Titan Titan is the program which runs all the other shell scripts (*.sh) and accepts either the -I (intro) -F (fix) -C (configuration) [ + filename] )or -V (verify) flag.
MinimizeOS is a new module that takes a configuration file and does a pkgrm of all modules that are not found in the configuration file. This minimizes the OS and removes unused (and potentially insecure) packages from the system.Use with caution.
Titan.top This module is the same as Titan except the path has been modified so that When "Titan-Config" is run, Titan can be run from the top most directory.
TitanReport. This file runs all Titan modules in the $TITANDIR/bin/modules directory using the "-v" flag. TitanReport then sends email with the results. Titanreport is intended to run out of cron, or as an auditing tool. See the FAQ for more.
Sample.Desktop, sample.Firewall, sample.Server, sample.config. These files are used as sample templates when titan is run as "Titan -c config-file". See the FAQ for more.
backtit.sh This modules is called by "Titan-Config" when run "Titan-Config -i" (install). Backtit.sh makes a backup copy of all the files Titan modifies (backtit.sh currently does not backup file permission changes) SEE Note above!
untit.sh Untit.sh is called by "Titan-Config" when run 'Titan-Config -d" (de-install) Untit.sh replaces the files modified by Titan with the original unsecured versions, and is provided as a recovery mechanism if we were too aggressive about securing the system.
src1 directory
noshell.c This is the preferred way of doing a noshell. This should be statically compiled (see Titan.v4.0/src1/Makefile.linux) and should replace the shell script that disable-accounts.sh placed in /usr/sbin/noshell.
noshell-simple.c This is a simplified version of noshell.c . I don't expect this to get much use, but should be statically compiled (see Titan,v4.0/src1/Makefile) and replace the /usr/sbin/noshell script that disable-accounts.sh creates. the script that disable-accounts.sh creates is better than nothing, (better than /bin/true which is also a shell script) but a statically linked C program is the best way to go.
Titan,v4.0/src1/Makefile.linux It turned out that with a few simple changes to the makefile, that noshell and runas worked fine with Linux distributions (probably other Unix variants too).
runas.c This is a simple generic program that allows administrators to start daemons as non privileged users, and optionally to run in a chrooted environment. A really good example is the license manager daemon. Sun sets the license manager daemon (in /etc/rc2.d/S85lmgrd) to start up with the command (line 84 on my system) :
su nobody -c $lic_srvr_start
This isn't bad, but it requires that the user shell for user "nobody" be a valid shell. Well being paranoid, Titan sets the shell to "noshell" so when some intruder tries to login as user "nobody" we get a warning message. So to get the license manager daemon to start, while keeping our security intact, we change the /etc/rc2.d/S86lmgrd to use runas with the following syntax:
/sbin/runas 60001 60001 022 $lic_srvr_start
^^^^^ ^^^^ ^^^
nobodyUID nobodyGID umask to use
viola! Secure as well as functional. With the latest runas.c you can also run things in a chrooted environment. This isn't required for the license manager daemon, but will come in handy for http daemons.
Titan modules (arch/RedHat/bin/modules)
add-umask.sh Adds system wide umasks for rc?.d files causing system daemon to create more secure files; (From Casper Dik's code.)
adjust-arp-timers.sh This changes the system configuration to shorten the ARP expiration timer to one minute instead of the default 20 minutes.
atset.sh This script checks/puts CRONLOG=YES in /etc/default/cron,
changes the permissions of /var/cron so that the users cannot
peek in the cron log file (it seems the file is created with 600
perms anyhow, but one never knows), and modifies /etc/cron.daily/logchecker
to rotate the log files at 2MB file size.
For linux this creates /etc/cron.allow and adds only root by default.
All other local password accounts are added to /etc/cron.deny.
create.issue.sh Creates the /etc/issue banner that gets displayed at login time.
cronset.sh. This script check/fixes CRONLOG-YES in /etc/default/cron, rotates the cron log files at 2Mb, and changes cron permissions.
decode.sh Looks for any ``|'' in /etc/aliases and fixes if found.
disable-accounts.sh Disables ``system'' accounts like ``bin'' and ``daemon'' and creates a /usr/sbin/noshell script. The noshell script should only be a place holder until you compile and install the noshell statically linked C program. NOTE: if you don't have a root password set, titan WILL disable root as well.
duplicate-root.sh Check for extra root accounts.
file-own.sh Changes system files (mainly in /usr ) to be owned by "root"." I personally don't like anything that the root user is going to run not being owned by root. When /usr/bin is owned by user ``bin'' user ``bin can trojan anything root runs; thus bin=root. Thus I change everything back to root to begin with. We need not mention NFS where root=nobody but bin=bin; I think you get the point.
fix-cronpath.sh Changes permission and ownership of things run out of roots cron. Otherwise every time cron is run a new trojan/setuid-root-file could be created.
ftpaccess_secure.sh Changes or creates /etc/ftpaccess file to add in a umask, ftp banner
and restrictions on file transfers. If you are unlucky enough to lose
your root password this change will restrict downloads of any files named
passwd or shadow, period...
Changes or created /etc/banner for the ftpaccess parser to display an approriate
warnign message on connection.. Similar to /etc/issue...
