Name: msec
Version: 0.50.12
%define subrel 1
Release: %mkrel 1
Summary: Security Level management for the Mandriva Linux distribution
License: GPLv2+
Group: System/Base
Url: http://www.mandrivalinux.com/
Source0: %{name}-%{version}.tar.bz2
Source1: msec.logrotate
Source2: msec.sh
Source3: msec.csh
Requires: perl-base
Requires: diffutils
Requires: gawk
Requires: coreutils
Requires: iproute2
Requires: setup >= 2.2.0-21mdk
Requires: chkconfig >= 1.2.24-3mdk
Requires: python-base >= 2.3.3-2mdk
Requires: mailx
Requires: python
# at least xargs is used
Requires: findutils
Requires(pre): rpm-helper >= 0.4
Requires(postun): rpm-helper >= 0.4
Conflicts: passwd < 0.67
BuildRequires: python
BuildRoot: %{_tmppath}/%{name}-%{version}

%description
The Mandriva Linux Security package is designed to provide generic
secure level to the Mandriva Linux users...
It will permit you to choose between level 0 to 5 for a less -> more
secured distribution.
This package includes several programs that will be run periodically
in order to test the security of your system and alert you if needed.

%prep
%setup -q

%build
make CFLAGS="$RPM_OPT_FLAGS -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"

%install
rm -rf %{buildroot}
install -d %{buildroot}/etc/security/msec
install -d %{buildroot}/etc/sysconfig
install -d %{buildroot}/usr/share/msec
install -d %{buildroot}/var/lib/msec
install -d %{buildroot}/usr/sbin %{buildroot}/usr/bin
install -d %{buildroot}/var/log/security
install -d %{buildroot}%{_mandir}/man{3,8}

cp -p init-sh/cleanold.sh share/*.py share/*.pyo share/level.* cron-sh/*.sh %{buildroot}/usr/share/msec
chmod 644 %{buildroot}/usr/share/msec/{security,diff}_check.sh
install -m 755 share/msec %{buildroot}/usr/sbin
install -m 644 conf/server.* %{buildroot}/etc/security/msec
install -m 644 conf/perm.* %{buildroot}/usr/share/msec
install -m 755 src/promisc_check/promisc_check src/msec_find/msec_find %{buildroot}/usr/bin
install -m644 man/C/*8 %{buildroot}%{_mandir}/man8/
install -m644 man/C/*3 %{buildroot}%{_mandir}/man3/

for i in man/??* ; do
    install -d %{buildroot}%{_mandir}/`basename $i`/man8
    install -m 644 $i/*.8 %{buildroot}%{_mandir}/`basename $i`/man8/
    install -d %{buildroot}%{_mandir}/`basename $i`/man3
    install -m 644 $i/*.3 %{buildroot}%{_mandir}/`basename $i`/man3/ || :
done;

touch %{buildroot}/var/log/security.log %{buildroot}/%{_sysconfdir}/sysconfig/%{name}

mkdir -p %{buildroot}/%{_sysconfdir}/{logrotate.d,profile.d}
install -m 644 %{SOURCE1} %{buildroot}/etc/logrotate.d/msec
install -m 755 %{SOURCE2} %{buildroot}/etc/profile.d
install -m 755 %{SOURCE3} %{buildroot}/etc/profile.d
touch %{buildroot}/var/log/security.log

%find_lang %name

%pre
%_pre_groupadd xgrp
%_pre_groupadd ntools
%_pre_groupadd ctools

%post
touch /var/log/security.log

if [ $1 != 1 ]; then
    # manage spelling change
    for i in /etc/security/msec/level.local /etc/security/msec/security.conf /var/lib/msec/security.conf; do
        if [ -f $i ]; then
            perl -pi -e 's/CHECK_WRITEABLE/CHECK_WRITABLE/g;s/CHECK_SUID_GROUP/CHECK_SGID/g' $i
        fi
    done
    for ext in today yesterday diff; do
        if [ -f /var/log/security/writeable.$ext ]; then
            mv -f /var/log/security/writeable.$ext /var/log/security/writable.$ext
        fi
        if [ -f /var/log/security/suid_group.$ext ]; then
            mv -f /var/log/security/suid_group.$ext /var/log/security/sgid.$ext
        fi
    done

    # find secure level
    SL=$SECURE_LEVEL
    [ ! -r /etc/sysconfig/msec ] || SL=`sed -n 's/SECURE_LEVEL=//p' < /etc/sysconfig/msec` || :

    # upgrade from old style msec or rerun the new msec
    if grep -q "# Mandrake-Security : if you remove this comment" /etc/profile; then
        [ -z "$SL" -a -r /etc/profile.d/msec.sh ] && SL=`sed -n 's/.*SECURE_LEVEL=//p' < /etc/profile.d/msec.sh` || :
        /usr/share/msec/cleanold.sh || :
        [ -n "$SL" ] && msec $SL < /dev/null || :
    else
        [ -n "$SL" ] && msec < /dev/null || :
    fi

