MinimizeOS is a new module that takes a configuration file and does a pkgrm of every package that is not listed in the configuration file. This minimizes the OS and removes unused (and potentially insecure) packages from the system. Use with caution.
init4.sh-generic
This script checks and turns off ALL server-side services. init4.sh-generic creates a new system run level, run level 4, which has only client-side network services enabled.
When run for the first time with "init4.sh-generic -f", it creates links for all the startup scripts from /etc/rc2.d and /etc/rc3.d into the new /etc/rc4.d, replacing the leading "S" (for "Start") with a "K" (for "Kill") so that the script is not started when run level 4 is entered. As a result, either booting into run level 4 or changing into run level 4 from another run level (entering "init 4" as root) shuts down all server-side services. This includes inetd, and therefore every service run out of inetd, including telnetd, ftpd, and any other daemon ("*d") that listens on your system. The system then acts as a (mostly) standalone black box which allows outbound connections but does not accept ANY inbound connections to "standard" services.
NOTE: This does *not* disable any services that are started by any other method, such as by users or root from the command line, or via cron.
This utility is quite useful for laptops or other desktop systems that are going to connect to the Internet temporarily. It is also useful as a starting point for servers where you want to manually install a single service (after running init4.sh-generic -f).
You can manually add a startup script back in (like /etc/rc4.d/S99sshd or /etc/rc4.d/httpd) by editing the init4.sh-generic script and changing the NEEDEDSVC variable (or just do it manually). That would then be the only listening service/server; nothing else would listen for remote connections.
It checks the following directories: /etc/rc2.d /etc/rc3.d
NOTE2: To make run level 4 the DEFAULT run level for the system, change the initdefault line in /etc/inittab. Default Solaris uses run level 3:
FROM:
is:3:initdefault:
CHANGE this line -after- running the init4.sh-generic script:
TO:
is:4:initdefault:
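The link-renaming step that "init4.sh-generic -f" performs, written as an added example rather than the Titan script itself: it takes the rc directories and the destination as arguments so it can be exercised in a scratch tree instead of /etc, and it reads a NEEDEDSVC variable (the example's assumption about how that variable is used: a space-separated list of S-script names to keep runnable in rc4.d).

```shell
#!/bin/sh
# Added example (not part of the Titan distribution). Emulates what
# init4.sh-generic -f does: every S* start script in the source rc
# directories gets a link in the destination directory whose name begins
# with K instead of S, so init does not start it when that run level is
# entered. Names listed in NEEDEDSVC (assumed usage) keep their S name.

NEEDEDSVC="${NEEDEDSVC:-}"

# build_rc4 SRC_DIR... DEST_DIR
# Creates DEST_DIR, links every S* script from the source directories into
# it under a K name (or the original S name if listed in NEEDEDSVC), and
# prints the number of scripts processed. Returns 1 on any failure.
build_rc4() {
    eval "dest=\$$#"            # last argument is the destination directory
    mkdir -p "$dest" || return 1
    count=0
    for src in "$@"; do
        if [ "$src" = "$dest" ]; then continue; fi
        for script in "$src"/S*; do
            [ -f "$script" ] || continue
            base=$(basename "$script")
            name="K${base#S}"
            for keep in $NEEDEDSVC; do
                if [ "$keep" = "$base" ]; then name="$base"; fi
            done
            # hard link, as Solaris rc directories are built from /etc/init.d
            [ -e "$dest/$name" ] || ln "$script" "$dest/$name" || return 1
            count=$((count + 1))
        done
    done
    echo "$count"
}

# start_scripts DIR - print the names of scripts init would still start
start_scripts() {
    for f in "$1"/S*; do
        [ -f "$f" ] && basename "$f"
    done
    return 0
}
```

Run it as "NEEDEDSVC=S89sshd build_rc4 /etc/rc2.d /etc/rc3.d /tmp/rc4.test" to see what /etc/rc4.d would contain before touching the live directory; start_scripts on the result should list only the services you deliberately kept.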
Titan.top This module is the same as Titan except that the path has been modified so that, when "Titan-Config" is run, Titan can be run from the top-most directory.
TitanReport This file runs all Titan modules in the $TITANDIR/bin/modules directory using the "-v" flag, then sends email with the results. TitanReport is intended to be run out of cron, or as an auditing tool. See the FAQ for more.
Sample.Desktop, sample.Firewall, sample.Server, sample.config These files are used as sample templates when Titan is run as "Titan -c config-file". See the FAQ for more.
backtit.sh This module is called by "Titan-Config" when it is run as "Titan-Config -i" (install). backtit.sh makes a backup copy of all the files Titan modifies (backtit.sh currently does not back up file permission changes). SEE Note above!
untit.sh untit.sh is called by "Titan-Config" when it is run as "Titan-Config -d" (de-install). untit.sh replaces the files modified by Titan with the original unsecured versions, and is provided as a recovery mechanism if we were too aggressive about securing the system.
src1 directory
noshell.c This is the preferred way of doing a noshell. It should be statically compiled (see Titan.v4.0/src1/Makefile) and should replace the shell script that disable-accounts.sh placed in /usr/sbin/noshell.
noshell-simple.c This is a simplified version of noshell.c. I don't expect this to get much use, but it should be statically compiled (see Titan.v4.0/src1/Makefile) and replace the /usr/sbin/noshell script that disable-accounts.sh creates. The script that disable-accounts.sh creates is better than nothing (better than /bin/true, which is also a shell script), but a statically linked C program is the best way to go.
Titan.v4.0/src1/Makefile.linux It turned out that with a few simple changes to the makefile, noshell and runas worked fine with Linux distributions (probably other Unix variants too).
runas.c This is a simple generic program that allows administrators to start daemons as non privileged users, and optionally to run in a chrooted environment. A really good example is the license manager daemon. Sun sets the license manager daemon (in /etc/rc2.d/S85lmgrd) to start up with the command (line 84 on my system) :
su nobody -c $lic_srvr_start
This isn't bad, but it requires that the login shell for user "nobody" be a valid shell. Well, being paranoid, Titan sets that shell to "noshell", so when some intruder tries to log in as user "nobody" we get a warning message. So to get the license manager daemon to start while keeping our security intact, we change /etc/rc2.d/S86lmgrd to use runas with the following syntax:
/sbin/runas 60001 60001 022 $lic_srvr_start
(the three arguments before the command are the UID of nobody, the GID of nobody, and the umask to use)
Voila! Secure as well as functional. With the latest runas.c you can also run things in a chrooted environment. This isn't required for the license manager daemon, but it will come in handy for http daemons.
Titan modules (arch/sol9sun4/bin/modules)
add-cmask.sh Adds a system-wide CMASK. New in Solaris 9; replaces add-umask.sh.
adjust-arp-timers.sh This changes the system configuration to shorten the ARP expiration timer to one minute instead of the default 20 minutes.
aset.sh This module was contributed by Jason R. Rhoads mailto:jasonr@net.com. aset.sh is a Titan wrapper around the Solaris Automated Security Enhancement Tool (ASET)
automount.sh Disables the automounter at boot time. (old version for compatibility)
automount2.sh. Moves aside the /etc/rc2.d/S74automount file so that automounter doesn't start up at boot.
bsm.sh bsm.sh verifies that the Basic Security Module (BSM) is enabled and configures auditing events by modifying /etc/security/audit_control. Auditing is configured to log all logins, admin operations (whether or not they succeed), as well as failures of all types except object attribute access failures. Auditing flags can be changed by editing this script. Note: When run in Fix mode and BSM was not previously enabled, it will be necessary to reboot.
cde.sh This module sets up CDE to not allow XDMCP logins from remote. In order to do this we:
1) Move /usr/dt/config/Xaccess to /usr/dt/config/Xaccess.0701021137
2) Move /etc/dt/config/Xaccess to /etc/dt/config/Xaccess.0701021137 (if it exists)
3) Replace the Xaccess file with a minimal one
4) chmod the file to work
create.issue.sh Creates the /etc/issue banner that gets displayed at login time. NOTE: see ssh-banner.sh below. You also need to enable that as well for ssh (new in Sol9)
cronset.sh This script checks/fixes CRONLOG=YES in /etc/default/cron, rotates the cron log files at 2Mb, and changes cron permissions.
decode.sh Looks for any ``|'' in /etc/aliases and fixes it if found.
defloginparams.sh Resets the /etc/default/login parameters to a stricter mode. Variables are in the script to allow you to match your security policy.
defpwparams.sh Resets the /etc/default/passwd parameters to be stricter. Variables are in the script to allow you to match your security policy.
disable-L1-A.sh Solaris 2.6 and newer only. This disables the L1-A or stop-A keyboard sequence by modifying /etc/default/kbd.
disable-NFS-2.6.sh This checks that the NFS system port is set as a privileged port. Works with Solaris 2.6 and newer, using the new ndd definitions:
ndd /dev/tcp tcp_extra_priv_ports
ndd /dev/udp udp_extra_priv_ports
disable-accounts.sh Disables ``system'' accounts like ``bin'' and ``daemon'' and creates a /usr/sbin/noshell script. NOTE! The noshell script should only be a placeholder until you compile and install the noshell statically linked C program. NOTE: if you don't have a root password set, Titan WILL disable root as well.
disable-afbinit.sh Disables the afbinit service from starting. Part of the OEM packages.
disable-cachefs.sh Name change from nuke-cachefs.sh Note: some systems require cachefs to run. HA systems as one example.
disable-core-sol8.sh This module uses coreadm to disable core files. No reboot is required!
disable-flashprom.sh Disables the flashprom daemon from listening for flashprom updates (from afar).
disable-ifbinit.sh Disables ifbinit daemon from starting (OEM package)
disable-L1-A.sh. Stops the L1-A sequence from being used
disable-llc2.sh Disables llc2 daemon (OEM package)
disable-ncalogd.sh Disables ncalogd from running (OEM package)
disable-ping-echo.sh This disables ip_respond_to_echo_broadcast so that specific ping crashes don't work. It also hides the system from some network probe agents that use broadcast ping to discover hosts to probe.
disable_ip_holes.sh Disables ip_forward, ip_forward_directed_broadcasts, ip_source_routed, and sets ip_ignore_redirect to 1, etc.
disable-pppd.sh Disables PPP daemon. Only needed for dialup.
disable-services.sh This disables various services from running during startup. By default it will turn off S73nfs.client, S74autofs, S80lp, S88sendmail, S71rpc, S99dtlogin, S28nfs.server, and S76snmpdx. The default set of services that are disabled can be changed by editing the DISABLERC variable in the script.
dmi-2.6.sh Simply moves aside all the dmi daemon startup files. DMI doesn't do any authentication; it allows core dumps and seems to allow you to start up arbitrary services. It isn't well documented what it actually does.
eeprom.sh Check only. This checks to see if you have set an eeprom password ("eeprom security-mode = command" is recommended; then move/remove the eeprom command support from the kernel). If you don't set an eeprom password, a bad guy might set one for you ("eeprom security-mode = full") and then halt your system. Then, since you don't know the password, you cannot reboot (DoS attack).
file-own.sh Changes system files (mainly in /usr) to be owned by "root". I personally don't like anything that the root user is going to run not being owned by root. When /usr/bin is owned by user ``bin'', user ``bin'' can trojan anything root runs; thus bin=root. So I change everything back to root to begin with. We need not mention NFS, where root=nobody but bin=bin; I think you get the point.
fix-cronpath.sh Changes permission and ownership of things run out of root's cron. Otherwise every time cron is run a new trojan/setuid-root file could be created.
fix-modes.sh modes.c modes; (From Casper Dik). Fixes all the mode 775 directories and binaries and changes the ownership to root where needed. The modes.c may need to be compiled locally.
- Big note here! - REMEMBER to re-run this whenever you add packages or patches!! If you don't, the modes get brain dead again. This should be run (-v) often such as out of cron or at least after adding any vendor patches. Then run -f as needed.
fix-stack.sol2.6.sh Solaris 2.6 has the protect_stack ability built-in as a /etc/system configurable option. This blocks many of the stack smashing bugs from working.
ftp-2.6_secure.sh This works with Solaris 2.6 and newer versions of in.ftpd. It adds a umask (UMASK=077) into /etc/default/ftpd, and also creates a short ftp login warning message by creating /etc/ftp-banner. There is a size limit imposed on the ftp banner, so if you modify this script, be cognizant of the length restriction. Caution - if you reset the Titan default for UMASK, care should be taken. It is possible to reset the umask value to a LESS secure mode (letting ftp create executable binaries or suid binaries would be a bad thing!).
ftpusers.sh Creates a sane /etc/ftpusers which stops users such as root or "bin" from using ftp. This prevents "root" from ftping over a new /etc/shadow file, and forces the administrators to ftp as themselves and then "su" to root thus keeping the audit trail (more) intact.
hosts.equiv.sh Checks for /etc/hosts.equiv. It should also check the /etc/nsswitch.conf "passwd" and "group" entries but currently doesn't.
hostallow.sh New for Solaris 9. NOTE: this only applies to ssh/sshd. See tcp_wrap.sh for all other services started out of inetd (in.telnetd, etc.).
inetd.sh Changes /etc/inetd.conf and turns off most of the services. You will want to localize this. For desktops for instance you might want to leave on the services for calendar manager and tooltalk (assuming windows) My suggestion is to turn on tcp_wrappers support with tcp_wrap.sh and wrap all services. Then get ssh and turn off rsh/rlogin and ftp and only use ssh/scp for remote access needs.
inetd2.sh A more restrictive version of the inetd.sh module. This one turns off everything, and runs a little cleaner for things like firewalls.
inetsvc.sh This module changes /etc/init.d/inetsvc to a minimum version such that named (DNS server), multicast, and DHCP are not supported. Obviously if you are on a DNS server, or a laptop that uses DHCP, you may not want to run this module. But for everything else, it helps by not allowing the system to be bothered by these.
keyserv2.9.sh New in sol9. Changes the keyserv startup /etc/default/keyserv changing ENABLE_NOBODY_KEYS=YES to ENABLE_NOBODY_KEYS=NO.
log-tcp.sh Adds the "-t" flag to in.inetd startup in /etc/rc2.d/S72inetsvc to trace all incoming TCP services.
loginlog.sh Fixes the syntax so that (assuming Sun patches) log entries are made for failed login attempts.
login_failed_retries.sh This program modifies /etc/default/login taking advantage of Solaris 8's RETRIES variable, which determines the number of failed logins that will be allowed before login exits.
lpsched.sh Disables lp. For firewalls, and non-print servers. Probably want to leave this service on for desktops.
nddconfig.2.9.sh Creates /etc/rc2.d/S70nddconfig and sets all of the kernel network modules that have to do with security (that we know of)
nfs-portmon.sh Turns on NFS port monitoring for Solaris.
nsswitch.sh Modifies /etc/nsswitch.conf removing all the nis/nis+/dns entries. This is useful on a firewall, but you may want to tune it down a little on networked servers and desktops. It also sets password and group to only look at local password/group files; again network servers or desktops might not want this behavior.
nuke-dtlogin.sh This program simply renames S99dtlogin to s99dtlogin so that dtlogin does not start at system boot.
nuke-nfs-client.sh For systems that don't use NFS, and for NFS servers. Disables the NFS client.
nuke-nfs-serv.sh For desktops and those systems that will never be exporting filesystems.
nuke-nscd.sh Disables the Name Service Cache Daemon. Useful on firewalls, but may not apply to desktops.
nuke-powerd.sh This program simply renames S85power to s85power so that powerd does not start at system boot
nuke-rpc.sh Just eliminates RPC. Used for Servers and Firewalls.
nuke-sendmail.sh This module does as it implies: it disables sendmail. This module should be used on firewalls that are not sendmail servers, servers that are not sendmail servers, and all desktops that have their mail delivered to a server.
nuke-smc.sh This module stops the Sun Management Console from starting.
pam-rhosts-2.6.sh This Solaris 2.6 module saves and modifies the /etc/pam.conf file, removing the line "rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1" such that rhosts are not allowed by the PAM system.
passwd.sh Checks that all accounts have passwords and adds in a "*" password if run in fix mode.
powerd2.8.sh Checks that the power suspend (/usr/openwin/bin/sys-suspend) can only be run by the root user.
psfix.sh This program creates /etc/rc3.d/S79tmpfix so that upon boot the /tmp directory will always have the sticky bit set mode 1777
queue-sendmail.sh Changes sendmail to queue mode only. Not much use if you already killed sendmail above.
rhosts.sh Originally from COPS. Scans for .rhosts in NIS and local directories but unlike COPS if run in fix mode it removes/renames them.
rmmount.sh This module adds in the nosuid option into /etc/rmmount.conf forcing vold to always mount CD's and floppies with the nosuid option enabled. Not needed if vold.sh has already disabled vold completely.
rootchk.sh Checks root's path and makes sure that root owns the directories and binaries in root's path. Changes them (when run -F) if they are wrong. Also removes the ``.'' from the path.
routed.sh Starts in.routed in the quiet mode (-q)
- Big note here! - REMEMBER to re-run this whenever you add any patches for in.routed. If you don't, in.routed will start up advertising routes again, since Titan's in.routed will be overwritten by the patch.
sendmail-forward.sh Takes advantage of new sendmail features to disable forwarding of mail (spammers using you to bounce their mail)
sendmail.sh Changes sendmail.cf, adding in the option ``goaway'' so that "telnet hostname 25" (connecting to the sendmail port) doesn't allow a cracker to look up user info. Note: you should also change P=/bin/sh to P=/bin/false if you can, or look into using smrsh for servers and desktops. Note: firewalls should TURN OFF/wrapper sendmail on the firewall system. Now would be a good time to look into Postfix.
smtpbanner-8.8.sh Modifies the sendmail version 8.8 sendmail.cf to change the banner to give out less information.
ssh-banner.sh Changes to /etc/ssh/sshd_config file to force ssh to display a banner when connecting.
syslog-block-remote.sh New module. Configures syslog to NOT accept remote calls to your syslogd. This should be run on all systems that ARE NOT defined as "loghost"; loghost systems SHOULD NOT run this module. Note: For critical systems you should have at least one system defined as "loghost" somewhere in your /etc/hosts (or NIS/NIS+) such that local logs are also sent to a remote "loghost" server. This is so you can do a sanity check to see if your local logs have been erased (intrusion).
snmpdx-2.6.sh (2.6snmpdx.sh) Simply moves aside all the snmpdx daemon startup files. snmpdx gives out more information than you really want it to. Who needs a port scanner if snmpdx is running?
sulog.sh This script checks for the existence of /var/adm/sulog, and whether its permissions/ownership are 600 root:sys. It will create the file if it doesn't exist and fix the permissions/ownership.
syslog.sh Modifies /etc/syslog.conf so that console messages are also saved to system log files. Note: For critical systems, you should have at least one remote system defined as "loghost" in your /etc/hosts (or NIS/NIS+) so you can do sanity checks to see if your local logs have been changed/deleted by an intruder.
syslog_failed_logins.sh Modifies /etc/default/login taking advantage of SYSLOG_FAILED_LOGINS variable. If the variable is set to 0, login will log -all- failed login attempts.
tcp_connection_logging.sh This program checks/sets the ENABLE_CONNECTION_LOGGING=YES variable in /etc/default/inetd, which allows for logging of tcp connections.
tcp-sequence.sh Solaris 2.6 and newer. Changes the TCP initial sequence number generation parameters to use RFC 1948 sequence number generation, unique-per-connection-ID.
tcp_wrap.sh This program checks/sets the ENABLE_TCPWRAPPERS=YES variable in /etc/default/inetd, which allows for tcp wrappers support for all Solaris /etc/inetd services.
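tcp_connection_logging.sh and tcp_wrap.sh (and the /etc/default/login modules login_failed_retries.sh and syslog_failed_logins.sh) all do the same thing: check that a KEY=VALUE line is in effect in an /etc/default file and set it in fix mode. The following is an added example of that check/fix pattern, not code from Titan; it takes the file as an argument, so it runs against a constructed copy rather than the live /etc/default/inetd, and it keeps a FILE.orig backup in the spirit of backtit.sh (the backup-file name is this example's choice).

```shell
#!/bin/sh
# Added example (not Titan's own code): generic check/fix for KEY=VALUE
# settings in Solaris /etc/default files, exercised here on a constructed
# copy of /etc/default/inetd.

# default_is_set FILE KEY VALUE
# Succeed (0) only if an uncommented KEY=VALUE line is present; 1 otherwise.
# A commented-out "#KEY=VALUE" line does not count: inetd never reads it.
default_is_set() {
    grep -q "^[[:space:]]*$2=$3[[:space:]]*\$" "$1"
}

# default_set FILE KEY VALUE
# Make KEY=VALUE the effective setting: rewrite an existing uncommented
# KEY= line in place, otherwise append one. Saves FILE.orig first so the
# change can be backed out (assumed backup naming, not Titan's).
default_set() {
    file=$1; key=$2; value=$3
    [ -f "$file.orig" ] || cp "$file" "$file.orig" || return 1
    if grep -q "^[[:space:]]*$key=" "$file"; then
        sed "s|^[[:space:]]*$key=.*|$key=$value|" "$file" > "$file.tmp" || return 1
    else
        { cat "$file"; echo "$key=$value"; } > "$file.tmp" || return 1
    fi
    mv "$file.tmp" "$file"
}

# make_sample_inetd FILE - constructed sample of /etc/default/inetd with both
# knobs present only as comments, as a stock install might ship them.
make_sample_inetd() {
    cat > "$1" <<'EOF'
# /etc/default/inetd (constructed sample, not the real file)
#ENABLE_CONNECTION_LOGGING=NO
#ENABLE_TCPWRAPPERS=NO
EOF
}

# check_mode FILE - report like a Titan "-v" run, without touching the file;
# returns 1 if anything is missing so cron can mail on failure.
check_mode() {
    rc=0
    for setting in ENABLE_CONNECTION_LOGGING=YES ENABLE_TCPWRAPPERS=YES; do
        if default_is_set "$1" "${setting%=*}" "${setting#*=}"; then
            echo "PASS: $setting in $1"
        else
            echo "FAIL: $setting not set in $1"; rc=1
        fi
    done
    return $rc
}

# fix_mode FILE - apply both settings, like a Titan "-f" run
fix_mode() {
    default_set "$1" ENABLE_CONNECTION_LOGGING YES &&
    default_set "$1" ENABLE_TCPWRAPPERS YES
}
```

default_is_set is deliberately strict about the value: a file that contains only "#ENABLE_TCPWRAPPERS=NO" fails the check, and fix_mode appends a live line rather than uncommenting the old one, which is why check_mode passes afterwards. The same two functions can be pointed at /etc/default/login with RETRIES or SYSLOG_FAILED_LOGINS as the key.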
telnet-banner.sh This module was contributed by Jason R. Rhoads mailto:jasonr@net.com. telnet-banner.sh sets BANNER="" in /etc/default/telnetd so that the Solaris version is not
tmpfs-fixsize.sh donated module by Joachim.Knoke@germany.sun.com. Checks if /tmp is a virtual filesystem and if so sets it up to have a size limit. This blocks some user level DoS type attacks.
userumask.sh Adds in a umask of 022 for users in /etc/skel and /etc files.
useraddset.sh Set up modifications to the default useradd program.
utmp2.7.sh Checks utmpx just to be sure it isn't world writeable.
vold.sh Turns off vold. Vold is not needed on firewalls and servers, but might be left on desktop systems where users are allowed to mount CDs and floppy disks via windowing tools.
x-nolisten.sh New for Solaris 9! Changes the X startup configuration to not listen for remote X connections, by adding "-nolisten tcp" to the X startup line in the /usr/dt/config/Xservers file. This does not prevent the X server (cde/gnome) from running; it only prevents remote persons from connecting.
FROM:
:0 Local local_uid@console root /usr/openwin/bin/Xsun :0 -nobanner
TO:
:0 Local local_uid@console root /usr/openwin/bin/Xsun :0 -nobanner -nolisten tcp
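The Xservers edit above, as an added check/fix example (not the x-nolisten.sh module itself): it works on whatever file you pass in, skips comment lines, and is idempotent, so a second fix run does not append "-nolisten tcp" twice. The sample Xservers content in the test is constructed.

```shell
#!/bin/sh
# Added example (not Titan's code): check and fix "-nolisten tcp" on the
# X server line(s) of an Xservers file given as an argument.

# xservers_listens FILE
# Succeed (0) if some uncommented Xsun line still lacks "-nolisten tcp",
# i.e. the X server would still accept remote TCP connections.
xservers_listens() {
    grep -v '^[[:space:]]*#' "$1" | grep 'Xsun' | grep -qv -- '-nolisten tcp'
}

# xservers_fix FILE
# Append " -nolisten tcp" to every uncommented Xsun line that lacks it;
# lines that already have it, comments and non-Xsun lines pass through
# unchanged. Edits a temporary copy and renames it over the original.
xservers_fix() {
    awk '/^[[:space:]]*#/ || !/Xsun/ || /-nolisten tcp/ { print; next }
         { print $0 " -nolisten tcp" }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
```

In check mode you would only call xservers_listens and report; the awk filter in xservers_fix is what makes the "TO:" line above out of the "FROM:" line, and re-running it on an already-fixed file is a no-op.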
ziplock.sh The final step in tightening - READ CAREFULLY - This program absolutely tightens perms for much of the OS. Caution: after this is run, ONLY root and group STAFF will be able to run many system functions!!! Not intended to be run on normal systems, only those with strict access rules.
Optional Modules
This directory contains some specific case modules, where you don't want or need to run them except in specific configurations. They are put into the optional directory just so they don't get run by accident.
anon-ftp.setup.sh Straight from the Man page for in.ftpd. Sets up Anonymous ftp area in a reasonable way. This should NOT be used very often, only on systems that are supposed to allow anonymous ftp. Titan does not run this by default.
suid.sh This is a "check only" module. Run it once, and it will report the number of setuid binaries on the local file systems. EDIT the script once this number is known and change the "known_suid" variable. On subsequent checks, suid.sh will check and report any new suid binaries that appear (on local file systems only). This is meant for audit purposes and possibly for use in cron. Tripwire is a much better solution, and if suid.sh makes you think about getting and installing Tripwire then it has achieved its purpose.
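The audit that suid.sh describes, as an added example rather than the module's own code: it takes the directory to scan as an argument (so it can be tried on a scratch tree instead of all local file systems) and, going one step beyond the count in known_suid, it also keeps a baseline listing so that it can name the new setuid files rather than only noticing that the number changed. The baseline file path and the exit status of 2 for "new setuid files found" are this example's conventions.

```shell
#!/bin/sh
# Added example (not Titan's suid.sh): setuid inventory and comparison
# against a saved baseline, restricted to one file system like the module.

known_suid="${known_suid:-0}"   # baseline count, as the module has you record

# list_suid DIR - print every setuid regular file under DIR, sorted, staying
# on DIR's file system (-xdev; Solaris find also spells this -mount)
list_suid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# count_suid DIR - number of setuid files under DIR, like suid.sh's check
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# count_changed DIR - 0 if the count still equals known_suid, 1 otherwise
count_changed() {
    [ "$(count_suid "$1")" != "$known_suid" ]
}

# audit_suid DIR BASELINE_FILE
# First run (no baseline yet): record the listing and return 0.
# Later runs: return 0 if no setuid file is new since the baseline, or 2
# (after printing the new paths) so a cron job can mail on that status.
audit_suid() {
    dir=$1; baseline=$2
    if [ ! -f "$baseline" ]; then
        list_suid "$dir" > "$baseline"
        echo "baseline recorded: $(wc -l < "$baseline" | tr -d ' ') setuid files"
        return 0
    fi
    list_suid "$dir" > "$baseline.now"
    new=$(comm -13 "$baseline" "$baseline.now")   # lines only in the new listing
    rm -f "$baseline.now"
    if [ -n "$new" ]; then
        echo "NEW setuid files since baseline:"
        echo "$new"
        return 2
    fi
    return 0
}
```

Run "audit_suid / /var/adm/suid.baseline" once by hand to record the baseline after you have reviewed it, then from cron; a setuid file that appears after a patch or a package install shows up by path on the next run. As the module's note says, this catches additions only; a tool like Tripwire that also tracks contents and modes is the better long-term answer.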