More on msec
As promised in one of the past blog posts, here is some more news about msec.
Since 2009.1, msec has supported an arbitrary number of custom security levels, providing two levels by default: standard, focused on casual desktops, and secure, focused on security-concerned machines. Clearly, this did not cover all the possible use cases, and, while it was possible to create custom security levels for different users' needs, few users actually dared to do so.
Starting with 2010.1, msec will provide a larger number of custom, task-oriented security levels. Initially, these are netbook (focused on low-end machines, running mostly on batteries, with a single local user and no remote access); fileserver (focused on a network server, such as SAMBA, NFS, or a database server, where only authenticated users are allowed); and webserver (focused on a web-facing server, serving unauthenticated and unknown users). The idea is to allow users to focus on their specific tasks (e.g., creating a web server, or configuring the netbook), without going too deep into the configuration options.
The msecgui UI was also improved to support those levels, along with user-created custom levels:
Besides those changes, the UI was simplified a bit thanks to a great cooker discussion and comments from Fabrice Facorat (and will be further improved in newer versions), support for configuring the log retention period was introduced, and a few bugs were fixed.
More changes are still to be implemented in msec, but I thought that the ones I described in this post are interesting enough to deserve a new msec release.
Stay tuned for future updates!

A profile “home desktop connected to internet” is missing.
@promneneur, “home desktop connected to internet” is what the “Standard” profile represents now. I still don’t know if the “Standard” should be renamed to “Desktop”, or just its description should be improved.
First of all, thanks so much for this great tool!
I run a server (with Mandriva, of course!) with Apache, proftpd, ssh and nx. I don’t use php nor cgi’s, so Apache simply sends totally static webpages. Now, the question: which level do you recommend for me? I’m unsure if “webserver” level is the one for me, or I’d rather make a personal one.
Thank you in advance! motitos
@motitos, I think that the “fileserver” should be adequate for you. The difference between it and the “webserver” is that it runs the I/O-intensive periodic check weekly instead of daily.
As your server does not receive user-generated content, nor has php scripts, it is less likely to be compromised by a php exploit or something like that.
But on the other hand, if you don’t have that many files, you could use the “webserver” level and just run most periodic checks daily.
Ola Dr Eugeni,
Thanks for all these msec improvements.
There’s a particular point that I’d like to see improved. It’s the way msec is dealing with the /net special autofs mount point. This special directory is used when configured in /etc/autofs/auto.master as a special mount point that is able to mount every NFS server’s exported file systems. For example, /net/an-nfs-server/export1 is mounting the /export1 FS of the NFS server named an-nfs-server. The problem is that, even if the NFS mount is auto-unmounted after a given time, the /net/an-nfs-server/export1 mount point stays on the client until the next restart of the autofs service. And, when msec is performing its checks, every remote FS that has been mounted since the last restart of autofs (e.g. since the system is up) is automatically re-mounted, and the checks go across the remote FS…
IMHO, msec should consider /net as an exception, at least if we ensure that autofs is using it for that particular purpose.
First of all, congratulations on a job well done.
Now, focusing on the “profiles”. Maybe it would be useful to let the sysadmin create his own profile. Let me explain: if a sysadmin selects the “desktop” profile but needs some fine tuning, after applying the changes it would be a great option to save these changes for re-use (i.e. deploying a large number of machines) in another installation. So, the idea is to implement a “Load/Save” advanced settings option or something else.
@vfmBOFH this functionality is already in the console version (e.g., just run ‘msec -s’ to save current settings as a new profile). The gui for it is missing indeed however.
Yargh!
Next time I will try the --help trick before opening my big mouth
I am looking for help about msec. In my log (mandriva 2010.0), I got “localhost msec: A sniffer is probably running on your system”. I wonder if someone is sniffing my network? Or maybe it is from a program on my computer. I am a newbie so I don’t know what to check. I am connected to the internet through an apple airport express and an intel wireless card with WPA key. Could you let me know how to investigate this security breach? Thanks, Julien
Hi,
this message says that some application on your system has put your network card in ‘promiscuous’ mode – a mode in which it intercepts all network packets, even if they are not intended for it. This is suspicious, because under normal circumstances the network card shouldn’t be running in this mode. However, many applications do this on purpose (for example, traffic analyzers).
To confirm which network card is running in this mode, try running (as root) ‘promisc_check’ in console. This will show you which network card is currently running in this mode.
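
As an added example (not part of msec or of the replies above), the same investigation can be done by hand on Linux: the script reads each interface's flags word from sysfs, tests the IFF_PROMISC bit, and lists the processes holding packet sockets as candidates for whatever enabled the mode. The sample tree, PIDs and process names are constructed, and the function names are hypothetical; the sysfs and procfs layouts are assumed to be those of a current Linux kernel.

```shell
#!/bin/sh
# Added example: functions take the /sys and /proc locations as arguments
# so they can run on the constructed tree below as well as on a live host.
IFF_PROMISC=0x100   # promiscuous-mode bit in the flags word (<linux/if.h>)

# Print every interface under DIR whose flags have IFF_PROMISC set.
promisc_interfaces() {
    netdir=${1:-/sys/class/net}
    for dev in "$netdir"/*; do
        [ -r "$dev/flags" ] || continue
        flags=$(cat "$dev/flags")
        if [ $(( $flags & $IFF_PROMISC )) -ne 0 ]; then echo "${dev##*/}"; fi
    done
}

# Print "PID COMMAND" for each process holding a packet (AF_PACKET) socket:
# inodes listed in PROC/net/packet are matched against PROC/<pid>/fd links.
# On a live host this needs root to read other users' fd directories.
packet_socket_owners() {
    proc=${1:-/proc}
    [ -r "$proc/net/packet" ] || return 0
    for inode in $(awk 'NR > 1 { print $NF }' "$proc/net/packet"); do
        for fd in "$proc"/[0-9]*/fd/*; do
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
            pid=${fd#"$proc"/}; pid=${pid%%/*}
            echo "$pid $(cat "$proc/$pid/comm" 2>/dev/null)"
        done
    done | sort -u
}

# Constructed sample: wlan0 promiscuous, eth0 not; PID 4242 ("tcpdump",
# a made-up entry) owns the only packet socket, PID 100 owns none.
make_sample() {
    mkdir -p "$1/sys/eth0" "$1/sys/wlan0" "$1/proc/net" \
             "$1/proc/4242/fd" "$1/proc/100/fd"
    echo 0x1003 > "$1/sys/eth0/flags"    # UP|BROADCAST|MULTICAST
    echo 0x1103 > "$1/sys/wlan0/flags"   # same, plus PROMISC
    printf '%s\n' 'sk RefCnt Type Proto Iface R Rmem User Inode' \
        'ffff8800 3 3 0003 3 1 0 0 55501' > "$1/proc/net/packet"
    ln -s 'socket:[55501]' "$1/proc/4242/fd/3"
    ln -s 'socket:[70000]' "$1/proc/100/fd/4"
    echo tcpdump > "$1/proc/4242/comm"; echo sshd > "$1/proc/100/comm"
}

sample=$(mktemp -d) && make_sample "$sample"
promisc_interfaces "$sample/sys"         # wlan0
packet_socket_owners "$sample/proc"      # 4242 tcpdump
rm -rf "$sample"
```

A packet socket alone does not prove sniffing: DHCP clients and wireless supplicants also open them, so treat the list as a starting point for checking which programs are expected on the machine.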