    # remove the old way of doing the daily cron
    rm -f /etc/cron.d/msec
fi

%postun
if [ $1 = 0 ]; then
    # cleanup crontabs on package removal
    rm -f /etc/cron.d/msec /etc/cron.hourly/msec /etc/cron.daily/msec
fi

%_postun_groupdel xgrp
%_postun_groupdel ntools
%_postun_groupdel ctools

%clean
rm -rf %{buildroot}

%files -f %{name}.lang
%defattr(-,root,root)
%doc AUTHORS COPYING share/README share/CHANGES
%doc ChangeLog doc/*.txt
%_bindir/promisc_check
%_bindir/msec_find
%_sbindir/msec
%_datadir/msec
%_mandir/*/*.*
%lang(cs) %_mandir/cs/man?/*
%lang(et) %_mandir/et/man?/*
%lang(eu) %_mandir/eu/man?/*
%lang(fi) %_mandir/fi/man?/*
%lang(fr) %_mandir/fr/man?/*
%lang(it) %_mandir/it/man?/*
%lang(nl) %_mandir/nl/man?/*
%lang(pl) %_mandir/pl/man?/*
%lang(ru) %_mandir/ru/man?/*
%lang(uk) %_mandir/uk/man?/*

%dir /var/log/security
%dir /etc/security/msec
%dir /var/lib/msec

%config(noreplace) /etc/security/msec/*
%config(noreplace) /etc/logrotate.d/msec
/etc/profile.d/msec*
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}

%ghost /var/log/security.log

%changelog
* Thu Feb 25 2010 Eugeni Dodonov <eugeni@mandriva.com> 0.50.12-1.1mdv2009.0
- built for updates

* Wed Feb 24 2010 Eugeni Dodonov <eugeni@mandriva.com> 0.50.12-1mdv2009.0
+ Revision: 510609
- 0.50.12:
  - Correctly change file permissions (#57793)

* Mon Jan 05 2009 Vincent Danen <vdanen@mandriva.com> 0.50.11-1.1mdv2009.0
+ Revision: 325087
- build for updates

  + Eugeni Dodonov <eugeni@mandriva.com>
    - 0.50.11
    - Correctly handle permit_root_login in sshd_config on level change (#19726).
    - Handle multibyte characters in msec reports (#26773).

  + root <root>
    - Branching 2009.0 release for updates.

* Tue Sep 30 2008 Thierry Vignaud <tvignaud@mandriva.com> 0.50.10-1mdv2009.0
+ Revision: 290111
- cron entry:
  o blacklist cifs instead of only smbfs for samba
  o exclude /media from searching like /mnt is
  o run with idle IOnice priority (#42795)

* Tue Jun 17 2008 Thierry Vignaud <tvignaud@mandriva.com> 0.50.9-2mdv2009.0
+ Revision: 223324
- rebuild

* Tue Mar 25 2008 Pixel <pixel@mandriva.com> 0.50.9-1mdv2008.1
+ Revision: 189939
- 0.50.9: do not allow msec to mess with umask=xxx for vfat in level 3 (#37222)

* Fri Mar 07 2008 Thierry Vignaud <tvignaud@mandriva.com> 0.50.8-1mdv2008.1
+ Revision: 181183
- use ionice to reduce I/O pressure when running msec_find and rpm -Va
- packaging cleanups

* Fri Jan 25 2008 Andreas Hasenack <andreas@mandriva.com> 0.50.7-1mdv2008.1
+ Revision: 157928
- 0.50.7: build msec_find with large file support (#36047)

* Fri Jan 25 2008 Andreas Hasenack <andreas@mandriva.com> 0.50.6-1mdv2008.1
+ Revision: 157908
- 0.50.6: strip binary chars from report email (#36848)

* Fri Jan 11 2008 Andreas Hasenack <andreas@mandriva.com> 0.50.5-1mdv2008.1
+ Revision: 148730
- fix infinitely growing kdmrc with set variable AllowShutdown to None (#12821)

* Fri Jan 11 2008 Andreas Hasenack <andreas@mandriva.com> 0.50.4-1mdv2008.1
+ Revision: 148599
- updated to version 0.50.4, which fixes the following:
  - Argument list too long (#36656)
  - msec_find should exclude pipes and sockets when reporting writable files (#27530)
  - msec diff (diff_check.sh) does not take into account the chkrootkit reports (#21369)
  - netstat check for open ports doesn't pick up ports on ipv6 addr (#19486)
  - need to resolve symlinks before testing for local filesystems (#14387)

  + Olivier Blin <oblin@mandriva.com>
    - restore BuildRoot

  + Thierry Vignaud <tvignaud@mandriva.com>
    - kill re-definition of %%buildroot on Pixel's request

* Tue Nov 13 2007 Adam Williamson <awilliamson@mandriva.org> 0.50.3-2mdv2008.1
+ Revision: 108377
- requires python (#35485)
- new license policy

