1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
|
# Q: Would you like to run the packet filtering script? [N]
IPChains.ip_intro="Y"
# Q:
IPChains.ip_detail_level_kludge="Y"
# Q: Do you need the advanced networking options?
IPChains.ip_advnetwork="N"
# Q: DNS Servers: [0.0.0.0/0]
IPChains.ip_b_dns="0.0.0.0/0"
# Q:
IPChains.ip_b_trustiface="lo"
# Q: Public interfaces: [eth+ ppp+ slip+]
IPChains.ip_b_publiciface="eth+ ppp+ slip+"
# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
IPChains.ip_b_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# Q: UDP services to audit: [31337]
IPChains.ip_b_udpaudit="31337"
# Q: TCP service names or port numbers to allow on public interfaces: [ ]
IPChains.ip_b_publictcp="ssh 80 443 25 21 53"
# Q: UDP service names or port numbers to allow on public interfaces: [ ]
IPChains.ip_b_publicudp="53 67 68"
# Q: Force passive mode? [N]
IPChains.ip_b_passiveftp="N"
# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
IPChains.ip_b_tcpblock="2049 2065:2090 7100"
# Q: UDP services to block: [2049 6770]
IPChains.ip_b_udpblock="2049 6770"
# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
IPChains.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded echo-requested"
# Q: Enable source address verification? [Y]
IPChains.ip_b_srcaddr="Y"
# Q: Reject method: [DENY]
IPChains.ip_b_rejectmethod="REJECT"
# Q: Interfaces for DHCP queries: [ ]
IPChains.ip_b_dhcpiface="eth+"
# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
FilePermissions.generalperms_1.1="N"
# Q: What security level should we set? [3]
FilePermissions.security_level="3"
# Q: Would you like us to modify your file permissions?
FilePermissions.generalperms_1.2_mandrake="Y"
# Q: Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="N"
# Q: Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="N"
# Q: Would you like to disable SUID status for dump and restore? [Y]
FilePermissions.suiddump="Y"
# Q: Would you like to disable SUID status for cardctl? [Y]
FilePermissions.suidcard="Y"
# Q: Would you like to disable SUID status for at? [Y]
FilePermissions.suidat="N"
# Q: Would you like to disable SUID status for DOSEMU? [Y]
FilePermissions.suiddos="Y"
# Q: Would you like to disable SUID status for news server tools? [Y]
FilePermissions.suidnews="Y"
# Q: Would you like to disable SUID status for printing utilities? [N]
FilePermissions.suidprint="N"
# Q: Would you like to disable SUID status for the r-tools? [Y]
FilePermissions.suidrtool="Y"
# Q: Would you like to disable SUID status for usernetctl? [Y]
FilePermissions.suidusernetctl="N"
# Q: Would you like to disable SUID status for traceroute? [Y]
FilePermissions.suidtrace="N"
# Q: Would you like to set up a second UID 0 account? [N]
AccountSecurity.secondadmin="N"
# Q: May we take strong steps to disallow the dangerous r-protocols? [Y]
AccountSecurity.protectrhost="Y"
# Q: Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q: Would you like to create a non-root user account? [N]
AccountSecurity.createuser="N"
# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
AccountSecurity.cronuser="N"
# Q: What umask would you like to set for users on the system? [077]
AccountSecurity.umask="077"
# Q: Should we allow root to login on tty's 1-6? [Y]
AccountSecurity.rootttylogins="Y"
# Q: Should we allow the PATH to include the current directory? [N]
AccountSecurity.restrict_path_mdk="N"
# Q: Should we deactivate this list of users? [N]
AccountSecurity.forbiduserview="N"
# Q: Would you like to password-protect the LILO prompt? [N]
BootSecurity.protectlilo="N"
# Q: Would you like to reduce the LILO delay time to zero? [N]
BootSecurity.lilodelay="N"
