SECclean
A Solaris 2.6/2.7 package to clean up the default OS install.
Use at your own risk! :-)
All comments are welcome: chouanard@parc.xerox.com. Flames to /dev/null.
Introduction:
The goal of this package is to configure or modify your system to make
it more secure. It deals with two kinds of files:
- RC files: as the goal is a secure system, only the minimum set of RC files
is kept. New ones are added where needed, and existing ones are cleaned up.
- System files: to make the system more secure, some system files have to be
deleted, created or edited.
The distributed version of this package is very restrictive and may not
fit every purpose, as most services are turned off by default. It should
be easy for you to adapt the package to your needs.
The sources are available at: ftp://ftp.parc.xerox.com/pub/jean/solins/src
Package description:
Files Installed:
Installed files are listed in the prototype file.
- /etc/shells : default shells, as used by getusershell(3C).
- /etc/ftpusers : list of users denied ftp access; by default, all the
existing system users.
- /usr/bin/openwin : a shell wrapper that *tries* to avoid starting openwin
without rpcbind running, as that hangs the workstation.
- /etc/hosts.equiv : empty. Installed only so that it is under package control,
with the right mode.
- /.rhosts : empty. Installed only so that it is under package control, with
the right mode.
- /var/adm/loginlog : empty. Solaris logs failed login attempts if this file exists.
Files Replaced:
Replaced files are handled by the postinstall script. See the next section,
"Package modification". The postinstall script defines this list as its internal
variable SA.
- /etc/inet/services : adds various useful services that are not part of the Sun
distribution, such as the SecurID ACE services or those for the FWTK (TIS).
- /etc/profile : minor changes, including /opt/local on the PATH and MANPATH.
- /etc/passwd : based on the distributed passwd file; all system logins are
disabled.
- /etc/syslogd.conf : some cleanup. Nothing is written to the console.
- /var/spool/cron/crontabs/root : cleanup.
- /etc/default/su : PATH and SUPATH include /opt/local/bin.
- /etc/default/login : PATH and SUPATH include /opt/local/bin. Enforces
'CONSOLE=/dev/console' so that root can only log in from the console.
- /etc/default/inetinit : enforces 'TCP_STRONG_ISS=2', RFC 1948 sequence
number generation (unique per connection ID).
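A post-install check for the two /etc/default settings above, added here as an example and not part of the package: Solaris ships some of these keys commented out (e.g. "#CONSOLE=/dev/console"), so the check only honours active lines. The sample files are constructed; the file and key names are the ones the page mentions.

```shell
#!/bin/sh
# Added example (not the package's own code): verify that a /etc/default-style
# file sets KEY to the expected value on an active (uncommented) line. A plain
# grep for the key would wrongly report a commented-out default as enforced.

# Prints the value of the last active KEY=VALUE line in file $1, empty if none.
default_setting() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -1
}

# check_setting FILE KEY WANT: returns 0 if the active value equals WANT.
check_setting() {
    file=$1; key=$2; want=$3
    got=$(default_setting "$file" "$key")
    if [ "$got" = "$want" ]; then
        echo "OK   $file: $key=$got"; return 0
    else
        echo "FAIL $file: $key is '${got:-unset}', expected '$want'"; return 1
    fi
}

# Constructed sample files standing in for a stock and a hardened install.
SAMPLE=$(mktemp -d)
printf '#CONSOLE=/dev/console\nPASSREQ=YES\nPATH=/usr/bin:\n' > "$SAMPLE/login.stock"
printf 'CONSOLE=/dev/console\nPASSREQ=YES\nPATH=/usr/bin:/opt/local/bin\n' \
    > "$SAMPLE/login.hardened"
printf 'TCP_STRONG_ISS=1\n' > "$SAMPLE/inetinit.stock"
check_setting "$SAMPLE/login.stock"    CONSOLE /dev/console || true   # FAIL
check_setting "$SAMPLE/login.hardened" CONSOLE /dev/console          # OK
check_setting "$SAMPLE/inetinit.stock" TCP_STRONG_ISS 2 || true      # FAIL
rm -rf "$SAMPLE"
```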
Files Modified:
- /etc/inet/inetd.conf : all services turned OFF by default. Easy! :-)
- /etc/pam.conf : turns off rhosts_auth.
- /etc/system : increases the file descriptor limits and the number of BSD style
and SVR4 style ptys; attempts to prevent and log stack-smashing attacks; enables
an advanced memory paging technique.
Files Deleted:
Deleted files are handled by the postinstall script. See the next section,
"Package modification". The postinstall script defines this list as its internal
variable SD:
- "/etc/auto_home /etc/auto_master /etc/dfs/dfstab /var/spool/cron/crontabs/adm /var/spool/cron/crontabs/sys /var/spool/cron/crontabs/lp /var/spool/cron/crontabs/uucp"
RC files:
Most of these modifications are done in the postinstall script. See next
section "Package modification".
RC files Deleted:
The postinstall script defines this list as its internal variable RC.
Long list of RC files turned off: "cacheos cachefs.root asppp uucp cachefs.daemon
xntpd spc rpc autoinstall nfs.client autofs nscd lp nfs.server volmgt PRESERVE
sendmail cacheos.finish sysid.sys sysid.net snmpdx dmi dtlogin power init.dmi
init.snmpdx".
These names are the names of the init files located in the /etc/init.d
directory. For every link to them under any /etc/rc?.d/ directory, the
postinstall script deletes the link and writes a trace log under
/etc/rc?.d/Disable-By-SECclean, which lets you re-create the link if needed.
If you need to re-enable some of these RC files, you can either rebuild
the package to fit your needs (see Package modification)
or just manually recreate the link after the install.
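The link-disabling step described above, as an added example: this is a hypothetical reimplementation, not the package's postinstall script. It assumes a root prefix argument so it can run on a scratch tree, and assumes the trace log holds plain ln commands (the page does not give the log's format); the scratch tree and its init scripts are constructed.

```shell
#!/bin/sh
# Hypothetical reimplementation of the postinstall step that disables RC
# scripts (added example, not the package's own code). For each init script
# name, every /etc/rc?.d/[SK]NNname link is removed and a restore command is
# appended to /etc/rc?.d/Disable-By-SECclean so the link can be recreated.
# $1 is an assumed root prefix ("" on a live system, a scratch dir when
# testing); the remaining arguments are init script names as in RC.
disable_rc_links() {
    root=$1; shift
    for name in "$@"; do
        for dir in "$root"/etc/rc?.d; do
            [ -d "$dir" ] || continue
            for link in "$dir"/[SK][0-9][0-9]"$name"; do
                [ -f "$link" ] || continue      # glob matched nothing
                # Solaris rc?.d entries are hard links to /etc/init.d/<name>,
                # so the trace log records a plain ln command (assumed format).
                printf 'ln %s/etc/init.d/%s %s\n' "$root" "$name" "$link" \
                    >> "$dir/Disable-By-SECclean"
                rm -f "$link"
            done
        done
    done
}

# Number of rc?.d links still present for an init script (for verification).
count_rc_links() {
    n=0
    for link in "$1"/etc/rc?.d/[SK][0-9][0-9]"$2"; do
        if [ -f "$link" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed scratch tree standing in for a fresh install (not real data).
make_scratch_tree() {
    mkdir -p "$1/etc/init.d" "$1/etc/rc1.d" "$1/etc/rc2.d" "$1/etc/rc3.d"
    for svc in sendmail nfs.server inetsvc; do
        printf '#!/sbin/sh\n' > "$1/etc/init.d/$svc"
    done
    ln "$1/etc/init.d/sendmail"   "$1/etc/rc2.d/S88sendmail"
    ln "$1/etc/init.d/sendmail"   "$1/etc/rc1.d/K57sendmail"
    ln "$1/etc/init.d/nfs.server" "$1/etc/rc3.d/S15nfs.server"
    ln "$1/etc/init.d/inetsvc"    "$1/etc/rc2.d/S72inetsvc"   # not in RC; must stay
}

SCRATCH=$(mktemp -d)
make_scratch_tree "$SCRATCH"
disable_rc_links "$SCRATCH" sendmail nfs.server
cat "$SCRATCH"/etc/rc?.d/Disable-By-SECclean      # the generated restore commands
rm -rf "$SCRATCH"
```

Running the generated Disable-By-SECclean file with sh recreates the links, which is the manual re-enable path the text describes.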
RC files Replaced:
The postinstall script defines this list as its internal variable NRC.
These files are based on the Sun distribution files but have been simplified.
RC files Added:
- /etc/init.d/nettune, with a link from /etc/rcS.d/S31nettune.
It is based on Jens-S. Vöckler's IP tuning script for Solaris (see his very
good page on TCP tuning under Solaris).
- /etc/init.d/umask.sh, with symbolic links from etc/rc0.d/S00umask.sh,
etc/rc1.d/S00umask.sh, etc/rc2.d/S00umask.sh, etc/rc3.d/S00umask.sh and
etc/rcS.d/S00umask.sh, to control/force the default UMASK of daemons.
Package modification:
The sources of the package are available from:
ftp://ftp.parc.xerox.com/pub/jean/solins/src
Most of the files that are deleted or replaced are handled by the PARCpkgu
shell script. It is quite well commented. Look at /usr/bin/PARCpkgu, or
also at the short documentation at:
ftp://ftp.parc.xerox.com/pub/jean/solins/pkgu.html
Here is some quick info; after that, just play with the package. Keep
two things in mind: a package should leave the contents database clean
(meaning a 'pkgchk -n' should output no error), and you should be able
to de-install a package without screwing up your system!
- To change the files or the RC files installed: just change the prototype
and/or the file itself.
- To change the files deleted, modify the SD variable in the postinstall file.
- To change the list of RC files deleted, modify the RC variable in the
postinstall file.
Rebuild the package afterwards by running 'make' in the package directory. It
will create the package under '../Trav/SECclean'.
To try your new package:
> cd ../Trav
> pkgadd -d . SECclean
Good luck, and let me know of any corrections or improvements.
Last Modified: $Id: secclean.html,v 1.3 1999/07/24 18:48:18 chouanar Exp $; by Jean Chouanard, Xerox PARC