* Mon Mar 05 2007 Guillaume Rousse <guillomovitch@mandriva.org> 0.50.3-1mdv2007.0
+ Revision: 132893
- drop useless and redundant file dependencies
- new version spec cleanup

* Mon Mar 05 2007 Olivier Thauvin <nanardon@mandriva.org> 0.50.2-1mdv2007.1
+ Revision: 132772
- 0.50.2: fix (#27956 and #12353)

* Sat Aug 12 2006 Olivier Thauvin <nanardon@mandriva.org> 0.50.1-1mdv2007.0
+ Revision: 55666
- 0.50.1

  + Nicolas Lécureuil <neoclust@mandriva.org>
    - Fix manpages (close ticket #17430)

* Sat Aug 05 2006 Olivier Thauvin <nanardon@mandriva.org> 0.50.0-1mdv2007.0
+ Revision: 52699
- 0.50.0
- Import msec

* Fri Nov 18 2005 Frederic Lepied <flepied@mandriva.com> 0.49.1-1mdk
- fix bug #17921

* Mon Nov 14 2005 Frederic Lepied <flepied@mandriva.com> 0.49-1mdk
- scripts in /etc/profile.d no more config files
- fix bug #19206 by really generating /var/lib/msec/security.conf

* Tue Sep 20 2005 Frederic Lepied <flepied@mandriva.com> 0.48-1mdk
- enable_pam_root_from_wheel: fixed too laxist config in level 2 (bug #18403).

* Sat Sep 10 2005 Frederic Lepied <flepied@mandriva.com> 0.47.5-1mdk
- remove debugging output

* Fri Sep 09 2005 Frederic Lepied <flepied@mandriva.com> 0.47.4-1mdk
- fixed security.conf path (bug #18271).
- security.sh fix parsing of rpm -Va (bug #18326, Michael Reinsch).
- security.sh: don't check sysfs and usbfs file system (bug #14359).
- make msec.sh bourne shell compatible.
- allow_xserver_to_listen: adapt to new way of specifying X server
  arguments for kdm (bug #15759).

* Fri Sep 02 2005 Frederic Lepied <flepied@mandriva.com> 0.47.3-1mdk
- make /etc/rc.d/init.d/functions always readable (bug #18080)

* Thu Aug 18 2005 Frederic Lepied <flepied@mandriva.com> 0.47.2-1mdk
- another fix for bug #17477

* Wed Aug 17 2005 Frederic Lepied <flepied@mandriva.com> 0.47.1-1mdk
- really fix bug #17477

* Sat Aug 13 2005 Frederic Lepied <flepied@mandriva.com> 0.47-1mdk
- security_check.sh: fix user or homedir with spaces in (bug #16237).
- perm.*:
  o /etc/rc.d/init.d/xprint exception
  o manage apache files (Guillaume Rousse) (bug #12183)
- allow_user_list: fixed kdmrc settings.
- support new inittab syntax for single user mode.
- fix parsing of new chage output (bug #17477).
- Perms.py: more robust parsing
- fixed wrong kdmrc values (bug #16268).
- follow new Single user need in inittab.

* Sat Jun 18 2005 Frederic Lepied <flepied@mandriva.com> 0.46-1mdk
- Mandriva
- new function enable_pam_root_from_wheel to allow transparent root
  access for the wheel group members.

* Mon Mar 21 2005 Frederic Lepied <flepied@mandrakesoft.com> 0.45.1-1mdk
- allow to use the variable CHKROOTKIT_OPTION as an argument to
  chkrootkit (Michael, bug #12687).
- fixed documentation of the use of the current keyword (bug #12866).
- fixed password_history.

* Mon Feb 21 2005 Frederic Lepied <flepied@mandrakesoft.com> 0.45-1mdk
- requires mailx (bug #13497).
- fixed the permissions of sendmail symlinks (bug #13515).
- allow to put an EXCLUDE_REGEXP variable in
  /etc/security/msec/security.conf to be used in msec_find (bug #508).

* Fri Oct 01 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.44.2-1mdk
- fix allow_reboot

* Sat Jul 31 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.44.1-1mdk
- fix directory creation code

* Sat Jul 31 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.44-1mdk
- new function allow_xauth_from_root
- the perm.local config file is now forcing permissions even if it's
  lowering the security.
- install translated man pages
- Mandrakelinux/Mandrakesoft

* Thu Jul 08 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.43-1mdk
- fixed again mailman permissions for mailman in level 3 (bug #9319)
- use getent to parse the passwd database (bug #9904)
- fix msec.csh (Pixel)
- more servers in level 4 (Florin)

* Sat Apr 24 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.42.2-1mdk
- corrected mailman log permissions (Guillaume Rousse bug #9319)

* Sun Mar 21 2004 Frederic Lepied <flepied@mandrakesoft.com> 0.42.1-1mdk
- check files on / in the daily check (workaround strange ntfw bug #9121)