Attachment 1904 Details for Bug 5194 – re-test with xeyes and requested msec settings

re-test with xeyes and requested msec settings

sudo.msec (text/plain), 2.24 KB, created by Bit Twister on 2012-04-02 17:02:16 CEST

(hide)

Description:

Filename:

MIME Type:

Creator: Bit Twister

Created: 2012-04-02 17:02:16 CEST

Size: 2.24 KB

patch

obsolete

>$ ll /etc/systemd/system/default.target
>lrwxrwxrwx 1 root root 36 Apr  2 08:52 /etc/systemd/system/default.target -> /lib/systemd/system/runlevel5.target
>
>[bittwister@wb ~]$ sudo su - root
>[root@wb ~]# xeyes
>No protocol specified
>No protocol specified
>Error: Can't open display: :0.0
>
>Following SECURITY=3 indicates I am running in a "standard" msec setup
>
>$ cat /etc/sysconfig/system
>CLASS=beginner
>SECURITY=3
>LIBSAFE=no
>META_CLASS=download
>
>Following is my level.standard override/settings
>
>$ cat /etc/security/msec/security.conf
>ACCEPT_BROADCASTED_ICMP_ECHO=no
>ALLOW_AUTOLOGIN=no
>CHECK_PERMS=daily
>CHECK_PERMS_ENFORCE=yes
>CHECK_PROMISC=no
>CHECK_RPM_INTEGRITY=daily
>MAIL_EMPTY_CONTENT=yes
>SECURE_TMP=yes
>
>Following is standard msec settings from clean install.
>
>$ cat /etc/security/msec/level.standard
>BASE_LEVEL=standard
>ALLOW_X_CONNECTIONS=local
>CHECK_WRITABLE=weekly
>ENABLE_IP_SPOOFING_PROTECTION=yes
>MAIL_EMPTY_CONTENT=no
>ACCEPT_BROADCASTED_ICMP_ECHO=yes
>CHECK_PERMS=no
>CHECK_PERMS_ENFORCE=no
>CHECK_SECTOOL=
>CHECK_SECTOOL_LEVEL=3
>CHECK_USER_FILES=daily
>ALLOW_XSERVER_TO_LISTEN=no
>CHECK_CHKROOTKIT=weekly
>SHELL_HISTORY_SIZE=-1
>ALLOW_REBOOT=yes
>CHECK_SUID_ROOT=weekly
>SYSLOG_WARN=yes
>ENABLE_AT_CRONTAB=yes
>ACCEPT_BOGUS_ERROR_RESPONSES=no
>CHECK_PASSWD=daily
>PASSWORD_HISTORY=0
>CHECK_SUID_MD5=weekly
>CHECK_SHOSTS=daily
>MAIL_USER=root
>ALLOW_AUTOLOGIN=yes
>ENABLE_PAM_WHEEL_FOR_SU=no
>CHECK_SHADOW=daily
>ALLOW_ROOT_LOGIN=yes
>CHECK_UNOWNED=weekly
>FIX_UNOWNED=no
>CHECK_USERS=daily
>CHECK_GROUPS=daily
>ENABLE_CONSOLE_LOG=yes
>ALLOW_USER_LIST=yes
>ENABLE_DNS_SPOOFING_PROTECTION=yes
>CREATE_SERVER_LINK=no
>ENABLE_PASSWORD=yes
>NOTIFY_WARN=yes
>WIN_PARTS_UMASK=000
>CHECK_OPEN_PORT=daily
>IGNORE_PID_CHANGES=yes
>CHECK_FIREWALL=daily
>SHELL_TIMEOUT=0
>ALLOW_REMOTE_ROOT_LOGIN=without-password
>ENABLE_LOG_STRANGE_PACKETS=yes
>USER_UMASK=022
>CHECK_RPM_PACKAGES=weekly
>CHECK_RPM_INTEGRITY=no
>SECURE_TMP=no
>ENABLE_SULOGIN=no
>EXCLUDE_REGEXP=
>ENABLE_PAM_ROOT_FROM_WHEEL=no
>MAIL_WARN=yes
>ALLOW_XAUTH_FROM_ROOT=yes
>CHECK_SECURITY=yes
>ACCEPT_ICMP_ECHO=yes
>PASSWORD_LENGTH=4,0,0
>AUTHORIZE_SERVICES=yes
>ROOT_UMASK=022
>ENABLE_MSEC_CRON=yes
>TTY_WARN=no
>CHECK_SGID=weekly
>CHECK_PROMISC=daily
>ENABLE_STARTUP_MSEC=yes
>ENABLE_STARTUP_PERMS=yes
>ALLOW_CURDIR_IN_PATH=no
>CHECK_ON_BATTERY=no
>LOG_RETENTION=4
>ALLOW_SUDO_TO_WHEEL=yes

