Tibor Pittich <[EMAIL PROTECTED]> writes:

> First: sorry for my poor English, but I believe that this information is
> useful.
> 
> I installed mdk 8.2b3 and synced to current cooker, but msec-0.19-3mdk ....
> :-( I used security level 4
> 
> 1. chage problem: I have set how long the passwords are valid in file
> /etc/login.defs. After the msec script finished running, some accounts have
> a different PASS_MAX_DAYS parameter in /etc/shadow. Because of this
> misconfiguration, some accounts are still valid, but password is no longer
> used, because PASS_MAX_DAYS.. While msec was running I saw processes
> "chage -M 60 $LOGIN", which is called from libmsec.py. I've tried looking
> at /usr/share/msec/libmsec.py, where exactly these steps are, but I don't
> know what magic is used to calculate this..
> p.s.: I can't disable this feature, maybe useful for others too ..

To disable password aging, use the following in
/etc/security/msec/level.local:

from mseclib import *

password_aging(99999)

> 2. msec doesn't parse UID_MIN from /etc/login.defs. at line 550 in
> /usr/share/libmsec.py this is declared statically, uid_min = 500..

That's wrong, the line 550 is the default value if nothing is found by
parsing the file line 555...

> 3. tcsh permission problem: I see you have applied a workaround, which is
> needed for tcsh against the "hash" feature, which is present in
> /etc/csh.login: "if (! -r /usr/bin) then unhash endif". It still doesn't
> fix the bug. I must manually change permissions for directory
> /bin and /usr/bin to 755 (in /usr/share/msec/perm.4 of course) because the login
> process (if tcsh is login shell) can't be done properly.. (some command not found
> errors for progs which were in these directories)

Pixel, can you check that?

> 4. I don't want to run msec in cron.hourly, but msec is installing itself
> automagically into /etc/cron.hourly/. Is there a way how to configure 
> (turnoff) msec cron.hourly job?

Either remove msec or add the following to
/etc/security/msec/level.local:

enable_msec_cron(0)

> 5. I don't know if this is only my local problem, but my system is missing
> the symlink in /etc/security/security.conf which should point to
> /var/lib/msec/security.conf. cron (promisc_check.sh) is reporting an error
> that this file is missing every hour..

corrected in cooker (no need for a symlink).

> too many problems in higher level(s) of msec security for production
> machines... :( but I know, this is a useful tool..

-- 
Fred - May the source be with you
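
Added example, not part of the original message and not msec's own code: a
small audit for points 1 and 2 above that reads PASS_MAX_DAYS and UID_MIN from
login.defs and lists regular accounts whose maximum password age in shadow
differs. The sample file contents are constructed, and comparing only accounts
with UID >= UID_MIN is an assumption of this sketch.

```python
import re

# Constructed sample inputs (not taken from the original message).
LOGIN_DEFS = """\
# sample /etc/login.defs
PASS_MAX_DAYS   90
UID_MIN         1000
"""
SHADOW = """\
root:$1$x:11700:0:99999:7:::
alice:$1$x:11700:0:60:7:::
bob:$1$x:11700:0:90:7:::
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/tcsh
"""

def parse_login_defs(text, defaults=None):
    """Return settings as ints; fallbacks: 500 as quoted in the thread, 99999 assumed (no aging)."""
    values = dict(defaults or {"PASS_MAX_DAYS": 99999, "UID_MIN": 500})
    for line in text.splitlines():
        m = re.match(r"\s*(PASS_MAX_DAYS|UID_MIN)\s+(\d+)\s*(?:#.*)?$", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values

def aging_mismatches(login_defs, passwd, shadow):
    """List (login, shadow_max_days, expected) for regular accounts that differ."""
    cfg = parse_login_defs(login_defs)
    uids = {}
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit():
            uids[f[0]] = int(f[2])
    out = []
    for line in shadow.splitlines():
        f = line.split(":")
        # Skip malformed lines, unknown logins and system accounts below UID_MIN.
        if len(f) < 5 or uids.get(f[0], -1) < cfg["UID_MIN"]:
            continue
        max_days = int(f[4]) if f[4].isdigit() else None  # empty field = no aging set
        if max_days != cfg["PASS_MAX_DAYS"]:
            out.append((f[0], max_days, cfg["PASS_MAX_DAYS"]))
    return out

if __name__ == "__main__":
    for login, actual, expected in aging_mismatches(LOGIN_DEFS, PASSWD, SHADOW):
        print(f"{login}: shadow max days {actual}, login.defs says {expected}")
```

On a real system the three strings would be read from /etc/login.defs,
/etc/passwd and /etc/shadow (the last needs root).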
