##############################################################
#
# cf.services : local network service configuration
#
###############################################################
###
#
# BEGIN cf.services
#
###
###############################################################
control:
AddInstallable = ( nfs_update )
###############################################################
shellcommands:
nexus::
# Clear a bad RPC channel. Someone using a bad port number?
"/usr/sbin/shareall"
cube.nfs_update::
"/etc/init.d/nfs-server restart > /dev/null 2>&1"
###############################################################
copy:
/iu/nexus/local/iu/etc/hosts.deny dest=/etc/hosts.deny mode=644 server=nexus
!(dax|cube|sigmund)::
/iu/nexus/local/iu/etc/hosts.allow dest=/etc/hosts.allow mode=644 server=nexus
dax|cube::
/iu/nexus/local/iu/etc/hosts.allow.dax dest=/etc/hosts.allow mode=644 server=nexus
sigmund::
/iu/nexus/local/iu/etc/hosts.allow.sigmund dest=/etc/hosts.allow mode=644 server=nexus
nexus::
/iu/nexus/local/iu/etc/dfstab dest=/etc/dfs/dfstab
/iu/nexus/local/iu/etc/options.tcl dest=/iu/nexus/local/share/tkrat2.0/options.tcl mode=644
cube::
/iu/cube/local/iu/etc/exports.cube dest=/etc/exports mode=644 define=nfs_update
/iu/cube/local/iu/etc/options.tcl dest=/iu/cube/local/share/tkrat2.0/options.tcl mode=644
securehosts::
/iu/nexus/local/iu/etc/ssh_banner_message_secure dest=/etc/ssh2/ssh_banner_message
mode=644 owner=root group=root
128_39_89.!securehosts::
/iu/nexus/local/iu/etc/ssh_banner_message_89 dest=/etc/ssh2/ssh_banner_message
mode=644 owner=root group=root
###############################################################
links:
nexus:: # Mirroring
/etc/rsyncd.conf -> /local/iu/etc/rsyncd.conf
###############################################################
editfiles:
!rom21X::
{ /etc/ssh2/sshd2_config
ReplaceAll "PrintMotd.*yes" With "PrintMotd no"
ReplaceAll ".*Ssh1Compatibility.*yes.*" With "Ssh1Compatibility no"
AppendIfNoSuchLine "Ssh1Compatibility no"
HashCommentLinesMatching ".*Sshd1Path.*"
DeleteLinesMatching ".*PasswordAuthentication.*"
DeleteLinesMatching ".*PubkeyAuthentication.*"
DeleteLinesMatching ".*AllowCshrcSourcingWithSubsystems.*"
}
securehosts:: # Limited access to certain hosts
{ /etc/ssh2/sshd2_config
AppendIfNoSuchLine "AllowGroups drift"
AppendIfNoSuchLine "DenyGroups student,ansatt"
}
128_39_89.!securehosts.!haddock::
{ /etc/ssh2/sshd2_config
AppendIfNoSuchLine "AllowGroups drift,ansatt"
AppendIfNoSuchLine "DenyGroups student"
}
haddock::
{ /etc/ssh2/sshd2_config
DeleteLinesMatching ".*AllowGroups.*"
DeleteLinesMatching ".*DenyGroups.*"
}
128_39_74.!securehosts.!rom21X:: # Not really necessary as all are allowed by default
{ /etc/ssh2/sshd2_config
AppendIfNoSuchLine "AllowGroups drift,ansatt,student"
}
!rom21X::
{ /etc/ssh2/ssh2_config
AppendIfNoSuchLine "AuthenticationSuccessMsg no"
}
FTPservers::
{ /etc/shells
AppendIfNoSuchLine "/bin/tcsh"
AppendIfNoSuchLine "/bin/bash"
AppendIfNoSuchLine "/local/gnu/bin/bash"
}
!FTPservers::
{ /etc/inetd.conf
HashCommentLinesContaining "in.ftpd"
}
!rom21X::
{ /etc/inetd.conf
DeleteLinesContaining "bootp"
DeleteLinesContaining "bootps"
AppendIfNoSuchLine "finger stream tcp nowait nobody /local/iu/sbin/tcpd in.fingerd"
# AppendIfNoSuchLine "cfinger stream tcp nowait nobody /local/iu/sbin/tcpd in.cfingerd"
HashCommentLinesContaining "rshd"
HashCommentLinesContaining "pop"
HashCommentLinesContaining "swat"
