8.1. Securing your Machine with DrakSec

Msec allows you to change your system's security level and to configure the options and features associated with each level.

Draksec allows you to configure various aspects of your system's security:

Increasing the security level modifies the system configuration, making it progressively more secure and checking a growing number of security-related aspects.

8.1.1. Setting your Security Level

Figure 8.1. Choosing the Security Level of your System

Choose a Security Level.  First enable msec by checking Enable MSEC tool. Then simply choose the security level you want: check either the Standard or the Secure option. It takes effect as soon as you click on the save button. Please read the help text regarding security levels very carefully so that you know what setting a specific security level implies.

[Tip] Explore Each Level

If you wish to check which options are activated for each security level, review the other tabs: System security, Network security, Periodic Checks and Permissions. Click on the Help button to display information about the options and their default values. If some of the default options don't suit your needs, simply redefine them. See Section 8.1.2, “Customizing a Security Level”, for details.

Activate Security Alerts.  Put a check mark in the Security Alerts box to send mail about possible security issues found by msec to the local user name or to the e-mail address defined in the Security Administrator field. You can also get notifications for security alerts on your desktop: check the corresponding box to enable them.

[Warning] Warning

We highly recommend you activate the security alerts option so that the administrator is automatically informed of possible security issues. Otherwise the administrator will have to regularly check the relevant system log files.

8.1.2. Customizing a Security Level

Select a parameter in one of the tabs and double-click on its Value. A new window will pop up and show information about this value: the Current value and the Standard level value, which is the value proposed by default in the selected security level.

Figure 8.2. Modifying Standard Options

Choose the right value in the combo list. Clicking on OK validates the current modification of that value. To actually save all modifications, you have to click on the save icon.

8.1.3. Setting up your own Permissions

Drakperm allows you to customize the permissions which should be associated with each file and directory in your system: configuration files, personal files, applications, etc. If the owners and permissions listed here don't match the actual permissions of the system's files, then msec (which stands for Mandriva Linux Security Tool) will change them during its hourly checks. These modifications can help prevent possible security holes or intrusions.

Figure 8.3. Configuring File-Permission Checks

The list of files and directories which appears depends on the current system's security level as set by msec, along with their expected permissions for that security level. For each entry (Path) there exists a corresponding owner (User), owner group (Group) and Permissions. In the drop-down menu, you can choose to display only msec rules (System settings), your own user-defined rules (Custom settings) or both as in the example shown in Figure 8.3, “Configuring File-Permission Checks”.

[Note] Note

You cannot edit system rules, as indicated by the “Do not enter” sign on the left. However, you can override them by adding custom rules.

Create Your Own Rules.  If you wish to add your own rules for specific files or modify the default behavior, display the Custom settings list and click on the Add a rule button.

Figure 8.4. Adding a File-Permissions Rule

Procedure 8.1. Customize Your Home Directory Permissions

  1. Let's imagine your current security level is set to 3 (high). This means that only the owners of the home directories can browse them. If you wish to share the content of Queen's home directory with other users, you need to modify the permissions of the /home/queen/ directory.

  2. msec only changes file permissions that are more permissive than those required by a certain security level. That means that for the change above, the permissions must be changed by hand.

    You can do this in Konqueror by modifying the permission properties of your home directory, and checking the Apply changes to all sub-folders and their contents option.

  3. If you create more rules, you can change their priorities by moving them up and down the rules list: use the Up and Down buttons on your custom rules to have more control over your system's permissions.
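
The comparison described in step 2, as an added example (not msec's own code): a read-only audit that reports whether each path's mode is looser or stricter than its rule. The rule tuples, the way custom rules replace system rules for the same path, and the sample modes are assumptions made for illustration; owner and group checks are left out.

```python
import os, stat, tempfile

def more_permissive(actual: int, expected: int) -> bool:
    """True if `actual` grants any permission bit that `expected` does not."""
    return bool(actual & ~expected & 0o7777)

def effective_rules(system_rules, custom_rules):
    """Assumed model: a custom rule overrides the system rule for the same path."""
    merged = {path: perms for path, perms in system_rules}
    merged.update({path: perms for path, perms in custom_rules})
    return merged

def audit(system_rules, custom_rules=()):
    """Classify each path against its effective rule. Never changes anything."""
    report = {}
    for path, expected in effective_rules(system_rules, custom_rules).items():
        try:
            actual = stat.S_IMODE(os.lstat(path).st_mode)
        except FileNotFoundError:
            report[path] = "missing"
            continue
        if actual == expected:
            report[path] = "ok"
        elif more_permissive(actual, expected):
            report[path] = "looser"    # the case a periodic check tightens
        else:
            report[path] = "stricter"  # left alone: must be changed by hand
    return report

def demo():
    """Constructed stand-in for /home/queen/ inside a temporary directory."""
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o700)          # constructed: owner-only home directory
        system = [(home, 0o700)]       # constructed system rule
        custom = [(home, 0o755)]       # constructed custom rule: let others browse
        before = audit(system, custom)[home]
        os.chmod(home, 0o755)          # the manual change from step 2
        after = audit(system, custom)[home]
        return before, after

if __name__ == "__main__":
    print(demo())
```
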