$ ll /etc/systemd/system/default.target
lrwxrwxrwx 1 root root 36 Apr  2 08:52 /etc/systemd/system/default.target -> /lib/systemd/system/runlevel5.target

[bittwister@wb ~]$ sudo su - root
[root@wb ~]# xeyes
No protocol specified
No protocol specified
Error: Can't open display: :0.0

Following SECURITY=3 indicates I am running in a "standard" msec setup

$ cat /etc/sysconfig/system
CLASS=beginner
SECURITY=3
LIBSAFE=no
META_CLASS=download

Following is my level.standard override/settings

$ cat /etc/security/msec/security.conf
ACCEPT_BROADCASTED_ICMP_ECHO=no
ALLOW_AUTOLOGIN=no
CHECK_PERMS=daily
CHECK_PERMS_ENFORCE=yes
CHECK_PROMISC=no
CHECK_RPM_INTEGRITY=daily
MAIL_EMPTY_CONTENT=yes
SECURE_TMP=yes

Following is standard msec settings from clean install.

$ cat /etc/security/msec/level.standard
BASE_LEVEL=standard
ALLOW_X_CONNECTIONS=local
CHECK_WRITABLE=weekly
ENABLE_IP_SPOOFING_PROTECTION=yes
MAIL_EMPTY_CONTENT=no
ACCEPT_BROADCASTED_ICMP_ECHO=yes
CHECK_PERMS=no
CHECK_PERMS_ENFORCE=no
CHECK_SECTOOL=
CHECK_SECTOOL_LEVEL=3
CHECK_USER_FILES=daily
ALLOW_XSERVER_TO_LISTEN=no
CHECK_CHKROOTKIT=weekly
SHELL_HISTORY_SIZE=-1
ALLOW_REBOOT=yes
CHECK_SUID_ROOT=weekly
SYSLOG_WARN=yes
ENABLE_AT_CRONTAB=yes
ACCEPT_BOGUS_ERROR_RESPONSES=no
CHECK_PASSWD=daily
PASSWORD_HISTORY=0
CHECK_SUID_MD5=weekly
CHECK_SHOSTS=daily
MAIL_USER=root
ALLOW_AUTOLOGIN=yes
ENABLE_PAM_WHEEL_FOR_SU=no
CHECK_SHADOW=daily
ALLOW_ROOT_LOGIN=yes
CHECK_UNOWNED=weekly
FIX_UNOWNED=no
CHECK_USERS=daily
CHECK_GROUPS=daily
ENABLE_CONSOLE_LOG=yes
ALLOW_USER_LIST=yes
ENABLE_DNS_SPOOFING_PROTECTION=yes
CREATE_SERVER_LINK=no
ENABLE_PASSWORD=yes
NOTIFY_WARN=yes
WIN_PARTS_UMASK=000
CHECK_OPEN_PORT=daily
IGNORE_PID_CHANGES=yes
CHECK_FIREWALL=daily
SHELL_TIMEOUT=0
ALLOW_REMOTE_ROOT_LOGIN=without-password
ENABLE_LOG_STRANGE_PACKETS=yes
USER_UMASK=022
CHECK_RPM_PACKAGES=weekly
CHECK_RPM_INTEGRITY=no
SECURE_TMP=no
ENABLE_SULOGIN=no
EXCLUDE_REGEXP=
ENABLE_PAM_ROOT_FROM_WHEEL=no
MAIL_WARN=yes
ALLOW_XAUTH_FROM_ROOT=yes
CHECK_SECURITY=yes
ACCEPT_ICMP_ECHO=yes
PASSWORD_LENGTH=4,0,0
AUTHORIZE_SERVICES=yes
ROOT_UMASK=022
ENABLE_MSEC_CRON=yes
TTY_WARN=no
CHECK_SGID=weekly
CHECK_PROMISC=daily
ENABLE_STARTUP_MSEC=yes
ENABLE_STARTUP_PERMS=yes
ALLOW_CURDIR_IN_PATH=no
CHECK_ON_BATTERY=no
LOG_RETENTION=4
ALLOW_SUDO_TO_WHEEL=yes

Actions: View

Attachments on bug 5194: 1900 | 1904