msec(8)								       msec(8)

NAME
       msec - Mandriva Linux security tools

SYNOPSIS
       msec [options]
       msecperms [options]
       msecgui [options]

DESCRIPTION
       msec is responsible for maintaining system security in Mandriva. It
       supports different security configurations, which can be organized into
       several security levels, stored in /etc/security/msec/level.LEVELNAME.
       Currently, three basic preconfigured security levels are provided with
       Mandriva Linux:

       none   this level disables all msec options. It should be used when you
	      want to manage all aspects of system security on your own.

       standard
	      this is the default security level, which configures  a  reason‐
	      ably  safe  set of security features. It activates several peri‐
	      odic system checks, and sends the results of their execution  by
	      email (by default, the local 'root' account is used).

       secure this  level  is  configured  to provide maximum system security,
	      even at the cost of limiting the remote access  to  the  system,
	      and local user permissions. It also runs a wider set of periodic
	      checks, enforces the local password settings,  and  periodically
	      checks if the system security settings, configured by msec, were
	      modified directly or by some other application.

       Besides those levels, different task-oriented security levels are also
       provided, such as the 'fileserver', 'webserver' and 'netbook' levels.
       Such levels attempt to pre-configure system security according to the
       most common use cases.

       Note  that besides those levels you may create as many levels as neces‐
       sary.

       The security settings are  stored  in  /etc/security/msec/security.conf
       file,  and  default  settings  for  each predefined level are stored in
       /etc/security/msec/level.LEVEL.	Permissions for files and  directories
       that should be enforced or checked for changes are stored in /etc/secu‐
       rity/msec/perms.conf, and default permissions for each predefined level
       are  stored  in /etc/security/msec/perm.LEVEL.  Note that user-modified
       parameters take precedence over default level  settings.	 For  example,
       when  default level configuration forbids direct root logins, this set‐
       ting can be overridden by the user.

       The following options are supported by msec applications:

       msec:

       This is the console version of msec. It is responsible for system secu‐
       rity  configuration  and checking and transitions between security lev‐
       els.

       When executed without parameters, msec will read the system  configura‐
       tion file (/etc/security/msec/security.conf), and enforce the specified
       security settings. The operations are logged to /var/log/msec.log file,
       and also to syslog, using LOG_AUTHPRIV facility. Please note that msec
       should be run as root.

       -h, --help
	   This option	will  display  the  list  of  supported	 command  line
       options.

       -l, --level <level>
	   List the default configuration for given security level.

       -f, --force <level>

	   Apply the specified security level to the system, overwriting all
	   local changes in /etc/security/msec/security.conf. This usually
	   should be performed either on first install, or when a transition
	   to a different level is required.

       -d
	   Enable debugging messages.

       -p, --pretend
	   Verify the actions that will be performed by msec, without actually
	   doing anything to the system. In this mode of operation, msec
	   performs all the required tasks, except effectively writing data
	   back to disk.

       -r, --root <path>
	   Use path as root. Can be used to perform msec actions in chroot.

       -q
	   Run quietly

       -s, --save <level>
	   Save current settings as a new security level.

       msecperms:

       This application is responsible	for  system  permission	 checking  and
       enforcements.

       When  executed  without parameters, msecperms will read the permissions
       configuration file  (/etc/security/msec/perms.conf),  and  enforce  the
       specified   security   settings.	  The	operations   are   logged   to
       /var/log/msec.log file, and also to syslog, using LOG_AUTHPRIV
       facility. Please note that msecperms should be run as root.

       -h, --help
	   This	 option	 will  display	the  list  of  supported  command line
       options.

       -l, --level <level>
	   List the default configuration for given security level.

       -e, --enforce
	   Enforce the default permissions on all files.

       -d
	   Enable debugging messages.

       -p, --pretend
	   Verify the actions that will be performed by msec, without actually
	   doing anything to the system. In this mode of operation, msec
	   performs all the required tasks, except effectively writing data
	   back to disk.

       -r, --root <path>
	   Use path as root. Can be used to perform msec actions in chroot.

       -q
	   Run quietly

       msecgui:

       This is the GTK version of msec. It acts as frontend to all msec	 func‐
       tionalities.

       -h, --help
	   This	 option	 will  display	the  list  of  supported  command line
       options.

       -d
	   Enable debugging messages.

EXAMPLES
       Enforce	system	configuration  according  to  /etc/security/msec/secu‐
       rity.conf file:
	   msec

       Display system configuration changes without enforcing anything:
	   msec -p

       Install predefined security level 'standard':
	   msec -f standard

       Preview the changes that switching to the 'standard' level would make:
	   msec -p -f standard

       Create a custom security level based on 'standard':
	   cp /etc/security/msec/level.standard /etc/security/msec/level.my
	   edit /etc/security/msec/level.my
	   msec -f my

       Export  current	security settings to create a new security level named
       'office':
	   msec -s office

       Enforce system permissions according  to	 /etc/security/msec/perms.conf
       file:
	   msecperms

       Display permissions changes without enforcing anything:
	   msecperms -p

       Install predefined permissions for level 'standard':
	   msecperms -f standard

       Preview the changes that switching to the 'standard' level would make:
	   msecperms -p -f standard

       Create a custom permissions level based on 'secure':
	   cp /etc/security/msec/perm.secure /etc/security/msec/perm.my
	   edit /etc/security/msec/perm.my
	   msecperms -f my

       Export  current	security settings to create a new security level named
       'office':
	   msecperms -s office

DEFINING EXCEPTIONS FOR PERIODIC CHECKS
       msec is capable of  excluding  certain  patterns	 from  periodic	 check
       reports.	 For  this,  it	 is  possible  to  define  the	exceptions  in
       /etc/security/msec/exceptions file, for each supported check.

       For example, to exclude all items that match /mnt, Mandriva-based
       chrooted installations in /chroot and all backup files from the results
       of the check for unowned files on the system, it is sufficient to
       define the following entries in the exceptions file:

	   CHECK_UNOWNED /mnt

	   CHECK_UNOWNED /chroot/mdv_.*/

	   CHECK_UNOWNED .*~

       In  a similar way, it is possible to exclude the results for the deluge
       application from the list of open ports as follows:

	   CHECK_OPEN_PORT /deluge

       Each exception entry is a regular expression, and you may define as
       many exceptions as necessary.

       In  order to exclude a path from all msec checks, you may use * for the
       check name. For example, the following would exclude /media/  from  all
       msec checks:

	   * /media/

       See below for all msec options that support this feature.
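
       Because every exception is a regular expression, a short pattern can
       hide more report items than intended. The following is an added
       example, not part of msec or of the original man page: it parses
       entries in the format shown above and lists which report items each
       pattern would suppress. It assumes unanchored matching (a pattern
       matches anywhere in the item); the function names and the sample
       report items are constructed for illustration.

```python
import re

# Constructed copy of /etc/security/msec/exceptions, using the entries
# shown in this man page.
SAMPLE_EXCEPTIONS = """\
CHECK_UNOWNED /mnt
CHECK_UNOWNED /chroot/mdv_.*/
CHECK_UNOWNED .*~
CHECK_OPEN_PORT /deluge
* /media/
"""

# Constructed report items, as a check for unowned files might list them.
SAMPLE_UNOWNED = [
    "/mnt/usb/file",
    "/chroot/mdv_2010/etc/passwd",
    "/home/alice/notes.txt~",
    "/media/cdrom/x",
    "/var/tmp/mnt-old/payload",   # not under /mnt, but contains "/mnt"
    "/srv/data/orphan.bin",
]

def parse_exceptions(text):
    """Return [(check_name, compiled_regex)] from exceptions-file text."""
    rules = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank line or entry without a pattern
        check, pattern = parts
        rules.append((check, re.compile(pattern)))
    return rules

def audit(rules, check, items):
    """Split items into (reported, suppressed) for one check.

    suppressed maps each hidden item to the patterns that hid it.
    ASSUMPTION: patterns are matched unanchored (re.search); msec's
    actual matching mode is not stated in the man page.
    """
    reported, suppressed = [], {}
    for item in items:
        hits = [rx.pattern for name, rx in rules
                if name in (check, "*") and rx.search(item)]
        if hits:
            suppressed[item] = hits
        else:
            reported.append(item)
    return reported, suppressed
```

       Under that assumption, the /mnt entry also hides
       /var/tmp/mnt-old/payload; a pattern such as ^/mnt/ would limit the
       exception to the mount point itself.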

SECURITY OPTIONS
       The following security options are supported by msec:

       libmsec.base_level
	   Defines  the	 base security level, on top of which the current con‐
	   figuration is based.

	   MSEC parameter: BASE_LEVEL

	   Accepted values: *

NOTES
       Msec applications must be run by root.

AUTHORS
       Frederic Lepied

       Eugeni Dodonov <eugeni@mandriva.com>

Mandriva Linux			     msec			       msec(8)