# Q: Do you ever boot Linux from the hard drive? [Y]
BootSecurity.lilosub_drive="N"
# Q: Would you like to write the LILO changes to a boot floppy? [N]
BootSecurity.lilosub_floppy="N"
# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]
BootSecurity.secureinittab="N"
# Q: Would you like to password protect single-user mode? [Y]
BootSecurity.passsum="Y"
# Q: May we disable Autologin? [Y]
BootSecurity.disable_autologin="Y"
# Q: Would you like to set a default-deny on TCP Wrappers? [N]
SecureInetd.tcpd_default_deny="N"
# Q: May we deactivate telnet? [Y]
SecureInetd.deactivate_telnet="Y"
# Q: May we deactivate ftp? [Y]
SecureInetd.deactivate_ftp="Y"
# Q: Would you like to make "Authorized Use" banners? [Y]
SecureInetd.banners="Y"
# Q: Would you like to disable the compiler? [N]
DisableUserTools.compiler="N"
# Q: Would you like to put limits on system resource usage? [Y]
ConfigureMiscPAM.limitsconf="N"
# Q: Should we restrict console access to a small group of user accounts? [N]
ConfigureMiscPAM.consolelogin="N"
# Q: Would you like to add additional logging? [Y]
Logging.morelogging="Y"
# Q: Do you have a remote logging host? [N]
Logging.remotelog="N"
# Q: Would you like to set up process accounting? [N]
Logging.pacct="N"
# Q: Would you like to set up nightly security checks? [N]"
Logging.security_checks="Y"
# Q: Would you like to disable apmd? [Y]
MiscellaneousDaemons.apmd="Y"
# Q: Would you like to deactivate NFS and Samba? [Y]
MiscellaneousDaemons.remotefs="Y"
# Q: Would you like to disable PCMCIA services? [Y]
MiscellaneousDaemons.pcmcia="N"
# Q: Would you like to disable the DHCP daemon? [Y]
MiscellaneousDaemons.dhcpd="Y"
# Q: Would you like to disable GPM? [Y]
MiscellaneousDaemons.gpm="Y"
# Q: Would you like to disable the news server daemon? [Y]
MiscellaneousDaemons.innd="Y"
# Q: Would you like to deactivate the routing daemons? [Y]
MiscellaneousDaemons.routing="Y"
# Q: Would you like to deactivate NIS server and client programs? [Y]
MiscellaneousDaemons.nis="Y"
# Q: Would you like to disable SNMPD? [Y]
MiscellaneousDaemons.snmpd="Y"
# Q: Should we disable most chkconfig'd services?
MiscellaneousDaemons.minimize_chkconfig="N"
# Q: Do you want to leave sendmail running in daemon mode? [Y]
Sendmail.sendmaildaemon="N"
# Q: Would you like to run sendmail via cron to process the queue? [N]
Sendmail.sendmailcron="Y"
# Q: Would you like to disable the VRFY and EXPN sendmail commands? [Y]
Sendmail.vrfyexpn="Y"
# Q: Would you like to download and install ssh? [N]
RemoteAccess.installssh="N"
# Q: Would you like to chroot named and set it to run as a non-root user? [N]
DNS.chrootbind="N"
# Q: Would you like to deactivate named, at least for now? [Y]
DNS.namedoff="Y"
# Q: Would you like to deactivate the Apache web server? [Y]
Apache.apacheoff="Y"
# Q: Would you like to bind the web server to listen only to the localhost? [N]
Apache.bindapachelocal="N"
# Q: Would you like to bind the web server to a particular interface? [N]
Apache.bindapachenic="N"
# Q: Would you like to deactivate the following of symbolic links? [Y]
Apache.symlink="N"
# Q: Would you like to deactivate server-side includes? [Y]
Apache.ssi="Y"
# Q: Would you like to disable CGI scripts, at least for now? [Y]
Apache.cgi="N"
# Q: Would you like to disable indexes? [N]
Apache.apacheindex="N"
# Q: Would you like to disable printing? [N]
Printing.printing="N"
# Q: Would you like to disable user privileges on the FTP daemon? [N]
FTP.userftp="N"
# Q: Would you like to disable anonymous download? [N]
FTP.anonftp="Y"
# Q: Would you like to install TMPDIR/TMP scripts? [N]
TMPDIR.tmpdir="Y"
|
