
hasys -force sys

Following is taken from “http://blogs.sun.com/gbrunett/date/20040923”

The next item of my list of lesser known and/or publicized security enhancements to the Solaris 10 OS is account lockout. Account lockout is the ability of a system or service to administratively lock an account after that account has suffered “n” consecutive failed authentication attempts. Very often “n” is three, hence the “three strikes” reference.

Recall from yesterday’s entry on non-login and locked accounts that there is in fact a difference. Locked accounts are not able to access any system services whether interactively or through the use of delayed execution mechanisms such as cron(1M). So, when an account is locked out using this capability, only a system administrator is able to re-enable the account, using the passwd(1) command with the “-u” option.

Account lockout can be enabled in one of two ways. The first way will enable account lockout globally for all users. The second method will allow more granular control of which users will or will not be subject to account lockout policy. Note that the account lockout capability will only apply to accounts local to the system. We will look at both in a little more detail below.

Before we look at how to enable or disable the account lockout policy, let’s first take a look at how you configure the number of consecutive, failed authentication attempts that will serve as your line in the sand. Any number of consecutive, failed attempts beyond the number selected will result in the account being locked. This number is based on the RETRIES parameter in the /etc/default/login file. By default, this parameter is set to 5. You can certainly customize this parameter based on your local needs and policy. By default, the Solaris Security Toolkit will set the RETRIES parameter to 3.

Now that we know how to define how many consecutive, unsuccessful authentication attempts we will allow, let’s take a look at how you can enable the account lockout policy globally. This policy can be altered using the LOCK_AFTER_RETRIES variable in the /etc/security/policy.conf file. Just as it sounds, if you set this parameter to YES, then the account lockout policy is enabled for all users on the system (unless there is a user override which we will talk about in a minute). By default, this parameter is set to NO which means that account lockout is not enabled.

So, let’s try a simple example. First, I created a test account called gmb. Next, I set the LOCK_AFTER_RETRIES parameter in /etc/security/policy.conf to YES. To see how this feature works, I attempted to authenticate to a system (and failed) using three different services: (1) TELNET, (2) FTP and (3) RLOGIN. I failed the login attempt for each of these services (in turn) twice with the exception of RLOGIN since after the fifth failed attempt the account was locked. I ran this test from the system’s console so that the log messages could be injected into the output stream to give you a better idea of what was happening. Here is the actual log of the test that was run:

# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
login: gmb
Password:
Login incorrect
login: gmb
Password:
Login incorrect
login: 
Connection to localhost closed by foreign host.
# ftp localhost
Connected to localhost.
220 sampleHost FTP server ready.
Name (localhost:root): gmb
331 Password required for gmb.
Password:
530 Login incorrect.
Login failed.
ftp> user gmb
331 Password required for gmb.
Password:
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.
# rlogin -l gmb localhost
Password:
Sep 23 23:23:47 sampleHost login: Excessive (5) login failures for gmb: locking account.
Login incorrect
login: 

As you can see, after the fifth attempt, the gmb account was locked. This can also be verified by looking at the shadow(4) file entry for that account:

# grep "^gmb:" /etc/shadow
gmb:*LK*R12OfCMPngtJQ:12685::::::5 

You can see that the account has been locked and that a record of the number of failures is available in the last column. From the shadow(4) manual page, the last field (called “flag”) stores the failed login count in the low order four bits while reserving the remainder for future use. This means that you can also look at individual shadow(4) entries and see how many consecutive failed authentication attempts have been made per user. For example, you could do the following to see how many users have had failed authentication attempts since their last successful login:

# awk -F: '$NF >= 1 { print; }' /etc/shadow
gmb:*LK*R12OfCMPngtJQ:12685::::::5
foo:02YZb5ZaMrcrk:12685::::::2
bar:XF0Ggjq1c6tYQ:12685::::::1
baz:.VxOG4ytNE8es:12685::::::3

If a user who has had failed authentication attempts is finally able to successfully login to the system, that user will be presented with a message like:

# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
login: baz
Password:
Warning: 3 failed login attempts since last successful login.
Last login: Thu Sep 23 23:36:44 from localhost

This warning message is available for interactive login services (not FTP) and is very helpful in providing warning to users who may not have been responsible for the failed authentication attempts. It is important that you educate your users to not simply ignore these messages as they could be a symptom of an ongoing attack on their account.

Also, note that once a user has successfully authenticated to a system, the failed login count is reset:

# grep "^baz" /etc/shadow
baz:.VxOG4ytNE8es:12685::::::

Note that the use of alternate authentication mechanisms such as rhosts or Secure Shell public key authentication will not reset the failed login count even on successful login. Should an account be locked however (either administratively or through the account lockout facility), the account would no longer be accessible even when using these alternate authentication methods. For example:

# grep gmb /etc/shadow
gmb:*LK*R12OfCMPngtJQ:12685::::::
# rsh -l gmb localhost /bin/finger
account expired

or for Secure Shell…

# ssh -l gmb -i /export/home/gmb/.ssh/id_dsa localhost
Enter passphrase for key '/export/home/gmb/.ssh/id_dsa':
Sep 24 00:34:59 sampleHost sshd[1504]: Failed publickey for gmb from 127.0.0.1 port 32801 ssh2
Password:

The second way in which account lockout can be configured is per-user in the /etc/user_attr file. Each user listed in the /etc/user_attr file can have an attribute defined called lock_after_retries. For a description of the format of this file, see the user_attr(4) manual page. By default, this value is set to no.

To configure account lockout for a specific user, simply add the lock_after_retries attribute with a value of yes. For example, let’s assume you have an entry for user gmb:

gmb::::type=normal;profiles=FOO Security Management;roles=secadm

To enable account lockout, you simply change the above line to:

gmb::::type=normal;profiles=FOO Security Management;roles=secadm;lock_after_retries=yes

Let’s take another view on this. Let’s assume that the account lockout policy has been enabled globally using the method described above. You can then configure some users to be immune to this policy using this user-specific override. For example, if the LOCK_AFTER_RETRIES parameter was set to YES in /etc/security/policy.conf, but you did not want the policy to apply to the gmb account, then you only need to make sure that the /etc/user_attr file contains an entry for the gmb account that sets the lock_after_retries attribute to no as in:

gmb::::lock_after_retries=no

Here is an example of how this works. I will attempt to access the gmb account with an invalid password five times using TELNET. In contrast to the above example, the account should not be locked and no account locked message should be generated. First, let’s confirm we have our system configured correctly for this test:

# grep "^gmb:" /etc/shadow
gmb:h8HsRoqrne1oQ:12685::::::::::
# grep "^gmb:" /etc/user_attr
gmb::::lock_after_retries=no
# grep "^LOCK_AFTER_RETRIES=" /etc/security/policy.conf
LOCK_AFTER_RETRIES=YES
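The four files checked above (RETRIES in /etc/default/login, LOCK_AFTER_RETRIES in /etc/security/policy.conf, the per-user lock_after_retries attribute in /etc/user_attr, and the flag field of shadow(4) whose low-order four bits hold the failed-login count) together decide whether a given account can be locked and how close it is to the threshold. The following script is an added example, not code from the original blog entry: it parses constructed stand-ins for those files and reports, per user, whether the lockout policy applies (a user_attr override wins over the global setting), the failure count from the flag field, and whether the *LK* marker is present. The password hashes and the user_attr lines are constructed samples, and the default values used when a setting is absent (RETRIES 5, LOCK_AFTER_RETRIES NO) are taken from the text.

```python
# Constructed sample file contents, standing in for the four Solaris files
# discussed in the text (not copied from a real system; hashes are placeholders).
LOGIN_DEFAULT = """# /etc/default/login (excerpt)
CONSOLE=/dev/console
RETRIES=5
"""

POLICY_CONF = """# /etc/security/policy.conf (excerpt)
LOCK_AFTER_RETRIES=YES
"""

USER_ATTR = """# /etc/user_attr (excerpt, constructed)
root::::auths=solaris.*;profiles=All;lock_after_retries=no
gmb::::type=normal;profiles=FOO Security Management;roles=secadm;lock_after_retries=no
foo::::type=normal;lock_after_retries=yes
"""

SHADOW = """gmb:h8HsRoqrne1oQ:12685::::::5
foo:02YZb5ZaMrcrk:12685::::::2
bar:*LK*XF0Ggjq1c6tYQ:12685::::::5
baz:.VxOG4ytNE8es:12685::::::
root:aBcDeFgHiJkLm:12685::::::3
"""


def setting(text, key):
    """Return KEY's value from a KEY=value file, skipping comments; None if absent."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip() == key:
            return value.strip()
    return None


def user_attr_overrides(text):
    """Map user name -> lock_after_retries value from user_attr(4).
    The format is user:qualifier:res1:res2:attr, attr being ';'-separated key=value."""
    overrides = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue
        for attr in fields[4].split(";"):
            name, _, value = attr.partition("=")
            if name == "lock_after_retries":
                overrides[fields[0]] = value.strip().lower()
    return overrides


def shadow_entries(text):
    """Yield (user, locked, failures) from shadow(4) lines. Locked means the
    password field carries the *LK* prefix; failures is the low-order four
    bits of the last (flag) field, as the manual page describes."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            continue
        flag = fields[8]
        failures = (int(flag) & 0xF) if flag.isdigit() else 0
        yield fields[0], fields[1].startswith("*LK*"), failures


def evaluate(login_default, policy_conf, user_attr, shadow):
    """Per-user report: whether lockout applies, failures so far, locked state,
    and whether an exempt account has nonetheless reached RETRIES failures."""
    retries = int(setting(login_default, "RETRIES") or 5)  # default 5 per the text
    global_on = (setting(policy_conf, "LOCK_AFTER_RETRIES") or "NO").upper() == "YES"
    overrides = user_attr_overrides(user_attr)
    report = {}
    for user, locked, failures in shadow_entries(shadow):
        override = overrides.get(user)
        applies = global_on if override is None else override == "yes"
        report[user] = {
            "lockout_applies": applies,
            "failures": failures,
            "locked": locked,
            "exempt_but_exceeded": (not applies) and failures >= retries,
        }
    return report


def needs_attention(report):
    """Users with any failed attempts since their last good login (cf. the awk one-liner)."""
    return sorted(u for u, r in report.items() if r["failures"] >= 1)


if __name__ == "__main__":
    for user, r in evaluate(LOGIN_DEFAULT, POLICY_CONF, USER_ATTR, SHADOW).items():
        print(f"{user:6} applies={str(r['lockout_applies']):5} "
              f"failures={r['failures']} locked={r['locked']}")
```

Point the four constants at the real files (read as root) to run this against a live system; the exempt_but_exceeded flag is the case worth reviewing, since an account such as root that is immune from lockout still accumulates the count and the warning message is the only signal its owner gets.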

Now, let’s see if the account actually gets locked after 5 failed authentication attempts.

# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
login: gmb
Password:
Login incorrect
login: gmb
Password:
Login incorrect
login: gmb
Password:
Login incorrect
login: gmb
Password:
Login incorrect
login: gmb
Password:
Login incorrect
Sep 23 23:51:46 sampleHost login: REPEATED LOGIN FAILURES ON /dev/pts/1 FROM localhost, gmb
Connection to localhost closed by foreign host.
# grep "^gmb:" /etc/shadow
gmb:h8HsRoqrne1oQ:12685::::::

Just as expected, the gmb account is immune from the account lockout policy that applies to other users on the system. This is in fact what is implemented by default for the root account. That is, even if account lockout is enabled globally (which is not the default), the root account is still immune from being locked out. This is done to prevent a malicious user from locking the root account out of the system. If you would like this policy to apply to the root account, then simply change the value of the lock_after_retries parameter to yes in the /etc/user_attr file.

This concludes another installment. As always, I hope you find this information useful in understanding how some of the new Solaris 10 security enhancements work and how they can be applied to solve real-world problems in your environment.

Netapp / Solaris

Not a problem – the preferred way to fix this kind of problem is to install the (free) ‘Host Utilities Kit’ for Solaris from NetApp on the servers. But I think we can take care of things without that. There are two lines that I find recommended in our knowledgebase for addition to the server’s ssd.conf file:
ssd-config-list="NETAPP LUN","netapp-ssd-config";
netapp-ssd-config=1,0x9007,64,30,300,0,0,0,0,0,0,0,0,0,30,0,0,8,0,0;

On the storage side, there’s one command to run for each of the masking groups on each filer, which I’d do myself if I had access today, but you or anyone in the group can do them (I’ll call and walk you through it if you like):

igroup set <igroup> alua yes

This will need to be run for each igroup that will go out to multipathing Solaris hosts (all of the unix servers, I suppose), so

igroup set DIT_medwatch alua yes

igroup set CDER_ireview alua yes

igroup set ORA_oracle_back alua yes

and

igroup set ORA_oracle_test alua yes

on Netapp1, and then on Netapp2:

igroup set OC_EASE alua yes

and

igroup set ORA_oracle_prod alua yes

If you are working on a new T2000 with Qlogic HBAs, you may see an “insufficient condition” message when trying to use cfgadm to configure them for the first batch of provisioned SAN storage. If you do see this, you can use the following commands to fix it without a reboot:

The “before” cfgadm:

Ap_Id                          Type         Receptacle   Occupant     Condition
c0                             scsi-bus     connected    configured   unknown
c0::dsk/c0t0d0                 disk         connected    configured   unknown
c1                             scsi-bus     connected    configured   unknown
c1::dsk/c1t0d0                 CD-ROM       connected    configured   unknown
c2                             fc-fabric    connected    unconfigured unknown
c2::50060e80042cc540           unavailable  connected    unconfigured failed
c3                             fc-fabric    connected    unconfigured unknown
c3::50060e80042cc550           unavailable  connected    unconfigured failed
usb0/1                         unknown      empty        unconfigured ok
usb0/2                         unknown      empty        unconfigured ok
usb1/1.1                       unknown      empty        unconfigured ok
usb1/1.2                       unknown      empty        unconfigured ok
usb1/1.3                       unknown      empty        unconfigured ok
usb1/1.4                       unknown      empty        unconfigured ok
usb1/2                         unknown      empty        unconfigured ok

Look at your FC devices:
bash-3.00# ls -l /dev/fc
total 6
lrwxrwxrwx   1 root     root          58 Apr 29 15:17 fp0 -> ../../devices/pci@7c0/pci@0/pci@8/SUNW,qlc@0/fp@0,0:devctl
lrwxrwxrwx   1 root     root          58 Apr 29 15:17 fp1 -> ../../devices/pci@7c0/pci@0/pci@9/SUNW,qlc@0/fp@0,0:devctl
lrwxrwxrwx   1 root     root          60 Apr 29 15:17 fp2 -> ../../devices/pci@7c0/pci@0/pci@8/SUNW,qlc@0,1/fp@0,0:devctl

Determine which ones are the HBAs by looking at the WWNs (the cc540 and cc550 are the XP12K, so these two are the HBAs):
bash-3.00# luxadm -e dump_map /dev/fc/fp0
Pos  Port_ID Hard_Addr Port WWN         Node WWN         Type
0    ba000   0         50060e80042cc540 50060e80042cc540 0x1f (Unknown Type)
1    bcb00   0         2100001b3200ef93 2000001b3200ef93 0x1f (Unknown Type,Host Bus Adapter)

bash-3.00# luxadm -e dump_map /dev/fc/fp1
Pos  Port_ID Hard_Addr Port WWN         Node WWN         Type
0    c2000   0         50060e80042cc550 50060e80042cc550 0x1f (Unknown Type)
1    ccb00   0         2100001b320290f3 2000001b320290f3 0x1f (Unknown Type,Host Bus Adapter)

bash-3.00# luxadm -e forcelip /dev/fc/fp0
Jul 11 06:59:52 fdssa125 scsi: WARNING: /scsi_vhci/ssd@g60060e80042cc50000002cc5000001c0 (ssd0):
Jul 11 06:59:52 fdssa125        Corrupt label; wrong magic number

bash-3.00# luxadm -e forcelip /dev/fc/fp1

The “after” cfgadm:
bash-3.00# cfgadm -al
Ap_Id                          Type         Receptacle   Occupant     Condition
c0                             scsi-bus     connected    configured   unknown
c0::dsk/c0t0d0                 disk         connected    configured   unknown
c1                             scsi-bus     connected    configured   unknown
c1::dsk/c1t0d0                 CD-ROM       connected    configured   unknown
c2                             fc-fabric    connected    configured   unknown
c2::50060e80042cc540           disk         connected    configured   unknown
c3                             fc-fabric    connected    configured   unknown
c3::50060e80042cc550           disk         connected    configured   unknown
usb0/1                         unknown      empty        unconfigured ok
usb0/2                         unknown      empty        unconfigured ok
usb1/1.1                       unknown      empty        unconfigured ok
usb1/1.2                       unknown      empty        unconfigured ok
usb1/1.3                       unknown      empty        unconfigured ok
usb1/1.4                       unknown      empty        unconfigured ok
usb1/2                         unknown      empty        unconfigured ok

Jumpstart

Setting Up JumpStart With Solaris 10 OS for SPARC Platforms and ZFS

Lucas Williams, January 2008

Introduction

The setup I had was one Sun Enterprise 3500 server running the Solaris 10 Operating System for SPARC platforms with ZFS and one client machine (a Sun Netra X1 server). I needed to get the Solaris 10 OS installed on the client for a project my company was getting ready to start.

I hope this walk-through of my process will help whoever needs to do something similar.

Note: I used the Solaris 10 08/07 release, but this will also work with earlier versions back to 03/05.

Prerequisites

Make sure you are logged in as root or another system administrator.

You should also have your boot server be your DHCP server. However, because my machines get DHCP from another server, and I am set up with static IPs on my servers, I didn’t do this.

Also, you need to have tftp and nfs services running. When I installed the Solaris 10 OS on my server, I enabled NFS from the start, but I had to create a service for tftp. Fortunately, this is extremely easy, since it is mostly already set up. All you have to do is a couple of quick changes, as follows:

1. Edit the inetd.conf file. If you are pretty handy with vi, use that. Otherwise, use another text editor. I did the following from an SSH terminal, since neither of my machines had a monitor or keyboard plugged into them.

# cd /etc
# vi inetd.conf

2. Scroll down to the bottom of the file to the lines that look like this:

# TFTPD - tftp server (primarily used for booting)
# tftp dgram  udp6  wait root  /usr/sbin/in.tftpd  in.tftpd -s /tftpboot

3. Uncomment the last line and save the document so it looks like this:

tftp  dgram  udp6  wait root /usr/sbin/in.tftpd  in.tftpd -s /tftpboot

4. Type :wq to save the file and quit vi.

5. Run inetconv to get the service added to Service Management Facility (SMF):

# inetconv

6. Then run svcadm to get the service enabled, and you are ready to go:

# svcadm enable tftpd

Now it’s time to set up the ZFS storage pools, copy the files, and set up the configuration files…the fun stuff.

Setting Up ZFS Storage Pools

I created a new pool on the Solaris JumpStart server:

# zpool create install c1t7d0

I had a spare disk that wasn’t being used in the server, so I made this my Solaris JumpStart server pool. After that, I created the shares.

# zfs create install/config
# zfs create install/boot
# zfs set sharenfs=ro,anon=0 install
# zfs set sharenfs=ro,anon=0 install/config
# zfs set sharenfs=ro,anon=0 install/boot

I then checked to make sure all my directories were there and everything was being shared properly:

# cd /install
# ls -l
drwxr-xr-x   4 root     sys       5 Jan  8 10:25 boot
drwxr-xr-x   2 root     sys       9 Jan  8 10:16 config
#
# share
-               /install   ro,anon=0   ""
-               /install/config   ro,anon=0   ""
-               /install/boot   ro,anon=0   ""

Copying Files

I then put the first CD of Solaris 10 HW807 SPARC in the CD-ROM drive on my Sun Enterprise 3500 server. Then I changed to the cdrom directory on the CD and ran the setup_install_server script:

# cd /cdrom/cdrom0/s0/Solaris_10/Tools
# ./setup_install_server /install

The script ran and copied the necessary files to my /install directory. After it was complete, I changed to the root directory and ejected the CD:

# cd /
# eject cdrom

Then I put the second CD in the CD-ROM drive, changed to the Tools directory, and ran the add_to_install_server script:

# cd /cdrom/cdrom0/Solaris_10/Tools
# ./add_to_install_server /install

I did similar steps until all the files for the five OS CDs and the Language CD were copied to the /install directory.

I put Disc 1 back in my CD-ROM drive on the Sun Enterprise 3500 server and changed to the Misc directory. Then I copied the check script so that I could use it to verify the profile and rules files that I planned to create in the next few steps:

# cd /cdrom/cdrom0/s0/Solaris_10/Misc/jumpstart_sample
# cp check /install/config
# cd /install/config

Setting Up Configuration Files

Now comes the fun part, which is actually writing the files to get the Solaris JumpStart server off and running.

You can copy the samples from the disc and modify them as you see fit. Since I knew what I wanted my system to be used for, I wrote my own files and then ran the check script to verify that the files would work and to create the rules.ok file.

The first file I created was sysidcfg. This file tells the client what its settings are going to be after initial boot. If you don’t add information to this file, the system will make you supply all the requested information. I used vi to create my file in /install/config:

# vi sysidcfg
system_locale=en_US.ISO8859-1
timezone=US/Pacific
timeserver=localhost
terminal=vt100
name_service=NONE
security_policy=NONE
root_password=<encrypted password from /etc/shadow>
network_interface=dmfe0 {hostname=<hostname of client>
                         netmask=<your network's netmask>
                         protocol_ipv6=no
                         default_route=<your gateway>}

:wq

Next is the rules file. This file is extremely easy for my setup, since I have only one server that I want to set up. There are a lot of things you can do with the rules file. If you look at the sample rules file included on the Solaris CD, you can get an idea of what you can do with it. The following is what I used.

# vi rules
hostname <hostname of client> - profile -

:wq

The two “-” symbols must be in the code above unless you are using a begin script and a finish script. In that case, you put the name of your scripts in place of the “-” symbols.

Make sure you change permissions on your scripts using chmod 755 before booting your client. More information on this can be found in the sample rules script on the Solaris CD under /Solaris_10/Misc/jumpstart_samples.

Next you have to create your profile file using the file name you specified in your rules file. Funny how things reference each other. You have to use whatever you specified in the rules file for the name of the profile file. Since I specified profile as the file name in my rules file, my file is named profile. My profile file specifies how my client will be set up as far as partition sizes, the installation type, and the client type.

Once again, I used vi to create my file, but there are a bunch of samples on the Solaris CD you can edit to suit your needs. The important thing is knowing the correct installation type.

The cluster option specifies the type of installation according to software group. The following table describes the available values.

Table 1: Values of Software Groups and Group Names

Software Group                                   Group Name
Reduced Network Support Software Group           SUNWCrnet
Core System Support Software Group               SUNWCreq
End User Solaris Software Group                  SUNWCuser
Developer Solaris Software Group                 SUNWCprog
Entire Solaris Software Group                    SUNWCall
Entire Solaris Software Group Plus OEM Support   SUNWCXall

Here’s what I used:

# vi profile
install_type      initial_install
cluster           SUNWCXall
partitioning      explicit
filesys           c0t0d0s0 14000 /
filesys           c0t0d0s1 2048 /var
filesys           c0t0d0s3 1024 swap
filesys           c0t0d0s7 19500 /export/home
system_type       standalone

:wq

The next step was to check to make sure I didn’t make any mistakes in my files. To do that, I just ran check.

# ./check

If everything comes out fine, you will have a file called rules.ok in your /install/config directory.

# ls -l
-rwxr-xr-x   1 root     root   59701 Jan  8 10:16 check
-rw-r--r--   1 root     root     232 Jan  8 10:14 profile
-rw-r--r--   1 root     root      32 Jan  8 10:15 rules
-rw-r--r--   1 root     root      57 Jan  8 10:16 rules.ok
-rw-r--r--   1 root     root     278 Jan  8 09:33 sysidcfg
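The rules file, the profile it names and any begin/finish scripts reference each other by file name, and the check script only tells you whether the whole set is consistent. The following is an added example, not part of the article and not Sun's check script: a small pre-check that walks a JumpStart configuration directory, splits each rule into its match criteria plus the begin/profile/finish tokens (the last three on the line, with “-” meaning none, as the article describes), confirms the profile exists, confirms any scripts exist and carry the execute bit the article says to set with chmod 755, and applies a few sanity rules to the profile (install_type first, a cluster name from Table 1, and a root filesystem when partitioning is explicit). The sample configuration it builds in a scratch directory is constructed from the article's own rules and profile; the script name finish.sh and the client hostname netra-client are assumptions.

```python
import os
import stat
import tempfile

# Legal values of the cluster keyword, from Table 1 in the article.
SOFTWARE_GROUPS = {"SUNWCrnet", "SUNWCreq", "SUNWCuser",
                   "SUNWCprog", "SUNWCall", "SUNWCXall"}

# Constructed sample: the article's one-line rules file and its profile.
RULES = "hostname netra-client - profile -\n"
PROFILE = """install_type      initial_install
cluster           SUNWCXall
partitioning      explicit
filesys           c0t0d0s0 14000 /
filesys           c0t0d0s1 2048 /var
filesys           c0t0d0s3 1024 swap
filesys           c0t0d0s7 19500 /export/home
system_type       standalone
"""


def parse_rule(line):
    """Split one rules line into match criteria plus begin/profile/finish.
    The last three tokens are always begin script, profile, finish script."""
    tokens = line.split()
    if len(tokens) < 5:
        raise ValueError("need '<keyword> <value> <begin> <profile> <finish>'")
    return {"criteria": " ".join(tokens[:-3]),
            "begin": tokens[-3], "profile": tokens[-2], "finish": tokens[-1]}


def check_profile(path):
    """Sanity-check a profile: install_type first, a known cluster, and a
    filesys entry for / when partitioning is explicit."""
    problems, keywords = [], []
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if line:
                key, _, value = line.partition(" ")
                keywords.append((key, value.strip()))
    if not keywords or keywords[0][0] != "install_type":
        problems.append(f"{path}: install_type must be the first keyword")
    values = dict(keywords)
    if values.get("cluster") not in SOFTWARE_GROUPS:
        problems.append(f"{path}: unknown cluster {values.get('cluster')!r}")
    if values.get("partitioning") == "explicit":
        roots = [v for k, v in keywords if k == "filesys" and v.split()[-1] == "/"]
        if not roots:
            problems.append(f"{path}: explicit partitioning but no filesys for /")
    return problems


def check_rules(config_dir):
    """Check every rule in <config_dir>/rules: the profile and any begin/finish
    scripts must exist in config_dir (assumption) and scripts must be executable."""
    problems = []
    with open(os.path.join(config_dir, "rules")) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            try:
                rule = parse_rule(line)
            except ValueError as err:
                problems.append(f"rules:{lineno}: {err}")
                continue
            for role in ("begin", "finish"):
                name = rule[role]
                if name == "-":
                    continue
                script = os.path.join(config_dir, name)
                if not os.path.isfile(script):
                    problems.append(f"rules:{lineno}: {role} script {name} not found")
                elif not (os.stat(script).st_mode & stat.S_IXUSR):
                    problems.append(f"rules:{lineno}: {role} script {name} not executable (chmod 755)")
            profile = os.path.join(config_dir, rule["profile"])
            if not os.path.isfile(profile):
                problems.append(f"rules:{lineno}: profile {rule['profile']} not found")
            else:
                problems.extend(check_profile(profile))
    return problems


def check_sample(rules=RULES, profile=PROFILE, script_mode=None):
    """Write the constructed sample into a scratch directory (optionally with a
    finish.sh script of the given mode) and return check_rules' findings."""
    with tempfile.TemporaryDirectory() as config_dir:
        with open(os.path.join(config_dir, "rules"), "w") as fh:
            fh.write(rules)
        with open(os.path.join(config_dir, "profile"), "w") as fh:
            fh.write(profile)
        if script_mode is not None:
            finish = os.path.join(config_dir, "finish.sh")
            with open(finish, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(finish, script_mode)
        return check_rules(config_dir)


if __name__ == "__main__":
    print("article config:", check_sample() or "no problems")
    print("finish.sh mode 644:", check_sample("hostname netra-client - profile finish.sh\n", script_mode=0o644))
```

Run check_rules("/install/config") on the server before ./check; it does not replace check (which also validates keyword syntax and writes rules.ok), but it catches the two mistakes the article warns about, a misnamed profile and a script left without execute permission, with a message that names the rule line.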

Setting Up the Server to Boot Correctly

Now comes the fun of actually setting up the server to boot. You have to get the MAC address of the client. You can get this two ways: either run ifconfig -a on the client or get it off the openboot prompt.

After you get the MAC address, add it to your /etc/ethers file. If you don’t have this file, as I didn’t, go ahead and create it:

# cd /etc
# vi ethers
0a:3b:ba:f5:d1:e6 <client hostname>

:wq

Next, add your client to your /etc/hosts file:

# vi hosts
<ip.address.for.client> <client hostname>

:wq

Now you have to make the boot server. Make sure you have Disc 1 for Solaris 10 OS in the CD-ROM, and then run setup_install_server again, this time specifying the -b option and the /install/boot directory:

# cd /cdrom/cdrom0/s0/Solaris_10/Tools
# ./setup_install_server -b /install/boot

After this is complete, you can eject the CD:

# cd /
# eject cdrom

Setting Up the Client

Now it’s time to set up the client. I ran the following commands. I ran them straight from the files I copied off the CD in the /install directory.

Note: It is very important that you run the following commands from your installation image, not from the CD, since where you run the commands determines where the client will look for the boot image. If you install from the CD, the client will look on the CD for the boot image, and unless you are using NFS to share the CD-ROM drive on your server, the commands will fail.

# cd /install/Solaris_10/Tools
# ./add_install_client -e 0a:3b:ba:f5:d1:e6 \
    -s <server hostname>:/install \
    -c <server hostname>:/install/config \
    -p <server hostname>:/install/config \
    <client hostname> sun4u

The previous commands create all the needed files so the client can boot and find everything it needs to start installing the Solaris OS. The following describes what the flags mean:

  • -e specifies the MAC address of the client.
  • -s specifies the location of the server’s installation files.
  • -c specifies the Solaris JumpStart configuration location.
  • -p specifies the sysidcfg file’s location.
  • sun4u specifies the architecture of the client.

Booting the Client

Now you are ready to boot up the client and have it find the server.

Note: On my Sun Netra X1 server, I could get to the lights on management (LOM) console by pressing #. and typing break at the LOM> prompt. Do whatever you need to do to get to the OpenBoot prompt.

On the client, be at the OpenBoot OK prompt and run the following command:

ok> boot net - install

When I ran this command, the client connected to my server, downloaded the OS, and commenced installing it. All I had to do was tell it to use the default IPv4 setting detected, and it did the rest, including rebooting and coming up in console mode.

Uninstall Sun Cluster

From the host:
shutdown -g0 -y -i0
From the ok prompt, type
boot -x    # boots in non-cluster mode

Then

cd /
scinstall -r #removes sun cluster

prtvtoc /dev/rdsk/c0t0d0s2 | fmthard -s - /dev/rdsk/c0t1d0s2
metadb -a -f -c3 /dev/rdsk/c0t0d0s5 /dev/rdsk/c0t1d0s5

metainit -f d10 1 1 c0t0d0s0
metainit -f d20 1 1 c0t1d0s0
metainit d0 -m d10
metaroot d0

metainit -f d11 1 1 c0t0d0s1
metainit -f d21 1 1 c0t1d0s1
metainit d1 -m d11

metainit -f d13 1 1 c0t0d0s3
metainit -f d23 1 1 c0t1d0s3
metainit d3 -m d13

metainit -f d17 1 1 c0t0d0s7
metainit -f d27 1 1 c0t1d0s7
metainit d7 -m d17

cp /etc/vfstab /etc/vfstab.bak

# Edit /etc/vfstab

lockfs -fa
init 6

metattach d0 d20
metattach d1 d21
metattach d3 d23
metattach d7 d27

Moving data between servers or file systems:
ufsdump 0f - / | ( cd /mnt ; ufsrestore xvf - )
ufsdump 0f - /r01 | ( cd /tmp/r01 ; ufsrestore xvf - )

SSH a file from one server to another when SCP does not work:
ssh remote_server cat < local_file_to_send "|" dd of=destination_filename

Using tar and ssh to move directories between servers:
( cd /r01 && tar cvf - . ) | ssh hostname "(cd /tmp/r01 && tar xvpf - )"

Grow SVM file system:
metattach d101 50g
growfs -M /export/home /dev/md/rdsk/d101

Examples of creating concats using multiple disks
# metainit d25 2 1 c0t1d0s0 1 c0t2d0s0
d25: Concat/Stripe is setup
# metainit d40 4 1 c0t1d0s0 1 c0t2d0s0 1 c0t2d0s0 1 c0t2d1s0
d40: Concat/Stripe is setup
# metainit d50 4 1 c1t1d0s6 1 c1t2d0s6 1 c1t2d0s6 1 c1t2d1s6
d50: Concat/Stripe is setup

Partition a disk with info from existing disk:
prtvtoc /dev/rdsk/c0t0d0s2 | fmthard -s - /dev/rdsk/c1t1d1s2

If you only have two internal disks (i.e. the boot disk and mirror disk), consider adding the following parameter to /etc/system to bypass the SVM/DiskSuite “quorum” rule. Without this parameter, the system will not boot in multiuser mode if half or fewer of its state database replicas are available. (http://www.sun.com/blueprints/0402/solstice.pdf)
set md:mirrored_root_flag = 1

#!/bin/ksh
#############################################################################################
# Solaris Security Script Version 2.0
#
# This script is created to be run on Solaris 10 servers in order to secure the OS,
# remove unnecessary services, change the default and out of the box configurations
# and settings in order to make the server more secure.
#
# This script will be updated as needed in order to comply with changes in security policies
# and to accomodate the security needs of the environment.
#
# There is an associated Microsoft Word Readme file with this script. The file is named
# fdaunixsecurity.doc and should be found in the same location as this script file.
#
# Created by Shahid Hussain of Booz Allen & Hamilton in March of 2005 for
# Food and Drug Administration Solaris environment.
# Modified by Sean Parkinson of Booz Allen & Hamilton in February of 2006 for
# Food and Drug Administration Solaris 10 environment.
# Edited October 20th, 2005; streamlined for Solaris 9 only
# Edited February 2nd, 2006; streamlined for Solaris 10 only
#############################################################################################

LOGFILE=/tmp/logfile.log  # This file contains the results from running this script, both successful and unsuccessful.ef
echo “Results from the Security Script.” >> $LOGFILE
echo “”
echo “Solaris Security Script Version 2.0”
echo “”
echo “”
echo “Hardening Logins and User Account Policies”
echo “——————————————-”
echo “———————————————————————-” >> $LOGFILE
echo “2.1.A” >> $LOGFILE
echo “” >> $LOGFILE
echo “Checking value for CONSOLE…”
if [ `grep “^CONSOLE=/dev/console” /etc/default/login | wc -l` -lt 1 ]; then
if [ `grep “CONSOLE=” /etc/default/login |wc -l` -lt 1 ];
then
cp /etc/default/login /etc/default/login.orig.21A
echo “CONSOLE=/dev/console” >> /etc/default/login;
echo “CONSOLE=/dev/console has been added to /etc/default/login” >> $LOGFILE;
echo ”     added CONSOLE value to /etc/default/login.”
else
cp /etc/default/login /etc/default/login.21A
awk ‘/CONSOLE=/ { $1 = “CONSOLE=/dev/console” }; { print }’ /etc/default/login.21A > /etc/default/login
chmod 600 /etc/default/login
chown root:sys /etc/default/login
echo “CONSOLE value has been changed to /dev/console in /etc/default/login” >> $LOGFILE;
echo ”     changed CONSOLE value in /etc/default/console.”
fi
else
echo “CONSOLE=/dev/console is already set in /etc/default/login” >> $LOGFILE
echo ”     CONSOLE value already set in /etc/default/login.”
fi
sshdconfig=/etc/ssh/sshd_config;
echo “” >> $LOGFILE
echo “Checking value for PermitRootLogin…”
if [ -f $sshdconfig ]; then
if [ `grep “^PermitRootLogin no” $sshdconfig | wc -l` -lt 1 ]; then
if [ `grep “PermitRootLogin” $sshdconfig |wc -l` -lt 1 ]; then
cp $sshdconfig $sshdconfig.orig.21A
echo “PermitRootLogin no” >> $sshdconfig;
echo “PermitRootLogin no has been added to $sshdconfig” >> $LOGFILE;
echo ”     added PermitRootLogin to $sshdconfig.”
else
cp $sshdconfig $sshdconfig.21F
grep -v PermitRootLogin $sshdconfig >> $sshdconfig.temp
mv $sshdconfig.temp $sshdconfig
echo “PermitRootLogin no” >> $sshdconfig;
chmod 600 $sshdconfig
chown root:sys $sshdconfig
echo “PermitRootLogin value has been changed to no in ” $sshdconfig >> $LOGFILE;
echo ”     changed value for PermitRootLogin in $sshdconfig.”
fi
else
echo “PermitRootLogin no is already set in “$sshdconfig >> $LOGFILE
echo ”     PermitRootLogin already set in $sshdconfig.”
fi
else
echo $sshdconfig ” does not exist or Secure Shell has not been installed” >> $LOGFILE
echo ”     $sshdconfig does not exist or Secure Shell has not been installed.”
fi
echo “———————————————————————-” >> $LOGFILE
echo “” >> $LOGFILE
echo “2.1.B” >> $LOGFILE
echo “Checking value for PASSREQ…”
if [ `grep “^PASSREQ=YES” /etc/default/login | wc -l` -lt 1 ]; then
if [ `grep “PASSREQ=” /etc/default/login | wc -l` -lt 1 ];
then
cp /etc/default/login /etc/default/login.orig.21B
echo “PASSREQ=YES” >> /etc/default/login;
echo “PASSREQ=YES has been added to /etc/default/login” >> $LOGFILE;
else
cp /etc/default/login /etc/default/login.21B
awk ‘/PASSREQ=/ { $1 = “PASSREQ=YES” }; { print }’ /etc/default/login.21B > /etc/default/login
chmod 600 /etc/default/login
chown root:sys /etc/default/login
echo “PASSREQ value has been changed to YES in /etc/default/login” >> $LOGFILE;
fi
else
echo “PASSREQ=YES is already set in /etc/default/login” >> $LOGFILE
fi
echo “———————————————————————-” >> $LOGFILE
echo “” >> $LOGFILE
echo "2.1.C" >> $LOGFILE
echo "Locking down users that do not require logins..."
for user in adm bin daemon listen lp noaccess sys nobody nobody4 nuucp uucp; do
    # anchor on "^$user:" so that, e.g., "nobody" cannot match the nobody4 entry
    if [ `grep "^$user:" /etc/shadow | grep LK | wc -l` -lt 1 ]; then
        passwd -l $user
        /usr/sbin/passmgmt -m -s /dev/null $user
        echo $user " has been locked" >> $LOGFILE
        echo "     $user locked."
    else
        echo $user " was already locked out" >> $LOGFILE
    fi
done
echo "Checking user shells that should be set to /dev/null..."
for user in adm bin daemon listen lp noaccess sys nobody nobody4 nuucp uucp; do
    if [ `grep "^$user:" /etc/passwd | grep null | wc -l` -lt 1 ]; then
        /usr/sbin/passmgmt -m -s /dev/null $user
        echo $user " shell has been set to /dev/null" >> $LOGFILE
        echo "     $user's shell set to /dev/null."
    else
        echo $user " shell is already set to /dev/null" >> $LOGFILE
    fi
done
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "2.1.D" >> $LOGFILE
echo "Checking for existence of /etc/shells..."
if [ -f /etc/shells ]; then
    echo "/etc/shells already exists" >> $LOGFILE
    echo "     /etc/shells exists."
else
    echo /sbin/sh > /etc/shells
    for shell in sh csh ksh bash tcsh zsh; do
        [ -f /bin/$shell ] && echo /bin/$shell >> /etc/shells
        [ -f /usr/bin/$shell ] && echo /usr/bin/$shell >> /etc/shells
    done
    chown root:root /etc/shells
    chmod 644 /etc/shells
    echo "/etc/shells has been created and updated with list of shells." >> $LOGFILE
    echo "     created /etc/shells."
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "2.1.E" >> $LOGFILE
echo "Checking home directory permissions..."
for dir in `logins -ox | awk -F: '($8 == "PS" && $1 != "root" && $1 != "audit") { print $6 }'`; do
    if [ `ls -ld $dir | grep "^l" | wc -l` -gt 0 ]; then
        echo $dir "is a link" >> $LOGFILE
    else
        if [ `ls -ld $dir | grep "drwxr-x---" | wc -l` -gt 0 ]; then
            echo $dir "already has correct permissions" >> $LOGFILE
            echo "     $dir OK!"
        else
            chmod g-w $dir
            chmod o-rwx $dir
            echo $dir "permissions have been corrected." >> $LOGFILE
            echo "     $dir's permissions changed."
        fi
    fi
done
echo "" >> $LOGFILE
echo "The following directories are specified in /etc/passwd as user home directories, but do not exist. Check /etc/passwd" >> $LOGFILE
for dir in `logins -ox | awk -F: '($8 == "PS" && $1 != "root") { print $6 }'`; do
    if [ ! -d $dir ]; then
        echo $dir " does not exist" >> $LOGFILE
    fi
done
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "2.1.F" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking for Secure Shell banner..."
if [ -f $sshdconfig ]; then
    if [ `grep "^Banner /etc/issue" $sshdconfig | wc -l` -lt 1 ]; then
        if [ `grep "Banner" $sshdconfig | wc -l` -lt 1 ]; then
            cp $sshdconfig $sshdconfig.orig.21F
            echo "Banner /etc/issue" >> $sshdconfig
            echo "Banner /etc/issue has been added to " $sshdconfig >> $LOGFILE
        else
            cp $sshdconfig $sshdconfig.21F
            grep -v Banner $sshdconfig > $sshdconfig.temp
            mv $sshdconfig.temp $sshdconfig
            echo "Banner /etc/issue" >> $sshdconfig
            chmod 600 $sshdconfig
            chown root:sys $sshdconfig
            echo "Banner value has been changed to /etc/issue in "$sshdconfig >> $LOGFILE
        fi
    else
        echo "     ssh banner already set up."
        echo "Banner /etc/issue is already set in " $sshdconfig >> $LOGFILE
    fi
else
    echo $sshdconfig " does not exist or Secure Shell has not been installed" >> $LOGFILE
    echo "     $sshdconfig does not exist or Secure Shell has not been installed."
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "2.1.G" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking issue file..."
if [ ! -f /etc/issue ]; then
    echo "This computer system, including all related equipment, networks and network devices (specifically including Internet access), is provided primarily for authorized U.S. Government use. Limited personal use is authorized in accordance with FDA Staff Manual Guide 3140.1, FDA Policy on Use of Government Electronic Equipment and Systems.

This computer system may be monitored for all lawful purposes, including ensuring that its use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security. Use of this computer system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use may subject you to criminal prosecution, and/or administrative disciplinary action, including reprimand, suspension from duty without pay, or removal from your position and Federal employment." > /etc/issue

    chown root:sys /etc/issue
    chmod 444 /etc/issue
    echo "/etc/issue file has been created with appropriate login message" >> $LOGFILE
    echo "     created /etc/issue file."
else
    echo "/etc/issue already exists on the server" >> $LOGFILE
    echo "     /etc/issue already exists."
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "2.1.H" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking ftp banner..."
ftpd=/etc/ftpd/banner.msg
if [ -f $ftpd ]; then
    echo $ftpd " already exists on the server." >> $LOGFILE
    echo "     ftp banner already exists."
else
    echo 'BANNER="AUTHORIZED USERS ONLY.  All activity may be monitored and reported."' > $ftpd
    echo $ftpd " has been created on the server." >> $LOGFILE
    chmod 444 $ftpd
    chown root:sys $ftpd
    echo "Permissions for "$ftpd " have been changed to 444 and ownership changed to root:sys" >> $LOGFILE
    echo "     ftp banner created."
fi
echo "Checking telnet banner..."
if [ -f /etc/default/telnetd ]; then
    echo "/etc/default/telnetd already exists on the server." >> $LOGFILE
    echo "     telnet banner already exists."
else
    echo 'BANNER="AUTHORIZED USERS ONLY.  All activity may be monitored and reported."' > /etc/default/telnetd
    echo "/etc/default/telnetd has been created on the server." >> $LOGFILE
    chmod 444 /etc/default/telnetd
    chown root:sys /etc/default/telnetd
    echo "Permissions for /etc/default/telnetd have been changed to 444 and ownership changed to root:sys" >> $LOGFILE
    echo "     telnet banner created."
fi
echo "Checking eeprom banner..."
if [ "`zonename`" = "global" ]; then
    if [ `eeprom | grep banner | grep false | wc -l` -gt 0 ]; then
        eeprom oem-banner\?=true
        eeprom oem-banner="Authorized uses only. All activity may be monitored and reported."
        echo "eeprom banner has been set." >> $LOGFILE
        echo "     eeprom banner set."
    else
        echo "eeprom banner is already set." >> $LOGFILE
        echo "     eeprom banner already set."
    fi
else
    echo "     aborting because this is NOT the global zone."
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "2.1.I" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking CMASK and UMASK..."
if [ `grep "^CMASK=022" /etc/default/init | wc -l` -lt 1 ]; then
    if [ `grep "CMASK=" /etc/default/init | wc -l` -lt 1 ]; then
        cp /etc/default/init /etc/default/init.orig.21I
        echo "CMASK=022" >> /etc/default/init
        echo "CMASK=022 has been added to /etc/default/init" >> $LOGFILE
        echo "     set CMASK to 022."
    else
        cp /etc/default/init /etc/default/init.21I
        awk '/CMASK=/ { $1 = "CMASK=022" }; { print }' /etc/default/init.21I > /etc/default/init
        chmod 600 /etc/default/init
        chown root:sys /etc/default/init
        echo "CMASK value has been changed to 022 in /etc/default/init" >> $LOGFILE
        echo "     set CMASK to 022."
    fi
else
    echo "CMASK=022 is already set in /etc/default/init" >> $LOGFILE
    echo "     CMASK was already set to 022."
fi

echo "" >> $LOGFILE
if [ `grep "^UMASK=027" /etc/default/login | wc -l` -lt 1 ]; then
    if [ `grep "UMASK=" /etc/default/login | wc -l` -lt 1 ]; then
        cp /etc/default/login /etc/default/login.orig.21I
        echo "UMASK=027" >> /etc/default/login
        echo "UMASK=027 has been added to /etc/default/login" >> $LOGFILE
        echo "     set UMASK to 027."
    else
        cp /etc/default/login /etc/default/login.21I
        awk '/UMASK=/ { $1 = "UMASK=027" }; { print }' /etc/default/login.21I > /etc/default/login
        chmod 600 /etc/default/login
        chown root:sys /etc/default/login
        echo "UMASK value has been changed to 027 in /etc/default/login" >> $LOGFILE
        echo "     set UMASK to 027."
    fi
else
    echo "UMASK=027 is already set in /etc/default/login" >> $LOGFILE
    echo "     UMASK already set to 027."
fi

echo "" >> $LOGFILE
# /etc/.login is sourced by every csh login, so it must stay world-readable (644)
if [ `grep "^umask 022" /etc/.login | wc -l` -lt 1 ]; then
    if [ `grep "^umask" /etc/.login | wc -l` -lt 1 ]; then
        cp /etc/.login /etc/.login.orig.21I
        echo "umask 022" >> /etc/.login
        echo "umask 022 has been added to /etc/.login" >> $LOGFILE
    else
        cp /etc/.login /etc/.login.21I
        # replace the whole line ($0): assigning to $1 alone would leave the old value behind as a second field
        awk '/^umask/ { $0 = "umask 022" }; { print }' /etc/.login.21I > /etc/.login
        chmod 644 /etc/.login
        chown root:sys /etc/.login
        echo "umask value has been changed to 022 in /etc/.login" >> $LOGFILE
    fi
else
    echo "umask 022 is already set in /etc/.login" >> $LOGFILE
fi

echo "" >> $LOGFILE
if [ `grep "^umask 027" /etc/profile | wc -l` -lt 1 ]; then
    if [ `grep "^umask" /etc/profile | wc -l` -lt 1 ]; then
        cp /etc/profile /etc/profile.orig.21I
        echo "umask 027" >> /etc/profile
        echo "umask 027 has been added to /etc/profile" >> $LOGFILE
    else
        cp /etc/profile /etc/profile.21I
        awk '/^umask/ { $0 = "umask 027" }; { print }' /etc/profile.21I > /etc/profile
        chmod 644 /etc/profile
        chown root:sys /etc/profile
        echo "umask value has been changed to 027 in /etc/profile" >> $LOGFILE
    fi
else
    echo "umask 027 is already set in /etc/profile" >> $LOGFILE
fi

echo "" >> $LOGFILE
if [ `grep "^umask 027" /etc/skel/local.cshrc | wc -l` -lt 1 ]; then
    if [ `grep "^umask" /etc/skel/local.cshrc | wc -l` -lt 1 ]; then
        cp /etc/skel/local.cshrc /etc/skel/local.cshrc.orig.21I
        echo "umask 027" >> /etc/skel/local.cshrc
        echo "umask 027 has been added to /etc/skel/local.cshrc" >> $LOGFILE
    else
        cp /etc/skel/local.cshrc /etc/skel/local.cshrc.21I
        awk '/^umask/ { $0 = "umask 027" }; { print }' /etc/skel/local.cshrc.21I > /etc/skel/local.cshrc
        chmod 644 /etc/skel/local.cshrc
        chown root:sys /etc/skel/local.cshrc
        echo "umask value has been changed to 027 in /etc/skel/local.cshrc" >> $LOGFILE
    fi
else
    echo "umask 027 is already set in /etc/skel/local.cshrc" >> $LOGFILE
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "2.1.J" >> $LOGFILE
echo "" >> $LOGFILE
# single quotes: $PATH must reach the log file literally, not expanded by this script
echo 'This is a manual check. As root, type echo $PATH and make sure . (period) is not set in the path.' >> $LOGFILE
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "2.1.K" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking /etc/ftpd/ftpusers..."
ftpusers=/etc/ftpd/ftpusers
if [ -f $ftpusers ]; then
    echo $ftpusers " already exists" >> $LOGFILE
    echo "     $ftpusers already exists."
else
    for user in adm bin daemon listen lp noaccess sys nobody nobody4 nuucp uucp; do
        echo $user >> $ftpusers
        echo $user " has been added to " $ftpusers >> $LOGFILE
        echo "     $user added to $ftpusers."
    done
    echo $ftpusers " has been created." >> $LOGFILE
    chmod 600 $ftpusers
    chown root:sys $ftpusers
    echo "Permissions for " $ftpusers "have been changed to 600 and ownership changed to root:sys." >> $LOGFILE
fi

echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "2.1.L" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking PAM configuration..."
if [ `grep rhosts_auth /etc/pam.conf | wc -l` -gt 0 ]; then
    mv /etc/pam.conf /etc/pam.conf.old
    grep -v rhosts_auth /etc/pam.conf.old > /etc/pam.conf
    echo "PAM will no longer support rsh and rlogin" >> $LOGFILE
else
    echo "PAM is already configured to not support rsh and rlogin" >> $LOGFILE
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "2.1.M" >> $LOGFILE
echo "" >> $LOGFILE
echo "Disabling messaging..."
for file in /etc/profile /etc/.login; do
    if [ `grep "mesg n" $file | wc -l` -lt 1 ]; then
        if [ `grep "^mesg" $file | wc -l` -lt 1 ]; then
            # no mesg line at all: add one (awk below only rewrites an existing line)
            echo "mesg n" >> $file
        else
            awk '$1 == "mesg" { $2 = "n" }
                 { print }' $file > $file.new
            mv $file.new $file
        fi
        chown root:sys $file
        chmod 444 $file
        echo "mesg n has been added to " $file >> $LOGFILE
    else
        echo "mesg n is already added to " $file >> $LOGFILE
    fi
done
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "2.1.N" >> $LOGFILE
echo "" >> $LOGFILE
echo "Setting max login retries to 3..."
if [ `grep "^RETRIES=3" /etc/default/login | wc -l` -lt 1 ]; then
    if [ `grep "^RETRIES" /etc/default/login | wc -l` -lt 1 ]; then
        cp /etc/default/login /etc/default/login.orig.21N
        echo "RETRIES=3" >> /etc/default/login
        echo "RETRIES=3 has been added to /etc/default/login" >> $LOGFILE
        echo "     added RETRIES to /etc/default/login and set value to 3."
    else
        cp /etc/default/login /etc/default/login.21N
        grep -v "^RETRIES" /etc/default/login > /etc/default/login.temp
        mv /etc/default/login.temp /etc/default/login
        echo "RETRIES=3" >> /etc/default/login
        chmod 600 /etc/default/login
        chown root:sys /etc/default/login
        echo "RETRIES value has been changed to 3 in /etc/default/login" >> $LOGFILE
        echo "     set value for RETRIES to 3 in /etc/default/login."
    fi
else
    echo "RETRIES is already set to 3 in /etc/default/login" >> $LOGFILE
    echo "     RETRIES already set to 3 in /etc/default/login."
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "2.1.O" >> $LOGFILE
echo "" >> $LOGFILE
echo "Setting up account lockout..."
if [ `grep "^LOCK_AFTER_RETRIES=YES" /etc/security/policy.conf | wc -l` -lt 1 ]; then
    if [ `grep "^LOCK_AFTER_RETRIES" /etc/security/policy.conf | wc -l` -lt 1 ]; then
        cp /etc/security/policy.conf /etc/security/policy.conf.orig.21O
        echo "LOCK_AFTER_RETRIES=YES" >> /etc/security/policy.conf
        echo "LOCK_AFTER_RETRIES=YES has been added to /etc/security/policy.conf" >> $LOGFILE
        echo "     added LOCK_AFTER_RETRIES to /etc/security/policy.conf and set value to 'YES'."
    else
        cp /etc/security/policy.conf /etc/security/policy.conf.21O
        grep -v "^LOCK_AFTER_RETRIES" /etc/security/policy.conf > /etc/security/policy.conf.temp
        mv /etc/security/policy.conf.temp /etc/security/policy.conf
        echo "LOCK_AFTER_RETRIES=YES" >> /etc/security/policy.conf
        chmod 644 /etc/security/policy.conf
        chown root:sys /etc/security/policy.conf
        echo "LOCK_AFTER_RETRIES value has been changed to YES in /etc/security/policy.conf" >> $LOGFILE
        echo "     set value for LOCK_AFTER_RETRIES to 'YES' in /etc/security/policy.conf."
    fi
else
    echo "LOCK_AFTER_RETRIES is already set to 'YES' in /etc/security/policy.conf" >> $LOGFILE
    echo "     LOCK_AFTER_RETRIES already set to 'YES' in /etc/security/policy.conf."
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "2.1.P" >> $LOGFILE
echo "" >> $LOGFILE
echo "Setting root's home to /root..."
if [ `grep "Super-User:/root:" /etc/passwd | wc -l` -lt 1 ]; then
    cp /etc/passwd /etc/passwd.orig.21P
    sed 's/Super-User:\/:/Super-User:\/root:/' /etc/passwd > /etc/passwd.temp
    mv /etc/passwd.temp /etc/passwd
    chmod 644 /etc/passwd
    chown root:sys /etc/passwd
    echo "     set root's home to /root."
    mkdir -p /root
    echo "     created /root."
    chown root:root /root
    echo "     set /root ownership to root:root."
    chmod 744 /root
    echo "     set permissions of /root to 744."
    echo " created /root directory and set to root:root rwxr--r--" >> $LOGFILE
else
    echo "     /root already set in /etc/passwd."
    chown root:root /root
    echo "     set /root ownership to root:root."
    chmod 744 /root
    echo "     set permissions of /root to 744."
    echo "Root's home directory already set to /root in /etc/passwd" >> $LOGFILE
    echo "Set /root to root:root and 744" >> $LOGFILE
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "2.2.A" >> $LOGFILE
echo "" >> $LOGFILE
echo "Configuring password requirements..."
if [ `grep "^PASSLENGTH=8" /etc/default/passwd | wc -l` -lt 1 ]; then
    if [ `grep "PASSLENGTH" /etc/default/passwd | wc -l` -lt 1 ]; then
        cp /etc/default/passwd /etc/default/passwd.orig.22A
        echo "PASSLENGTH=8" >> /etc/default/passwd
        echo "PASSLENGTH=8 has been added to /etc/default/passwd" >> $LOGFILE
    else
        cp /etc/default/passwd /etc/default/passwd.22A
        grep -v "^PASSLENGTH" /etc/default/passwd > /etc/default/passwd.temp
        mv /etc/default/passwd.temp /etc/default/passwd
        echo "PASSLENGTH=8" >> /etc/default/passwd
        echo "PASSLENGTH value has been changed to 8 in /etc/default/passwd" >> $LOGFILE
    fi
else
    echo "PASSLENGTH=8 is already set in /etc/default/passwd" >> $LOGFILE
fi

if [ `grep "^MINWEEKS=1" /etc/default/passwd | wc -l` -lt 1 ]; then
    if [ `grep "MINWEEKS" /etc/default/passwd | wc -l` -lt 1 ]; then
        cp /etc/default/passwd /etc/default/passwd.orig.22A
        echo "MINWEEKS=1" >> /etc/default/passwd
        echo "MINWEEKS=1 has been added to /etc/default/passwd" >> $LOGFILE
    else
        cp /etc/default/passwd /etc/default/passwd.22A
        grep -v "^MINWEEKS" /etc/default/passwd > /etc/default/passwd.temp
        mv /etc/default/passwd.temp /etc/default/passwd
        echo "MINWEEKS=1" >> /etc/default/passwd
        echo "MINWEEKS value has been changed to 1 in /etc/default/passwd" >> $LOGFILE
    fi
else
    echo "MINWEEKS=1 is already set in /etc/default/passwd" >> $LOGFILE
fi

if [ `grep "^WARNWEEKS=12" /etc/default/passwd | wc -l` -lt 1 ]; then
    if [ `grep "WARNWEEKS" /etc/default/passwd | wc -l` -lt 1 ]; then
        cp /etc/default/passwd /etc/default/passwd.orig.22A
        echo "WARNWEEKS=12" >> /etc/default/passwd
        echo "WARNWEEKS=12 has been added to /etc/default/passwd" >> $LOGFILE
    else
        cp /etc/default/passwd /etc/default/passwd.22A
        grep -v "^WARNWEEKS" /etc/default/passwd > /etc/default/passwd.temp
        mv /etc/default/passwd.temp /etc/default/passwd
        echo "WARNWEEKS=12" >> /etc/default/passwd
        echo "WARNWEEKS value has been changed to 12 in /etc/default/passwd" >> $LOGFILE
    fi
else
    echo "WARNWEEKS=12 is already set in /etc/default/passwd" >> $LOGFILE
fi

if [ `grep "^MAXWEEKS=13" /etc/default/passwd | wc -l` -lt 1 ]; then
    if [ `grep "MAXWEEKS" /etc/default/passwd | wc -l` -lt 1 ]; then
        cp /etc/default/passwd /etc/default/passwd.orig.22A
        echo "MAXWEEKS=13" >> /etc/default/passwd
        echo "MAXWEEKS=13 has been added to /etc/default/passwd" >> $LOGFILE
    else
        cp /etc/default/passwd /etc/default/passwd.22A
        grep -v "^MAXWEEKS" /etc/default/passwd > /etc/default/passwd.temp
        mv /etc/default/passwd.temp /etc/default/passwd
        echo "MAXWEEKS=13" >> /etc/default/passwd
        echo "MAXWEEKS value has been changed to 13 in /etc/default/passwd" >> $LOGFILE
    fi
else
    echo "MAXWEEKS=13 is already set in /etc/default/passwd" >> $LOGFILE
fi
if [ `grep "^MINALPHA=1" /etc/default/passwd | wc -l` -lt 1 ]; then
    if [ `grep "MINALPHA" /etc/default/passwd | wc -l` -lt 1 ]; then
        cp /etc/default/passwd /etc/default/passwd.orig.22A
        echo "MINALPHA=1" >> /etc/default/passwd
        echo "MINALPHA=1 has been added to /etc/default/passwd" >> $LOGFILE
    else
        cp /etc/default/passwd /etc/default/passwd.22A
        grep -v "^MINALPHA" /etc/default/passwd > /etc/default/passwd.temp
        mv /etc/default/passwd.temp /etc/default/passwd
        echo "MINALPHA=1" >> /etc/default/passwd
        echo "MINALPHA value has been changed to 1 in /etc/default/passwd" >> $LOGFILE
    fi
else
    echo "MINALPHA=1 is already set in /etc/default/passwd" >> $LOGFILE
fi
if [ `grep "^MINDIGIT=1" /etc/default/passwd | wc -l` -lt 1 ]; then
    if [ `grep "MINDIGIT" /etc/default/passwd | wc -l` -lt 1 ]; then
        cp /etc/default/passwd /etc/default/passwd.orig.22A
        echo "MINDIGIT=1" >> /etc/default/passwd
        echo "MINDIGIT=1 has been added to /etc/default/passwd" >> $LOGFILE
    else
        cp /etc/default/passwd /etc/default/passwd.22A
        grep -v "^MINDIGIT" /etc/default/passwd > /etc/default/passwd.temp
        mv /etc/default/passwd.temp /etc/default/passwd
        echo "MINDIGIT=1" >> /etc/default/passwd
        echo "MINDIGIT value has been changed to 1 in /etc/default/passwd" >> $LOGFILE
    fi
else
    echo "MINDIGIT=1 is already set in /etc/default/passwd" >> $LOGFILE
fi
if [ `grep "^MINSPECIAL=1" /etc/default/passwd | wc -l` -lt 1 ]; then
    if [ `grep "MINSPECIAL" /etc/default/passwd | wc -l` -lt 1 ]; then
        cp /etc/default/passwd /etc/default/passwd.orig.22A
        echo "MINSPECIAL=1" >> /etc/default/passwd
        echo "MINSPECIAL=1 has been added to /etc/default/passwd" >> $LOGFILE
    else
        cp /etc/default/passwd /etc/default/passwd.22A
        grep -v "^MINSPECIAL" /etc/default/passwd > /etc/default/passwd.temp
        mv /etc/default/passwd.temp /etc/default/passwd
        echo "MINSPECIAL=1" >> /etc/default/passwd
        echo "MINSPECIAL value has been changed to 1 in /etc/default/passwd" >> $LOGFILE
    fi
else
    echo "MINSPECIAL=1 is already set in /etc/default/passwd" >> $LOGFILE
fi
if [ `grep "^HISTORY=5" /etc/default/passwd | wc -l` -lt 1 ]; then
    if [ `grep "HISTORY" /etc/default/passwd | wc -l` -lt 1 ]; then
        cp /etc/default/passwd /etc/default/passwd.orig.22A
        echo "HISTORY=5" >> /etc/default/passwd
        echo "HISTORY=5 has been added to /etc/default/passwd" >> $LOGFILE
    else
        cp /etc/default/passwd /etc/default/passwd.22A
        grep -v "^HISTORY" /etc/default/passwd > /etc/default/passwd.temp
        mv /etc/default/passwd.temp /etc/default/passwd
        echo "HISTORY=5" >> /etc/default/passwd
        echo "HISTORY value has been changed to 5 in /etc/default/passwd" >> $LOGFILE
    fi
else
    echo "HISTORY=5 already set in /etc/default/passwd" >> $LOGFILE
fi
if [ `grep "^DICTIONLIST=/usr/share/lib/dict/words" /etc/default/passwd | wc -l` -lt 1 ]; then
    if [ `grep "DICTIONLIST" /etc/default/passwd | wc -l` -lt 1 ]; then
        cp /etc/default/passwd /etc/default/passwd.orig.22A
        echo "DICTIONLIST=/usr/share/lib/dict/words" >> /etc/default/passwd
        echo "DICTIONLIST=/usr/share/lib/dict/words has been added to /etc/default/passwd" >> $LOGFILE
    else
        cp /etc/default/passwd /etc/default/passwd.22A
        grep -v "^DICTIONLIST" /etc/default/passwd > /etc/default/passwd.temp
        mv /etc/default/passwd.temp /etc/default/passwd
        echo "DICTIONLIST=/usr/share/lib/dict/words" >> /etc/default/passwd
        echo "DICTIONLIST value has been changed to /usr/share/lib/dict/words in /etc/default/passwd" >> $LOGFILE
    fi
else
    echo "DICTIONLIST=/usr/share/lib/dict/words already set in /etc/default/passwd" >> $LOGFILE
fi
if [ `grep "^DICTIONDBDIR=/var/passwd" /etc/default/passwd | wc -l` -lt 1 ]; then
    if [ `grep "DICTIONDBDIR" /etc/default/passwd | wc -l` -lt 1 ]; then
        cp /etc/default/passwd /etc/default/passwd.orig.22A
        echo "DICTIONDBDIR=/var/passwd" >> /etc/default/passwd
        echo "DICTIONDBDIR=/var/passwd has been added to /etc/default/passwd" >> $LOGFILE
    else
        cp /etc/default/passwd /etc/default/passwd.22A
        grep -v "^DICTIONDBDIR" /etc/default/passwd > /etc/default/passwd.temp
        mv /etc/default/passwd.temp /etc/default/passwd
        echo "DICTIONDBDIR=/var/passwd" >> /etc/default/passwd
        echo "DICTIONDBDIR value has been changed to /var/passwd in /etc/default/passwd" >> $LOGFILE
    fi
else
    echo "DICTIONDBDIR=/var/passwd already set in /etc/default/passwd" >> $LOGFILE
fi
# mkpwdict reads DICTIONLIST and DICTIONDBDIR from /etc/default/passwd, set just above
mkpwdict 1> /dev/null 2> /dev/null
echo "The password dictionary database has been created in /var/passwd using /usr/share/lib/dict/words" >> $LOGFILE
echo "Setting ownership and permissions on passwd files..."
chmod 755 /var/passwd
chown root:sys /var/passwd
chmod 600 /etc/default/passwd
chown root:sys /etc/default/passwd
echo "Permissions have been set on /var/passwd and /etc/default/passwd" >> $LOGFILE
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
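Every block above opens, tests and rewrites a defaults file with its own grep / grep -v / append sequence. The following is an added example, not part of the original script, that folds that sequence into one idempotent helper with a verification step; set_kv and check_kv are names chosen here, the optional SEP argument generalizes it to sshd_config-style "Keyword value" lines, and it assumes a POSIX sh with an awk that accepts -v (on Solaris 10 use /usr/bin/nawk).

```shell
#!/bin/sh
# set_kv FILE KEY VALUE [SEP]  (added example; names chosen here, not the script's)
# Make FILE contain exactly one active line "KEY<SEP>VALUE". SEP defaults to
# "=" (/etc/default/* style); pass " " for sshd_config-style "Keyword value".
#   - an existing active or commented-out KEY line is rewritten in place, so
#     the setting keeps its position; any later duplicate is dropped
#   - if no KEY line exists at all, the setting is appended
#   - the first change to FILE saves a one-time backup, FILE.orig
#   - the temp file is written with ">" (never ">>"), so a temp file left by
#     an interrupted run can never be appended to
#   - the result is written back over FILE (owner, mode and links preserved)
#     and verified: returns 0 only when the file really holds the setting
# KEY is taken as a plain identifier (no regex metacharacters).
# Needs a POSIX sh and an awk with -v (on Solaris 10 use /usr/bin/nawk).

# check_kv FILE KEY VALUE [SEP]: 0 if FILE has exactly one active line equal
# to KEY<SEP>VALUE and no other active or commented-out KEY line, else 1.
check_kv() {
    file=$1 key=$2 value=$3 sep=${4:-=}
    [ -f "$file" ] || return 1
    [ "$(grep -cxF "$key$sep$value" "$file")" -eq 1 ] &&
    [ "$(grep -c "^[#[:space:]]*$key$sep" "$file")" -eq 1 ]
}

set_kv() {
    file=$1 key=$2 value=$3 sep=${4:-=}
    [ -f "$file" ] || { echo "set_kv: $file: no such file" >&2; return 1; }
    check_kv "$file" "$key" "$value" "$sep" && return 0      # nothing to do
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" -v sep="$sep" '
        BEGIN { re = "^[# \t]*" key ((sep == " ") ? "[ \t]+" : sep) }
        $0 ~ re {                                  # active or commented KEY line
            if (!done) { print key sep value; done = 1 }   # first one: rewrite in place
            next                                   # any later one: drop as a duplicate
        }
        { print }
        END { if (!done) print key sep value }     # no KEY line at all: append
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"
    check_kv "$file" "$key" "$value" "$sep"
}

# Demonstration on constructed files in a scratch directory (sh set_kv.sh --demo)
demo() {
    d=$(mktemp -d) || return 1
    printf '#ident "@(#)login"\nPASSREQ=YES\n#RETRIES=5\nSYSLOG=YES\n' > "$d/login"
    set_kv "$d/login" RETRIES 3            # line 3 becomes RETRIES=3
    set_kv "$d/login" SLEEPTIME 4          # no such line: appended
    set_kv "$d/login" RETRIES 3            # already right: no change, no second copy
    printf 'Port 22\n#PermitRootLogin yes\nPermitRootLogin yes\n' > "$d/sshd_config"
    set_kv "$d/sshd_config" PermitRootLogin no " "   # rewritten once, duplicate dropped
    cat "$d/login" "$d/sshd_config"
    rm -rf "$d"
}
if [ "${1-}" = "--demo" ]; then demo; fi
```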
echo "2.2.B" >> $LOGFILE
echo "" >> $LOGFILE
echo "Building upd_accounts..."
# This command searches for all valid accounts except for root, audit or those that are locked.
# It then compares the min, max and warn values of each valid account and if it is different than
# the password policy, it builds a command to correct it.  The command is kept in /tmp/upd_accounts.
# Once the entire passwd file has been looked at, the commands are run to correct the password settings.
# "cmd" is an awk variable; written as "$cmd" it would mean field $0 and clobber the record.
# /tmp/upd_accounts is a predictable path in a world-writable directory that root then executes;
# a mktemp(1) name is safer where one is available.
logins -ox | awk -F: '($1 == "root" || $1 == "audit" || $8 == "LK") { next }
    { cmd = "passwd" }
    ($11 <= 0 || $11 > 91) { cmd = cmd " -x 91" }
    ($10 < 7) { cmd = cmd " -n 7" }
    ($12 < 7) { cmd = cmd " -w 7" }
    (cmd != "passwd") { print cmd " " $1 }' > /tmp/upd_accounts
/sbin/sh /tmp/upd_accounts
echo "The following password settings for the accounts were corrected" >> $LOGFILE
cat /tmp/upd_accounts >> $LOGFILE
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
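As an added example, not part of the original script, the 2.2.B ageing check as a function that reads logins -ox records from standard input and prints the passwd commands it would run, applied to a constructed sample; plan_passwd_aging and SAMPLE_LOGINS are names chosen here, and the max/min/warn thresholds are arguments so the 91/7/7 policy can be varied.

```shell
#!/bin/sh
# plan_passwd_aging [MAX [MIN [WARN]]]  (added example; names chosen here)
# Reads "logins -ox" records on stdin and prints, without running them, the
# passwd(1) commands needed to bring each account up to the ageing policy.
# Thresholds default to the 91/7/7 days used in 2.2.B. "logins -ox" fields:
#   $1 login, $8 password status (PS, LK, NL, NP, ...),
#   $10 min days, $11 max days, $12 warn days; -1 means "not set".
# Needs an awk with -v (on Solaris 10 use /usr/bin/nawk).
plan_passwd_aging() {
    awk -F: -v max="${1:-91}" -v min="${2:-7}" -v warn="${3:-7}" '
        # root, audit and locked (LK) accounts are left alone
        $1 == "root" || $1 == "audit" || $8 == "LK" { next }
        {
            cmd = "passwd"          # an awk variable: "$cmd" would mean field $0
            if ($11 <= 0 || $11 > max) cmd = cmd " -x " max   # no or too long max age
            if ($10 < min)             cmd = cmd " -n " min   # min age too short
            if ($12 < warn)            cmd = cmd " -w " warn  # warning period too short
            if (cmd != "passwd")       print cmd " " $1
        }'
}

# Constructed sample of "logins -ox" output, not taken from a real system
SAMPLE_LOGINS='root:0:root:0:Super-User:/root:/sbin/sh:PS:040105:-1:-1:-1
jdoe:1001:staff:10:John Doe:/export/home/jdoe:/bin/ksh:PS:040105:0:-1:-1
asmith:1002:staff:10:Anne Smith:/export/home/asmith:/bin/ksh:PS:040105:7:91:7
oldsvc:1003:other:1:Old service:/export/home/oldsvc:/bin/sh:LK:040105:0:-1:-1
backup:1004:other:1:Backup:/export/home/backup:/bin/sh:PS:040105:14:120:14'

# Print the plan for the sample; review it before piping anything to sh.
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOGINS" | plan_passwd_aging 91 7 7
fi
```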
echo ""
echo "Hardening General Services"
echo "-------------------------------------------"
echo "3.1.A" >> $LOGFILE
echo "" >> $LOGFILE
# Build an awk program that keeps comment lines and the NetBackup services
# (bpcd vnetd vopied bpjava-msvc) and comments out every other inetd.conf entry
F=/var/tmp/$$.1
rm -f $F
echo '/^#/ { print $0; next; }' >> $F
for i in bpcd vnetd vopied bpjava-msvc; do
    T=`echo $i | sed -e 's/\//\\\\\//g'`
    echo "/^$T[ \\t]/ { print \$0; next; }" >> $F
done
echo "Everything except for bpcd vnetd vopied bpjava-msvc has been commented out in /etc/inet/inetd.conf" >> $LOGFILE
echo ' { print "# " $0; }' >> $F
awk -f $F /etc/inet/inetd.conf > $F.out
cp /etc/inet/inetd.conf /etc/inet/inetd.conf.31A
cp $F.out /etc/inet/inetd.conf
echo "Disabling unnecessary inetd services..."
for service in network/rpc/gss:default network/rpc/mdcomm:default network/rpc/meta:default \
    network/rpc/metamed:default network/rpc/metamh:default network/rpc/rstat:default \
    network/rpc/rusers:default network/rpc-100235_1/rpc_ticotsord:default \
    network/rpc-100083_1/rpc_tcp:default network/rpc-100068_2-5/rpc_udp:default \
    network/rpc/smserver:default network/security/ktkt_warn:default network/nfs/rquota:default \
    network/finger:default network/login:rlogin network/shell:default application/x11/xfs:default \
    application/print/rfc1179:default application/font/stfsloader:default; do
    inetadm -d $service
    echo $service "Disabled" >> $LOGFILE
    echo "     $service disabled."
done
echo "All extraneous inetd services disabled" >> $LOGFILE
#cat $F.out >> $LOGFILE
#rm -f $F.out
chown root:sys /etc/inet/inetd.conf
chmod 444 /etc/inet/inetd.conf
inetconv
echo "Converted services in /etc/inet/inetd.conf to SMF services" >> $LOGFILE
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "3.1.B" >> $LOGFILE
echo "" >> $LOGFILE
echo "Enabling TCP Tracing..."
inetadm -M tcp_trace=true
echo "Enabled TCP Tracing using inetadm" >> $LOGFILE
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "3.2.A" >> $LOGFILE
echo "" >> $LOGFILE
echo "Disabling unnecessary RC scripts..."
#cd /etc/rc3.d
for file in S77dmi S50apache S76snmpdx S34dhcp S80mipagent S16boot.server S81volmgt S84appserv \
    S52imq S90samba S13kdc.master; do
    if [ -f /etc/rc3.d/$file ]; then
        mv /etc/rc3.d/$file /etc/rc3.d/off$file
        chmod 000 /etc/rc3.d/off$file
        echo "/etc/rc3.d/"$file " has been moved to /etc/rc3.d/off"$file >> $LOGFILE
        echo "     $file disabled for run-level 3."
    else
        echo "/etc/rc3.d/"$file " does not exist. No further action is necessary" >> $LOGFILE
    fi
done
for file in S72directory S40llc2 S47asppp S47pppd S70uucp S70sckm S71ldap.client S71sysid.sys \
    S72autoinstall S72slpd S73cachefs.daemon S74autofs S75flashprom S80lp S80PRESERVE S80spc \
    S85power S89bdconfig S90wbem S91afbinit S91ifbinit S92volmgt S93cacheos.finish S94ncalogd \
    S95ncad; do
    if [ -f /etc/rc2.d/$file ]; then
        mv /etc/rc2.d/$file /etc/rc2.d/off$file
        chmod 000 /etc/rc2.d/off$file
        echo "/etc/rc2.d/"$file " has been moved to /etc/rc2.d/off"$file >> $LOGFILE
        echo "     $file disabled for run-level 2."
    else
        echo "/etc/rc2.d/"$file " does not exist. No further action is necessary" >> $LOGFILE
    fi
done
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "3.2.B" >> $LOGFILE
echo "" >> $LOGFILE
echo "Creating umask.sh run control scripts..."
if [ -f /etc/init.d/umask.sh ]; then
    echo "/etc/init.d/umask.sh already exists" >> $LOGFILE
else
    echo "umask 022" >> /etc/init.d/umask.sh
    echo "/etc/init.d/umask.sh has been created" >> $LOGFILE
    chmod 744 /etc/init.d/umask.sh
    chown root:sys /etc/init.d/umask.sh
    echo "Permissions for /etc/init.d/umask.sh have been changed to 744 and ownership changed to root:sys." >> $LOGFILE
fi

for d in /etc/rc?.d; do
    if [ -f $d/S00umask.sh ]; then
        echo $d"/S00umask.sh already exists" >> $LOGFILE
    else
        ln /etc/init.d/umask.sh $d/S00umask.sh
        echo $d"/S00umask.sh link has been created." >> $LOGFILE
    fi
done
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "3.2.C" >> $LOGFILE
echo "" >> $LOGFILE
echo "Ensuring files in /var/tmp are deleted at reboot..."
# Updated section to only replace the first exit from the service script
# (line 37 is assumed to be that early exit in the stock rmtmpfiles method; check it before relying on this)
if [ `grep "^exit" /lib/svc/method/rmtmpfiles | wc -l` -gt 1 ]; then
    sed -e '37,37s/^exit/#exit/' /lib/svc/method/rmtmpfiles > /lib/svc/method/rmtmpfiles.32c
    cp /lib/svc/method/rmtmpfiles.32c /lib/svc/method/rmtmpfiles
    # All /lib/svc/method files should be root:bin and 555 in Solaris 10
    chown root:bin /lib/svc/method/rmtmpfiles
    chmod 555 /lib/svc/method/rmtmpfiles
    echo "/lib/svc/method/rmtmpfiles has been updated to remove all files in /var/tmp upon reboot" >> $LOGFILE
else
    echo "/lib/svc/method/rmtmpfiles is already configured to remove all files in /var/tmp upon reboot" >> $LOGFILE
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "3.3.A" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking for hosts.deny/allow files..."
if [ ! -f /etc/hosts.deny ]; then
    echo "ALL: ALL " > /etc/hosts.deny
    echo "/etc/hosts.deny has been created" >> $LOGFILE
    echo "     created hosts.deny."
else
    echo "/etc/hosts.deny already exists" >> $LOGFILE
    echo "     hosts.deny already exists."
fi

if [ ! -f /etc/hosts.allow ]; then
    echo "     creating hosts.allow."
    echo "sshd:ALL " > /etc/hosts.allow
    echo "bpcd,vnetd,vopied,bpjava-msvc: apsrv03a, fdawfin01" >> /etc/hosts.allow
    echo "    added sshd, bpcd, vnetd, vopied and bpjava-msvc entries to hosts.allow."
    echo "/etc/hosts.allow has been created" >> $LOGFILE
else
    echo "/etc/hosts.allow already exists" >> $LOGFILE
fi
echo "Enabling TCP Wrappers..."
inetadm -M tcp_wrappers=true
echo "Enabled TCP Wrappers using inetadm." >> $LOGFILE

echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo ""
echo "Hardening Commonly Exploited Services"
echo "-------------------------------------------"
echo "4.1.A" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking noexec_user_stack values..."
if [ "`zonename`" = "global" ]; then
    if [ `grep "set noexec_user_stack=1" /etc/system | wc -l` -lt 1 ]; then
        echo "set noexec_user_stack=1" >> /etc/system
        echo "set noexec_user_stack=1 has been added to /etc/system. This change requires a reboot." >> $LOGFILE
        echo "     set noexec_user_stack to 1."
    else
        echo "set noexec_user_stack=1 is already set in /etc/system." >> $LOGFILE
        echo "     noexec_user_stack already set to 1."
    fi

    if [ `grep "set noexec_user_stack_log=1" /etc/system | wc -l` -lt 1 ]; then
        echo "set noexec_user_stack_log=1" >> /etc/system
        echo "set noexec_user_stack_log=1 has been added to /etc/system. This change requires a reboot." >> $LOGFILE
        echo "     set noexec_user_stack_log to 1."
    else
        echo "set noexec_user_stack_log=1 is already set in /etc/system." >> $LOGFILE
        echo "     noexec_user_stack_log already set to 1."
    fi
else
    echo "     aborting because this is NOT the global zone."
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "4.2.A" >> $LOGFILE
echo "" >> $LOGFILE
echo "Hardening sendmail configuration..."
#MODE="-bd -ODaemonPortOptions=Addr=localhost"
if [ `grep 'MODE="-bd"' /lib/svc/method/smtp-sendmail | wc -l` -gt 0 ]; then
    cp /lib/svc/method/smtp-sendmail /lib/svc/method/smtp-sendmail.bak
    sed 's/MODE="-bd"/MODE=""/' /lib/svc/method/smtp-sendmail > /lib/svc/method/smtp-sendmail.new
    mv /lib/svc/method/smtp-sendmail.new /lib/svc/method/smtp-sendmail
    chown root:bin /lib/svc/method/smtp-sendmail
    chmod 555 /lib/svc/method/smtp-sendmail
    echo "MODE=-bd has been changed to MODE= in /lib/svc/method/smtp-sendmail and the server will no longer be able to receive mail." >> $LOGFILE
    echo "     set MODE to '' in /lib/svc/method/smtp-sendmail."
else
    echo "MODE= is already set in /lib/svc/method/smtp-sendmail" >> $LOGFILE
    echo "     MODE already set to '' in /lib/svc/method/smtp-sendmail."
fi

if [ ! -f /etc/default/sendmail ]; then
    echo "     creating /etc/default/sendmail."
    touch /etc/default/sendmail
    echo "MODE=" >> /etc/default/sendmail
    echo "     added MODE to /etc/default/sendmail."
    echo 'QUEUEINTERVAL="15m"' >> /etc/default/sendmail
    echo "     added QUEUEINTERVAL to /etc/default/sendmail."
    chown root:sys /etc/default/sendmail
    chmod 644 /etc/default/sendmail

else
    # a grep count is never below zero, so the "missing" test has to be "-lt 1"
    if [ `grep "MODE=" /etc/default/sendmail | wc -l` -lt 1 ]; then
        echo "MODE=" >> /etc/default/sendmail
        echo "MODE= has been added to /etc/default/sendmail and the server will no longer be able to receive mail." >> $LOGFILE
        echo "     set MODE in /etc/default/sendmail."
    else
        echo "MODE= is already set in /etc/default/sendmail" >> $LOGFILE
        echo "     MODE already set in /etc/default/sendmail."
    fi
    if [ `grep "QUEUEINTERVAL=" /etc/default/sendmail | wc -l` -lt 1 ]; then
        echo 'QUEUEINTERVAL="15m"' >> /etc/default/sendmail
        echo "QUEUEINTERVAL=15m has been added in /etc/default/sendmail." >> $LOGFILE
        echo "     set QUEUEINTERVAL in /etc/default/sendmail."
    else
        echo "QUEUEINTERVAL=15m is already set in /etc/default/sendmail." >> $LOGFILE
        echo "     QUEUEINTERVAL already set in /etc/default/sendmail."
    fi
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "4.2.B" >> $LOGFILE
echo "" >> $LOGFILE
# The stock greeting "$j Sendmail $v/$Z; $b" announces the sendmail version
# in the SMTP banner; reduce it to "$j $b". Single quotes keep the shell from
# expanding $j and $v before grep sees them. If sendmail.cf is ever
# regenerated from /etc/mail/cf, set confSMTP_LOGIN_MSG in the .mc file too.
if [ `grep 'O SmtpGreetingMessage=$j' /etc/mail/sendmail.cf | grep Sendmail | wc -l` -lt 1 ]; then
    echo "SmtpGreetingMessage is already set in /etc/mail/sendmail.cf to hide the Sendmail version" >> $LOGFILE
    echo "     SmtpGreetingMessage already set in /etc/mail/sendmail.cf."
else
    [ -f /etc/mail/sendmail.cf.bak ] || cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.bak
    sed 's/SmtpGreetingMessage=$j Sendmail $v\/$Z; $b/SmtpGreetingMessage=$j $b/' /etc/mail/sendmail.cf > /etc/mail/sendmail.cf.new
    cp /etc/mail/sendmail.cf.new /etc/mail/sendmail.cf
    rm -f /etc/mail/sendmail.cf.new
    chmod 444 /etc/mail/sendmail.cf
    chown root:sys /etc/mail/sendmail.cf
    echo "SmtpGreetingMessage has been updated in /etc/mail/sendmail.cf to hide the Sendmail Version" >> $LOGFILE
    echo "     set SmtpGreetingMessage in /etc/mail/sendmail.cf."
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "4.2.C" >> $LOGFILE
echo "" >> $LOGFILE
# goaway disables VRFY/EXPN and VERB and requires HELO before commands are
# accepted; novrfy and noexpn are repeated so that a line set by hand still
# matches the check below. The ^O anchor keeps the awk rule off comment
# lines that merely mention PrivacyOptions. (confPRIVACY_FLAGS in the .mc
# file if sendmail.cf is regenerated.)
if [ `grep "PrivacyOptions=goaway,novrfy,noexpn" /etc/mail/sendmail.cf | wc -l` -lt 1 ]; then
    [ -f /etc/mail/sendmail.cf.bak ] || cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.bak
    awk '/^O PrivacyOptions=/ { $2 = "PrivacyOptions=goaway,novrfy,noexpn" }; { print }' /etc/mail/sendmail.cf > /etc/mail/sendmail.cf.new
    mv /etc/mail/sendmail.cf.new /etc/mail/sendmail.cf
    chmod 444 /etc/mail/sendmail.cf
    chown root:sys /etc/mail/sendmail.cf
    echo "/etc/mail/sendmail.cf has been updated with PrivacyOptions=goaway,novrfy,noexpn" >> $LOGFILE
    echo "     set PrivacyOptions in /etc/mail/sendmail.cf."
else
    echo "/etc/mail/sendmail.cf is already configured with PrivacyOptions=goaway,novrfy,noexpn" >> $LOGFILE
    echo "     PrivacyOptions already set in /etc/mail/sendmail.cf."
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "4.2.D" >> $LOGFILE
echo "" >> $LOGFILE
# Mprog is the mailer that runs "|program" recipients from aliases and
# .forward files through P=/bin/sh; pointing P= at /bin/false makes every
# such delivery fail instead of executing a command.
if [ `grep "P=/bin/sh" /etc/mail/sendmail.cf | wc -l` -lt 1 ]; then
    echo "/etc/mail/sendmail.cf is already configured with /bin/false as a shell for Mprog" >> $LOGFILE
    echo "     Mprog's shell is already /bin/false in /etc/mail/sendmail.cf."
else
    [ -f /etc/mail/sendmail.cf.bak ] || cp -p /etc/mail/sendmail.cf /etc/mail/sendmail.cf.bak
    sed 's/P=\/bin\/sh/P=\/bin\/false/' /etc/mail/sendmail.cf > /etc/mail/sendmail.cf.new
    mv /etc/mail/sendmail.cf.new /etc/mail/sendmail.cf
    chmod 444 /etc/mail/sendmail.cf
    chown root:sys /etc/mail/sendmail.cf
    echo "/etc/mail/sendmail.cf has been configured with /bin/false as a shell for Mprog" >> $LOGFILE
    echo "     set Mprog's shell to /bin/false in /etc/mail/sendmail.cf."
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "4.5.B" >> $LOGFILE
echo "" >> $LOGFILE
echo "Hardening nfs configuration..."
# nfs_portmon=1 makes the NFS server reject requests that do not come from a
# privileged (<1024) source port. /etc/system is read at boot, so the reboot
# at the end of this script is needed, and it can only be set from the
# global zone.
if [ "`zonename`" = "global" ]; then
    if [ `grep "set nfssrv:nfs_portmon = 1" /etc/system | wc -l` -ge 1 ]; then
        echo "/etc/system already contains set nfssrv:nfs_portmon = 1" >> $LOGFILE
        echo "     nfssrv:nfs_portmon already set to 1 in /etc/system."
    else
        cp -p /etc/system /etc/system.45B
        echo "set nfssrv:nfs_portmon = 1" >> /etc/system
        echo "/etc/system has been updated with set nfssrv:nfs_portmon = 1" >> $LOGFILE
        echo "     set nfssrv:nfs_portmon to 1 in /etc/system."
    fi
else
    echo "     aborting because this is NOT the global zone."
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
# 4.6.A is left disabled: Solaris 10 manages core dumps with coreadm(1M)
# (for example "coreadm -d global -d process") rather than sys:coredumpsize.
#echo "" >> $LOGFILE
#echo "4.6.A" >> $LOGFILE
#echo "" >> $LOGFILE
#echo "Checking core dump size..."
#if [ "`zonename`" = "global" ]; then
#   if [ `grep "set sys:coredumpsize = 0" /etc/system | wc -l` -ge 1 ]; then
#        echo "set sys:coredumpsize = 0 is already set /etc/system" >> $LOGFILE
#        echo "     core dump size already 0."
#   else
#        echo "set sys:coredumpsize = 0" >> /etc/system
#        echo "set sys:coredumpsize = 0 has been added to /etc/system" >> $LOGFILE
#        echo "     set core dump size to 0."
#   fi
#else
#   echo "     aborting because this is NOT the global zone."
#fi
#echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "4.6.B" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking TCP_STRONG_ISS value in /etc/default/inetinit..."
# 2 = RFC 1948 style initial sequence numbers (hash of the connection tuple
# and a secret), which defeats ISN prediction. The file is read at boot; to
# apply it now in the global zone: ndd -set /dev/tcp tcp_strong_iss 2
if [ `grep "^TCP_STRONG_ISS=2" /etc/default/inetinit | wc -l` -lt 1 ]; then
    if [ `grep "^TCP_STRONG_ISS=" /etc/default/inetinit | wc -l` -lt 1 ]; then
        cp -p /etc/default/inetinit /etc/default/inetinit.orig.46B
        echo "TCP_STRONG_ISS=2" >> /etc/default/inetinit
        echo "TCP_STRONG_ISS=2 has been added to /etc/default/inetinit" >> $LOGFILE
        echo "     added TCP_STRONG_ISS to /etc/default/inetinit and set value to 2."
    else
        cp -p /etc/default/inetinit /etc/default/inetinit.46B
        # Drop only the active setting; the commented documentation stays.
        sed '/^TCP_STRONG_ISS=/d' /etc/default/inetinit.46B > /etc/default/inetinit
        echo "TCP_STRONG_ISS=2" >> /etc/default/inetinit
        chmod 600 /etc/default/inetinit
        chown root:sys /etc/default/inetinit
        echo "TCP_STRONG_ISS value has been changed to 2 in /etc/default/inetinit" >> $LOGFILE
        echo "     set TCP_STRONG_ISS value to 2 in /etc/default/inetinit."
    fi
else
    echo "TCP_STRONG_ISS=2 is already set in /etc/default/inetinit" >> $LOGFILE
    echo "     TCP_STRONG_ISS already set to 2 in /etc/default/inetinit."
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "4.6.C" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking LOG_FROM_REMOTE value for syslog..."
# LOG_FROM_REMOTE=NO stops syslogd listening on UDP 514, so other hosts can
# neither flood nor spoof entries into the local logs.
if [ `grep "^LOG_FROM_REMOTE=NO" /etc/default/syslogd | wc -l` -lt 1 ]; then
    if [ `grep "^LOG_FROM_REMOTE=" /etc/default/syslogd | wc -l` -lt 1 ]; then
        cp -p /etc/default/syslogd /etc/default/syslogd.orig.46C
        echo "LOG_FROM_REMOTE=NO" >> /etc/default/syslogd
        echo "LOG_FROM_REMOTE=NO has been added to /etc/default/syslogd" >> $LOGFILE
        echo "     added LOG_FROM_REMOTE to /etc/default/syslogd and set value to 'NO'."
    else
        cp -p /etc/default/syslogd /etc/default/syslogd.46C
        # Rewrite only the active line; comment lines are left alone.
        sed 's/^LOG_FROM_REMOTE=.*/LOG_FROM_REMOTE=NO/' /etc/default/syslogd.46C > /etc/default/syslogd
        chmod 444 /etc/default/syslogd
        chown root:sys /etc/default/syslogd
        echo "LOG_FROM_REMOTE value has been changed to NO in /etc/default/syslogd" >> $LOGFILE
        echo "     set LOG_FROM_REMOTE value to 'NO' in /etc/default/syslogd."
    fi
    # syslogd reads the file only at start-up.
    svcadm restart svc:/system/system-log:default
else
    echo "LOG_FROM_REMOTE=NO is already set in /etc/default/syslogd" >> $LOGFILE
    echo "     LOG_FROM_REMOTE already set in /etc/default/syslogd."
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "4.6.D" >> $LOGFILE
echo "" >> $LOGFILE
echo "Creating /etc/dt/config/Xaccess..."
# XDMCP access list for dtlogin: hosts in fda.gov may request a login
# screen, every other host is refused, and the chooser never answers
# broadcast queries. An existing file is backed up before it is replaced.
mkdir -p /etc/dt/config
[ -f /etc/dt/config/Xaccess ] && cp -p /etc/dt/config/Xaccess /etc/dt/config/Xaccess.46D
cat <<EOXaccess > /etc/dt/config/Xaccess
*.fda.gov
!*
!* CHOOSER BROADCAST
EOXaccess
chown root:sys /etc/dt/config/Xaccess
chmod 755 /etc/dt/config
chmod 644 /etc/dt/config/Xaccess
echo "/etc/dt/config/Xaccess has been written (fda.gov only, no broadcast chooser)" >> $LOGFILE
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "5.1.A" >> $LOGFILE
echo "" >> $LOGFILE
echo ""
echo "Critical File Permissions/Ownership"
echo "------------------------------------------"
echo "Checking critical configuration file permissions in /etc..."
# /etc/passwd and /etc/group must stay world-readable: every unprivileged
# process resolves user and group names through them, and 600 breaks ls -l,
# id, sshd's privilege-separated child and most daemons. They get 644. The
# remaining files are only read by root-owned programs and get 600.
for file in /etc/passwd /etc/group; do
    if [ `ls -l $file | grep 'rw-r--r--' | wc -l` -lt 1 ]; then
        chmod 644 $file
        echo "Permission for " $file " has been changed to 644" >> $LOGFILE
        echo "     set $file permissions to 644."
    else
        echo "Permission for " $file " is already 644" >> $LOGFILE
        echo "     $file permissions already 644."
    fi
done
for file in /etc/syslog.conf /etc/default/cron /etc/default/init /etc/default/login /etc/default/passwd /etc/default/su /etc/default/inetinit /etc/ftpd/ftpusers /etc/ssh/sshd_config; do
    [ -f $file ] || continue
    if [ `ls -l $file | grep 'rw-------' | wc -l` -lt 1 ]; then
        chmod 600 $file
        echo "Permission for " $file " has been changed to 600" >> $LOGFILE
        echo "     set $file permissions to 600."
    else
        echo "Permission for " $file " is already 600" >> $LOGFILE
        echo "     $file permissions already 600."
    fi
done
echo "" >> $LOGFILE
echo "Checking critical configuration file ownership in /etc..."
for file in /etc/passwd /etc/group /etc/syslog.conf /etc/default/cron /etc/default/init /etc/default/login /etc/default/passwd /etc/default/su /etc/default/inetinit /etc/ssh/sshd_config /etc/ftpd/ftpusers; do
    [ -f $file ] || continue
    if [ "`ls -l $file | awk '{ print $3,$4 }'`" != "root sys" ]; then
        chown root:sys $file
        echo $file "has been changed so root is owner and sys is the group owner" >> $LOGFILE
        echo "     set $file owner:group to root:sys."
    else
        echo $file "is already owned by root:sys." >> $LOGFILE
        echo "     $file ownership already root:sys."
    fi
done
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "5.1.B" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking permissions on /etc/shadow..."
if [ `ls -l /etc/shadow | grep 'r--------' | wc -l` -lt 1 ]; then
    chmod 400 /etc/shadow
    echo "Permission for /etc/shadow has been changed to 400" >> $LOGFILE
    echo "     set /etc/shadow permissions to 400."
else
    echo "Permission for /etc/shadow is already 400" >> $LOGFILE
    echo "     /etc/shadow permissions already 400."
fi
echo "Checking ownership of /etc/shadow..."
if [ "`ls -l /etc/shadow | awk '{ print $3,$4 }'`" != "root sys" ]; then
    chown root:sys /etc/shadow
    echo "Ownership for /etc/shadow has been changed to root:sys" >> $LOGFILE
    echo "     set owner of /etc/shadow to root:sys."
else
    echo "Ownership for /etc/shadow is already root:sys" >> $LOGFILE
    echo "     /etc/shadow ownership already root:sys."
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "5.1.C" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking critical directory permissions..."
# /bin (and on some installs /sbin) is a symbolic link into /usr; links are
# skipped and only the real directories have group/other write removed.
for dir in /bin /etc /sbin /usr /usr/bin /usr/sbin; do
    if [ `ls -ld $dir | grep "^l" | wc -l` -gt 0 ]; then
        echo $dir "is a link" >> $LOGFILE
    else
        if [ `ls -ld $dir | grep "drwxr-xr-x" | wc -l` -gt 0 ]; then
            echo $dir "has correct permissions" >> $LOGFILE
            echo "     $dir permissions already set to 755."
        else
            chmod g-w $dir
            chmod o-w $dir
            echo $dir "permissions have been corrected" >> $LOGFILE
            echo "     removed group/other write from $dir."
        fi
    fi
done
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "5.1.D" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking banner file permissions..."
# Banner files are read by the services that display them, so they are made
# read-only for everyone (444); the log messages now match the chmod.
for file in /etc/issue /etc/default/telnetd /etc/default/ftp /etc/ftpd/banner.msg; do
    [ -f $file ] || continue
    if [ `ls -l $file | grep 'r--r--r--' | wc -l` -lt 1 ]; then
        chmod 444 $file
        echo "Permission for " $file " has been changed to 444" >> $LOGFILE
        echo "     set $file permissions to 444."
    else
        echo "Permission for " $file " is already 444" >> $LOGFILE
        echo "     $file permissions already set to 444."
    fi
done
echo "" >> $LOGFILE
echo "Checking banner file ownership..."
for file in /etc/issue /etc/default/telnetd /etc/default/ftp /etc/ftpd/banner.msg; do
    [ -f $file ] || continue
    if [ "`ls -l $file | awk '{ print $3,$4 }'`" != "root sys" ]; then
        chown root:sys $file
        echo $file "has been changed so root is owner and sys is the group owner" >> $LOGFILE
        echo "     set owner of $file to root:sys."
    else
        echo $file "already has correct ownership" >> $LOGFILE
        echo "     $file ownership already root:sys."
    fi
done
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "5.1.E" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking permissions on /usr/bin/admintool..."
# admintool is not present on every Solaris 10 install; only act if it is.
# Test the mode field itself rather than grepping for an "x" anywhere in
# the ls output.
if [ -f /usr/bin/admintool ]; then
    if [ `ls -l /usr/bin/admintool | grep '^----------' | wc -l` -lt 1 ]; then
        chmod 000 /usr/bin/admintool
        echo "Permission for /usr/bin/admintool has been changed to 000" >> $LOGFILE
        echo "     set /usr/bin/admintool permissions to 000."
    else
        echo "Permission for /usr/bin/admintool is already 000" >> $LOGFILE
        echo "     /usr/bin/admintool permissions already 000."
    fi
else
    echo "/usr/bin/admintool is not installed" >> $LOGFILE
    echo "     /usr/bin/admintool not present."
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "6.1.A" >> $LOGFILE
echo "" >> $LOGFILE
echo ""
echo "Network Settings"
echo "------------------------------------------"
echo "Checking for /etc/init.d/netconfig..."
# ndd settings do not survive a reboot, so they are applied from an rc2
# script at every boot. They can only be set in the global zone (or an
# exclusive-IP zone); in a shared-IP non-global zone ndd -set fails.
if [ -f /etc/init.d/netconfig ]; then
    echo "/etc/init.d/netconfig already exists" >> $LOGFILE
    echo "     /etc/init.d/netconfig already exists."
else
    echo "     creating /etc/init.d/netconfig."
    cat << END_NDD > /etc/init.d/netconfig
#!/sbin/sh
# IP stack hardening, applied at boot from /etc/rc2.d/S70netconfig
ndd -set /dev/ip ip_forwarding 0                        # never forward between interfaces
ndd -set /dev/ip ip_strict_dst_multihoming 1            # drop packets for addresses not on the receiving interface
ndd -set /dev/ip ip_forward_directed_broadcasts 0       # no smurf amplification
ndd -set /dev/ip ip_forward_src_routed 0                # do not forward source-routed packets
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0    # ignore broadcast ICMP timestamp requests
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0 # ignore broadcast ICMP address-mask requests
ndd -set /dev/ip ip_ignore_redirect 1                   # ignore ICMP redirects (route-table poisoning)
ndd -set /dev/ip ip_send_redirects 0                    # never send ICMP redirects
ndd -set /dev/ip ip_respond_to_timestamp 0              # ignore unicast ICMP timestamp requests
END_NDD
    chown root:sys /etc/init.d/netconfig
    chmod 744 /etc/init.d/netconfig
    ln -s /etc/init.d/netconfig /etc/rc2.d/S70netconfig
    echo "/etc/init.d/netconfig has been created with proper and secure NDD settings." >> $LOGFILE
    echo "The file is owned by root:sys and has permissions of 744" >> $LOGFILE
    echo "A link has been created /etc/rc2.d/S70netconfig that points to /etc/init.d/netconfig." >> $LOGFILE
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "6.1.B" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking for /etc/notrouter..."
# /etc/notrouter tells the boot scripts never to enable IP forwarding or start
# routing daemons, even on a multi-homed host.
if [ -f /etc/notrouter ]; then
    echo "/etc/notrouter already exists on this system" >> $LOGFILE
    echo "     /etc/notrouter already exists."
else
    touch /etc/notrouter
    chmod 400 /etc/notrouter
    chown root:root /etc/notrouter
    echo "/etc/notrouter has been created with permissions of 400 and ownership of root:root" >> $LOGFILE
    echo "     created /etc/notrouter."
fi
# routeadm(1M) is the supported interface on Solaris 10 and applies the
# change immediately (global zone only).
if [ "`zonename`" = "global" ]; then
    routeadm -d ipv4-forwarding -d ipv4-routing -u
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "7.1.A" >> $LOGFILE
echo "" >> $LOGFILE
echo ""
echo "Logging and Log File Permissions"
echo "------------------------------------------"
echo "Checking permissions for /var/adm/loginlog..."
# login(1) records repeated failed logins in /var/adm/loginlog only if the
# file exists; SYSLOG_FAILED_LOGINS=0 additionally sends every failed attempt
# to syslog instead of waiting for five in a row.
if [ -f /var/adm/loginlog ]; then
    echo "/var/adm/loginlog already exists" >> $LOGFILE
    if [ `ls -l /var/adm/loginlog | grep 'rw-------' | wc -l` -lt 1 ]; then
        chmod 600 /var/adm/loginlog
        echo "Permission for /var/adm/loginlog has been changed to 600" >> $LOGFILE
        echo "     set /var/adm/loginlog permissions to 600."
    else
        echo "Permission for /var/adm/loginlog is already 600" >> $LOGFILE
        echo "     /var/adm/loginlog permissions already 600."
    fi
    echo "Checking ownership of /var/adm/loginlog..."
    if [ "`ls -l /var/adm/loginlog | awk '{ print $3,$4 }'`" != "root sys" ]; then
        chown root:sys /var/adm/loginlog
        echo "Ownership for /var/adm/loginlog has been changed to root:sys" >> $LOGFILE
        echo "     /var/adm/loginlog ownership set to root:sys."
    else
        echo "Ownership for /var/adm/loginlog is already root:sys" >> $LOGFILE
        echo "     /var/adm/loginlog ownership already root:sys."
    fi
else
    touch /var/adm/loginlog
    chown root:sys /var/adm/loginlog
    chmod 600 /var/adm/loginlog
    echo "/var/adm/loginlog has been created with permissions of 600 and ownership of root:sys" >> $LOGFILE
    echo "     created /var/adm/loginlog with permissions of 600 and owner root:sys."
fi
echo "" >> $LOGFILE
echo "Checking value for SYSLOG_FAILED_LOGINS..."
if [ `grep "^SYSLOG_FAILED_LOGINS=0" /etc/default/login | wc -l` -lt 1 ]; then
    if [ `grep "^SYSLOG_FAILED_LOGINS=" /etc/default/login | wc -l` -lt 1 ]; then
        cp -p /etc/default/login /etc/default/login.orig.71A
        echo "SYSLOG_FAILED_LOGINS=0" >> /etc/default/login
        echo "SYSLOG_FAILED_LOGINS=0 has been added to /etc/default/login" >> $LOGFILE
        echo "     added SYSLOG_FAILED_LOGINS to /etc/default/login with value set to 0."
    else
        cp -p /etc/default/login /etc/default/login.71A
        # Drop only the active setting; the commented documentation stays.
        sed '/^SYSLOG_FAILED_LOGINS=/d' /etc/default/login.71A > /etc/default/login
        echo "SYSLOG_FAILED_LOGINS=0" >> /etc/default/login
        chmod 600 /etc/default/login
        chown root:sys /etc/default/login
        echo "SYSLOG_FAILED_LOGINS value has been changed to 0 in /etc/default/login" >> $LOGFILE
        echo "     set SYSLOG_FAILED_LOGINS to 0 in /etc/default/login."
    fi
else
    echo "SYSLOG_FAILED_LOGINS=0 is already set in /etc/default/login" >> $LOGFILE
    echo "     SYSLOG_FAILED_LOGINS already set to 0 in /etc/default/login."
fi
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "7.1.B" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking if syslog is configured to capture auth.info messages..."
# syslog.conf separates the selector and the action with TAB characters, not
# spaces; printf writes real tabs where an echo of " \t " would leave spaces.
if [ `grep "^auth.info" /etc/syslog.conf | wc -l` -ge 1 ]; then
    echo "syslog.conf is already configured to capture auth.info messages" >> $LOGFILE
    echo "     syslog.conf already set to capture auth.info messages."
else
    cp -p /etc/syslog.conf /etc/syslog.conf.71B
    printf 'auth.info\t\t\t\t\t/var/log/authlog\n' >> /etc/syslog.conf
    echo "syslog.conf has been configured to capture auth.info messages" >> $LOGFILE
    echo "     set syslog.conf to capture auth.info messages."
fi
echo "Checking permissions for /var/log/authlog..."
if [ -f /var/log/authlog ]; then
    echo "/var/log/authlog already exists" >> $LOGFILE
    if [ `ls -l /var/log/authlog | grep 'rw-------' | wc -l` -lt 1 ]; then
        chmod 600 /var/log/authlog
        echo "Permission for /var/log/authlog has been changed to 600" >> $LOGFILE
        echo "     set /var/log/authlog permissions to 600."
    else
        echo "Permission for /var/log/authlog is already 600" >> $LOGFILE
        echo "     /var/log/authlog permissions already 600."
    fi
    echo "Checking ownership for /var/log/authlog..."
    if [ "`ls -l /var/log/authlog | awk '{ print $3,$4 }'`" != "root sys" ]; then
        chown root:sys /var/log/authlog
        echo "Ownership for /var/log/authlog has been changed to root:sys" >> $LOGFILE
        echo "     set /var/log/authlog ownership to root:sys."
    else
        echo "Ownership for /var/log/authlog is already root:sys" >> $LOGFILE
        echo "     /var/log/authlog ownership already root:sys."
    fi
else
    touch /var/log/authlog
    chown root:sys /var/log/authlog
    chmod 600 /var/log/authlog
    echo "/var/log/authlog has been created with permissions of 600 and ownership of root:sys" >> $LOGFILE
    echo "     created /var/log/authlog with permissions of 600 and owner root:sys."
fi
# syslogd does not create log files and only re-reads its configuration on
# SIGHUP, so refresh it once the file exists.
svcadm refresh svc:/system/system-log:default
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "7.1.C" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking value of CRONLOG..."
if [ `grep "^CRONLOG=YES" /etc/default/cron | wc -l` -lt 1 ]; then
    if [ `grep "^CRONLOG=" /etc/default/cron | wc -l` -lt 1 ]; then
        cp -p /etc/default/cron /etc/default/cron.orig.71C
        echo "CRONLOG=YES" >> /etc/default/cron
        echo "CRONLOG=YES has been added to /etc/default/cron" >> $LOGFILE
        echo "     added CRONLOG to /etc/default/cron and set value to 'YES'."
    else
        cp -p /etc/default/cron /etc/default/cron.71C
        sed '/^CRONLOG=/d' /etc/default/cron.71C > /etc/default/cron
        echo "CRONLOG=YES" >> /etc/default/cron
        chmod 600 /etc/default/cron
        chown root:sys /etc/default/cron
        echo "CRONLOG value has been changed to YES in /etc/default/cron" >> $LOGFILE
        echo "     set CRONLOG value in /etc/default/cron to 'YES'."
    fi
else
    echo "CRONLOG=YES is already set in /etc/default/cron" >> $LOGFILE
    echo "     CRONLOG already set to 'YES'."
fi
echo "Checking crontab permissions..."
for file in /var/spool/cron/crontabs/*; do
    [ -f $file ] || continue
    if [ `ls -l $file | grep 'r--------' | wc -l` -lt 1 ]; then
        chmod 400 $file
        echo "Permission for " $file " has been changed to 400" >> $LOGFILE
        echo "     set $file permissions to 400."
    else
        echo "Permission for " $file " is already 400" >> $LOGFILE
        echo "     $file permissions already 400."
    fi
done
echo "Checking crontab ownership..."
for file in /var/spool/cron/crontabs/*; do
    [ -f $file ] || continue
    if [ "`ls -l $file | awk '{ print $3,$4 }'`" != "root sys" ]; then
        chown root:sys $file
        echo $file "has been changed so root is owner and sys is the group owner" >> $LOGFILE
        echo "     set $file ownership to root:sys."
    else
        echo $file "already has correct ownership" >> $LOGFILE
        echo "     $file ownership already root:sys."
    fi
done
echo "Hardening cron.allow and at.allow..."
# While cron.allow/at.allow exist only the users listed in them may use
# crontab/at and the .deny files are ignored; the .deny files are still
# written so the restriction survives if an allow file is removed later.
echo root > /etc/cron.d/cron.allow
echo root > /etc/cron.d/at.allow
chown root:root /etc/cron.d/cron.allow /etc/cron.d/at.allow
chmod 400 /etc/cron.d/cron.allow /etc/cron.d/at.allow
# Every other account from /etc/passwd goes into cron.deny; the exact match
# on "root" keeps an account such as "chroot" from being left out.
awk -F: '$1 != "root" { print $1 }' /etc/passwd > /etc/cron.d/cron.deny
chown root:root /etc/cron.d/cron.deny
chmod 600 /etc/cron.d/cron.deny
cp -p /etc/cron.d/cron.deny /etc/cron.d/at.deny
echo "cron.allow, at.allow, cron.deny and at.deny restrict cron and at to root" >> $LOGFILE
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "7.1.D" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking value for SULOG..."
# Every su(1M) attempt, successful or not, is appended to the SULOG file.
if [ `grep "^SULOG=/var/adm/sulog" /etc/default/su | wc -l` -lt 1 ]; then
    if [ `grep "^SULOG=" /etc/default/su | wc -l` -lt 1 ]; then
        cp -p /etc/default/su /etc/default/su.orig.71D
        echo "SULOG=/var/adm/sulog" >> /etc/default/su
        echo "SULOG=/var/adm/sulog has been added to /etc/default/su" >> $LOGFILE
        echo "     added SULOG to /etc/default/su and set value to '/var/adm/sulog'."
    else
        cp -p /etc/default/su /etc/default/su.71D
        sed '/^SULOG=/d' /etc/default/su.71D > /etc/default/su
        echo "SULOG=/var/adm/sulog" >> /etc/default/su
        chmod 600 /etc/default/su
        chown root:sys /etc/default/su
        echo "SULOG value has been changed to /var/adm/sulog in /etc/default/su" >> $LOGFILE
        echo "     set value for SULOG to '/var/adm/sulog' in /etc/default/su."
    fi
else
    echo "SULOG=/var/adm/sulog is already set in /etc/default/su" >> $LOGFILE
    echo "     SULOG already set to '/var/adm/sulog' in /etc/default/su."
fi

echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "7.2.A" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking permissions for critical log files..."
# The globs can expand to directories, or to the literal pattern when
# nothing matches; only existing regular files are touched.
for file in /var/adm/sulog /var/cron/log /var/adm/loginlog /var/log/* /var/audit/*; do
    [ -f $file ] || continue
    if [ `ls -l $file | grep 'rw-------' | wc -l` -lt 1 ]; then
        chmod 600 $file
        echo "Permission for " $file " has been changed to 600" >> $LOGFILE
        echo "     set $file permissions to 600."
    else
        echo "Permission for " $file " is already 600" >> $LOGFILE
        echo "     $file permissions already 600."
    fi
done
echo "Checking ownership for critical log files..."
for file in /var/adm/sulog /var/cron/log /var/adm/loginlog /var/log/* /var/audit/* /var/adm/messages /var/adm/lastlog; do
    [ -f $file ] || continue
    if [ "`ls -l $file | awk '{ print $3,$4 }'`" != "root sys" ]; then
        chown root:sys $file
        echo $file "has been changed so root is owner and sys is the group owner" >> $LOGFILE
        echo "     set $file owner to root:sys."
    else
        echo $file "already has correct ownership" >> $LOGFILE
        echo "     $file owner already root:sys."
    fi
done
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "7.2.A Part 2" >> $LOGFILE
echo "" >> $LOGFILE
echo "Checking permissions on system logs..."
# lastlog and messages are read by unprivileged tools (last, finger), so
# they stay world-readable.
for file in /var/adm/lastlog /var/adm/messages; do
    [ -f $file ] || continue
    if [ `ls -l $file | grep 'rw-r--r--' | wc -l` -lt 1 ]; then
        chmod 644 $file
        echo "Permission for " $file " has been changed to 644" >> $LOGFILE
        echo "     set $file permissions to 644."
    else
        echo "Permission for " $file " is already 644" >> $LOGFILE
        echo "     $file permissions already set to 644."
    fi
done
echo "Checking ownership of system logs..."
for file in /var/adm/lastlog /var/adm/messages; do
    [ -f $file ] || continue
    if [ "`ls -l $file | awk '{ print $3,$4 }'`" != "root sys" ]; then
        chown root:sys $file
        echo $file " has been changed so root is owner and sys is the group owner" >> $LOGFILE
        echo "     set $file owner to root:sys."
    else
        echo $file " already has correct ownership" >> $LOGFILE
        echo "     $file owner already root:sys."
    fi
done
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "7.2.B" >> $LOGFILE
echo "" >> $LOGFILE
echo "Enabling UFS logging for the root file system in /etc/vfstab..."
# Field 7 is the mount-options column of the root entry: "-" becomes
# "logging", an existing option list gets ",logging" appended, and an entry
# that already logs is left alone. vfstab must not be group-writable.
cp -p /etc/vfstab /etc/vfstab.72B
awk '
    ($4 == "ufs" && $3 == "/" && $7 == "-")       { $7 = "logging" }
    ($4 == "ufs" && $3 == "/" && $7 !~ /logging/) { $7 = $7 ",logging" }
    { print }
' /etc/vfstab.72B > /etc/vfstab
chown root:sys /etc/vfstab
chmod 644 /etc/vfstab
echo "logging of root file system has been enabled" >> $LOGFILE
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "8.1.A" >> $LOGFILE
echo "" >> $LOGFILE
echo ""
echo "Auditing"
echo "------------------------------------------"
echo "Creating /etc/security/audit_control..."
[ -f /etc/security/audit_control ] && cp -p /etc/security/audit_control /etc/security/audit_control.81A
cat <<EOF > /etc/security/audit_control
#
# Copyright (c) 1988 by Sun Microsystems, Inc.
#
# ident "@(#)audit_control.txt  1.4     00/07/17 SMI"
#
# dir:     directory that receives the audit trail files
# flags:   classes audited for every user after login: lo (login/logout),
#          ad (administrative), and every failed event (-all) except failed
#          file-attribute modifications (^-fm), which are mostly noise
# minfree: percentage of free space in dir at which audit_warn(1M) is called
# naflags: classes audited for events not attributable to a logged-in user
dir:/var/audit
flags:lo,ad,-all,^-fm
minfree:20
naflags:lo,ad
EOF

chmod 640 /etc/security/audit_control
chown root:sys /etc/security/audit_control

echo "/etc/security/audit_control file has been setup" >> $LOGFILE
echo "----------------------------------------------------------------------" >> $LOGFILE
echo "" >> $LOGFILE
echo "8.1.B" >> $LOGFILE
echo "" >> $LOGFILE
echo "Creating /etc/security/newauditlog.sh..."
# The heredoc delimiter is quoted so that $AUDIT_DIR and $AUDIT_EXPIRE reach
# the generated script unexpanded instead of being replaced by empty strings
# while this script runs.
cat <<'EOF' > /etc/security/newauditlog.sh
#!/sbin/sh
#
# newauditlog.sh - Start a new audit file and expire the old logs
#
AUDIT_EXPIRE=30
AUDIT_DIR="/var/audit"
/usr/sbin/audit -n
/usr/bin/find "$AUDIT_DIR" -type f -mtime +$AUDIT_EXPIRE -exec rm -f {} \; > /dev/null 2>&1
EOF

chmod 500 /etc/security/newauditlog.sh
chown root:sys /etc/security/newauditlog.sh
# Install the nightly job through crontab(1) so that cron picks it up;
# appending to /var/spool/cron/crontabs/root directly is not noticed until
# cron is restarted.
if [ `crontab -l 2>/dev/null | grep "/etc/security/newauditlog.sh" | wc -l` -lt 1 ]; then
    (crontab -l 2>/dev/null; echo "0 0 * * * /etc/security/newauditlog.sh") | crontab
    echo "cron job has been set up to run nightly to remove audit logs that are older than 30 days" >> $LOGFILE
    echo "     added /etc/security/newauditlog.sh to root crontab."
else
    echo "newauditlog.sh already being run nightly from root crontab" >> $LOGFILE
    echo "     /etc/security/newauditlog.sh already in root crontab."
fi
# bsmconv enables BSM auditing (it asks for confirmation); the audit daemon
# only starts after the reboot, and bsmconv must be run in the global zone.
echo "Running Basic Security Module..."
echo ""
echo ""
echo ""
echo ""
if [ "`zonename`" = "global" ]; then
    /etc/security/bsmconv
    echo "bsmconv has been run. Reboot of the server will be required." >> $LOGFILE
else
    echo "The Basic Security Module must be run in the global zone. Aborting."
fi
echo ""
echo ""
echo ""
echo ""
echo "The Solaris 10 Security Hardening Script has completed."
echo "Please reboot your system now."
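Sections 4.6.B, 4.6.C, 7.1.A, 7.1.C and 7.1.D above all edit a /etc/default file the same way (grep for the exact line, otherwise grep -v the key out into a temp file and append), and section 5.1 checks modes by grepping ls -l output. The following helper is an added example and not part of the original hardening script: it does the same two jobs in a form that can be re-run safely. It rewrites only the active KEY= line and keeps the commented documentation lines, preserves the file's owner and mode by overwriting in place, keeps a one-time .orig copy, and checks modes with find -perm, which tests the whole mode and owner rather than a pattern somewhere in an ls line. It is written for the same Bourne-style /bin/sh the script uses (backticks, no local); the file contents in the test run are constructed.

```shell
#!/bin/sh
# Added helpers for the /etc/default-style edits and permission checks that
# the hardening script repeats. Bourne-shell compatible: backticks, no local,
# awk variables passed as "name=value" operands (works with Solaris oawk).

# get_default_param FILE KEY: print the value of the last active KEY= line
# ("#KEY=..." comment lines are not active and are ignored).
get_default_param() {
    awk 'index($0, key "=") == 1 { v = substr($0, length(key) + 2) } END { print v }' key="$2" "$1"
}

# set_default_param FILE KEY VALUE
# Make KEY=VALUE the only active KEY= line in FILE:
#   - the first active KEY= line is rewritten, later duplicates are dropped,
#     and the line is appended if no active one existed
#   - comment lines are left untouched
#   - FILE.orig is written once, and FILE is overwritten in place so its
#     owner, group and mode survive (nothing is moved over it)
# Returns 0 if FILE changed, 1 if it was already correct, 2 on error.
set_default_param() {
    sdp_file=$1; sdp_key=$2; sdp_val=$3
    [ -f "$sdp_file" ] || { echo "set_default_param: $sdp_file: not found" >&2; return 2; }
    sdp_active=`grep -c "^$sdp_key=" "$sdp_file"; :`     # ":" keeps a zero count from failing
    sdp_cur=`get_default_param "$sdp_file" "$sdp_key"`
    if [ "$sdp_active" -eq 1 ] && [ "$sdp_cur" = "$sdp_val" ]; then
        return 1
    fi
    [ -f "$sdp_file.orig" ] || cp -p "$sdp_file" "$sdp_file.orig"
    sdp_tmp="$sdp_file.tmp.$$"
    awk '
        index($0, key "=") == 1 { if (!done) { print key "=" val; done = 1 }; next }
        { print }
        END { if (!done) print key "=" val }
    ' key="$sdp_key" val="$sdp_val" "$sdp_file" > "$sdp_tmp" || { rm -f "$sdp_tmp"; return 2; }
    cat "$sdp_tmp" > "$sdp_file"      # in place: owner, group and mode are kept
    rm -f "$sdp_tmp"
    return 0
}

# check_mode FILE MODE OWNER GROUP: true only if FILE has exactly that octal
# mode (setuid/setgid/sticky bits included) and that owner and group.
check_mode() {
    [ -n "`find "$1" -prune -perm "$2" -user "$3" -group "$4" -print 2>/dev/null`" ]
}

# ensure_mode FILE MODE OWNER GROUP: fix the file; 0 if changed, 1 if already right
ensure_mode() {
    if check_mode "$@"; then return 1; fi
    chmod "$2" "$1" && chown "$3:$4" "$1"
}

# Run as root with the argument "apply" to set the values the script wants.
if [ "$1" = apply ]; then
    set_default_param /etc/default/inetinit TCP_STRONG_ISS 2
    set_default_param /etc/default/syslogd LOG_FROM_REMOTE NO
    set_default_param /etc/default/login SYSLOG_FAILED_LOGINS 0
    set_default_param /etc/default/cron CRONLOG YES
    set_default_param /etc/default/su SULOG /var/adm/sulog
    ensure_mode /etc/shadow 400 root sys
fi
```

The return codes let a caller log "changed" versus "already set" the way the script does, without a second grep; the settings are still read only at boot (or at a service restart), so the reboot at the end of the script remains necessary.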

Step 1.
Install Solaris 10 OS either from Jumpstart or Solaris media.

Step 2.
The partitions we created on the root disk are below. Slice 6 is reserved for SVM while slice 7 is reserved for Solaris Cluster. The root disk is mirrored using SVM.

Part      Tag    Flag     Cylinders         Size            Blocks
0       root    wm       0 - 11999       14.65GB    (12000/0/0)  30720000
1       swap    wu   12000 - 21599       11.72GB    (9600/0/0)   24576000
2     backup    wm       0 - 65532       80.00GB    (65533/0/0) 167764480
3        var    wm   21600 - 47199       31.25GB    (25600/0/0)  65536000
4 unassigned    wm   47200 - 63199       19.53GB    (16000/0/0)  40960000
5 unassigned    wm       0                0         (0/0/0)             0
6 unassigned    wm   63200 - 63609      512.50MB    (410/0/0)     1049600
7 unassigned    wm   63610 - 64019      512.50MB    (410/0/0)     1049600

Step 3.
We edit /etc/hosts so that the addresses of every Oracle RAC node are present in each node's file. Each node has three sets of IPs: the public IP, which carries ordinary traffic to the server; the private IP, which carries the RAC interconnect traffic; and the node's virtual IP (VIP). In the example below we have a two-node cluster, RAC01 and RAC02, built in an LDom environment using the virtual NICs vnet0, vnet1, vnet2 and vnet3 configured in IPMP groups (vnet0/vnet1 carry the public addresses, vnet2/vnet3 the private ones; the per-interface RAC0x-vnetN entries are the IPMP test addresses).

10.179.145.101    RAC01.fda.gov    RAC01    loghost
10.179.145.102    RAC01-vnet0
10.179.145.103    RAC01-vnet1

10.179.145.104    RAC02.fda.gov    RAC02
10.179.145.105    RAC02-vnet0
10.179.145.106    RAC02-vnet1

# Oracle PRIVATE NETWORK

192.168.146.1    RAC01-priv
192.168.146.2    RAC01-vnet2
192.168.146.3    RAC01-vnet3

192.168.146.4    RAC02-priv
192.168.146.5    RAC02-vnet2
192.168.146.6    RAC02-vnet3

# Oracle VIP
10.179.145.1    RAC01-vip
10.179.145.2    RAC02-vip
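A typo in these entries, such as the same short name appearing on two nodes' public lines, is easy to miss by eye and breaks node resolution at install time. The following is an added example, not part of the original procedure: a small lint for a hosts file that reports any name mapped to two different addresses or any address listed twice, plus a check that every node has its public, -priv and -vip names. The sample file it writes is constructed from the entries above with one such duplicate (RAC01 repeated on the RAC02 line) planted to exercise the check. On Solaris 10 run it with nawk or /usr/xpg4/bin/awk as awk, since the stock /usr/bin/awk lacks tolower().

```shell
#!/bin/sh
# Added /etc/hosts consistency check for the RAC node entries (not part of
# the original procedure).

# lint_hosts FILE
# Prints "DUP name ip1 ip2" for a hostname or alias mapped to two different
# addresses and "DUPADDR ip" for an address that appears twice.
# Returns 1 if anything was reported, 0 if the file is clean.
lint_hosts() {
    awk '
        { sub(/#.*/, "") }                     # strip comments
        NF < 2 { next }                        # blank or address-only line
        {
            if ($1 in seenip) { print "DUPADDR " $1; bad = 1 }
            seenip[$1] = 1
            for (i = 2; i <= NF; i++) {
                n = tolower($i)                # names compare case-insensitively
                if (n in addr) {
                    if (addr[n] != $1) { print "DUP " $i " " addr[n] " " $1; bad = 1 }
                } else addr[n] = $1
            }
        }
        END { exit bad }
    ' "$1"
}

# hosts_has FILE NAME: true if NAME is a hostname or alias in FILE
hosts_has() {
    awk '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(want)) { found = 1; exit } }
        END { exit !found }
    ' want="$2" "$1"
}

# check_rac_names FILE NODE...: every node needs NODE, NODE-priv and NODE-vip
# (public, interconnect and virtual IP). Prints MISSING lines, returns 1 if any.
check_rac_names() {
    crn_file=$1; shift; crn_rc=0
    for crn_node in "$@"; do
        for crn_suffix in "" -priv -vip; do
            if hosts_has "$crn_file" "$crn_node$crn_suffix"; then :; else
                echo "MISSING $crn_node$crn_suffix"; crn_rc=1
            fi
        done
    done
    return $crn_rc
}

# write_sample_hosts FILE: constructed sample built from the entries in
# Step 3, with the short name RAC01 repeated on the RAC02 public line.
write_sample_hosts() {
    cat > "$1" <<'EOF'
10.179.145.101    RAC01.fda.gov    RAC01    loghost
10.179.145.102    RAC01-vnet0
10.179.145.103    RAC01-vnet1
10.179.145.104    RAC02.fda.gov    RAC01
10.179.145.105    RAC02-vnet0
10.179.145.106    RAC02-vnet1
# Oracle PRIVATE NETWORK
192.168.146.1    RAC01-priv
192.168.146.2    RAC01-vnet2
192.168.146.3    RAC01-vnet3
192.168.146.4    RAC02-priv
192.168.146.5    RAC02-vnet2
192.168.146.6    RAC02-vnet3
# Oracle VIP
10.179.145.1    RAC01-vip
10.179.145.2    RAC02-vip
EOF
}

# Usage: sh hosts_lint.sh /etc/hosts RAC01 RAC02
if [ $# -ge 1 ]; then
    lint_hosts "$1"; rc=$?
    f=$1; shift
    check_rac_names "$f" "$@" || rc=1
    exit $rc
fi
```

Run it on every node before the installer's cluster verification, since each node carries its own copy of the file and a fix applied to one node does not propagate.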

Step 4.
Add user and groups for oracle

groupadd oinstall
groupadd dba
useradd -d /export/home/oracle -m -s /bin/bash -g oinstall -G dba orafda

Step 5.
Although Solaris 10 configures these limits through project resource controls (Step 6), we also add the following to /etc/system, as the Oracle installer's prerequisite checks still read this file for some of the parameters. The last two lines are not Oracle tunables: noexec_user_stack makes process stacks non-executable (for 32-bit processes; 64-bit SPARC processes already have a non-executable stack) and noexec_user_stack_log logs any attempt to execute from the stack, which closes the classic stack-smashing code path.

set shmsys:shminfo_shmmax=10737418240
set shmsys:shminfo_shmmin=1
set semsys:seminfo_semvmx=32767
set shmsys:shminfo_shmmni=512
set shmsys:shminfo_shmseg=128
set semsys:seminfo_semmap=64
set semsys:seminfo_semmni=4096
set semsys:seminfo_semmsl=4096
set semsys:seminfo_semmns=4096
set semsys:seminfo_semopm=100
set semsys:seminfo_semmnu=4096
set semsys:seminfo_semume=64
set rlim_fd_max=65536
set rlim_fd_cur=8192
set noexec_user_stack=1
set noexec_user_stack_log=1

Step 6.
As mentioned above, Solaris 10 uses projects (resource controls) for these limits. We create a project for the Oracle account and configure it as follows; the settings are written to /etc/project. The project has to be named user.<login> of the account that runs Oracle for it to become that account's default project (user.orafda for the account created in Step 4), so substitute the login name if it differs from oracle.

projadd user.oracle
projmod -s -K "process.max-file-descriptor=(priv,65536,deny)" 'user.oracle'
projmod -s -K "process.max-sem-nsems=(priv,1024,deny)" 'user.oracle'
projmod -s -K "project.max-sem-nsems=(priv,8192,deny)" 'user.oracle'
projmod -s -K "project.max-sem-ids=(priv,8192,deny)" 'user.oracle'
projmod -s -K "project.max-shm-ids=(priv,1024,deny)" 'user.oracle'
projmod -s -K "project.max-shm-memory=(priv,10GB,deny)" 'user.oracle'

Step 7.
We harden Solaris OS. This is in a separate blog.

Step 8.
We configure user equivalence for the Oracle account on each node, so that it can log in from one node to another without a password.

On each node, we add the name of every node to /etc/hosts.equiv. hosts.equiv trust is based only on the source address and hostname, so it should list the cluster nodes and nothing else.

We enable the shell (rsh) service, which is normally disabled by our security script:
svcadm enable svc:/network/shell:default

We add the following to /etc/hosts.allow, restricting in.rshd to the cluster nodes rather than ALL (with ALL, any host that can reach port 514 may attempt an rsh login):
shell: 10.179.145.101 10.179.145.104
in.rshd: 10.179.145.101 10.179.145.104

If the installer in use supports SSH user equivalence (Oracle 10g and later do), the rsh service and the hosts.allow entries can be left out and only the SSH keys below are needed.

We create an SSH key pair for the Oracle account on each node (leave the passphrase empty, since the logins must be non-interactive), then collect every node's id_rsa.pub into ~/.ssh/authorized_keys on every node. authorized_keys is the file sshd reads; authorized_keys2 is the older name.
ssh-keygen -t rsa
cd ~/.ssh
cat id_rsa.pub >> authorized_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa ~/.ssh/authorized_keys
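Step 8 leaves collecting the other nodes' keys to hand editing. The following is an added example, not part of the original procedure, of that part of the step done as a script: it merges every node's public key into ~/.ssh/authorized_keys, deduplicates on the key material so re-running it never produces duplicate lines, and sets the usual 700/600 modes. sshd's StrictModes (on by default) ignores the key file when ~/.ssh or authorized_keys is group- or world-writable and falls back to a password prompt, which is exactly what user equivalence must avoid. The node names, directory and key strings in the sample are constructed; none of the key material is real.

```shell
#!/bin/sh
# Added example for Step 8 (not part of the original procedure): build the
# Oracle account's authorized_keys on a RAC node from every node's public key.

# merge_authorized_keys OUT PUBKEY_FILE...
# Concatenate the given public key files into OUT, keeping one line per key
# (deduplicated on the key material, field 2), with the directory at 700 and
# OUT at 600. Lines that are not bare "type key comment" entries (such as
# ones carrying from="..." options) are skipped rather than mangled.
# Prints the number of keys written.
merge_authorized_keys() {
    mak_out=$1; shift
    mak_dir=`dirname "$mak_out"`
    mkdir -p "$mak_dir" && chmod 700 "$mak_dir" || return 1
    cat "$@" | awk '$1 ~ /^(ssh-|ecdsa-)/ && !seen[$2]++' > "$mak_out.tmp" || return 1
    chmod 600 "$mak_out.tmp" && mv -f "$mak_out.tmp" "$mak_out" || return 1
    awk 'END { print NR }' "$mak_out"
}

# ssh_dir_ok HOME: true if HOME/.ssh is mode 700 and HOME/.ssh/authorized_keys
# is mode 600, both owned by the calling user.
ssh_dir_ok() {
    sdo_me=`id -un`
    [ -n "`find "$1/.ssh" -prune -perm 700 -user "$sdo_me" -print 2>/dev/null`" ] &&
    [ -n "`find "$1/.ssh/authorized_keys" -prune -perm 600 -user "$sdo_me" -print 2>/dev/null`" ]
}

# write_sample_pubkeys DIR: constructed public keys for two nodes (the key
# strings are placeholders, not real keys). RAC01's key is written twice to
# exercise the deduplication.
write_sample_pubkeys() {
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDsample01 orafda@RAC01\n' > "$1/RAC01.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDsample02 orafda@RAC02\n' > "$1/RAC02.pub"
    cp "$1/RAC01.pub" "$1/RAC01-again.pub"
}

# Usage on each node, as the Oracle account, after every node's
# ~/.ssh/id_rsa.pub has been copied (for example with scp) into one
# directory given as $1:
#   ssh-keygen -t rsa -N '' -f ~/.ssh/id_rsa     # once per node, if absent
#   sh ssh_equiv.sh /var/tmp/rac-pubkeys
if [ $# -ge 1 ]; then
    n=`merge_authorized_keys "$HOME/.ssh/authorized_keys" "$1"/*.pub` || exit 1
    echo "installed $n keys in $HOME/.ssh/authorized_keys"
    ssh_dir_ok "$HOME" || { echo "permissions on $HOME/.ssh are wrong" >&2; exit 1; }
fi
```

Because the merge is deterministic and idempotent, the same directory of collected keys can be applied on every node, and the node count in the output is a quick check that no node's key was missed.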

Step 9.
Configure NTP on each node, replacing NTP_SERVER with the name of the NTP server; the cluster nodes must keep their clocks in step, so every node points at the same source.

echo "server NTP_SERVER" >> /etc/inet/ntp.conf
echo "driftfile /var/ntp/ntp.drift" >> /etc/inet/ntp.conf
touch /var/ntp/ntp.drift
svcadm enable ntp

Step 10.
Configure RAW storage for oracle to be used by ASM.