers for naat-snf, cooker version
- add the snf security level
- make rpmlint happy with the distribution name
- add Url tag
* Wed Oct 03 2001 Florin <florin@mandrakesoft.com> 0.15-30mdk
- more things from /etc/profile to /etc/profile.d/msec.{sh|csh}
- update the doc path in the man pages
- add the msec*sh sources
- libsafe.so.2 in levels 4/5
* Thu Sep 20 2001 Florin <florin@mandrakesoft.com> 0.15-29mdk
- fix the /etc/profile.d/msec.{sh|csh} entries
- get rid of /etc/profile entries
* Thu Sep 20 2001 Florin <florin@mandrakesoft.com> 0.15-28mdk
- authorize the usb service in the 4/5 levels of security
* Wed Sep 19 2001 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-27mdk
- Require /bin/touch.
* Wed Sep 19 2001 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-26mdk
- Output in /etc/profile.d/msec.sh as only .sh extension files are read.
- Keep the output of the SECURE_LEVEL in /etc/profile and /etc/zprofile.
* Wed Sep 19 2001 florin <florin@mandrakesoft.com> 0.15-25mdk
- RootSshLogin in levels 4/5
- squidGuard entries
* Wed Sep 19 2001 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-24mdk
- Fix manpages installation.
- Fix logrotate config installation.
- Fix issue with SECURE_LEVEL not updated if not exiting the console
(this is a workaround for problems in several terminal programs).
* Mon Sep 17 2001 Daouda LO <daouda@mandrakesoft.com> 0.15-23mdk
- Resync with cvs (yoann sucks)
- real fix for kdm is in lib.sh (msec sux)
* Fri Sep 14 2001 Florin <florin@mandrakesoft.com> 0.15-21mdk
- conf/perm.*: /var/log/squid must be owned by nobody.nobody.
- add the %%post section for the ghost file
* Mon Sep 03 2001 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-20mdk
- logrotate entry in %%install, not %%post
* Mon Sep 03 2001 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-19mdk
- add logrotate entry
* Thu Aug 9 2001 Frederic Lepied <flepied@mandrakesoft.com> 0.15-18mdk
- added vc/[1-6] to securetty (devfs)
- merged back in cvs
* Mon Jul 9 2001 Frederic Crozat <fcrozat@mandrakesoft.com> 0.15-17mdk
- Patch 0: add support for usermode halt/reboot
* Thu May 10 2001 Stew Benedict <sbendict@mandrakesoft.com> 0.15-16mdk
- Check for drakx install environment before running "telinit u" - PPC hang
* Tue May 01 2001 David BAUDENS <baudens@mandrakesoft.com> 0.15-15mdk
- Use %%_tmppath for BuildRoot
* Tue Oct 10 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-14mdk
- call telinit after modifying inittab
* Tue Oct 10 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-13mdk
- Applied Warly patch to fix user list problem under kdm.
- User list option for gdm too.
* Tue Oct 10 2000 Warly <warly@mandrakesoft.com> 0.15-12mdk
- change the UserList method to not append at the end of kdmrc (in the wrong section)
* Mon Oct 9 2000 Pixel <pixel@mandrakesoft.com> 0.15-11mdk
- remove the fix for #760 (it needs real fixing!)
* Mon Oct 09 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-10mdk
- conf/server.[45]: add pcmcia
* Mon Oct 09 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-9mdk
- fix for #760 (kdm should not display the list of users for high security
levels)
* Mon Oct 09 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-8mdk
- fix a typo in conf/perm.0
* Fri Oct 04 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-7mdk
- Autologin allowed in level 0, 1, 2.... I'm against this... but...
* Fri Oct 04 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-6mdk
- fix some entry in perm.*
- Autologin will only work in level 0
* Tue Oct 03 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-5mdk
* init-sh/*.sh : instead of modifying Xsession,
create the /etc/X11/xinit.d/msec file which can contain eventual
rules appended by msec.
* Mon Oct 02 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-4mdk
- some fix.
* Mon Oct 02 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-3mdk
- init-sh/*.sh : modify /etc/X11/Xsession, not /etc/X11/xdm/Xsession
nor /etc/X11/xinit/xinitrc anymore, as they all load
/etc/X11/Xsession.