}
rom21X::
{ /etc/inetd.conf
AppendIfNoSuchLine "finger stream tcp nowait nobody /usr/sbin/tcpd /local/iu/sbin/in.fingerd"
AppendIfNoSuchLine "cfinger stream tcp nowait nobody /usr/sbin/tcpd /local/iu/sbin/in.cfingerd"
}
nexus::
{ /etc/inetd.conf
AppendIfNoSuchLine "netbios-ssn stream tcp nowait root /local/sbin/smbd smbd"
AppendIfNoSuchLine "netbios-ns dgram udp wait root /local/sbin/nmbd nmbd"
AppendIfNoSuchLine "rsync stream tcp nowait root /local/iu/sbin/tcpd rsync --daemon"
# HashCommentLinesContaining "telnet"
}
cube::
{ /etc/inetd.conf
AppendIfNoSuchLine "netbios-ssn stream tcp nowait.100 root /local/sbin/smbd smbd"
AppendIfNoSuchLine "netbios-ns dgram udp wait root /local/sbin/nmbd nmbd"
}
!sysloghost::
{ /etc/syslog.conf
AppendIfNoSuchLine "*.warning @loghost"
DefineClasses "syslogdhup"
}
###############################################################
processes:
linux::
SetOptionString "aucx"
any::
"bootp" signal=kill exclude=rpc.bootparamd
"inetd" signal=hup inform=false
"cfservd"
restart "/usr/local/sbin/cfservd"
useshell=false
syslogdhup::
"syslogd" signal=hup
!rom21X::
"sshd"
restart "/local/sbin/sshd"
useshell=false
inform=true
rom21X:: # openssh
"sshd" restart "/etc/init.d/ssh restart"
any::
"snmp" signal=kill
"powerd" signal=kill
"mibiisa" signal=kill
# nexus.percent_10:: # strategy, problems with stupid named
# "named" signal=term restart "/local/sbin/named -u dns" inform=false
nexus::
"fingerd" restart "/local/etc/fingerd"
useshell=false
"mysqld" restart "/local/iu/bin/StartMysql"
useshell=false
"named" restart "/local/sbin/named -u dns" useshell=false inform=true
quetzalcoatal::
"named" restart "/local/sbin/named -u dns -c /local/etc/named.conf.slave" inform=true
cube:: # until we can use v9
"named" restart "/local/iu/bind/bin/named -u dns -g nogroup" inform=true
NameServers.dns_update::
"named" signal=hup
cube.Hr05:: # used kill before, will HUP do?
"rpc.mountd" signal=hup # restart "/usr/sbin/rpc.mountd"
"rpc.nfsd" signal=hup # restart "/usr/sbin/rpc.nfsd"
# sunos_5_6::
# "identd" restart "/local/sbin/identd" inform=true
###############################################################
files:
PrimeServers::
/local/iu/dns/pz o=dns m=644 act=fixall r=1 exclude=Fixserial
/local/iu/dns/pz/Fixserial m=755 action=fixplain
SlaveServers::
/local/iu/dns/sz o=dns m=644 act=fixall r=1
NameServers::
/local/iu/logs/admin o=dns m=644 act=fixplain
/local/iu/logs/security o=dns m=644 act=fixplain
/local/iu/logs/updates o=dns m=644 act=fixplain
/local/iu/logs/xfer o=dns m=644 act=fixplain
WWWServers.Rest.Hr00.HalfHour::
/local/iu/etc/apache m=644 act=fixall r=inf
FTPservers.nexus::
#
# Make sure anonymous ftp areas have the correct
# protection, or logins won't be able to read
# files - or perhaps a security risk. This is
# solaris 2 specific...
#
$(ftp)/pub mode=644 o=root g=other act=fixall
$(ftp)/pub mode=644 act=fixall r=inf
$(ftp)/etc mode=111 o=root g=other act=fixdirs
$(ftp)/usr/bin/ls mode=111 o=root g=other act=fixall
$(ftp)/dev mode=555 o=root g=other act=fixall
$(ftp)/usr mode=555 o=root g=other act=fixdirs
!rom21X::
/etc/ssh2 mode=755 o=root g=root act=fixall # set wrong by install
###############################################################
disable:
nexus.Sunday.All::
/var/log/xferlog rotate=3
cube.Sunday.All::
/var/log/xferlog rotate=3
# Sunday.nexus::
# /local/etc/fingerdir/userdata rotate=empty
###
#
# END cf.services
#
###
