SecurityLevels
Link to Launchpad: https://launchpad.net/people/ubuntu-securitylevels
Summary of Ubuntu Security Levels
The purpose of this project is to have a security level management tool similar to Mandriva's msec.
The idea is to harden (and maybe monitor/log) the security of Ubuntu by having well-known states or levels that are easy to understand and manage by users and sysadmins.
- Easy, like in Mandriva, by typing just "msec 3" we go to a level deemed appropriate for desktops connected to the Internet. No need to go through screens answering difficult questions like with Bastille.
System administrators will be aware that the systems are in a particular well-known configuration regarding basic aspects of security ("this web server is level 4, that critical server is level 5"). The caveat of course is to have a false sense of security.
- The proposed difference in philosophy with Mandriva's msec is that the users won't be able to customize (at least easily) the directives for the levels.
Proposed names for the tool/package: usec, seclevels, securitylevels
Description of msec: http://club.mandriva.com/xwiki/bin/KB/SecureSmsec and http://club.mandriva.com/xwiki/bin/KB/SecureSmsec2
You are welcome to join this task; tech skills you may bring: Python, security, Mandriva, spec designs, Gnome GUI design.
Comments
(add your comments here)
Porting msec
Getting msec
msec CVS viewer at: http://cvs.mandriva.com/cgi-bin/viewvc.cgi/soft/msec/
Current Package:
- Version: 0.50.1, Aug 11 2006
Previous:
- Version: 0.49.1 , Dec 22 2005
Downloadable repositories:
http://ftp.univie.ac.at/systems/linux/Mandrake/updates/2006.0/SRPMS/
http://rpmfind.net/linux/rpm2html/search.php?query=msec&submit=Search+...
alien, rpm to deb tool: http://kitenet.net/~joey/code/alien.html
Installing the rpm
- (Running all as root, otherwise sudo as necessary) cd somewhere:
cd /usr/src/
Get the msec rpm:wget http://ftp.univie.ac.at/systems/linux/Mandrake/updates/2006.0/SRPMS/msec-0.49.1-0.1.20060mdk.src.rpm
Note that there's also a msec-0.50.1:ftp://rpmfind.net/linux/MandrakeCooker/2007.0/SRPMS/main/release/msec-0.50.1-1mdv2007.0.src.rpm Install the "alien" tool and extract the rpm
apt-get install alien alien -k msec-0.49.1-0.1.20060mdk.src.rpm dpkg -i msec_0.49.1-0.1.20060mdk_i386.deb
Perhaps is better: dpkg --unpack ? For some reason the unpacked files went into my root directory, move files here:mv /msec* .
Uncompress and untar the big file:bzip2 -d msec-0.49.1.tar.bz2 tar xvf msec-0.49.1.tar
compile:cd msec-0.49.1 make; make install
Done! let's try it, for instance:man msec msec 2 msec 3
Now we can see the things that don't work and need porting.
Next Steps
- Identify the commands and files/directories that need to be abstracted with variables or translated (like the "service" or "chkconfig" commands.
Notes
Just a place to put temporarily some notes.
msec package used in list below is: msec-0.45.1-1mdk.src.rpm , from Mandriva LE 2005
msec Requirements
From msec.spec:
Build Requires: python OK
Requires:
- /bin/bash OK
- /bin/touch OK
- perl-base OK
- diffutils OK (diff)
- /usr/bin/python OK
- /usr/bin/chage OK
- gawk pkg: gawk (supported)
Requires: setup >= 2.2.0-21mdk Mandriva: from Makefile
http://cvs.mandriva.com/cgi-bin/cvsweb.cgi/soft/setup/Makefile
csh.cshrc csh.login exports host.conf hosts.allow hosts.deny inputrc motd printcap profile.d protocols securetty services shells profile filesystems bashrc
Requires: chkconfig >= 1.2.24-3mdk -> update-rc.d
- Requires: coreutils OK (gnu coreutils?)
- Requires: iproute2 OK (ip)
Requires: rpm-helper >= 0.4 skip rpm management
Conflicts: passwd < 0.67 OK (suppose)
Requires: python-base >= 2.3.3-2mdk OK (suppose)
- Requires: mailx pkg: mailx (supported), or use alternative mail user agent
Other not in list:
- Requires: userhelper, consolehelper usermode- .rpm
/usr/bin/consolehelper , userhelper http://www.die.net/doc/linux/man/man8/consolehelper.8.html http://www.die.net/doc/linux/man/man8/userhelper.8.html
usermode-consoleonly : mandriva package that has userhelper (urpmf userhelper)
- /etc/pam.d/halt
- poweroff
- reboot
- simple_root_auth
- /etc/security/console.apps/halt
- poweroff
- reboot
- /usr/bin/consolehelper
- /usr/bin/halt
- /usr/bin/poweroff
- /usr/bin/reboot
- /usr/sbin/userhelper
- /usr/share/locale/...
- /usr/share/man
msec files
msec 0.45.1 rpm -ql msec
- /etc/logrotate.d/msec
- /etc/profile.d/msec.csh
- /etc/profile.d/msec.sh
- /etc/security/msec
- /etc/security/msec/server.4
- /etc/security/msec/server.5
- /etc/sysconfig/msec
- /usr/bin/msec_find
- /usr/bin/promisc_check
- /usr/sbin/msec
- /usr/share/doc/...
- /usr/share/man/...
- /usr/share/msec
- /usr/share/msec/Config.py
- /usr/share/msec/Config.pyo
- /usr/share/msec/ConfigFile.py
- /usr/share/msec/ConfigFile.pyo
- /usr/share/msec/Log.py
- /usr/share/msec/Log.pyo
- /usr/share/msec/Perms.py
- /usr/share/msec/Perms.pyo
- /usr/share/msec/cleanold.sh
- /usr/share/msec/compile.py
- /usr/share/msec/compile.pyo
- /usr/share/msec/diff_check.sh
- /usr/share/msec/draksec_help.py
- /usr/share/msec/draksec_help.pyo
- /usr/share/msec/level.0
- /usr/share/msec/level.1
- /usr/share/msec/level.2
- /usr/share/msec/level.3
- /usr/share/msec/level.4
- /usr/share/msec/level.5
- /usr/share/msec/libmsec.py
- /usr/share/msec/libmsec.pyo
- /usr/share/msec/man.py
- /usr/share/msec/man.pyo
- /usr/share/msec/msec.py
- /usr/share/msec/mseclib.py
- /usr/share/msec/mseclib.pyo
- /usr/share/msec/perm.0
- /usr/share/msec/perm.1
- /usr/share/msec/perm.2
- /usr/share/msec/perm.3
- /usr/share/msec/perm.4
- /usr/share/msec/perm.5
- /usr/share/msec/promisc_check.sh
- /usr/share/msec/security.sh
- /usr/share/msec/security_check.sh
- /usr/share/msec/shadow.py
- /usr/share/msec/shadow.pyo
- /var/lib/msec
- /var/log/security
SecurityLevels (last edited 2008-08-06 17:01:04 by localhost)