* Fri Sep 01 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-2mdk
- install manually
- use %%{_mandir} macros
- use %%config(noreplace) for /etc/msec and for logfile
* Tue Jul 18 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.15-1mdk
- cron-sh/security_check.sh : use -L in ls,
to dereference symbolic link Chris Green <cmg@dok.org>
- conf/perm.*: /var/log/squid must be owned by squid.squid.
- cron-sh/security.sh:
- init-sh/custom.sh: added patch from AG <darkimage@bigfoot.com>,
if no user to mail security report to is available, send to root.
* Wed May 17 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.14-6mdk
- Handle new libsafe path.
* Wed May 17 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.14-5mdk
- corrected a wrong path.
* Wed May 03 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.14-4mdk
- LoaderUpdate() make a difference between an empty
variable, and a non existing one.
* Fri Apr 25 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.14-3mdk
- Fix a bug with comment removed pointed out by Konrad Bernloehr.
* Mon Apr 24 2000 Pixel <pixel@mandrakesoft.com> 0.14-2mdk
- conf/perm.[0-4]: fix ugly disgusting fucking bloody buggy bug!
(remove bloody /usr/{bin,sbin}/* entries)
* Wed Apr 19 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.14-1mdk
- Bug fix.
- Support Grub as well as Lilo.
* Tue Apr 18 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.12-5mdk
- cron job at 4:00am, msec_find fix.
* Mon Apr 17 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.12-4mdk
- perm.5 : -e s'/ntool/ntools/' -e s'/ctool/ctools/'
- updated documentation.
- file_perm.sh : bug fix + output to /dev/null.
- include /var/tmp in perm.[0-5].
- Patch to msec_find from Thomas Poindessous.
* Fri Apr 14 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.12-1mdk
- Modify zprofile.
- use libsafe-1.3
* Thu Mar 16 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- security.sh : export *_TODAY variable to be used by msec_find.
- find.c : removed a debugging printf.
* Tue Mar 09 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com> 0.10-1mdk
- custom.sh : added a patch from Havard Bell.
- custom.sh : check if libsafe is installed before asking if the user want to use it.
- Heavily modified msec_find.
- Added msec_find utility, written by Thierry Vignaud which will avoid us to
find / 5 times :)
- Added support for libsafe stack overflow protection in level 4 / 5 /
custom
- trap the sigint signal.
- use %%config for config file ( thanks to Frederic Lepied ).
- use /etc/security/msec for config file only.
- Renamed init.sh to msec, and install it in /usr/sbin.
- The other shell scripts are located in /usr/share/msec
- Included patch from Stefan Siegel.
* Tue Jan 18 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- custom.sh : fix a nasty typo.
* Tue Jan 06 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- security.sh : find are niced to (+19)
- Camille updated the documentation.
- Removed the "spawn a shell on boot" feature of level0 cause of a tty problem.
- shutdown.allow is 600 in level 4/5; 644 else.
- updated doc/security.txt
- updated init-sh/custom.sh
- level 0-3 -> ctrl-alt-del allowed for any local user.
- level 4-5 -> ctrl-alt-del allowed for root.
* Wed Dec 29 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Removing grpuser manpage, because :
1 - grpuser is not to be used by any user, ( and should not have a manpage so ).
2 - manpage is obsolete
* Tue Dec 28 1999 Chmouel Boudjnah <chmouel@mandrakesoft.com>
- add man-pages from camille.
* Fri Dec 24 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Use the mail user variable.
- level[35]: also do a mail report.
- moved Syslog(), Ttylog(), Maillog() to security.sh
- security_check.sh & diff_check.sh now sourced from security.sh
- Typo / bug fix
- init-sh/perm[15]: files should be constant in their content.
all entry should be in each perm file
* Tue Dec 21 1999 Pixel <pixel@mandrakesoft.com>
- init-sh/lib.sh (LiloUpdate): replace the -z ${LILO_PASSWORD} by
${LILO_PASSWORD+set} != set
- init-sh/lib.sh (LiloUpdate): replace the call to AddRules to
AddBegRules (password= must in the beginning of lilo.conf)
- init-sh/lib.sh (AddBegRules): 1 \n instead of 2
* Mon Dec 20 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Use grpconv after modifying /etc/group.
