Titan Titan is the program which runs all the other shell scripts (*.sh). It accepts one of the flags -I (intro), -F (fix), -C (configuration) [+ filename] or -V (verify).
MinimizeOS is a new module that takes a configuration file and does a pkgrm of every package that is not listed in that file. This minimizes the OS and removes unused (and potentially insecure) packages from the system. Use with caution.
Titan.top This module is the same as Titan except that the path has been modified so that, when "Titan-Config" is run, Titan can be run from the top-level directory.
TitanReport This file runs all Titan modules in the $TITANDIR/bin/modules directory with the "-v" flag, then sends the results by email. TitanReport is intended to run from cron, or as an auditing tool. See the FAQ for more.
backtit.sh This module is called by "Titan-Config" when it is run as "Titan-Config -i" (install). backtit.sh makes a backup copy of every file Titan modifies (backtit.sh currently does not back up file permission changes). SEE Note above!
untit.sh untit.sh is called by "Titan-Config" when it is run as "Titan-Config -d" (de-install). untit.sh replaces the files modified by Titan with the original, unsecured versions, and is provided as a recovery mechanism in case we were too aggressive about securing the system.
src1 directory
noshell.c This is the preferred way of doing a noshell. It should be statically compiled (see Titan.v4.0/src1/Makefile.linux) and should replace the shell script that disable-accounts.sh placed in /usr/sbin/noshell.
noshell-simple.c This is a simplified version of noshell.c. I don't expect it to get much use, but it should be statically compiled (see Titan.v4.0/src1/Makefile) and replace the /usr/sbin/noshell script that disable-accounts.sh creates. The script that disable-accounts.sh creates is better than nothing (and better than /bin/true, which is also a shell script), but a statically linked C program is the best way to go.
Titan.v4.0/src1/Makefile.fbsd It turned out that, with a few simple changes to the makefile, noshell and runas worked fine on Linux distributions (and probably other Unix variants too).
runas.c This is a simple, generic program that allows administrators to start daemons as non-privileged users, and optionally to run them in a chrooted environment. A really good example is the license manager daemon. Sun sets the license manager daemon (in /etc/rc2.d/S85lmgrd) to start up with the command (line 84 on my system):
su nobody -c $lic_srvr_start
This isn't bad, but it requires that the login shell of user "nobody" be a valid shell. Being paranoid, Titan sets that shell to "noshell", so when some intruder tries to log in as user "nobody" we get a warning message. To get the license manager daemon to start while keeping our security intact, we change /etc/rc2.d/S86lmgrd to use runas with the following syntax:

    /sbin/runas 60001 60001 022 $lic_srvr_start
                ^^^^^ ^^^^^ ^^^
                UID   GID   umask to use
                (nobody) (nobody)

Voila! Secure as well as functional. With the latest runas.c you can also run things in a chrooted environment. This isn't required for the license manager daemon, but it will come in handy for http daemons.
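The following is an added example, not Titan's own runas.c, showing the privilege-drop sequence a runas-style wrapper has to get right: chroot while still root (then chdir into the jail), clear supplementary groups and setgid before setuid, setuid last, and verify root cannot be regained before exec'ing the daemon. The command line follows the form shown above; the optional -r JAILDIR flag and the helper names are assumptions made for this example.

```c
/* Added example, not Titan's own runas.c: a minimal runas-style wrapper.
 * Usage (the -r flag is an assumption for this example):
 *
 *     runas [-r JAILDIR] UID GID UMASK COMMAND [ARGS...]
 */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse a decimal id such as "60001"; returns -1 on anything else. */
long parse_id(const char *s)
{
    char *end;
    long v;
    if (s == NULL || *s == '\0') return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0) return -1;
    return v;
}

/* Parse an octal umask such as "022"; returns -1 on anything else. */
long parse_octal_mode(const char *s)
{
    char *end;
    long v;
    if (s == NULL || *s == '\0') return -1;
    errno = 0;
    v = strtol(s, &end, 8);
    if (errno != 0 || *end != '\0' || v < 0 || v > 0777) return -1;
    return v;
}

/* Drop to uid/gid, apply the umask, and optionally confine to jail.
 * The order is the whole point:
 *   1. chroot() first, while still root, then chdir("/") so no directory
 *      handle outside the jail survives;
 *   2. clear supplementary groups and setgid() BEFORE setuid(), because
 *      once the uid is unprivileged the group list can no longer change;
 *   3. setuid() last, then prove root cannot be regained.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid, mode_t mask, const char *jail)
{
    if (jail != NULL) {
        if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    }
    if (getuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) {   /* privileges were not really dropped */
        errno = EPERM;
        return -1;
    }
    umask(mask);
    return 0;
}

int main(int argc, char **argv)
{
    const char *jail = NULL;
    int i = 1;
    long uid, gid, mask;

    if (argc > 2 && strcmp(argv[1], "-r") == 0) { jail = argv[2]; i = 3; }
    if (argc - i < 4) {
        fprintf(stderr, "usage: %s [-r JAILDIR] UID GID UMASK COMMAND [ARGS...]\n", argv[0]);
        return 2;
    }
    uid = parse_id(argv[i]);
    gid = parse_id(argv[i + 1]);
    mask = parse_octal_mode(argv[i + 2]);
    if (uid < 0 || gid < 0 || mask < 0) {
        fprintf(stderr, "%s: bad UID, GID or UMASK\n", argv[0]);
        return 2;
    }
    if (drop_privileges((uid_t)uid, (gid_t)gid, (mode_t)mask, jail) != 0) {
        perror("drop_privileges");
        return 1;
    }
    /* Only now is it safe to start the daemon (e.g. $lic_srvr_start). */
    execvp(argv[i + 3], &argv[i + 3]);
    perror(argv[i + 3]);
    return 127;
}
```

Compile it statically, as the README recommends for noshell, so that a chrooted daemon does not need shared libraries inside the jail. The final setuid(0) probe is the check most home-grown wrappers omit: if it succeeds, the uid change did not touch the saved set-user-id and the daemon could climb back to root.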
Titan modules (arch/RedHat/bin/modules)
create.issue.sh Creates the /etc/issue banner that gets displayed at login time.
ftpusers.sh Creates a sane /etc/ftpusers which stops users such as root or "bin" from using ftp. This prevents "root" from ftping a new /etc/shadow file onto the system, and forces administrators to ftp as themselves and then "su" to root, thus keeping the audit trail (more) intact.
inetd.sh Changes /etc/inetd.conf and turns off most of the services. You will want to localize this; on desktops, for instance, you might want to leave on the services for calendar manager and tooltalk (assuming a windowing environment). My suggestion is to get tcp_wrappers and wrap all services, then get ssh, turn off rsh/rlogin and ftp, and use only ssh/scp for remote access.
This program copies /etc/inetd.conf to /etc/inetd.conf.ORIG-DATE, then adds an entry to /etc/rc.conf to increase the number of times a service can be invoked in one minute (the default is 256; 1024 sounds more reasonable, adjust as needed). Change RATE=1024 to adjust the number of times a service can be invoked.
NOTE: This changes inetd_flags. If you have existing flags that you want to keep, make changes to the script as needed.
log_in_vain.sh This program copies /etc/inetd.conf to /etc/inetd.conf.ORIG-DATE, then adds an entry to /etc/rc.conf to log all connection attempts to TCP/UDP ports without services running on them.

Use this module with caution: all inetd network services will be disabled. This program copies /etc/inetd.conf to /etc/inetd.conf.ORIG-DATE, then adds an entry to /etc/rc.conf to stop inetd from starting at boot.

Use this module with caution. This program copies /etc/inetd.conf to /etc/inetd.conf.ORIG-DATE, then adds an entry to /etc/rc.conf to stop portmapper from starting at boot.
nuke-sendmail.sh This module does what its name implies: it disables sendmail. It should be used on firewalls that are not sendmail servers, on servers that are not sendmail servers, and on all desktops that have their mail delivered to a server.
This program copies /etc/hosts.allow to /etc/hosts.allow.ORIG and modifies the runtime /etc/hosts.allow so that the following tcp services present a pre-login banner.
tcp banner services include: telnetd ftpd rlogind
NOTE: Important -> this overrides existing hosts.allow filters! To place your own access filters in this script, change the filter entry. Should you need to change the service list, vi this script and modify the $ServiceList variable to include/exclude services as you wish.