################################################################# # # cf.solaris - for iu.hio.no # # This file contains solaris specific patches # ################################################################# ### # # BEGIN cf.solaris # ### directories: # # httpd/netscape want this to exist for some bizarre reason # /usr/lib/X11/nls /var/run /var/spool/lpd ################################################################ tidy: /usr/tmp pattern=* age=1 /etc/rc2.d pattern=S80lp age=0 ################################################################# links: /opt/gnu -> /local/gnu /etc/services ->! /etc/inet/services /usr/bin/perl ->! /local/bin/perl /var/spool/mail -> /var/mail solaris2.7:: /bin/bash -> /local/gnu/bin/bash ############################################################## copy: # # Some standard setup files, can't link because # machine won't boot if their not on / partition. # /local/bin/tcsh dest=/bin/tcsh mode=755 /local/iu/etc/nsswitch.standalone dest=/etc/nsswitch.conf /local/iu/etc/S99rc-local dest=/etc/rc2.d/S99rc-local mode=755 /local/iu/etc/etc_ntp_conf.solaris dest=/etc/ntp.conf mode=644 ############################################################## disable: /etc/.login type=file /bin/rdist /etc/auto_home /etc/auto_master /usr/lib/print/printd nexus:: /usr/openwin/bin/Xsun # See cert vulnerability. setuid! ############################################################## files: # # If this doesn't exist fork will not work and the # system will not even be able to run the /etc/rc # scripts at boottime # /etc/system o=root g=root m=644 action=touch /usr/sbin/mount o=bin g=bin m=555 action=fixplain /usr/sbin/ping m=4555 action=fixplain /etc/passwd m=0644 o=root g=other action=fixplain /etc/shadow m=0600 o=root g=other action=fixplain /etc/defaultrouter m=0644 o=root g=other action=touch /etc/inet m=755 o=root g=other action=fixdirs /var/adm/wtmpx m=0644 o=adm g=adm action=touch # /var/adm/wtmp m=0644 o=root g=adm action=touch # /var/adm/utmp m=0644 o=root g=adm action=fixplain /var/adm/utmpx m=0644 o=root g=bin action=fixplain /tmp m=1777 action=fixdirs /usr/openwin/bin/xdm m=0755 o=root g=bin action=fixplain /usr/dt/bin r=inf m=-6000 action=fixall /usr/bin/tip m=0711 action=fixplain inform=true # bof /usr/openwin/bin/Xsun m=0755 action=fixplain inform=false # bof /usr/openwin/bin/kcms_configure m=0755 action=fixplain inform=false # bof /usr/bin/sparcv7/ipcs m=0555 action=fixplain # bof /usr/bin/sparcv9/ipcs m=0555 action=fixplain # bof /usr/lib/dmi/snmpXdmid m=0000 action=fixplain # bof CA-2001-05 /usr/bin/at m=0755 action=fixplain # string format vuln /usr/sbin/sparcv7/whodo m=0555 action=fixplain # bof bugtraq id 2935 /usr/sbin/sparcv9/whodo m=0555 action=fixplain # bof bugtraq id 2935 solaris2_7:: /usr/bin/mail m=0511 action=fixplain # bof CheckIntegrity.Rest:: /etc o=root,bin,uucp,lp,adm action=warnall r=inf /usr o=root,bin,uucp,lp,adm action=warnall r=inf checksum=md5 ignore=tmp ignore=authdir syslog=true /var/spool/cron/crontabs checksum=md5 r=inf ############################################################## disable: # # CERT security patch # /usr/openwin/bin/kcms_calibrate /usr/openwin/bin/kcms_configure /usr/bin/admintool /etc/rc2.d/S99dtlogin ################################################################ shellcommands: dax|quetzalcoatal:: "/bin/echo hei" AllBinaryServers.Saturday.Hr00:: # # Make sure the man -k / apropos data are up to date # "/usr/bin/catman -M /local/iu/man" "/usr/bin/catman -M /local/man" "/usr/bin/catman -M /local/gnu/man" "/usr/bin/catman -M /local/teTeX/man" any.Hr00.Saturday:: "/usr/bin/catman -M /usr/openwin/share/man" "/usr/bin/catman -M /usr/share/man" any:: "/local/bin/ntpdate cube > /dev/null 2>&1" inform=false (Hr23.HalfHour)|(nexus.percent_10):: # # Update the GNU find/locate database