- Add a message for level 5 saying that user who want X access
should be in the xgrp group.
* Mon Dec 20 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- fixed a typo / variable pb.
* Mon Dec 20 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- init-sh/perm.[05]: Oops, /var/spool/mail is 771 not 755.
- init-sh/lib.sh: removed the failsafe for not a tty stdin (not efficient)
- init-sh/lib.sh: rewrote the perl script (now a one-liner :)
- Big cleanup.
- All work properly now.
- msec.spec: modify to take into account the Makefile modifying the .spec
- Makefile (VERSION): make it the same as the .spec
* Sat Dec 18 1999 Pixel <pixel@mandrakesoft.com>
- init-sh/lib.sh: added failsafe for not a tty stdin
* Sat Dec 18 1999 Pixel <pixel@mandrakesoft.com>
- no interactive questions if not a tty
* Thu Dec 16 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Don't use msec parsing routine to hack inittab
* Thu Dec 16 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Fixed the last AddBegRules() problem.
- Indentation problem should be fixed.
- All debug finished, changing secure.tmp to a mktemp
allocated tmpfile for symlink security.
- DRAKX_USER variable no longer needed.
- grpuser.sh take only one opt ( --refresh ),
take group name from /etc/security/msec/group.conf
and add user from /etc/security/msec/user.conf if secure level > 2
- level0.sh fixed inittab entry
- fix a typo
- As requested, direct shell access for level 0
- Fixed a little problem with the DRAKX_USERS variable
- removed chattr +a because of the problem it can cause to
other system automated system task.
* Mon Dec 13 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- diff_check.sh : fix a typo.
* Thu Dec 10 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- custom.sh : Fix a typo & forgot to export path & secure level
* Thu Dec 9 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- More bugfix.
- Many bugfix, always trying to get a bugfree release :).
- Renamed some variables, added consistency.
- security_cjheck.sh: print header at beginning of the log.
- diff_check.sh: typo.
* Wed Dec 8 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- security_check.sh: remove /tmp stuff.
- security_check.sh: typo
- level[1-3].sh: Changed crontab call to file_check.sh
from every hour to every midnight ( bug reported by axalon ).
- diff_check.sh: clean up.
- moved file_check.sh to diff_check.sh and changed
what is related to cron call in level[15].sh
- Added missing configurations question in level custom.
- bug fix.
* Wed Dec 8 1999 Chmouel Boudjnah <chmouel@mandrakesoft.com>
- Various (Makefile|specfiles) clean-up.
- insert doc.
* Mon Dec 6 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Released 0.5
- Divided security check into 2 files :
security_check.sh & file_check.sh,
the first does the normal security check, the other watches for abnormal changes
on the system...
- Bug fix again & again
- Updated perm files & fix a security problem ( thanks Axalon ).
* Wed Dec 1 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- DrakX compatibility.
* Wed Dec 1 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Add & delete of userlist from audio group ( level 1 & 2 ).
- Minor fix
* Wed Dec 1 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- We now preserve config file implementation.
- Minor fix to lib.sh
- export profile variable...
* Mon Nov 30 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Many cron security check added.
- Print more infos.
* Mon Nov 29 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Released 0.4 :
- Now have a custom mode, just answer the question.
- Msec print what it does.
- Bug fix in LiloUpdate().
* Mon Nov 29 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Fixed a few bugs in msec.
* Fri Nov 26 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- grpuser was not installed.
* Fri Nov 26 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Fix a bug in level3.sh
- level[12].sh Removed some unused code
* Thu Nov 25 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Call chkconfig with the new --msec option.
* Thu Nov 25 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Cleaned up tree.
* Thu Nov 25 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Removed touched file /-i
* Thu Nov 25 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- Create rc.firewall to avoid error,
- Call grpuser with the good path,
- Call groupadd before usermod.
* Tue Nov 23 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- New release (0.3) :
Now each security level has its own set of permissions.
Add "." at the end of $PATH for level 1.
Corrected some grave bug, it should work properly now.
* Thu Nov 18 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- New release (0.2) :
Fixed the path for promisc_check.sh :
now /etc/security/msec/cron-sh/promisc_check.sh
In level 1 & 2, user is now automagically added to the audio group.
* Tue Nov 16 1999 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- First packaging attempt :-).