"This system is for authorized users only. Monitoring may occur"
ftpusers.sh Creates a sane /etc/ftpusers which stops users such as root or "bin" from using ftp. This prevents "root" from ftping over a new /etc/shadow file, and forces the administrators to ftp as themselves and then "su" to root thus keeping the audit trail (more) intact.
hosts.equiv.sh Checks for /etc/hosts.equiv. it should also check /etc/nsswitch.conf "password and group" entries but currently doesn't.
inetd.sh Changes /etc/inetd.conf and turns off most of the services. You will want to localize this. For desktops for instance you might want to leave on the services for calendar manager and tooltalk (assuming windows) My suggestion is to get tcp_wrappers and wrap all services. Then get ssh and turn off rsh/rlogin and ftp and only use ssh/scp for remote access needs.
inetd2.sh A more restrictive version of the inetd.sh module. This one turns off everything, and runs a little cleaner for servers.
limit-core-redhat.sh This changed the /etc/rc.d/init.d/functions file making the core dump
size limited to zero length. This prevents bad-guys forcing a core dump to examine
any information that might be stored in the core.
log-tcp.sh Changes the inet startup configuration to use the "-d" flag
in /etc/rc.d/init.d/inet.
From the inetd man page:
-d Instructs inetd to trace the incoming connections
for all of its TCP services. It does this by log-
ging the client's IP address and TCP port number,
along with the name of the service, using the sys-
log(3) facility.
loginlog.sh Fixes the syntax so that log entries are made for failed login attempts.
lpsched.sh Disables lp. For firewalls, and non-print servers. Probably want to leave this service on for desktops.
nsswitch.sh Modifies /etc/nsswitch.conf removing all the nis/nis+/dns entries. This is useful on a firewall, but you may want to tune it down a little on networked servers and desktops. It also sets password and group to only look at local password/group files; again network servers or desktops might not want this behavior.
nuke-sendmail.sh This module does as it implies. Disables sendmail. This modules should be used on Firewalls that are not sendmail servers, Servers that are not sendmail servers, and all desktops that have their mail delivered to a server.
pam-rhosts.sh This saves and modifies the /etc/pam.conf file removing the line: " rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1" such that rhosts are not allowed by the PAM system.
passwd.sh Checks that all accounts have passwords and adds in a "*" password if run in fix mode.
psfix.sh This program creates /etc/rc3.d/S79tmpfix so that upon boot the /tmp directory will always have the sticky bit set mode 1777
rhosts.sh Originally from COPS. Scans for .rhosts in NIS and local directories but unlike COPS if run in fix mode it removes/renames them.
rootchk.sh Checks roots path and makes sure that root owns the directories and binaries in roots path. Changes them (when run -F) if they are wrong. Also removes the ``.'' from the path.
rootpath.sh Check root's path for .
routed-quiet.sh Starts in.routed in the quiet mode (-q)
- Big note here! - REMEMBER to re-run this whenever you add any patches for in.routed.If you don't, the in.routed will start up advertising routes agai
sendmail-forward.sh Takes advantage of new sendmail features to disable forwarding of mail (spammers using you to bounce their mail)
sendmail.sh changes sendmail.cf adding in the option ``goaway'' so that telnet hostname 25" (connecting to the sendmail port) doesn't allow cracker to look up user info. Note- you should also changes the P=/bin/sh to P=/bin/false if you can or look into using smrsh for servers and desktops. Note- firewalls should TURN OFF/wrapper sendmail on the firewall system. Now would be a good time to look into Postfix.
Modified sendmail version 8.8 sendmail.cf to change the banner to give out less information.
snmpdx.sh Simply moves aside all the snmpdx daemons start up files. Snmpdx give out more information than you really want it to. Who needs a port scanner if snmpdx is running?
syslog.sh Modifies /etc/syslog.conf so that console messages are also saved to system log files. Note: For critical systems, you should have at least one remote system defined as "loghost" in your /etc/hosts (or NIS) so you can do sanity checks to see if your local logs have been changed/deleted by an intruder.
telnet-banner.sh This module was contributed by Jason R. Rhoads mailto:jasonr@net.com. telnet-banner.sh sets BANNER="" in /etc/default/telnetd so that the Solaris version is not
tftp-disable.sh Disables tftp.
tftpServer.sh configures tftp to allow specific directories to be tftp'd (for things like cisco
router or boot servers)
ttytab.sh This program checks /etc/securetty to disable b -s problems.
tune-perm.sh Runs a modified file permission fixes origionally from Sun'
patch 100103-12
Tune attributes on file system objects
This portion will set file system object permissions
to a more secure setting.
userumask.sh Adds in a umask of 022 for users in /etc/skel and /etc files.
useraddset.sh Set up modifications to the default useradd program.
utmp.sh Checks utmpx just to be sure it isn't world writeable.
uucp-disable.sh Check login shell for uucp is disabled
ypserver-client.sh Check that /etc/passwd on ypserver does not have client line
ziplock.sh The final step in tightening - READ CAREFULLY -This program absolutely tightens perms for much of the OS. Caution after this is run ONLY root and group STAFF will be able run many system functions!!! Not intended to be run on normal systems only those with strict access rules.