Using msec

The Mandriva Security package, msec, runs periodically to test and enforce security settings, and generates periodic reports. To do its job it makes a number of assumptions about your system, some of which may not be appropriate for your case. Here’s how I tweak msec to get the most out of it.

TODO: Organize this article. For now it’s a jumble of random notes. Perhaps organize like this:

* intro
* walk through the gui, configuring as we go
* report generation and reading
* tips and tricks

Or maybe like this:

* intro
* out of the box behavior
* user configuration

On one box the music library was in /home/guest/Music, and msec by default will change the permissions on this directory to not allow other accounts to access it. To change this I opened msec (MCC – Security – Tune permissions on system). Click on “add a rule”. For path, enter /home/guest. For user, choose guest, and for group, choose users. User permissions are r,w,x. Group and other permissions are both r,x. Set the sticky bit. Click on “Ok”. This allows all users read only access to the entire guest directory and its subdirectories, and instructs msec to enforce this permission.

Msec reports are generated periodically and sent to the system mail. You can also manually run any check and view the most recent results in MCC – Security – Configure system security – Overview.

Ideally you will set up msec reporting to your liking immediately upon a clean install, and manually run all reports at that time. Thenceforth pay attention to each subsequent diff report, which tell you what has changed since the previous report.

If they are installed, msec can run the security tools chkrootkit and sectool periodically and include their findings in msec’s reports. I do not do this: I consider chkrootkit to be of limited use, and sectool to be an alternative to msec rather than complementary to it.

Every day I received this unhelpful report:

Security Warning: Change in Suid Root files found :
- Newly added suid root file : /usr/bin/Xwrapper
- No longer present suid root file : /usr/bin/Xwrapper

Finding no way to suppress checking of that file, I turned off the relevant report. I opened msec (MCC – Security – Configure system security – Security settings – Periodic checks) and set “Verify checksum of the suid/sgid files” to no. That worked, although it is throwing the baby out with the bathwater.

Every day I received this report: “Security Warning: World Writable files found”… and a list. I searched the net for “permissions /path/to/filename” and asked on Usenet to obtain the appropriate permissions for each file. In most cases, the file indeed should not have been world writable and so I changed permissions as appropriate. Other cases led me to remove packages that I really didn’t need in the first place. A few files indeed should be world writable if you have them; an incomplete list is:

A clue that the author intended a directory to be world writable is the presence of the “t” permissions option, for example:

$ ls -l /var/lock | grep -i gkrellm
drwxrwxrwt 2 root root 4096 2010-12-29 17:24 gkrellm/

Some users, myself included, believe msec should exclude such files automatically. In the meantime, you can manually exclude them in Security settings – Exceptions – Add a rule. For “Check”, choose CHECK_WRITABLE, and for “Exception”, enter the full path to the file or directory to be excluded from that check. A list and description of all available checks are available in msec at Security settings – Periodic checks.

What does not work for this purpose is adding an entry to Security settings – Permissions. Although I am able to add an appropriate rule, msec continues to complain about the file or directory being world writable.

Red Hat has sectool.

Documentation on msec is curiously thin. All I’ve found is:

  • Introduction to msec is obsolete but still useful. In particular it defines most of the configuration variables.
  • The blog of msec’s lead developer has useful information.

About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?
This entry was posted in Uncategorized and tagged , . Bookmark the permalink.

3 Responses to Using msec

  1. Pingback: Using chkrootkit | A maze of twisty little passages

  2. Pingback: Security and stability tuning on Linux | A maze of twisty little passages

  3. Pingback: Verdi installation notes, mdv2010.1/2 | A maze of twisty little passages

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s