SecurityLevels

Link to Launchpad: https://launchpad.net/people/ubuntu-securitylevels

Summary of Ubuntu Security Levels

The purpose of this project is to have a security level management tool similar to Mandriva's msec.

The idea is to harden (and maybe monitor/log) the security of Ubuntu by having well-known states or levels that are easy for users and sysadmins to understand and manage.

  • Easy to use: as in Mandriva, typing just "msec 3" switches to a level deemed appropriate for desktops connected to the Internet. There is no need to go through screens answering difficult questions, as with Bastille.
  • System administrators will know that their systems are in a particular well-known configuration regarding basic aspects of security ("this web server is level 4, that critical server is level 5"). The caveat, of course, is the risk of a false sense of security.

  • The proposed difference in philosophy from Mandriva's msec is that users won't be able to customize (at least not easily) the directives for the levels.

Proposed names for the tool/package: usec, seclevels, securitylevels

Description of msec: http://club.mandriva.com/xwiki/bin/KB/SecureSmsec and http://club.mandriva.com/xwiki/bin/KB/SecureSmsec2

You are welcome to join this task; tech skills you may bring: Python, security, Mandriva, spec designs, Gnome GUI design.


Porting msec

Getting msec

msec CVS viewer at: http://cvs.mandriva.com/cgi-bin/viewvc.cgi/soft/msec/

Current Package:

  • Version: 0.50.1, Aug 11 2006

http://rpms.mandrivaclub.com/rpms/mandriva/official/2007.0/i586/media/main/release/msec-0.50.1-1mdv2007.0.i586.html

Previous:

  • Version: 0.49.1, Dec 22 2005

http://rpms.mandrivaclub.com/rpms/mandriva/official/updates/2006.0/main_updates/msec-0.49.1-0.1.20060mdk.i586.html

Downloadable repositories:

alien, rpm to deb tool: http://kitenet.net/~joey/code/alien.html

Installing the rpm

  • (Run everything as root; otherwise use sudo as necessary.) cd somewhere:
     cd /usr/src/
    Get the msec rpm:
     wget http://ftp.univie.ac.at/systems/linux/Mandrake/updates/2006.0/SRPMS/msec-0.49.1-0.1.20060mdk.src.rpm
    Note that there's also a msec-0.50.1:
     ftp://rpmfind.net/linux/MandrakeCooker/2007.0/SRPMS/main/release/msec-0.50.1-1mdv2007.0.src.rpm
    Install the "alien" tool and extract the rpm:
     apt-get install alien
     alien -k msec-0.49.1-0.1.20060mdk.src.rpm
     dpkg -i msec_0.49.1-0.1.20060mdk_i386.deb
    Perhaps dpkg --unpack is better? For some reason the unpacked files went into my root directory; move the files here:
     mv /msec* .
    Uncompress and untar the big file:
     bzip2 -d msec-0.49.1.tar.bz2
     tar xvf msec-0.49.1.tar
    Compile:
     cd msec-0.49.1
     make; make install
    Done! Let's try it, for instance:
     man msec
     msec 2
     msec 3
    Now we can see the things that don't work and need porting.

Next Steps

  • Identify the commands and files/directories that need to be abstracted with variables or translated (like the "service" or "chkconfig" commands).
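
One way to carry out this inventory step, as an added example (not code from msec or from this project): a script that lists every whole-word use of a Mandriva-specific command or path in an unpacked source tree. The pattern list is an assumption assembled from names mentioned on this page, the function names are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: inventory Mandriva-specific commands and paths in a source tree.
# PORT_PATTERNS is an assumed starting list built from names on this page.
PORT_PATTERNS='chkconfig service consolehelper userhelper rpm /etc/sysconfig'

# find_port_hits DIR: print "pattern<TAB>file:lineno" for each whole-word hit.
find_port_hits() {
    for pat in $PORT_PATTERNS; do
        # -w keeps "service" from matching "/etc/services"; -F treats the
        # pattern as a literal string, not a regex.
        grep -rnwF -- "$pat" "$1" 2>/dev/null |
            awk -F: -v p="$pat" '{ print p "\t" $1 ":" $2 }'
    done
}

# count_port_hits DIR PATTERN: number of lines in DIR that use PATTERN.
count_port_hits() {
    find_port_hits "$1" |
        awk -F'\t' -v p="$2" '$1 == p { n++ } END { print n + 0 }'
}

# demo_tree: build a small constructed tree (not real msec code), print its path.
demo_tree() {
    d=$(mktemp -d)
    cat > "$d/sample_check.sh" <<'EOF'
# constructed sample input
chkconfig --list | grep on
service syslog restart
. /etc/sysconfig/msec
grep ssh /etc/services
EOF
    printf 'import os\nos.system("chkconfig --del portmap")\n' > "$d/sample_lib.py"
    echo "$d"
}

tree=$(demo_tree)
find_port_hits "$tree"
rm -rf "$tree"
```

Pointing find_port_hits at the unpacked msec-0.49.1 directory instead of the demo tree gives the list of call sites to abstract or translate.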

Notes

Just a place to temporarily put some notes.

The msec package used in the lists below is msec-0.45.1-1mdk.src.rpm, from Mandriva LE 2005.

msec Requirements

From msec.spec:

Build Requires: python OK

Requires:

  • /bin/bash OK
  • /bin/touch OK
  • perl-base OK
  • diffutils OK (diff)
  • /usr/bin/python OK
  • /usr/bin/chage OK
  • gawk pkg: gawk (supported)

Requires: setup >= 2.2.0-21mdk (Mandriva package; file list from its Makefile, http://cvs.mandriva.com/cgi-bin/cvsweb.cgi/soft/setup/Makefile):

csh.cshrc csh.login exports host.conf hosts.allow hosts.deny inputrc motd printcap profile.d protocols securetty services shells profile filesystems bashrc

  • Requires: chkconfig >= 1.2.24-3mdk -> update-rc.d

  • Requires: coreutils OK (gnu coreutils?)
  • Requires: iproute2 OK (ip)
  • Requires: rpm-helper >= 0.4 skip rpm management

  • Conflicts: passwd < 0.67 OK (suppose)

  • Requires: python-base >= 2.3.3-2mdk OK (suppose)

  • Requires: mailx pkg: mailx (supported), or use alternative mail user agent

Other not in list:

  • Requires: userhelper, consolehelper usermode- .rpm

/usr/bin/consolehelper, userhelper:
http://www.die.net/doc/linux/man/man8/consolehelper.8.html
http://www.die.net/doc/linux/man/man8/userhelper.8.html

usermode-consoleonly: Mandriva package that has userhelper (urpmf userhelper)

  • /etc/pam.d/halt
    • poweroff
    • reboot
    • simple_root_auth
  • /etc/security/console.apps/halt
    • poweroff
    • reboot
  • /usr/bin/consolehelper
  • /usr/bin/halt
  • /usr/bin/poweroff
  • /usr/bin/reboot
  • /usr/sbin/userhelper
  • /usr/share/locale/...
  • /usr/share/man

msec files

msec 0.45.1, as listed by rpm -ql msec:

  • /etc/logrotate.d/msec
  • /etc/profile.d/msec.csh
  • /etc/profile.d/msec.sh
  • /etc/security/msec
  • /etc/security/msec/server.4
  • /etc/security/msec/server.5
  • /etc/sysconfig/msec
  • /usr/bin/msec_find
  • /usr/bin/promisc_check
  • /usr/sbin/msec
  • /usr/share/doc/...
  • /usr/share/man/...
  • /usr/share/msec
  • /usr/share/msec/Config.py
  • /usr/share/msec/Config.pyo
  • /usr/share/msec/ConfigFile.py
  • /usr/share/msec/ConfigFile.pyo
  • /usr/share/msec/Log.py
  • /usr/share/msec/Log.pyo
  • /usr/share/msec/Perms.py
  • /usr/share/msec/Perms.pyo
  • /usr/share/msec/cleanold.sh
  • /usr/share/msec/compile.py
  • /usr/share/msec/compile.pyo
  • /usr/share/msec/diff_check.sh
  • /usr/share/msec/draksec_help.py
  • /usr/share/msec/draksec_help.pyo
  • /usr/share/msec/level.0
  • /usr/share/msec/level.1
  • /usr/share/msec/level.2
  • /usr/share/msec/level.3
  • /usr/share/msec/level.4
  • /usr/share/msec/level.5
  • /usr/share/msec/libmsec.py
  • /usr/share/msec/libmsec.pyo
  • /usr/share/msec/man.py
  • /usr/share/msec/man.pyo
  • /usr/share/msec/msec.py
  • /usr/share/msec/mseclib.py
  • /usr/share/msec/mseclib.pyo
  • /usr/share/msec/perm.0
  • /usr/share/msec/perm.1
  • /usr/share/msec/perm.2
  • /usr/share/msec/perm.3
  • /usr/share/msec/perm.4
  • /usr/share/msec/perm.5
  • /usr/share/msec/promisc_check.sh
  • /usr/share/msec/security.sh
  • /usr/share/msec/security_check.sh
  • /usr/share/msec/shadow.py
  • /usr/share/msec/shadow.pyo
  • /var/lib/msec
  • /var/log/security

SecurityLevels (last edited 2008-08-06 17:01:04 by localhost)