each night # "$(gnu)/bin/updatedb > /dev/null 2>&1" ############################################################## editfiles: # # Makes sure that cfengine will be run by cron # installs itself as a cron job - sneaky! :) # { /var/spool/cron/crontabs/root AutoCreate DeleteLinesMatching "0,30 * * * * /usr/local/sbin/cfexecd -F -L /local/iu/lib:/local/lib/mysql:/local/lib" AppendIfNoSuchLine "0,30 * * * * /usr/local/sbin/cfexecd -F -L /local/iu/lib:/local/lib/mysql:/local/lib:/local/gnu/lib" } # # Solaris configuration for extra logins # { /etc/auto_home DeleteLinesContaining "+" } { /etc/auto_master DeleteLinesContaining "+" } { /etc/system AppendIfNoSuchLine "set pt_cnt=128" AppendIfNoSuchLine "set noexec_user_stack_log = 1" AppendIfNoSuchLine "set noexec_user_stack = 1" } !Net75:: { /etc/netmasks AppendIfNoSuchLine "128.39.89.0 255.255.255.0" } Net75:: { /etc/netmasks AppendIfNoSuchLine "128.39.74.0 255.255.254.0" } any:: { /etc/netmasks DeleteLinesContaining "128.39.0.0" DeleteLinesContaining "128.39 255.255.255.0" } any.!Net75:: { /etc/defaultrouter AppendIfNoSuchLine "128.39.89.1" } Net75:: { /etc/defaultrouter AppendIfNoSuchLine "128.39.74.1" } any:: { /usr/openwin/lib/app-defaults/XConsole AppendIfNoSuchLine "XConsole.autoRaise: on" } # # CERT security patch for vold vulnerability # { /etc/rmmount.conf HashCommentLinesContaining "action cdrom" HashCommentLinesContaining "action floppy" } { /etc/inet/inetd.conf # ReplaceAll "/usr/sbin/in.ftpd" With "/local/iu/sbin/tcpd" # ReplaceAll "/usr/sbin/in.telnetd" With "/local/iu/sbin/tcpd" ReplaceAll "/usr/sbin/in.rshd" With "/local/iu/sbin/tcpd" ReplaceAll "/usr/sbin/in.rlogind" With "/local/iu/sbin/tcpd" HashCommentLinesContaining "rwall" HashCommentLinesContaining "/usr/sbin/in.fingerd" HashCommentLinesContaining "comsat" HashCommentLinesContaining "exec" AppendIfNoSuchLine "talk dgram udp wait root /usr/sbin/in.talkd in.talkd" HashCommentLinesContaining "echo" HashCommentLinesContaining "discard" HashCommentLinesContaining "charge" HashCommentLinesContaining "quotas" HashCommentLinesContaining "users" HashCommentLinesContaining "spray" HashCommentLinesContaining "sadmin" HashCommentLinesContaining "rquota" HashCommentLinesContaining "kcms" HashCommentLinesContaining "comsat" HashCommentLinesContaining "xaudio" HashCommentLinesContaining "uucp" HashCommentLinesContaining "tftp" HashCommentLinesContaining "/dt" HashCommentLinesContaining "tnamed" HashCommentLinesContaining "in.r" HashCommentLinesContaining "kerbd" HashCommentLinesContaining "rpc.rstatd" HashCommentLinesContaining "cachefsd" HashCommentLinesContaining "gssd" # HashCommentLinesContaining "telnet" } # # umask define when inetd starts is inherited by all subprocesses # this makes ftp post files open to the world { /etc/rc2.d/S72inetsvc PrependIfNoSuchLine "umask 022" HashCommentLinesContaining "/usr/sbin/in.named &" } !nexus:: { /etc/vfstab HashCommentLinesContaining "/iu/nexus/u1" HashCommentLinesContaining "/iu/nexus/u2" HashCommentLinesContaining "/iu/nexus/u3" HashCommentLinesContaining "/iu/nexus/u4" } ############################################################################ processes: # # Don't need CDE stuff # "ttdbserverd" signal=kill "dmispd" signal=kill "automount" signal=kill "kwmsound" signal=kill "hpnp" signal=kill "cmsd" signal=kill "nfsd" restart /usr/lib/nfs/nfsd useshell=false "mountd" restart /usr/lib/nfs/mountd useshell=false # xntpd virker ikke lenger... dessuten root exploit # "xntpd" restart "/local/bin/xntpd" useshell=false "xntpd" signal=kill "inetd" matches=>1 restart "/usr/sbin/inetd -s" !(nexus|quetzalcoatal|dax):: "kdm" restart "/local/kde/bin/kdm -nodaemon -config /local/iu/X11/xdm/xdm-config" nexus|quetzalcoatal|dax:: "kdm" signal=kill # quetzalcoatal:: # "sshd" signal=kill ### # # END cf.solaris # ###