msec

Section: Maintenance Commands (8)
Updated: msec
Page Index
 

NAME

msec - Mageia Linux security tools  

SYNOPSIS

msec [options]
msecperms [options]
msecgui [options]
 

DESCRIPTION

msec is responsible to maintain system security in Mageia. It supports different security configurations, which can be organized into several security levels, stored in /etc/security/msec/level.LEVELNAME. Currently, three basic preconfigured security levels are provided with Mageia Linux:

\fBnone\fR
this level disables all msec options. It should be used when you want to manage all aspects of system security on your own.

\fBstandard\fR
this is the default security level, which configures a reasonably safe set of security features. It activates several periodic system checks, and sends the results of their execution by email (by default, the local 'root' account is used).

\fBsecure\fR
this level is configured to provide maximum system security, even at the cost of limiting the remote access to the system, and local user permissions. It also runs a wider set of periodic checks, enforces the local password settings, and periodically checks if the system security settings, configured by msec, were modified directly or by some other application.

Besides those levels, different task-oriented security are also provided,
such as the 'fileserver', 'webserver' and 'netbook' levels. Such levels attempt to pre-configure system security according to the most common use cases.

Note that besides those levels you may create as many levels as necessary.

The security settings are stored in \fB/etc/security/msec/security.conf\fR file, and default settings for each predefined level are stored in \fB/etc/security/msec/level.LEVEL\fR. Permissions for files and directories that should be enforced or checked for changes are stored in \fB/etc/security/msec/perms.conf\fR, and default permissions for each predefined level are stored in \fB/etc/security/msec/perm.LEVEL\fR. Note that user-modified parameters take precedence over default level settings. For example, when default level configuration forbids direct root logins, this setting can be overridden by the user.

The following options are supported by msec applications:

\fBmsec\fR:

This is the console version of msec. It is responsible for system security configuration and checking and transitions between security levels.

When executed without parameters, msec will read the system configuration file (/etc/security/msec/security.conf), and enforce the specified security settings. The operations are logged to \fB/var/log/msec.log\fP file, and also to syslog, using \fBLOG_AUTHPRIV\fR facility. Please note that msec should by run as root.

\fB-h, --help\fR
    This option will display the list of supported command line options.

\fB-l, --level <level>\fR
    List the default configuration for given security level.

\fB-f, --force <level>\fR


    Apply the specified security level to the system, overwritting all local changes in /etc/security/msec/security.conf. This usually should be performed either on first install, on when a transition to a different level is required.

\fB-d\fR
    Enable debugging messages.

\fB-p, --pretend\fR
    Verify the actions that will be performed by msec, without actually doing anything to the system. In this mode of operation, msec performs all the required tasks, except effectively writting data back to disk.

\fB-r, --root <path>\fR
    Use path as root. Can be used to perform msec actions in chroot.

\fB-q\fR
    Run quietly

\fB-s, --save <level>\fR
    Save current settings as a new security level.

\fBmsecperms\fR:

This application is responsible for system permission checking and enforcements.

When executed without parameters, msecperms will read the permissions configuration file (/etc/security/msec/perms.conf), and enforce the specified security settings. The operations are logged to \fB/var/log/msec.log\fP file, and also to syslog, using \fBLOG_AUTHPRIV\fR facility. Please note that msecperms should by run as root.

\fB-h, --help\fR
    This option will display the list of supported command line options.

\fB-l, --level <level>\fR
    List the default configuration for given security level.

\fB-e, --enforce\fR
    Enforce the default permissions on all files.

\fB-d\fR
    Enable debugging messages.

\fB-p, --pretend\fR
    Verify the actions that will be performed by msec, without actually doing anything to the system. In this mode of operation, msec performs all the required tasks, except effectively writting data back to disk.

\fB-r, --root <path>\fR
    Use path as root. Can be used to perform msec actions in chroot.

\fB-q\fR
    Run quietly

\fBmsecgui\fR:

This is the GTK version of msec. It acts as frontend to all msec functionalities.

\fB-h, --help\fR
    This option will display the list of supported command line options.

\fB-d\fR
    Enable debugging messages.

 

EXAMPLES

\fBEnforce system configuration according to /etc/security/msec/security.conf file:\fP
    msec

\fBDisplay system configuration changes without enforcing anything:\fP
    msec -p

\fBInstall predefined security level 'standard':\fP
    msec -f standard

\fBPreview changes inflicted by change to 'standard' level:\fP
    msec -p -f standard

\fBCreate a custom security level based on 'standard':\fP
    cp /etc/security/msec/level.standard /etc/security/msec/level.my
    edit /etc/security/msec/level.my
    msec -f my

\fBExport current security settings to create a new security level named 'office':\fP
   msec -s office

\fBEnforce system permissions according to /etc/security/msec/perms.conf file:\fP
    msecperms

\fBDisplay permissions changes without enforcing anything:\fP
    msecperms -p

\fBInstall predefined permissions for level 'standard':\fP
    msecperms -f standard

\fBPreview changes inflicted by change to 'standard' level:\fP
    msecperms -p -f standard

\fBCreate a custom permissions level based on 'secure':\fP
    cp /etc/security/msec/perm.secure /etc/security/msec/perm.my
    edit /etc/security/msec/level.my
    msecperms -f my

\fBExport current security settings to create a new security level named 'office':\fP
   msecperms -s office

 

DEFINING EXCEPTIONS FOR PERIODIC CHECKS

msec is capable of excluding certain patterns from periodic check reports. For this, it is possible to define the exceptions in \fB/etc/security/msec/exceptions\fP file, for each supported check.

For example, to exclude all items that match \fB/mnt\fP, Mageia-based chrooted installations in \fB/chroot\fP and all backup files from the results of of check for unowned files on the system, it is sufficient to define the following entry in the exceptions file:


    CHECK_UNOWNED /mnt

    CHECK_UNOWNED /chroot/mdv_.*/

    CHECK_UNOWNED .*~

In a similar way, it is possible to exclude the results for the \fBdeluge\fP application from the list of open ports as follows:


    CHECK_OPEN_PORT /deluge

Each exception entry is a regular exception, and you might define as many exceptions as necessary.

In order to exclude a path from all msec checks, you may use * for the check name. For example, the following would exclude /media/ from all msec checks:


    * /media/

See below for all msec options that support this feature.

 

SECURITY OPTIONS

The following security options are supported by msec:

libmsec.base_level
Defines the base security level, on top of which the current configuration is based.

MSEC parameter: BASE_LEVEL

Accepted values: *

 

NOTES

Msec applications must be run by root.  

AUTHORS

Frederic Lepied

Eugeni Dodonov


 

Index

NAME
SYNOPSIS
DESCRIPTION
EXAMPLES
DEFINING EXCEPTIONS FOR PERIODIC CHECKS
SECURITY OPTIONS
NOTES
AUTHORS
LinuxReviews : manual page archive : man8