15k OS Security Suite

Date post: 03-Apr-2018
Upload: majumdersubhrajit
  • 7/28/2019 15k OS Security Suite

    1/36

    Sun Proprietary and Confidential: Need to Know

    Application Readiness Service for Sun Fire 12K/15K Security

    Application Readiness Service for Sun Fire 12K/15K:Sun Fire 12K/15K Security

    Security Page 1 of 36 February 27, 2002

    Copyright 2001 Sun Microsystems, Inc. All rights reserved.


    Table of Contents

    1. Introduction ............................................ 3
    1.1. Legal Disclaimer ..................................... 3
    1.2. Security Customization ............................... 3
    1.2.1. System Controller Security Options ................. 3
    1.2.2. Domain Security Options ............................ 3
    1.3. Disabled Services/Applications/Scripts ............... 4
    1.4. Common Changes ....................................... 4
    1.4.1. /etc/dt/config/Xaccess ............................. 4
    1.4.2. /etc/default/sendmail .............................. 4
    1.4.3. /etc/nsswitch.conf ................................. 4
    1.5. Solaris Security Toolkit Sample Output ............... 5
    1.6. Solaris Security Toolkit Steps ....................... 5
    1.7. Solaris Security Toolkit File Content ................ 9
    1.7.1. /etc/issue and /etc/motd ........................... 9
    1.7.2. /etc/notrouter .................................... 10
    1.7.3. /etc/nsswitch.conf ................................ 10
    1.7.4. /etc/syslog.conf .................................. 10
    1.7.5. /etc/default/sendmail ............................. 10
    1.7.6. /etc/dt/config/Xaccess ............................ 11
    1.7.7. /etc/init.d/nddconfig and /etc/rc2.d/S70nddconfig . 12
    1.7.8. set-tmp-permissions scripts ....................... 19
    1.7.9. /etc/init.d/inetsvc ............................... 20
    1.7.10. /etc/inet/inetd.conf ............................. 20
    1.7.11. /etc/init.d/nddconfig ............................ 21
    1.7.12. /dev/ip qfe0:ip_forwarding (note: domains only) .. 22
    Appendix A: Solaris Security Toolkit Sample Output ....... 23


    1. Introduction

    This document provides information about the methods used to increase the security of the Sun Fire 12K/15K (it is applicable to either platform) during the delivery of the Application Readiness Service (ARS) for the Sun Fire 12K/15K. The security methods used in the delivery of this service conform with Sun's recommended practices. During the delivery of this service, OpenSSH for Solaris (secure shell, often abbreviated as ssh) is installed and configured. In addition, the Solaris Security Toolkit [1] (Toolkit), formerly known as JASS (JumpStart Architecture and Security Scripts), is installed and used to increase the security of the Sun Fire 12K/15K. More information on security for the Sun Fire 12K/15K can be found at http://www.sun.com/blueprints/1101/sunfire15k.html. More information about the Solaris Security Toolkit can be found at http://www.sun.com/security/jass/.

    The purpose of this document is to provide the information necessary to assess the impact of using the Toolkit. This document provides a "representative" set of commands as executed by the Toolkit, as well as "representative" output captured from the use of the Toolkit. The output from the Toolkit, as executed on the Sun Fire 15K, will be provided as a part of the ARS for the Sun Fire 12K/15K. This output is also applicable to Sun Fire 12K platforms. This information is not guaranteed to be accurate because the Toolkit may change over time due to changes in the Sun Fire 12K/15K platform, changes in Solaris, or general improvements in the Toolkit.

    This document also provides the "representative" content of the files supplied by the Toolkit, so that it can be assessed by potential users of the Toolkit and adjusted after the delivery of the service. The content of the files that are modified (rather than supplied) by the Toolkit is not reproduced in this document, but it can be determined by examining the output of the Toolkit after it has been used. It is important to note that the ARS for the Sun Fire 12K/15K does not include modification of the content of these files by Sun during the delivery of the service.

    A list of disabled applications, services, and scripts is provided in this document, along with the files which are commonly considered candidates for change subsequent to use of the Toolkit.

    1.1. Legal Disclaimer

    This document contains Sun intellectual property and Sun confidential information, especially trade secrets, and is covered as a Service Item by assumption #10 in the Statement of Work for the Application Readiness Service for the Sun Fire 12K/15K.

    1.2. Security Customization

    The following choices are available to customize the platform hardening of the Sun Fire 12K/15K. Any customization beyond the options below is beyond the scope of the ARS service.

    1.2.1. System Controller Security Options

    The following is the only available option when implementing the security hardening of the Sun Fire 12K/15K system controllers.

    Telnet - Available only when telnet is the only available protocol that can be used to establish an interactive session to the system controller. Because telnet carries passwords and session data in clear text, and OpenSSH is installed as part of this service, this option should be selected only where an ssh client genuinely cannot be used to reach the system controller.

    1.2.2. Domain Security Options

    The following options are available when implementing the security hardening of the Sun Fire 12K/15K domains.

    Telnet - Available only when telnet is the only available protocol that can be used to establish an interactive session to the domain.

    NFS Client - Recommended for domain configurations that require NFS client services to start automatically during the multi-user stage of system boot.

    RPC - Recommended when the domain configuration requires RPC services to start automatically during the multi-user stage of system boot.

    RPC/NFS Server - Recommended when the domain configuration requires RPC and NFS server services to start automatically during the multi-user stage of system boot.

    [1] The Solaris Security Toolkit is not a traditional Sun(TM) product, and as such, is not supported by Sun Microsystems. However, any resulting configuration of the Solaris Operating Environment after using the toolkit is supported.

    Note: Options may be combined with any other, except for the RPC and RPC/NFS Server options, which are mutually exclusive.

    1.3. Disabled Services/Applications/Scripts

    The following services, applications, and scripts are disabled by the Toolkit without selecting any of the options. Selection of one or more options (such as selecting the option for NFS Client services) may modify the list of disabled services, applications, and scripts.

    1. The Apache web server shipped with Solaris OE 8.

    2. Asynchronous PPP (asppp).

    3. Solaris scripts used to re-initialize or re-install the system, including S30sysid.net,S71sysid.sys, and S72autoinstall.

    4. The automounter.

    5. The DHCP server included in Solaris OE version 8.

    6. Sun Solstice Enterprise DMI Service Provider and Sun Solstice Enterprise SNMP-DMI mapper subagent.

    7. The Common Desktop Environment.

    8. The LDAP client daemons included with Solaris OE version 8.

    9. lp services

    10. Mobile IP (MIP) agents included in Solaris OE version 8.

    11. NFS client.

    12. NFS server.

    13. The Platform Information and Control Library (PICL) server.

    14. The auto power shutdown option.

    15. rhosts authentication for rlogin and rsh.

    16. Remote Procedure Calls (RPC).

    17. The sendmail daemon.

    18. Service Location Protocol (SLP).

    19. The default Solaris OE SNMP daemons.

    20. SunSoft Print Client.

    21. UUCP.

    22. Volume management service.

    23. Web Based Enterprise Management (WBEM) daemons.

    1.4. Common Changes

    Files which are commonly considered candidates for change subsequent to use of the Toolkit are identified in this section of the document.

    1.4.1. /etc/dt/config/Xaccess

    This file disables all remote access, whether directed or broadcast, to any X server running on this system. If your use of the system requires that users have remote access to an X server running on your Sun Fire 12K/15K domain or system controller, you will need to remove this file, or edit the contents of the file to match your specific requirements.

    1.4.2. /etc/default/sendmail

    The Toolkit's disable-sendmail.fin finish script installs this file to keep the sendmail daemon from starting at boot, and adds an entry to the cron subsystem which executes sendmail once an hour to flush the outgoing mail queue. This method of purging outgoing mail is more secure than having the daemon listening continually.

    Removing or editing the /etc/default/sendmail file may be necessary to meet your requirements, for example if the domain must accept inbound mail.


    1.4.3. /etc/nsswitch.conf

    It may be necessary to edit the contents of this file, or replace it, if your name service requirements (NIS, NIS+, DNS, or LDAP) differ from the files-only configuration enabled by the file provided through the Toolkit.

    1.5. Solaris Security Toolkit Steps

    The following table provides a "representative" set of steps as executed by the Toolkit.

    Notice that backup copies of a number of files are made, with a .JASS.DATE-OF-EXECUTION suffix. This gives the Toolkit a limited "undo" capability. Removal of these file copies is discouraged since it will eliminate the limited "undo" ability of the Toolkit.

    # Step

    1 Copy /etc/profile to /etc/profile.JASS.DATE-OF-EXECUTION

    2 Add default terminal type (vt100) to /etc/profile.

    3 Copy /etc/.login to /etc/.login.JASS.DATE-OF-EXECUTION

    4 Add default terminal type (vt100) to /etc/.login.

    5 Copy /etc/dt/config/Xaccess from /opt/SUNWjass/Files/etc/dt/config/Xaccess.

    6 Copy /etc/init.d/inetsvc to /etc/init.d/inetsvc.JASS.DATE-OF-EXECUTION

    7 Copy /etc/init.d/inetsvc from /opt/SUNWjass/Files/etc/init.d/inetsvc.

    8 Copy /etc/init.d/nddconfig from /opt/SUNWjass/Files/etc/init.d/nddconfig.

    9 Copy /etc/init.d/set-tmp-permissions from /opt/SUNWjass/Files/etc/init.d/set-tmp-permissions.

    10 Copy /etc/issue from /opt/SUNWjass/Files/etc/issue.

    11 Copy /etc/motd to /etc/motd.JASS.DATE-OF-EXECUTION

    12 Copy /etc/motd from /opt/SUNWjass/Files/etc/motd.

    13 Copy /etc/notrouter from /opt/SUNWjass/Files/etc/notrouter.

    14 Copy /etc/nsswitch.conf to /etc/nsswitch.conf.JASS.DATE-OF-EXECUTION

    15 Copy /etc/nsswitch.conf from /opt/SUNWjass/Files/etc/nsswitch.conf.

    16 Link /etc/rc2.d/S00set-tmp-permissions from /opt/SUNWjass/Files/etc/rc2.d/S00set-tmp-permissions.

    17 Link /etc/rc2.d/S07set-tmp-permissions from /opt/SUNWjass/Files/etc/rc2.d/S07set-tmp-permissions.

    18 Link /etc/rc2.d/S70nddconfig from /opt/SUNWjass/Files/etc/rc2.d/S70nddconfig.

    19 Rename /etc/rc3.d/S50apache to /etc/rc3.d/_S50apache.JASS.DATE-OF-EXECUTION

    20 Rename /etc/rc2.d/S47asppp to /etc/rc2.d/_S47asppp.JASS.DATE-OF-EXECUTION

    21 Rename /etc/rc2.d/S30sysid.net to /etc/rc2.d/_S30sysid.net.JASS.DATE-OF-EXECUTION

    22 Rename /etc/rc2.d/S71sysid.sys to /etc/rc2.d/_S71sysid.sys.JASS.DATE-OF-EXECUTION

    23 Rename /etc/rc2.d/S72autoinstall to /etc/rc2.d/_S72autoinstall.JASS.DATE-OF-EXECUTION

    24 Rename /etc/rc2.d/S74autofs to /etc/rc2.d/_S74autofs.JASS.DATE-OF-EXECUTION

    25 Rename /etc/rc3.d/S34dhcp to /etc/rc3.d/_S34dhcp.JASS.DATE-OF-EXECUTION

    26 Rename /etc/rc3.d/S77dmi to /etc/rc3.d/_S77dmi.JASS.DATE-OF-EXECUTION

    27 Rename /etc/rc2.d/S99dtlogin to /etc/rc2.d/_S99dtlogin.JASS.DATE-OF-EXECUTION

    28 Copy /etc/init.d/rpc to /etc/init.d/rpc.JASS.DATE-OF-EXECUTION

    29 Add the -d option to /usr/sbin/keyserv in /etc/init.d/rpc.

    30 Rename /etc/rc2.d/S71ldap.client to /etc/rc2.d/_S71ldap.client.JASS.DATE-OF-EXECUTION

    31 Rename /etc/rc2.d/S80lp to /etc/rc2.d/_S80lp.JASS.DATE-OF-EXECUTION

    32 Copy /etc/cron.d/cron.deny to /etc/cron.d/cron.deny.JASS.DATE-OF-EXECUTION

    33 Add the lp account to the cron.deny file.

    34 Create backup directory /var/spool/cron/crontabs.JASS

    35 Move /var/spool/cron/crontabs/lp to /var/spool/cron/crontabs.JASS/lp.JASS.DATE-OF-EXECUTION

    36 Rename /etc/rc3.d/S80mipagent to /etc/rc3.d/_S80mipagent.JASS.DATE-OF-EXECUTION

    37 Rename /etc/rc2.d/S73nfs.client to /etc/rc2.d/_S73nfs.client.JASS.DATE-OF-EXECUTION

    38 Rename /etc/rc3.d/S15nfs.server to /etc/rc3.d/_S15nfs.server.JASS.DATE-OF-EXECUTION

    39 Copy /etc/nscd.conf to /etc/nscd.conf.JASS.DATE-OF-EXECUTION

    40 Add enable-cache no for the passwd group and hosts entries.


    # Step

    91 Add sms-pcd to /etc/ftpusers.

    92 Add sms-tmd to /etc/ftpusers.

    93 Add sms-svc to /etc/ftpusers.

    94 Create the /var/adm/loginlog file.

    95 Copy /etc/inet/inetd.conf to /etc/inet/inetd.conf.JASS.DATE-OF-EXECUTION

    96 Copy /etc/shells to /etc/shells.JASS.DATE-OF-EXECUTION

    97 Add /usr/bin/sh to /etc/shells.

    98 Add /usr/bin/csh to /etc/shells.

    99 Add /usr/bin/ksh to /etc/shells.

    100 Add /usr/bin/jsh to /etc/shells.

    101 Add /bin/sh to /etc/shells.

    102 Add /bin/csh to /etc/shells.

    103 Add /bin/ksh to /etc/shells.

    104 Add /bin/jsh to /etc/shells.

    105 Add /sbin/sh to /etc/shells.

    106 Add /sbin/jsh to /etc/shells.

    107 Add /bin/bash to /etc/shells.

    108 Add /bin/pfcsh to /etc/shells.

    109 Add /bin/pfksh to /etc/shells.

    110 Add /bin/pfsh to /etc/shells.

    111 Add /bin/tcsh to /etc/shells.

    112 Add /bin/zsh to /etc/shells.

    113 Add /usr/bin/bash to /etc/shells.

    114 Add /usr/bin/pfcsh to /etc/shells.

    115 Add /usr/bin/pfksh to /etc/shells.

    116 Add /usr/bin/pfsh to /etc/shells.

    117 Add /usr/bin/tcsh to /etc/shells.

    118 Add /usr/bin/zsh to /etc/shells.

    119 Copy /etc/passwd to /etc/passwd.JASS.DATE-OF-EXECUTION

    120 Copy /etc/shadow to /etc/shadow.JASS.DATE-OF-EXECUTION

    121 Remove the account listen from the system.

    122 Remove the account nobody4 from the system.

    123 Copy /etc/default/ftpd to /etc/default/ftpd.JASS.DATE-OF-EXECUTION

    124 Set BANNER to "Authorized Use Only" in /etc/default/ftpd.

    125 Copy /etc/default/telnetd to /etc/default/telnetd.JASS.DATE-OF-EXECUTION

    126 Set BANNER to "Authorized Use Only" in /etc/default/telnetd.

    127 Copy /etc/default/ftpd to /etc/default/ftpd.JASS.DATE-OF-EXECUTION

    128 Set UMASK to 22 in /etc/default/ftpd.

    129 Copy /etc/default/login to /etc/default/login.JASS.DATE-OF-EXECUTION

    130 Set RETRIES to 3 in /etc/default/login.

    131 Copy /etc/default/power to /etc/default/power.JASS.DATE-OF-EXECUTION

    132 Change PMCHANGEPERM setting from console-owner to -. in /etc/default/power

    133 Change CPRCHANGEPERM setting from console-owner to -. in /etc/default/power

    134 Copy /etc/default/sys-suspend to /etc/default/sys-suspend.JASS.DATE-OF-EXECUTION

    135 Change PERMS setting from console-owner to -. in /etc/default/sys-suspend

    136 Copy /etc/vfstab to /etc/vfstab.JASS.DATE-OF-EXECUTION

    137 Set maximum /tmp filesystem size to be 512m

    138 Copy /etc/default/passwd to /etc/default/passwd.JASS.DATE-OF-EXECUTION

    139 Change MINWEEKS setting from NONE to 1

    140 Change MAXWEEKS setting from NONE to 8

    141 Change WARNWEEKS setting from NONE to 1

    142 Change PASSLENGTH setting from 6 to 8


    # Step

    143 Set umask (UMASK) value to 22 in /etc/.login

    144 Copy /etc/.login to /etc/.login.JASS.DATE-OF-EXECUTION

    145 Copy /etc/skel/local.login to /etc/skel/local.login.JASS.DATE-OF-EXECUTION

    146 Set umask (UMASK) value to 22 in /etc/skel/local.login

    147 Copy /etc/skel/local.profile to /etc/skel/local.profile.JASS.DATE-OF-EXECUTION

    148 Set umask (UMASK) value to 22 in /etc/skel/local.profile

    149 Copy /etc/default/login to /etc/default/login.JASS.DATE-OF-EXECUTION

    150 Set umask (UMASK) value to 22 in /etc/default/login

    151 Copy /etc/cron.d/at.deny to /etc/cron.d/at.deny.JASS.DATE-OF-EXECUTION

    152 Add root to /etc/cron.d/at.deny

    153 Add sys to /etc/cron.d/at.deny

    154 Add adm to /etc/cron.d/at.deny

    155 Add lp to /etc/cron.d/at.deny

    156 Add uucp to /etc/cron.d/at.deny

    157 Add sms-codd to /etc/cron.d/at.deny

    158 Add sms-dca to /etc/cron.d/at.deny

    159 Add sms-dsmd to /etc/cron.d/at.deny

    160 Add sms-dxs to /etc/cron.d/at.deny

    161 Add sms-efe to /etc/cron.d/at.deny

    162 Add sms-esmd to /etc/cron.d/at.deny

    163 Add sms-fomd to /etc/cron.d/at.deny

    164 Add sms-frad to /etc/cron.d/at.deny

    165 Add sms-osd to /etc/cron.d/at.deny

    166 Add sms-pcd to /etc/cron.d/at.deny

    167 Add sms-tmd to /etc/cron.d/at.deny

    168 Add sms-svc to /etc/cron.d/at.deny

    169 Copy /etc/cron.d/cron.allow to /etc/cron.d/cron.allow.JASS.DATE-OF-EXECUTION

    170 Add root to /etc/cron.d/cron.allow.

    171 Copy /etc/cron.d/cron.deny to /etc/cron.d/cron.deny.JASS.DATE-OF-EXECUTION

    172 Add sys to /etc/cron.d/cron.deny.

    173 Add adm to /etc/cron.d/cron.deny.

    174 Add uucp to /etc/cron.d/cron.deny.

    175 Add sms-codd to /etc/cron.d/cron.deny.

    176 Add sms-dca to /etc/cron.d/cron.deny.

    177 Add sms-dsmd to /etc/cron.d/cron.deny.

    178 Add sms-dxs to /etc/cron.d/cron.deny.

    179 Add sms-efe to /etc/cron.d/cron.deny.

    180 Add sms-esmd to /etc/cron.d/cron.deny.

    181 Add sms-fomd to /etc/cron.d/cron.deny.

    182 Add sms-frad to /etc/cron.d/cron.deny.

    183 Add sms-osd to /etc/cron.d/cron.deny.

    184 Add sms-pcd to /etc/cron.d/cron.deny.

    185 Add sms-tmd to /etc/cron.d/cron.deny.

    186 Add sms-svc to /etc/cron.d/cron.deny.

    187 Copy /etc/cron.d/logchecker to /etc/cron.d/logchecker.JASS.DATE-OF-EXECUTION

    188 Set the maximum size of the CRON facility log to 20480 from its previous value of 1024

    189 Copy /etc/inet/inetd.conf to /etc/inet/inetd.conf.JASS.DATE-OF-EXECUTION

    190 Disable service ftp (/usr/sbin/in.ftpd).

    191 Disable service telnet (/usr/sbin/in.telnetd).

    192 Disable service name (/usr/sbin/in.tnamed).

    193 Disable service talk (/usr/sbin/in.talkd).

    194 Disable service uucp (/usr/sbin/in.uucpd).


    # Step

    195 Disable service finger (/usr/sbin/in.fingerd).

    196 Disable service rquotad (/usr/lib/nfs/rquotad).

    197 Disable service rusersd (/usr/lib/netsvc/rusers/rpc.rusersd).

    198 Disable service sprayd (/usr/lib/netsvc/spray/rpc.sprayd).

    199 Disable service walld (/usr/lib/netsvc/rwall/rpc.rwalld).

    200 Disable service comsat (/usr/sbin/in.comsat).

    201 Disable service time (internal).

    202 Disable service echo (internal).

    203 Disable service discard (internal).

    204 Disable service daytime (internal).

    205 Disable service chargen (internal).

    206 Disable service rstatd (/usr/lib/netsvc/rstat/rpc.rstatd).

    207 Disable service 100068 (/usr/dt/bin/rpc.cmsd).

    208 Disable service 100083 (/usr/dt/bin/rpc.ttdbserverd).

    209 Disable service 100221 (/usr/openwin/bin/kcms_server).

    210 Disable service fs (/usr/openwin/lib/fs.auto).

    211 Disable service 100232 (/usr/sbin/sadmind).

    212 Disable service 100235 (/usr/lib/fs/cachefs/cachefsd).

    213 Disable service printer (/usr/lib/print/in.lpd).

    214 Disable service 100234 (/usr/lib/gss/gssd).

    215 Disable service dtspc (/usr/dt/bin/dtspcd).

    216 Disable service 100146 (/usr/lib/security/amiserv).

    217 Disable service 100147 (/usr/lib/security/amiserv).

    218 Disable service 100150 (/usr/sbin/ocfserv).

    219 Disable service 100134 (/usr/lib/krb5/ktkt_warnd).

    220 Disable service 100229 (/usr/sbin/rpc.metad).

    221 Disable service 100230 (/usr/sbin/rpc.metamhd).

    222 Disable service 300326 (/platform/SUNWUltra-Enterprise-10000/lib/dr_daemon).
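    The backup, rename and inetd conventions used throughout the step table above, as an added example that is not code from the Sun document or from the Toolkit: a small POSIX sh reimplementation run against a constructed scratch tree, including the limited undo that the dated backups make possible. ROOT, JASS_DATE, the function names and the sample inetd.conf lines are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the Sun document or the Solaris Security
# Toolkit: reimplements the conventions the step table describes so the
# backup/undo behaviour can be exercised on a scratch tree.
#   - a file that will be edited is first copied to FILE.JASS.DATE
#   - an rc script is disabled by renaming S??name to _S??name.JASS.DATE
#     (init only runs S* and K* scripts, so the copy is inert but kept)
#   - an inetd service is disabled by commenting out its inetd.conf line
# ROOT (a scratch directory) and JASS_DATE (stand-in for the Toolkit's
# DATE-OF-EXECUTION suffix) are assumptions of this example.
ROOT="${ROOT:-/tmp/jass-demo.$$}"
JASS_DATE="${JASS_DATE:-20020227}"

# jass_backup /etc/file: dated copy taken before the file is modified.
jass_backup() {
    cp -p "$ROOT$1" "$ROOT$1.JASS.$JASS_DATE"
}

# jass_disable_rc /etc/rc3.d/S50apache: rename the script out of init's way.
jass_disable_rc() {
    mv "$ROOT$1" "$ROOT$(dirname "$1")/_$(basename "$1").JASS.$JASS_DATE"
}

# jass_disable_inetd telnet: back up inetd.conf once, then comment out every
# uncommented line whose first field is the service name (a line already
# commented has "#svc" as its first field, so it is left alone).
jass_disable_inetd() {
    conf=/etc/inet/inetd.conf
    [ -f "$ROOT$conf.JASS.$JASS_DATE" ] || jass_backup "$conf"
    awk -v svc="$1" '$1 == svc { print "#" $0; next } { print }' \
        "$ROOT$conf" > "$ROOT$conf.tmp" && mv "$ROOT$conf.tmp" "$ROOT$conf"
}

# inetd_active telnet: exit 0 if the service still has a live entry.
inetd_active() {
    awk -v svc="$1" '$1 == svc { found = 1 } END { exit !found }' \
        "$ROOT/etc/inet/inetd.conf"
}

# jass_undo: put back every backup and renamed rc script for JASS_DATE.
# This is the "limited undo" the document refers to: it restores the files
# the Toolkit saved and nothing else.
jass_undo() {
    find "$ROOT" -name "*.JASS.$JASS_DATE" | while read -r saved; do
        orig=${saved%.JASS.$JASS_DATE}
        case $(basename "$orig") in
            _*) orig="$(dirname "$orig")/$(basename "$orig" | cut -c2-)" ;;
        esac
        mv "$saved" "$orig"
    done
}

# make_fixture: constructed sample tree (sample data, not a real system).
make_fixture() {
    rm -rf "$ROOT"
    mkdir -p "$ROOT/etc/inet" "$ROOT/etc/rc3.d"
    printf '%s\n' \
        'ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd' \
        'telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd' \
        'echo    stream  tcp  nowait  root  internal' \
        > "$ROOT/etc/inet/inetd.conf"
    printf '#!/sbin/sh\n/usr/apache/bin/apachectl start\n' > "$ROOT/etc/rc3.d/S50apache"
}

# count_active_rc: number of S* scripts left in rc3.d (0 once hardened).
count_active_rc() {
    ls "$ROOT/etc/rc3.d" | grep -c '^S' || true
}

# demo: apply the steps for apache, telnet and ftp, then undo them.
demo() {
    make_fixture
    jass_disable_rc /etc/rc3.d/S50apache
    jass_disable_inetd telnet
    jass_disable_inetd ftp
    printf 'after hardening: active rc3.d scripts=%s telnet_active=%s\n' \
        "$(count_active_rc)" "$(inetd_active telnet && echo yes || echo no)"
    jass_undo
    printf 'after undo:      active rc3.d scripts=%s telnet_active=%s\n' \
        "$(count_active_rc)" "$(inetd_active telnet && echo yes || echo no)"
    rm -rf "$ROOT"
}

demo
```

    The undo restores only what was backed up under one date suffix, which is why the document discourages deleting the .JASS copies: without them there is no record of what the file looked like before the Toolkit ran.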

    1.6. Solaris Security Toolkit File Content

    Representative file content provided by the Toolkit during the delivery of the ARS for the Sun Fire 12K/15K is illustrated in Appendix A.

    1.6.1. /etc/issue and /etc/motd

    These files are based on U.S. government recommendations. They provide users legal notice that their activities may be monitored. If an organization has specific legal banners, they can be installed into these files. Note that sshd does not display /etc/issue on its own; to show the notice to ssh users before authentication, point the Banner directive in sshd_config at the file. The file content is shown below.

    ####################################################################
    # This system is for the use of authorized users only.             #
    # Individuals using this computer system without authority, or in  #
    # excess of their authority, are subject to having all of their    #
    # activities on this system monitored and recorded by system       #
    # personnel.                                                       #
    #                                                                  #
    # In the course of monitoring individuals improperly using this    #
    # system, or in the course of system maintenance, the activities   #
    # of authorized users may also be monitored.                       #
    #                                                                  #
    # Anyone using this system expressly consents to such monitoring   #
    # and is advised that if such monitoring reveals possible          #
    # evidence of criminal activity, system personnel may provide the  #
    # evidence of such monitoring to law enforcement officials.        #
    ####################################################################

    1.6.2. /etc/notrouter

    Creating the empty file /etc/notrouter disables IP forwarding between interfaces on the system. Once the system is rebooted it will no longer function as a router, regardless of the number of network interfaces it has. The file has no content; the boot-time network initialization scripts only test for its existence. To confirm the setting took effect after the reboot, ndd -get /dev/ip ip_forwarding should return 0.


    1.6.3. /etc/nsswitch.conf

    This is an nsswitch.conf file configured so that the system uses local files for name resolution. It is a copy of the /etc/nsswitch.files shipped with Solaris 8 OE. The file content is shown below.

    # /etc/nsswitch.files:
    #
    # An example file that could be copied over to /etc/nsswitch.conf; it
    # does not use any naming service.
    #
    # "hosts:" and "services:" in this file are used only if the
    # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

    passwd:       files
    group:        files
    hosts:        files # dns
    ipnodes:      files
    networks:     files
    protocols:    files
    rpc:          files
    ethers:       files
    netmasks:     files
    bootparams:   files
    publickey:    files
    # At present there isn't a 'files' backend for netgroup; the system will
    # figure it out pretty quickly, and won't use netgroups at all.
    netgroup:     files
    automount:    files
    aliases:      files
    services:     files
    sendmailvars: files
    printers:     user files

    auth_attr:    files
    prof_attr:    files

    1.6.4. /etc/syslog.conf

    This modified /etc/syslog.conf file is installed to perform additional logging. It serves as a placeholder for organizations to add their own centralized log server (or servers) so that proactive log analysis can be done. Solaris syslogd requires the selector and action fields to be separated by tabs, not spaces; keep that in mind when uncommenting the loghost lines. The file content is shown below.

    #
    # Copyright (c) 2000, 2001 by Sun Microsystems, Inc.
    # All rights reserved.
    #
    #ident "@(#)syslog.conf 2.2 01/06/10 SMI"
    #
    # This "syslog.conf" file was installed by JASS. This
    # file should be used to log information both locally as
    # well as to a centralized log server (or servers) so that
    # proactive log analysis can be done.

    *.err;kern.notice;auth.notice    /dev/console
    *.alert                          root
    *.emerg                          *
    *.debug                          /var/adm/message
    # *.debug                        @loghost1
    # *.debug                        @loghost2

    1.6.5. /etc/default/sendmail

    This file is copied onto the system being hardened by the disable-sendmail.fin finish script on a Solaris 8 OE system. Although this section is titled /etc/default/sendmail, the content reproduced below is a minimal sendmail.cf that delivers all mail to the root account on the local host. The file content is shown below.

    # sendmail.cf to local root user

    # Define version
    V8
    # Whom errors should appear to be from
    DnMailer-Daemon
    # Formatting of the unix from line
    DlFrom $g $d
    # Separators
    Do.:%@!^=/[]
    # From of the sender's address
    Dq
    # Spool directory
    OQ/usr/spool/mqueue

    ###
    # Mailer Delivery Agents
    Mlocal, P=/usr/lib/mail.local, F=lsDFMAw5:/|@qSXfmnz9, S=10/30, R=20/40,
            T=DNS/RFC822/X-UNIX, A=mail.local -l
    Mprog, P=/dev/null, F=lsDFMeuP, S=0, R=0, A=/dev/null

    ###
    # Rule sets - whitespace between columns must be tabs!!!
    S0
    R@$+            $#error $: missing user name
    R$+             $#local $@$R $:root     forward to local root user

    S3
    R$*$*           $:root                  handle error address
    R$*$*           $:root                  basic rfc822 parsing

    1.6.6. /etc/dt/config/Xaccess

    This file disables all remote access, whether directed or broadcast, to any X serverrunning on this system. The file content is shown below.

    ########################################################################### Xaccess## Common Desktop Environment#### (c) Copyright 1993, 1994 Hewlett-Packard Company## (c) Copyright 1993, 1994 International Business Machines Corp.## (c) Copyright 1993, 1994 Sun Microsystems, Inc.## (c) Copyright 1993, 1994 Novell, Inc.#### ************** DO NOT EDIT THIS FILE **************#### /usr/dt/config/Xaccess is a factory-default file and will

    ## be unconditionally overwritten upon subsequent installation.## Before making changes to the file, copy it to the configuration## directory, /etc/dt/config. You must also update the accessFile## resource in /etc/dt/config/Xconfig.#### $XConsortium: Xaccess.src /main/cde1_maint/2 1995/08/30 16:21:28 gtsang $############################################################################# This file contains a list of host names which are allowed or## denied XDMCP connection access to this machine. When a remote## display (typically an X-termimal) requests login service, Dtlogin## will consult this file to determine if service should be granted## or denied.#### # Access control file for XDMCP connections#### To control Direct and Broadcast access:#### pattern

##   To control Indirect queries:
##      pattern         list of hostnames and/or macros ...
##   To use the chooser:
##      pattern         CHOOSER BROADCAST
##    or
##      pattern         CHOOSER list of hostnames and/or macros ...
##   To define macros:
##      %name           list of hosts ...
##
## The first form tells dtlogin which displays to respond to itself.
## The second form tells dtlogin to forward indirect queries from hosts
##   matching the specified pattern to the indicated list of hosts.
## The third form tells dtlogin to handle indirect queries using the
##   chooser; the chooser is directed to send its own queries out via the
##   broadcast address and display the results on the terminal.
## The fourth form is similar to the third, except instead of using the
##   broadcast address, it sends DirectQuerys to each of the hosts in
##   the list
##
## In all cases, dtlogin uses the first entry which matches the terminal;
##   for IndirectQuery messages only entries with right hand sides can
##   match, for Direct and Broadcast Query messages, only entries without
##   right hand sides can match.
##
## Information regarding the format of entries in this file is
##   included at the end of the file.
##
#########################################################################
##
## Entries...
##
#*                      # grant service to all remote displays
##
## The nicest way to run the chooser is to just ask it to broadcast
## requests to the network - that way new hosts show up automatically.
## Sometimes, however, the chooser can't figure out how to broadcast,
## so this may not work in all environments.
##
#*      CHOOSER BROADCAST       # any indirect host can get a chooser
##
## If you'd prefer to configure the set of hosts each terminal sees,
## then just uncomment these lines (and comment the CHOOSER line above)
## and edit the %hostlist line as appropriate
##
#%hostlist      host-a host-b
#*      CHOOSER %hostlist
##
#########################################################################
##
## ENTRY FORMAT
##
## An entry in this file is either a host name or a pattern. A
## pattern may contain one or more meta characters (`*' matches any
## sequence of 0 or more characters, and `?' matches any single
## character) which are compared against the host name of the remote
## device requesting service.
##
## If the entry is a host name, all comparisons are done using
## network addresses, so any name which converts to the correct
## network address may be used. For patterns, only canonical host
## names are used in the comparison, so do not attempt to match
## aliases.
##
## Preceding either a host name or a pattern with a `!' character
## causes hosts which match that entry to be excluded.
##
## When checking access for a particular display host, each entry is
## scanned in turn and the first matching entry determines the
## response.
##
## Blank lines are ignored, `#' is treated as a comment delimiter
## causing the rest of that line to be ignored,
##
## ex.
##   !xtra.lcs.mit.edu     # disallow direct/broadcast service for xtra
##   bambi.ogi.edu         # allow access from this particular display
##   *.lcs.mit.edu         # allow access from any display in LCS
##
## Deny all remote access (direct/broadcast) to this X server.
!*
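The entry-format rules above (first match wins, a leading `!` excludes, patterns versus plain host names, and the split between entries with and without a right-hand side) are easy to get wrong when editing Xaccess by hand. The following Python evaluator, added here as an illustration and not part of the original page or of dtlogin, models those rules over a constructed sample file so that a proposed Xaccess can be checked before it is deployed. To run offline it compares plain host names as lower-cased strings; a production version would resolve both sides (for example with socket.gethostbyname), which is an assumption of this example, not something the page states.

```python
import fnmatch

# Constructed sample Xaccess content, modelled on the entry format shown
# above (this example is added here and is not part of the original page).
SAMPLE_XACCESS = """
# Blank lines and comments are ignored
!xtra.lcs.mit.edu      # disallow direct/broadcast service for xtra
bambi.ogi.edu          # allow access from this particular display
*.lcs.mit.edu          # allow access from any display in LCS
*        CHOOSER BROADCAST   # indirect entry (has a right-hand side)
!*                     # deny everything else
"""


def parse_xaccess(text):
    """Return a list of (negated, pattern, rhs) tuples from Xaccess text.

    rhs is the list of tokens after the pattern. Entries with a right-hand
    side (CHOOSER ..., or a host list) apply only to Indirect queries;
    entries without one apply only to Direct/Broadcast queries.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        tokens = line.split()
        pattern, rhs = tokens[0], tokens[1:]
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        entries.append((negated, pattern, rhs))
    return entries


def _matches(pattern, host, resolve):
    # Patterns (containing * or ?) are compared against the canonical host
    # name; plain host names are compared through `resolve`, which stands
    # in for the address comparison dtlogin performs (assumption: here it
    # just lower-cases, so the example runs without DNS).
    if any(c in pattern for c in "*?"):
        return fnmatch.fnmatchcase(host.lower(), pattern.lower())
    return resolve(pattern) == resolve(host)


def direct_query_allowed(entries, host, resolve=lambda h: h.lower()):
    """Decide a Direct/Broadcast query: the first matching entry without a
    right-hand side decides; no match at all means the display is refused."""
    for negated, pattern, rhs in entries:
        if rhs:
            continue   # indirect-only entry, cannot match a Direct query
        if _matches(pattern, host, resolve):
            return not negated
    return False


def indirect_query_target(entries, host, resolve=lambda h: h.lower()):
    """Decide an Indirect query: return the right-hand side of the first
    matching entry that has one, or None if the host is refused."""
    for negated, pattern, rhs in entries:
        if not rhs:
            continue   # direct-only entry, cannot match an Indirect query
        if _matches(pattern, host, resolve):
            return None if negated else rhs
    return None
```

With the hardened file shown above (a single `!*` line) direct_query_allowed returns False for every host and indirect_query_target returns None, because there is no entry with a right-hand side left to match.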

    1.6.7. /etc/init.d/nddconfig and /etc/rc2.d/S70nddconfig

These Toolkit files install the nddconfig startup script as /etc/init.d/nddconfig together with its /etc/rc2.d/S70nddconfig link, so that the network driver (ndd) parameters are set at every boot. The script also accepts show and compare arguments: compare prints each parameter next to the value the script intends and marks deviations, which makes it a convenient post-reboot audit. The file content is shown below.

#!/sbin/sh
#
# Copyright (c) 1999-2001 by Sun Microsystems, Inc.
# All rights reserved.
#
# $Id: nddconfig,v 1.5 2000/12/08 02:10:14 kaw Exp $
#
# INTRODUCTION
#
# This script sets network driver parameters to prevent some network
# attacks. Install this script to make changes at system boot. For
# further information on the parameters set in this script, see
# the Sun Blueprints(tm) OnLine article entitled "Solaris Operating
# Environment Network Settings for Security - updated for 8".
#
# http://www.sun.com/blueprints/1200/network-updt1.pdf
#
# The latest version of this script is available from the Blueprints
# Online tools area at:
#
# http://www.sun.com/blueprints/tools/
#
# This script is written for the Solaris 2.5.1, 2.6, 7, and 8 Operating
# Environment releases.
#
# WARNING
#
# This script makes changes to the system default network driver
# parameters. The settings included in this script are considered safe
# in terms of security. However, some settings may not work in your
# environment. The comments provided for each parameter explain the
# effect the setting has.
#
# INSTALLATION
#
# # cp /etc/init.d/nddconfig
# # chmod 744 /etc/init.d/nddconfig
# # chown root:sys /etc/init.d/nddconfig
# # ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig
#
# WARNING MESSAGES
#
# When adding specific privileged ports ({tcp|udp}_extra_priv_ports_add),
# if a specific port number has already been applied, the following
# warning message is displayed:
#
# operation failed, File exists
#
# This is a very poor ndd warning message. It can be safely ignored.
#
# Keith A. Watson
#

PATH=/usr/bin:/usr/sbin

#
# A note about parameter values:
# '0' == false/off/disable
# '1' == true/on/enable
#

#
# verbose
#
# This option enables verbose output generated by this script.
#
verbose=1

#
# arp_cleanup_interval
#
# This option determines the period of time the Address Resolution
# Protocol (ARP) cache maintains entries. ARP attacks may be effective
# with the default interval. Shortening the timeout interval should
# reduce the effectiveness of such an attack.
# The default value is 300000 milliseconds (5 minutes).
#
arp_cleanup_interval=60000

#
# ip_forward_directed_broadcasts
#
# This option determines whether to forward broadcast packets directed
# to a specific net or subnet, if that net or subnet is directly
# connected to the machine. If the system is acting as a router, this
# option can be exploited to generate a great deal of broadcast network
# traffic. Turning this option off will help prevent broadcast traffic
# attacks.
# The default value is 1 (true).
#
ip_forward_directed_broadcasts=0

#
# ip_forward_src_routed
# ip6_forward_src_routed (Solaris 8)
#
# This option determines whether to forward packets that are source
# routed. These packets define the path the packet should take instead
# of allowing network routers to define the path.
# The default value is 1 (true).
#
ip_forward_src_routed=0
ip6_forward_src_routed=0

#
# ip_ignore_redirect
# ip6_ignore_redirect (Solaris 8)
#
# This option determines whether to ignore Internet Control Message
# Protocol (ICMP) packets that define new routes. If the system is
# acting as a router, an attacker may send redirect messages to alter
# routing tables as part of a sophisticated attack (man in the middle
# attack) or a simple denial of service.
# The default value is 0 (false).
#
ip_ignore_redirect=1
ip6_ignore_redirect=1

#
# ip_ire_flush_interval (Solaris 2.5.1, 2.6, and 7)
# ip_ire_arp_interval (Solaris 8)
#
# This option determines the period of time at which a specific route
# will be kept, even if currently in use. ARP attacks may be effective
# with the default interval. Shortening the time interval may reduce
# the effectiveness of attacks.
# The default interval is 1200000 milliseconds (20 minutes).
#
ip_ire_flush_interval=60000
ip_ire_arp_interval=60000

#
# ip_respond_to_address_mask_broadcast
#
# This option determines whether to respond to ICMP netmask requests
# which are typically sent by diskless clients when booting. An
# attacker may use the netmask information for determining network
# topology or the broadcast address for the subnet.
# The default value is 0 (false).
#
ip_respond_to_address_mask_broadcast=0

#
# ip_respond_to_echo_broadcast
# ip6_respond_to_echo_multicast (Solaris 8)
#
# This option determines whether to respond to ICMP broadcast echo
# requests (ping). An attacker may try to create a denial of service
# attack on subnets by sending many broadcast echo requests to which all
# systems will respond. This also provides information on systems that
# are available on the network.
# The default value is 1 (true).
#
ip_respond_to_echo_broadcast=0
ip6_respond_to_echo_multicast=0

#
# ip_respond_to_timestamp
#
# This option determines whether to respond to ICMP timestamp requests
# which some systems use to discover the time on a remote system. An
# attacker may use the time information to schedule an attack at a
# period of time when the system may run a cron job (or other time-
# based event) or otherwise be busy. It may also be possible to predict
# ID or sequence numbers that are based on the time of day for spoofing
# services.
# The default value is 1 (true).
#
ip_respond_to_timestamp=0

#
# ip_respond_to_timestamp_broadcast
#
# This option determines whether to respond to ICMP broadcast timestamp
# requests which are used to discover the time on all systems in the
# broadcast range. This option is dangerous for the same reasons as
# responding to a single timestamp request. Additionally, an attacker
# may try to create a denial of service attack by generating many
# broadcast timestamp requests.
# The default value is 1 (true).
#
ip_respond_to_timestamp_broadcast=0

#
# ip_send_redirects
# ip6_send_redirects (Solaris 8)
#
# This option determines whether to send ICMP redirect messages which
# can introduce changes into a remote system's routing table. It should
# only be used on systems that act as routers.
# The default value is 1 (true).
#
ip_send_redirects=0
ip6_send_redirects=0

#
# ip_strict_dst_multihoming
# ip6_strict_dst_multihoming (Solaris 8)
#
# This option determines whether to enable strict destination
# multihoming. If this is set to 1 and ip_forwarding is set to 0, then
# a packet sent to an interface from which it did not arrive will be
# dropped. This setting prevents an attacker from passing packets across
# a machine with multiple interfaces that is not acting as a router.
# The default value is 0 (false).
#
ip_strict_dst_multihoming=1
ip6_strict_dst_multihoming=1

#
# tcp_conn_req_max_q0
#
# This option sets the size of the queue containing unestablished
# connections. This queue is part of a protection mechanism against
# SYN flood attacks. The queue size default is adequate for most
# systems but should be increased for busy servers.
# The default value is 1024.
#
tcp_conn_req_max_q0=4096

#
# tcp_conn_req_max_q
#
# This option sets the maximum number of fully established connections.
# Increasing the size of this queue provides some limited protection
# against resource consumption attacks. The queue size default is
# adequate for most systems but should be increased for busy servers.
# The default value is 128.
#
tcp_conn_req_max_q=1024

#
# tcp_rev_src_routes (Solaris 8)
#
# This option determines whether the specified route in a source
# routed packet will be used in returned packets. TCP source routed
# packets may be used in spoofing attacks, so the reverse route should
# not be used.
# The default value is 0 (false).
#
tcp_rev_src_routes=0

#
# Adding specific privileged ports (Solaris 2.6, 7, and 8)
#
# These options define additional TCP and UDP privileged ports outside
# of the 1-1023 range. Any program that attempts to bind the ports
# listed here must run as root. This prevents normal users from
# starting server processes on specific ports. Multiple ports can be
# specified by quoting and separating them with spaces.
#
# Default values:
# tcp_extra_priv_ports: 2049 (nfsd) 4045 (lockd)
# udp_extra_priv_ports: 2049 (nfsd) 4045 (lockd)
#
tcp_extra_priv_ports_add="6112"
udp_extra_priv_ports_add=""

#
# Ephemeral port range adjustment (Solaris 2.5.1, 2.6, 7, and 8)
#
# These options define the upper and lower bounds on ephemeral ports.
# Ephemeral (means short-lived) ports are used when establishing
# outbound network connections.
#
# Default values:
# tcp_smallest_anon_port=32768
# tcp_largest_anon_port=65535
# udp_smallest_anon_port=32768
# udp_largest_anon_port=65535
#
tcp_smallest_anon_port=32768
tcp_largest_anon_port=65535
udp_smallest_anon_port=32768
udp_largest_anon_port=65535

#
# Nonprivileged port range adjustment (Solaris 2.5.1, 2.6, 7, and 8)
#
# These options define the start of nonprivileged TCP and UDP ports.
# The nonprivileged port range normally starts at 1024. Any program
# that attempts to bind a nonprivileged port does not have to run as
# root.
#
# Default values:
# tcp_smallest_nonpriv_port=1024
# udp_smallest_nonpriv_port=1024
#
tcp_smallest_nonpriv_port=1024
udp_smallest_nonpriv_port=1024

# +-----------------------------------------+
# | No modification needed below this line. |
# +-----------------------------------------+

#
# base parameters (the same across the 2.5.1, 2.6, 7, 8, and 9 (alpha)
# releases)
#
base_parameters="arp_cleanup_interval \
    ip_forward_directed_broadcasts \
    ip_forward_src_routed \
    ip_ignore_redirect \
    ip_respond_to_address_mask_broadcast \
    ip_respond_to_echo_broadcast \
    ip_respond_to_timestamp \
    ip_respond_to_timestamp_broadcast \
    ip_send_redirects \
    ip_strict_dst_multihoming \
    tcp_conn_req_max_q0 \
    tcp_conn_req_max_q \
    tcp_smallest_anon_port \
    tcp_largest_anon_port \
    udp_smallest_anon_port \
    udp_largest_anon_port \
    tcp_smallest_nonpriv_port \
    udp_smallest_nonpriv_port"

#
# OS_revision specific parameters
#

# Solaris 2.5.1 specific parameters
SunOS5_5_1="ip_ire_flush_interval"

# Solaris 2.6 specific parameters
SunOS5_6="ip_ire_flush_interval \
    tcp_extra_priv_ports_add \
    udp_extra_priv_ports_add"

# Solaris 7 specific parameters
SunOS5_7="ip_ire_flush_interval \
    tcp_extra_priv_ports_add \
    udp_extra_priv_ports_add"

# Solaris 8 specific parameters
SunOS5_8="ip_ire_arp_interval \
    tcp_extra_priv_ports_add \
    udp_extra_priv_ports_add \
    tcp_rev_src_routes"

# Solaris 9 (alpha) specific parameters
SunOS5_9="ip_ire_arp_interval \
    tcp_extra_priv_ports_add \
    udp_extra_priv_ports_add \
    tcp_rev_src_routes"

#
# IPv6 parameters (apply to Solaris 8 and 9 (alpha))
#
ip6_parameters="ip6_forward_src_routed \
    ip6_respond_to_echo_multicast \
    ip6_send_redirects \
    ip6_ignore_redirect \
    ip6_strict_dst_multihoming"

#
# system privileged ports defaults
#
extra_priv_ports_defaults="2049 4045 "

#
# get OS name and revision information (e.g. SunOS 5.8 -> SunOS5_8, the
# name of the variable holding that release's extra parameters)
#
os=`uname -s`
revision=`uname -r`
OSRev=$os`echo $revision | sed -e 's/\./_/g'`

#
# check if IPv6 is enabled: if no /etc/hostname6.* file exists the glob
# is echoed back unexpanded, so the comparison fails and IPv6 is skipped
#
ip6_interfaces="`echo /etc/hostname6.*[0-9] 2> /dev/null`"
[ "$ip6_interfaces" != "/etc/hostname6.*[0-9]" ] && ip6_enabled=true

#
# do_in_order -- This function executes the specified function with
# the appropriate parameters for the local OS, revision, and
# configuration. Currently it acts on a specific base set of
# parameters, OS and revision specific parameters, and IPv6
# parameters.
#
do_in_order() { # function_name
    function_name=$1

    # handle the base parameters
    for param in $base_parameters; do
        $function_name $param
    done

    # handle the OS/revision specific parameters
    eval OSRev_params=\$$OSRev
    for param in $OSRev_params; do
        $function_name $param
    done

    # handle IPv6 parameters
    if [ "$ip6_enabled" = "true" ]; then
        for param in $ip6_parameters; do
            $function_name $param
        done
    fi
}

#
# set_parameter -- This function uses ndd to set a parameter.
# The supplied parameter name has a shell variable with the same
# name which contains the value for the parameter.
#
set_parameter() { # parameter
    # definition for local variable
    param=$1

    # determine the driver from the first substring in the parameter name
    # (ip_... -> /dev/ip, ip6_... -> /dev/ip6, tcp_... -> /dev/tcp, ...)
    driver=/dev/`echo $param | sed -e 's/_.*//'`

    eval values=\$$param

    # First check that a value for the parameter exists. If not, skip it.
    if [ -n "$values" ]; then
        # Some parameters may have multiple values specified in one
        # assignment further up in the script. ndd only accepts one
        # parameter at a time. Loop through and set each value.
        for value in $values; do
            [ "$verbose" = "1" ] && \
                echo "Setting $driver $param to $value"
            ndd -set $driver $param $value
        done
    fi
}

#
# display_parameter -- This function uses ndd to extract the value of
# a parameter and display it.
#
display_parameter() { # parameter
    # definition for local variable
    param=$1

    # hack for the "write only" extra privileged ports parameters
    param=`echo $param | sed -e 's/_add$//'`

    # determine the driver from the first substring in the parameter name
    driver=/dev/`echo $param | sed -e 's/_.*//'`

    # execute the ndd command to retrieve settings and remove newlines
    value=`ndd $driver $param | tr -d '\n'`

    # print parameter value
    echo "  $driver $param = '$value'"
}

#
# compare_parameter -- This function uses ndd to extract the value of
# a parameter. It compares the current parameter value to the one
# defined in this script.
#
compare_parameter() { # parameter
    # definition for local variable
    originalParam=$1

    # hack for the "write only" extra privileged ports parameters
    modifiedParam=`echo $originalParam | sed -e 's/_add$//'`

    # determine the driver from the first substring in the parameter name
    driver=/dev/`echo $modifiedParam | sed -e 's/_.*//'`

    # execute the ndd command to retrieve settings and remove newlines
    currentValue=`ndd $driver $modifiedParam | tr -d '\n'`

    eval intendedValue="\$$originalParam"

    # if the modified parameter name is different from the original
    # parameter, then we are dealing with the privileged port parameters
    if [ "$modifiedParam" != "$originalParam" ]; then
        # the privileged port parameters have system defaults that must
        # be accounted for in the comparison
        if [ -n "$intendedValue" ]; then
            intendedValue="$extra_priv_ports_defaults$intendedValue "
        else
            intendedValue="$extra_priv_ports_defaults"
        fi
    fi

    # print parameter value and note all deviations
    echo "  $driver $modifiedParam = '$currentValue'\c"
    if [ "$intendedValue" != "$currentValue" ]; then
        echo " (should be '$intendedValue')"
    else
        echo " (ok)"
    fi
}

# Process the command argument
case "$1" in
'start')
    # set the parameters in the defined order
    do_in_order set_parameter
    ;;
'show')
    echo "Current ndd parameter settings:"
    do_in_order display_parameter
    ;;
'compare')
    echo "Comparison of ndd parameter settings:"
    do_in_order compare_parameter
    ;;
'stop')
    # ignored
    [ "$verbose" = "1" ] && \
        echo "$0: 'stop' ignored. No network changes applied."
    ;;
*)
    echo "Usage: $0 { start | stop | show | compare }"
    exit 1
    ;;
esac

exit 0

    1.6.8. set-tmp-permissions scripts

The purpose of these scripts (/etc/init.d/set-tmp-permissions, /etc/rc2.d/S00set-tmp-permissions and /etc/rc2.d/S07set-tmp-permissions) is to set the correct permissions (mode 1777, owner root, group sys) on the /tmp and /var/tmp directories when the system is rebooted. If an inconsistency is found, a warning is written to standard output. The script is installed into /etc/rc2.d twice so that the check is performed both before and after the mountall command is run from S01MOUNTFSYS; this ensures that both the mount point and the mounted filesystem have the correct permissions and ownership. Note that /sbin/rc2 runs the S* scripts in lexical order, so the first copy must sort before S01MOUNTFSYS: the Toolkit installs it as S00set-tmp-permissions, whereas the installation comments in the script header name S01set-tmp-permissions, which would sort after S01MOUNTFSYS (an upper-case letter collates before a lower-case one). As reproduced below, the script reports its warnings on standard output and contains no logger(1) call, so the SYSLOG logging mentioned in its header comment is not performed by this version. The file content is shown below; the contents of each file are identical.

#!/bin/sh
#
# Copyright (c) 2001 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)set-tmp-permissions 1.2 01/06/10 SMI"
#
# INTRODUCTION
#
# The purpose of this script is to set the correct
# permissions on the /tmp and /var/tmp directories
# when the system is rebooted. If an inconsistency
# is found, it will be displayed to standard output
# and logged via SYSLOG.
#
# INSTALLATION
#
# To install this script, the following commands should
# be performed as 'root'.
#
# # cp /etc/init.d/set-tmp-permissions
# # chmod 744 /etc/init.d/set-tmp-permissions
# # chown root:sys /etc/init.d/set-tmp-permissions
# # ln /etc/init.d/set-tmp-permissions /etc/rc2.d/S01set-tmp-permissions
# # ln /etc/init.d/set-tmp-permissions /etc/rc2.d/S07set-tmp-permissions
#
# The reason that this script is installed into /etc/rc2.d
# twice is to permit this check to be performed both before
# and after the "mountall" command is run (from S01MOUNTFSYS).
# That way, both the mount point and the mounted filesystem
# will be sure to have the correct permissions and ownership.
#
# Glenn M. Brunette
#

TMP_OWNER="root"
TMP_GROUP="sys"

# If you change TMP_PERMS for any reason, be sure to update
# TMP_PERMS_SET accordingly. These values are reasonable,
# however, and should not need to be changed.

TMP_PERMS="drwxrwxrwt"
TMP_PERMS_SET="1777"

# Verify both /tmp and /var/tmp.

for tmppath in /tmp /var/tmp; do
    if [ -d "${tmppath}" ]; then
        oldVal="`ls -ld ${tmppath}`"

        # Obtain and verify the permissions on ${tmppath}.
        perms="`echo ${oldVal} | awk '{ print $1 }'`"
        if [ "${TMP_PERMS}" != "${perms}" ]; then
            echo "WARNING: ${tmppath} had incorrect permissions (${perms})."
        fi

        # Obtain and verify the ownership of ${tmppath}.
        owner="`echo ${oldVal} | awk '{ print $3 }'`"
        if [ "${TMP_OWNER}" != "${owner}" ]; then
            echo "WARNING: ${tmppath} had incorrect ownership (${owner})."
        fi

        # Obtain and verify the group of ${tmppath}.
        group="`echo ${oldVal} | awk '{ print $4 }'`"
        if [ "${TMP_GROUP}" != "${group}" ]; then
            echo "WARNING: ${tmppath} had an incorrect group setting (${group})."
        fi

        # Make all of the changes to ${tmppath} to bring it into
        # compliance with the settings as defined above.
        /bin/chown ${TMP_OWNER} ${tmppath}
        /bin/chgrp ${TMP_GROUP} ${tmppath}
        /bin/chmod ${TMP_PERMS_SET} ${tmppath}
    fi
done
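The two points that matter in the section above are the required state of the directories (mode 1777, owner root, group sys) and the order in which the rc2 scripts run. The following Python, added here as an illustration and not part of the original page or of the Toolkit, reproduces the check using os.lstat, so that a symbolic link planted at the path is reported instead of being chmod'ed through (chmod(1) and chown(1) follow links), and shows the lexical rc2 run order that makes an S00 name rather than S01 necessary. The root:sys defaults (uid 0, gid 3) are the Solaris values and are an assumption of the example; make_sample_dir and current_ids exist only so the check can be exercised on a scratch directory.

```python
import os
import stat
import tempfile


def rc_run_order(names):
    """Order in which /sbin/rc2 runs S* scripts: plain lexical (glob) order.

    Upper-case letters sort before lower-case ones, so S01MOUNTFSYS runs
    before S01set-tmp-permissions; only an S00 name runs before mountall.
    """
    return sorted(n for n in names if n.startswith("S"))


def check_tmp_dir(path, want_uid=0, want_gid=3, want_mode=0o1777):
    """Return a list of findings for a world-writable temp directory.

    os.lstat is used so a symlink at the path is reported, not followed.
    Defaults assume root:sys (uid 0, gid 3) as on Solaris (assumption).
    """
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["%s is a symbolic link, not a directory" % path]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    mode = stat.S_IMODE(st.st_mode)       # permission bits incl. sticky bit
    if mode != want_mode:
        findings.append("%s had incorrect permissions (%04o, want %04o)"
                        % (path, mode, want_mode))
    if st.st_uid != want_uid:
        findings.append("%s had incorrect ownership (uid %d, want %d)"
                        % (path, st.st_uid, want_uid))
    if st.st_gid != want_gid:
        findings.append("%s had an incorrect group setting (gid %d, want %d)"
                        % (path, st.st_gid, want_gid))
    return findings


def fix_tmp_dir(path, want_uid=0, want_gid=3, want_mode=0o1777):
    """Apply the expected owner, group and mode (needs privilege for root:sys).
    Refuses symbolic links for the same reason check_tmp_dir reports them."""
    if stat.S_ISLNK(os.lstat(path).st_mode):
        raise OSError("%s is a symbolic link; refusing to change it" % path)
    os.chown(path, want_uid, want_gid)
    os.chmod(path, want_mode)


def current_ids():
    """(uid, gid) of the running process, for exercising the check unprivileged."""
    return os.getuid(), os.getgid()


def make_sample_dir(mode=0o1777):
    """Create a scratch directory owned by the caller with the given mode."""
    d = tempfile.mkdtemp()
    os.chown(d, os.getuid(), os.getgid())
    os.chmod(d, mode)
    return d
```

On a real system the call would be check_tmp_dir("/tmp") followed by fix_tmp_dir("/tmp") when findings are returned, run once before and once after the filesystems are mounted, exactly as the two rc2 links do.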

    1.6.9. /etc/init.d/inetsvc

This file replaces the default /etc/init.d/inetsvc with a minimized version containing only those commands required to configure the network interfaces and start inetd. The minimized script has only four lines, compared with the 256 lines of the Solaris 8 OE version; everything else the stock script does (for example starting named and configuring multicast routes) is omitted. inetd is started with -s (standalone, rather than under the Service Access Facility) and -t, which traces incoming connections via syslog. The minimized inetsvc script is as follows:

#!/bin/sh
/usr/sbin/ifconfig -au netmask + broadcast +
/usr/sbin/inetd -s -t &

    1.6.10. /etc/inet/inetd.conf

The following table shows sample contents of the inetd.conf file, excluding the header, prior to use of the Toolkit. Each line is one inetd service: service name (RPC services use program-number/version), socket type, protocol, wait/nowait, the user the server runs as, the server path and its arguments.

    ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd

    telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd

    name dgram udp wait root /usr/sbin/in.tnamed in.tnamed

    shell stream tcp nowait root /usr/sbin/in.rshd in.rshd

    shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd

    login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind

    exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd

    exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd

    comsat dgram udp wait root /usr/sbin/in.comsat in.comsat

    talk dgram udp wait root /usr/sbin/in.talkd in.talkd

    uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd

finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd

    time stream tcp6 nowait root internal

    time dgram udp6 wait root internal

    echo stream tcp6 nowait root internal

    echo dgram udp6 wait root internal

    discard stream tcp6 nowait root internal

    discard dgram udp6 wait root internal

    daytime stream tcp6 nowait root internal

    daytime dgram udp6 wait root internal

    chargen stream tcp6 nowait root internal

    chargen dgram udp6 wait root internal

    100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

    rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad

    rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd

sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd

walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld

    rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd

    100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd

    100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server

fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs

    100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd

    100134/1 tli rpc/ticotsord wait root /usr/lib/krb5/ktkt_warnd ktkt_warnd

    printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd

    100234/1 tli rpc/ticotsord wait root /usr/lib/gss/gssd gssd

    100146/1 tli rpc/ticotsord wait root /usr/lib/security/amiserv amiserv

    100147/1 tli rpc/ticotsord wait root /usr/lib/security/amiserv amiserv

    100150/1 tli rpc/ticotsord wait root /usr/sbin/ocfserv ocfserv

    dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd

    100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd

    sun-dr stream tcp wait root /usr/lib/dcs dcs

    sun-dr stream tcp6 wait root /usr/lib/dcs dcs

300326/4 tli rpc/tcp wait root /platform/SUNW,Ultra-Enterprise-10000/lib/dr_daemon dr_daemon

    100229/1 tli rpc/tcp wait root /usr/sbin/rpc.metad rpc.metad

    100230/1 tli rpc/tcp wait root /usr/sbin/rpc.metamhd rpc.metamhd


The following table shows the contents of the inetd.conf file on the system controller, excluding the header, after use of the Toolkit. Note that shell, login and exec (the Berkeley r-services) remain enabled on the system controller after hardening; these authenticate by source address and carry their sessions in the clear, so network access to the SC's interfaces should be restricted accordingly.

    shell stream tcp nowait root /usr/sbin/in.rshd in.rshd

    shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd

    login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind

exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd

exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd

    sun-dr stream tcp wait root /usr/lib/dcs dcs

    sun-dr stream tcp6 wait root /usr/lib/dcs dcs

The following table shows the contents of the inetd.conf file on the domains, excluding the header, after use of the Toolkit. Only the dynamic reconfiguration service (sun-dr) remains.

    sun-dr stream tcp wait root /usr/lib/dcs dcs

    sun-dr stream tcp6 wait root /usr/lib/dcs dcs
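As an added example (not from the original page or the Toolkit), the following Python compares a before and after inetd.conf the way the three listings above are compared by eye: it parses the active entries, lists which services the hardening removed, and reports what is still enabled, calling out the cleartext r-services and anything still running as root. The embedded listings are a constructed subset of the entries shown above; CLEARTEXT_SERVICES is this example's own classification.

```python
# Constructed subset of the inetd.conf listings shown above (example data).
BEFORE = """\
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd
login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd
chargen dgram udp6 wait root internal
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
sun-dr stream tcp wait root /usr/lib/dcs dcs
"""

AFTER_SC = """\
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd
login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
sun-dr stream tcp wait root /usr/lib/dcs dcs
"""

AFTER_DOMAIN = """\
sun-dr stream tcp wait root /usr/lib/dcs dcs
"""

# Services that authenticate by source address and/or send credentials in
# the clear; a hardening review should call these out if they survive.
CLEARTEXT_SERVICES = {"ftp", "telnet", "shell", "login", "exec"}


def parse_inetd_conf(text):
    """Map (service, protocol) -> (wait flag, user, server path) for the
    active entries of an inetd.conf.

    Field layout: service socket-type protocol wait|nowait user server [args].
    Comment and blank lines are skipped; RPC services carry a /version suffix
    on the name and tli plus rpc/... in the type and protocol fields.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError("malformed inetd.conf line: %r" % raw)
        service, proto, wait, user, server = (fields[0], fields[2], fields[3],
                                              fields[4], fields[5])
        entries[(service, proto)] = (wait, user, server)
    return entries


def removed_services(before, after):
    """Sorted service names present before hardening but absent afterwards."""
    b = {s for s, _ in parse_inetd_conf(before)}
    a = {s for s, _ in parse_inetd_conf(after)}
    return sorted(b - a)


def remaining_findings(after):
    """Findings for what is still enabled: cleartext services first, then
    anything else that inetd would still spawn as root."""
    findings = []
    for (service, proto), (wait, user, server) in parse_inetd_conf(after).items():
        base = service.split("/")[0]
        if base in CLEARTEXT_SERVICES:
            findings.append("%s/%s: cleartext, address-based trust (%s)"
                            % (service, proto, server))
        elif user == "root" and server != "internal":
            findings.append("%s/%s: still runs as root (%s)"
                            % (service, proto, server))
    return findings
```

Run against the full listings above, the domain result is a single finding for sun-dr, while the system controller result still contains the four r-service entries.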

1.6.11. /etc/init.d/nddconfig

The following table lists the baseline network device driver (ndd) settings applied to harden the SCs and domains, with the default and the hardened value for each. Interface-specific ip_forwarding rows apply only to the platform noted. Note that the per-interface ip_forwarding rows and ip_def_ttl are not among the parameters handled by the nddconfig script reproduced in 1.6.7, so that script's compare mode does not audit them.

Network device driver configuration setting                  Default       Hardened
/dev/ip   ip_forwarding                                      1             0
/dev/ip   lo0:ip_forwarding                                  1             0
/dev/ip   eri1:ip_forwarding      (note: SCs only)           1             0
/dev/ip   hme0:ip_forwarding                                 1             0
/dev/ip   scman0:ip_forwarding    (note: SCs only)           1             0
/dev/ip   scman1:ip_forwarding    (note: SCs only)           1             0
/dev/ip   dman0:ip_forwarding     (note: domains only)       1             0
/dev/ip   qfe0:ip_forwarding      (note: domains only)       1             0
/dev/arp  arp_cleanup_interval                               300000        60000
/dev/ip   ip_forward_directed_broadcasts                     1             0
/dev/ip   ip_forward_src_routed                              1             0
/dev/ip   ip_ignore_redirect                                 0             1
/dev/ip   ip_respond_to_address_mask_broadcast               0             0
/dev/ip   ip_respond_to_echo_broadcast                       1             0
/dev/ip   ip_respond_to_timestamp                            1             0
/dev/ip   ip_respond_to_timestamp_broadcast                  1             0
/dev/ip   ip_send_redirects                                  1             0
/dev/ip   ip_strict_dst_multihoming                          0             1
/dev/ip   ip_def_ttl                                         255           255
/dev/tcp  tcp_conn_req_max_q0                                1024          4096
/dev/tcp  tcp_conn_req_max_q                                 128           1024
/dev/tcp  tcp_smallest_anon_port                             32768         32768
/dev/tcp  tcp_largest_anon_port                              65535         65535
/dev/udp  udp_smallest_anon_port                             32768         32768
/dev/udp  udp_largest_anon_port                              65535         65535
/dev/tcp  tcp_smallest_nonpriv_port                          1024          1024
/dev/udp  udp_smallest_nonpriv_port                          1024          1024
/dev/ip   ip_ire_arp_interval                                1200000       60000
/dev/tcp  tcp_extra_priv_ports                               2049, 4045    2049, 4045, 6112
/dev/udp  udp_extra_priv_ports                               2049, 4045    2049, 4045
/dev/tcp  tcp_rev_src_routes                                 0             0
/dev/ip6  ip6_forward_src_routed                             1             0
/dev/ip6  ip6_respond_to_echo_multicast                      1             0
/dev/ip6  ip6_send_redirects                                 0             0
/dev/ip6  ip6_ignore_redirect                                0             1
/dev/ip6  ip6_strict_dst_multihoming                         0             1
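The nddconfig script in 1.6.7 audits only the parameters it sets itself, and only through its compare mode on the host. The following Python, added here as an illustration and not part of the original page or of the Toolkit, checks a host's ndd output against the baseline table above, including the per-interface ip_forwarding rows the script does not cover. The ndd output is a constructed sample embedded in the block; on a real system the reader callback would wrap subprocess.run(["ndd", driver, param], ...), which is an assumption of this example. The multi-valued port lists matter here: ndd prints them one port per line, which is why the script strips newlines with tr, and why this checker normalizes both sides to a sorted token list before comparing.

```python
# Baseline taken from the table above, as (driver, parameter, hardened value).
# Multi-valued parameters (the extra privileged port lists) are written
# space-separated, the way ndd reports them once newlines are removed.
BASELINE = [
    ("/dev/ip",  "ip_forwarding",              "0"),
    ("/dev/ip",  "hme0:ip_forwarding",         "0"),
    ("/dev/arp", "arp_cleanup_interval",       "60000"),
    ("/dev/ip",  "ip_forward_src_routed",      "0"),
    ("/dev/ip",  "ip_ignore_redirect",         "1"),
    ("/dev/ip",  "ip_strict_dst_multihoming",  "1"),
    ("/dev/tcp", "tcp_conn_req_max_q0",        "4096"),
    ("/dev/tcp", "tcp_extra_priv_ports",       "2049 4045 6112"),
    ("/dev/udp", "udp_extra_priv_ports",       "2049 4045"),
]

# Constructed sample of what `ndd /dev/<drv> <param>` prints on a host where
# nddconfig has run but someone later re-enabled forwarding on hme0 and the
# extra TCP privileged port was lost. ndd prints port lists one per line.
SAMPLE_NDD_OUTPUT = {
    ("/dev/ip",  "ip_forwarding"):             "0\n",
    ("/dev/ip",  "hme0:ip_forwarding"):        "1\n",
    ("/dev/arp", "arp_cleanup_interval"):      "60000\n",
    ("/dev/ip",  "ip_forward_src_routed"):     "0\n",
    ("/dev/ip",  "ip_ignore_redirect"):        "1\n",
    ("/dev/ip",  "ip_strict_dst_multihoming"): "1\n",
    ("/dev/tcp", "tcp_conn_req_max_q0"):       "4096\n",
    ("/dev/tcp", "tcp_extra_priv_ports"):      "2049\n4045\n",
    ("/dev/udp", "udp_extra_priv_ports"):      "2049\n4045\n",
}


def normalize(raw):
    """Collapse ndd output (possibly several lines) to one canonical string:
    whitespace-split, sorted, space-joined, so port-list order is irrelevant."""
    return " ".join(sorted(raw.split()))


def compare_ndd(baseline, reader):
    """Return a list of (driver, param, expected, actual) deviations.

    `reader(driver, param)` returns the raw text ndd prints for that
    parameter. In production wrap subprocess.run(["ndd", driver, param],
    capture_output=True, text=True).stdout (assumption, not run here).
    """
    deviations = []
    for driver, param, expected in baseline:
        actual = normalize(reader(driver, param))
        if normalize(expected) != actual:
            deviations.append((driver, param, expected, actual))
    return deviations


def sample_reader(driver, param):
    """Reader over the constructed sample, in place of running ndd."""
    return SAMPLE_NDD_OUTPUT[(driver, param)]


def report(deviations):
    """One human-readable line per deviation, in ndd's own naming."""
    return ["%s %s = '%s' (should be '%s')" % (d, p, a, e)
            for d, p, e, a in deviations]
```

Against the sample, the checker reports exactly two lines: hme0:ip_forwarding is 1 instead of 0, and tcp_extra_priv_ports lacks 6112. Extending BASELINE with the remaining rows of the table is a matter of copying them in.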


Appendix A: Solaris Security Toolkit Sample Output

Sample output captured from the use of the Toolkit is provided in this section of the document. Actual output from the Toolkit will be provided after it has been used to enhance the security of the Sun Fire 12K/15K.

Note: A "driver", in the context of the Toolkit, provides input to the Toolkit. Customization of the driver for the Solaris Security Toolkit is not included in this service.

Note also that the print-jass-environment.fin finish script echoes every JASS_* variable into the run log, including JASS_ROOT_PASSWORD, which holds the encrypted (crypt(3)) root password that the Toolkit installs and which appears in the output below. Treat Toolkit run logs as sensitive and do not leave them world-readable.

==============================================================================
sunfire_15k_domain-secure.driver.test: Driver started.
==============================================================================

==============================================================================
JASS Version: 0.3.2
Node name: xcat-domain2
Host ID: 82a84eaf
Host address: 129.148.202.158
MAC address: 8:0:20:f6:42:30
Date: Wed Oct 10 11:49:06 EDT 2001
==============================================================================

==============================================================================
sunfire_15k_domain-secure.driver.test: Copying personalized files.
==============================================================================

Copying ///.cshrc from /opt/SUNWjass/Files//.cshrc.
Copying ///.profile to ///.profile.JASS.20011010114906
Copying ///.profile from /opt/SUNWjass/Files//.profile.

==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: print-jass-environment.fin
==============================================================================

    JASS_ACCT_DISABLEdaemonbinadmlpuucpnuucpnobodysmtplistennoaccess

    nobody4

    JASS_ACCT_REMOVEsmtplistennobody4

    JASS_AGING_MINWEEKS1

    JASS_AGING_MAXWEEKS8

    JASS_AT_ALLOW

    JASS_AT_DENYrootdaemonbinsysadmlpuucpnuucplistennobodynoaccessnobody4oracleapache

    JASS_BANNER_FTPD

    Security Page 24 of 36 February 27, 2002

    Copyright 2001 Sun Microsystems, Inc. All rights reserved.

  • 7/28/2019 15k OS Security Suite

    25/36

    Sun Proprietary and Confidential: Need to Know

    Application Readiness Service for Sun Fire 12K/15K Security

    Authorized Use Only

    JASS_BANNER_TELNETDAuthorized Use Only

    JASS_CPR_MGT_USER-

    JASS_CRON_ALLOWroot

    JASS_CRON_DENYrootdaemonbinsysadmlpuucpnuucplistennobodynoaccessnobody4

    JASS_CRON_LOG_SIZE20480

    JASS_FILES_DIR/opt/SUNWjass/Files

    JASS_FINISH_DIR/opt/SUNWjass/Finish

    JASS_FIXMODES_DIR

    JASS_FIXMODES_OPTIONS

    JASS_FTPUSERSrootdaemonbinsysadmlp

    uucpnuucplistennobodynoaccessnobody4

    JASS_FTPD_UMASK022

    JASS_HOME_DIR/opt/SUNWjass

    JASS_HOSTNAMExcat-domain2

    JASS_KILL_SCRIPT_DISABLE0

    JASS_LOGIN_RETRIES3

    JASS_PACKAGE_DIR/opt/SUNWjass/Packages

    JASS_PACKAGE_MOUNT

    JASS_PASS_LENGTH8

    Security Page 25 of 36 February 27, 2002

    Copyright 2001 Sun Microsystems, Inc. All rights reserved.

  • 7/28/2019 15k OS Security Suite

    26/36

    Sun Proprietary and Confidential: Need to Know

    Application Readiness Service for Sun Fire 12K/15K Security

    JASS_PASSWD//etc/passwd

    JASS_PATCH_DIR/opt/SUNWjass/Patches

    JASS_PATCH_MOUNT

    JASS_POWER_MGT_USER-

    JASS_REC_PATCH_OPTIONS

    JASS_RHOSTS_FILE

    JASS_ROOT_DIR/

    JASS_ROOT_PASSWORDJdqZ5HrSDYM.o

    JASS_SADMIND_OPTIONS-S2

    JASS_SAVE_BACKUP1

    JASS_SENDMAIL_MODE

    JASS_SGID_FILE

    JASS_SHELLS/usr/bin/sh/usr/bin/csh/usr/bin/ksh/usr/bin/jsh/bin/sh/bin/csh/bin/ksh/bin/jsh/sbin/sh/sbin/jsh/bin/bash

    /bin/pfcsh/bin/pfksh/bin/pfsh/bin/tcsh/bin/zsh/usr/bin/bash/usr/bin/pfcsh/usr/bin/pfksh/usr/bin/pfsh/usr/bin/tcsh/usr/bin/zsh

    JASS_SHELL_DISABLE/sbin/noshell

    JASS_STANDALONE1

    JASS_SUFFIXJASS.20011010114906

    JASS_SUID_FILE

    JASS_SUSPEND_PERMS-

    JASS_SVCS_DISABLEftptelnetnametalk


                               uucp smtp tftp finger systat netstat rquotad rusersd sprayd walld
                               rexd shell login exec comsat time echo discard daytime chargen 100087 rwalld rstatd 100068 100083 100221 fs ufsd 100232
                               100235 536870916 kerbd printer 100234 dtspc xaudio 100146 100147 100150 100134 100229 100230 100242 300326
    JASS_TMPFS_SIZE            512m
    JASS_UMASK                 022
    JASS_UNAME                 5.8
    JASS_UNOWNED_FILE
    JASS_USER_DIR              /opt/SUNWjass/Drivers
    JASS_WRITABLE_FILE

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: set-term-type.fin
    ==============================================================================
    Setting the default terminal type to 'vt100'.
    Adding default terminal type (vt100) to //etc/profile.
    Copying //etc/profile to //etc/profile.JASS.20011010114908
    Adding default terminal type (vt100) to //etc/.login.
    Copying //etc/.login to //etc/.login.JASS.20011010114908

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Driver finished.
    ==============================================================================
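The driver output records every change it makes in one of a few message shapes: a "Copying X to X.JASS.<timestamp>" backup taken before a file is edited, a "Renaming" or "Moving" of an rc script or crontab to a parked name, and a "Linking" or "Copying ... from" install out of /opt/SUNWjass/Files. Those messages are the record of what can be restored. The Python below is an added example, not code from the Sun document or from the toolkit: it parses the messages (one per line, in the wording this transcript shows) into a change inventory and emits reverse-order rollback commands. Two points a practitioner should take from the log itself: each backup carries its own 14-digit timestamp (114908, 114909, ...) rather than the single JASS_SUFFIX value printed in the variable dump, so the code matches on the `.JASS.<14 digits>` shape; and the variable dump echoes JASS_ROOT_PASSWORD as a password hash, so the saved driver output is itself sensitive. The sample log is a handful of lines copied from this page, not a live run.

```python
"""Change inventory and reverse-order rollback from a Solaris Security Toolkit
driver log. Added example; not code from the Sun document or the toolkit.
Assumes one message per line in the wording this transcript shows."""
import re

# Per-file backups carry their own 14-digit timestamp (114908, 114909, ...),
# not the single JASS_SUFFIX printed in the variable dump, so match the shape.
_BACKUP = re.compile(r"\.JASS\.\d{14}$")
_MSG = re.compile(r"^(Copying|Renaming|Moving|Linking) (\S+) (to|from) (\S+?)\.?$")


def _norm(path):
    """The log prefixes JASS_ROOT_DIR ('/') onto paths, giving '//etc/...'."""
    return re.sub(r"/+", "/", path)


def parse_changes(log):
    """Return (kind, target, other) tuples in log order.
    backup:  target was copied to the backup file 'other' before editing
    install: target was copied in from the toolkit Files tree 'other'
    link:    target is a symlink to 'other'
    move:    target (rc script or crontab) was parked under the name 'other'"""
    changes = []
    for line in log.splitlines():
        m = _MSG.match(line.strip())
        if not m:
            continue                      # progress text, banners, etc.
        verb, a, direction, b = m.groups()
        a, b = _norm(a), _norm(b)
        if verb == "Copying" and direction == "to" and _BACKUP.search(b):
            changes.append(("backup", a, b))
        elif verb == "Copying" and direction == "from":
            changes.append(("install", a, b))
        elif verb == "Linking" and direction == "from":
            changes.append(("link", a, b))
        elif verb in ("Renaming", "Moving") and direction == "to":
            changes.append(("move", a, b))
    return changes


def rollback_commands(changes):
    """Shell commands that undo the changes, newest first. Reverse order
    matters: the transcript backs up /etc/passwd three times, and restoring
    the latest backup first and the earliest last leaves the original file."""
    backed_up = {target for kind, target, _ in changes if kind == "backup"}
    cmds = []
    for kind, target, other in reversed(changes):
        if kind in ("backup", "move"):
            cmds.append(f"mv {other} {target}")
        elif kind == "link":
            cmds.append(f"rm {target}")
        elif kind == "install" and target not in backed_up:
            # A file the run created (e.g. /etc/notrouter): nothing to restore,
            # so flag it for a human rather than guessing at rm.
            cmds.append(f"# review: {target} was installed new, no backup exists")
    return cmds


# Sample lines copied from the transcript on this page (not a live run).
SAMPLE_LOG = """\
Copying ///etc/motd to ///etc/motd.JASS.20011010114908
Copying ///etc/motd from /opt/SUNWjass/Files//etc/motd.
Copying ///etc/notrouter from /opt/SUNWjass/Files//etc/notrouter.
Linking ///etc/rc2.d/S70nddconfig from /opt/SUNWjass/Files//etc/rc2.d/S70nddconfig.
Renaming //etc/rc3.d/S50apache to //etc/rc3.d/_S50apache.JASS.20011010114910
Copying //etc/passwd to //etc/passwd.JASS.20011010114913
Moving //var/spool/cron/crontabs/uucp to //var/spool/cron/crontabs.JASS/uucp.JASS.20011010114918
Copying //etc/passwd to //etc/passwd.JASS.20011010114922
"""

if __name__ == "__main__":
    for cmd in rollback_commands(parse_changes(SAMPLE_LOG)):
        print(cmd)
```

Run as a script it prints the rollback list for the sample; feed it the full reflowed transcript to get the complete sequence. The `# review` lines are deliberate: a file the run created has no backup, and the script flags it instead of guessing at a deletion.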


    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Driver started.
    ==============================================================================

    ==============================================================================
    JASS Version: 0.3.2
    Node name: xcat-domain2
    Host ID: 82a84eaf
    Host address: 129.148.202.158
    MAC address: 8:0:20:f6:42:30
    Date: Wed Oct 10 11:49:08 EDT 2001
    ==============================================================================

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Copying personalized files.
    ==============================================================================
    Copying ///etc/dt/config/Xaccess from /opt/SUNWjass/Files//etc/dt/config/Xaccess.
    Copying ///etc/init.d/inetsvc.test from /opt/SUNWjass/Files//etc/init.d/inetsvc.test.
    Copying ///etc/init.d/nddconfig from /opt/SUNWjass/Files//etc/init.d/nddconfig.
    Copying ///etc/init.d/set-tmp-permissions from /opt/SUNWjass/Files//etc/init.d/set-tmp-permissions.
    Copying ///etc/issue from /opt/SUNWjass/Files//etc/issue.
    Copying ///etc/motd to ///etc/motd.JASS.20011010114908
    Copying ///etc/motd from /opt/SUNWjass/Files//etc/motd.
    Copying ///etc/notrouter from /opt/SUNWjass/Files//etc/notrouter.
    Copying ///etc/nsswitch.conf to ///etc/nsswitch.conf.JASS.20011010114909
    Copying ///etc/nsswitch.conf from /opt/SUNWjass/Files//etc/nsswitch.conf.
    Linking ///etc/rc2.d/S00set-tmp-permissions from /opt/SUNWjass/Files//etc/rc2.d/S00set-tmp-permissions.
    Linking ///etc/rc2.d/S07set-tmp-permissions from /opt/SUNWjass/Files//etc/rc2.d/S07set-tmp-permissions.
    Linking ///etc/rc2.d/S70nddconfig from /opt/SUNWjass/Files//etc/rc2.d/S70nddconfig.
    Copying ///etc/syslog.conf to ///etc/syslog.conf.JASS.20011010114909
    Copying ///etc/syslog.conf from /opt/SUNWjass/Files//etc/syslog.conf.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-apache.fin
    ==============================================================================
    Disabling Apache startup and shutdown scripts
    Renaming //etc/rc3.d/S50apache to //etc/rc3.d/_S50apache.JASS.20011010114910

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-asppp.fin
    ==============================================================================
    Disabling ASPPP startup and shutdown scripts
    Renaming //etc/rc2.d/S47asppp to //etc/rc2.d/_S47asppp.JASS.20011010114910

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-autoinst.fin
    ==============================================================================
    Disabling sysid/autoinstall startup and shutdown scripts
    Renaming //etc/rc2.d/S30sysid.net to //etc/rc2.d/_S30sysid.net.JASS.20011010114910
    Renaming //etc/rc2.d/S71sysid.sys to //etc/rc2.d/_S71sysid.sys.JASS.20011010114910
    Renaming //etc/rc2.d/S72autoinstall to //etc/rc2.d/_S72autoinstall.JASS.20011010114910

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-automount.fin
    ==============================================================================
    Disabling Automount startup and shutdown scripts
    Renaming //etc/rc2.d/S74autofs to //etc/rc2.d/_S74autofs.JASS.20011010114910

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-dhcpd.fin
    ==============================================================================
    Disabling DHCP server startup and shutdown scripts
    Renaming //etc/rc3.d/S34dhcp to //etc/rc3.d/_S34dhcp.JASS.20011010114910

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-dmi.fin
    ==============================================================================


    Disabling DMI startup and shutdown scripts
    Renaming //etc/rc3.d/S77dmi to //etc/rc3.d/_S77dmi.JASS.20011010114910

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-dtlogin.fin
    ==============================================================================
    Disabling dtlogin startup and shutdown scripts
    Renaming //etc/rc2.d/S99dtlogin to //etc/rc2.d/_S99dtlogin.JASS.20011010114911

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-keyserv-uid-nobody.fin
    ==============================================================================
    Disabling 'nobody' access to SecureRPC information
    Copying //etc/init.d/rpc to //etc/init.d/rpc.JASS.20011010114911
    Adding the '-d' option to '/usr/sbin/keyserv' in //etc/init.d/rpc.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-ldap-client.fin
    ==============================================================================
    Disabling LDAP client startup and shutdown scripts
    Renaming //etc/rc2.d/S71ldap.client to //etc/rc2.d/_S71ldap.client.JASS.20011010114911

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-lp.fin
    ==============================================================================
    Disabling LP startup and shutdown scripts
    Renaming //etc/rc2.d/S80lp to //etc/rc2.d/_S80lp.JASS.20011010114911
    Copying //etc/cron.d/cron.deny to //etc/cron.d/cron.deny.JASS.20011010114911
    Adding the 'lp' account to the 'cron.deny' file.
    Disabling the LP cron entry
    Creating backup directory, //var/spool/cron/crontabs.JASS
    Moving //var/spool/cron/crontabs/lp to //var/spool/cron/crontabs.JASS/lp.JASS.20011010114911

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-mipagent.fin
    ==============================================================================
    Disabling Mobile IP agent startup and shutdown scripts
    Renaming //etc/rc3.d/S80mipagent to //etc/rc3.d/_S80mipagent.JASS.20011010114911

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-nfs-client.fin
    ==============================================================================
    Disabling NFS client startup and shutdown scripts
    Renaming //etc/rc2.d/S73nfs.client to //etc/rc2.d/_S73nfs.client.JASS.20011010114911

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-nfs-server.fin
    ==============================================================================
    Disabling NFS server startup and shutdown scripts
    Renaming //etc/rc3.d/S15nfs.server to //etc/rc3.d/_S15nfs.server.JASS.20011010114912

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-nscd-caching.fin
    ==============================================================================
    Disabling caching of information in //etc/nscd.conf.
    Copying //etc/nscd.conf to //etc/nscd.conf.JASS.20011010114912
    Adding 'enable-cache no' for the passwd, group and hosts entries.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-preserve.fin
    ==============================================================================
    Disabling PRESERVE startup and shutdown scripts


    Renaming //etc/rc2.d/S80PRESERVE to //etc/rc2.d/_S80PRESERVE.JASS.20011010114912

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-picld.fin
    ==============================================================================
    Disabling PICL daemon startup and shutdown scripts
    Renaming //etc/rcS.d/S95picld to //etc/rcS.d/_S95picld.JASS.20011010114912

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-power-mgmt.fin
    ==============================================================================
    Disabling power management startup and shutdown scripts
    Renaming //etc/rc2.d/S85power to //etc/rc2.d/_S85power.JASS.20011010114912
    Creating /noautoshutdown file to disable power management

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-remote-root-login.fin
    ==============================================================================
    Disabling direct remote root login to the system.
    Copying //etc/default/login to //etc/default/login.JASS.20011010114912
    Setting the 'CONSOLE' parameter in //etc/default/login.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-rhosts.fin
    ==============================================================================
    Disabling the ability to use rhosts authentication.
    Copying //etc/pam.conf to //etc/pam.conf.JASS.20011010114912
    Commenting the 'rsh' and 'rlogin' entries in //etc/pam.conf that use the 'pam_rhosts_auth' module.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-sendmail.fin
    ==============================================================================
    Disabling the ability to accept connections for /usr/lib/sendmail.
    Copying ///etc/default/sendmail from /opt/SUNWjass/Files//etc/default/sendmail.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-slp.fin
    ==============================================================================
    Disabling SLP startup and shutdown scripts
    Renaming //etc/rc2.d/S72slpd to //etc/rc2.d/_S72slpd.JASS.20011010114913

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-snmp.fin
    ==============================================================================
    Disabling SNMP startup and shutdown scripts
    Renaming //etc/rc3.d/S76snmpdx to //etc/rc3.d/_S76snmpdx.JASS.20011010114913

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-spc.fin
    ==============================================================================
    Disabling SPC startup and shutdown scripts
    Renaming //etc/rc2.d/S80spc to //etc/rc2.d/_S80spc.JASS.20011010114913

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-syslogd-listen.fin
    ==============================================================================
    Preventing syslogd from listening for remote connections.
    syslogd will not accept connections from other systems.
    Copying //etc/init.d/syslog to //etc/init.d/syslog.JASS.20011010114913
    Adding the '-t' option to /usr/sbin/syslogd in //etc/init.d/syslog.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-system-accounts.fin
    ==============================================================================


    Disabling accounts by changing their shell to /sbin/noshell.
    Installing the /sbin/noshell shell script as //sbin/noshell.
    Copying ///sbin/noshell from /opt/SUNWjass/Files//sbin/noshell.
    Copying //etc/passwd to //etc/passwd.JASS.20011010114913
    Disabling account, daemon.
    Disabling account, bin.
    Disabling account, adm.
    Disabling account, lp.
    Disabling account, uucp.
    Disabling account, nuucp.
    Disabling account, nobody.
    Disabling account, listen.
    Disabling account, noaccess.
    Disabling account, nobody4.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-uucp.fin
    ==============================================================================
    Disabling UUCP startup and shutdown scripts
    Renaming //etc/rc2.d/S70uucp to //etc/rc2.d/_S70uucp.JASS.20011010114916
    Removing the nuucp system account
    Copying //etc/passwd to //etc/passwd.JASS.20011010114916
    Copying //etc/shadow to //etc/shadow.JASS.20011010114916
    Removing the UUCP cron entry
    Moving //var/spool/cron/crontabs/uucp to //var/spool/cron/crontabs.JASS/uucp.JASS.20011010114918

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-vold.fin
    ==============================================================================
    Disabling Volume Management startup and shutdown scripts
    Renaming //etc/rc2.d/S92volmgt to //etc/rc2.d/_S92volmgt.JASS.20011010114919

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: disable-wbem.fin
    ==============================================================================
    Disabling WBEM startup and shutdown scripts
    Renaming //etc/rc2.d/S90wbem to //etc/rc2.d/_S90wbem.JASS.20011010114919

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: enable-ftp-syslog.fin
    ==============================================================================
    Enabling enhanced logging for the FTP daemon.
    Copying //etc/inet/inetd.conf to //etc/inet/inetd.conf.JASS.20011010114919
    Adding the '-l' option to /usr/sbin/in.ftpd in //etc/inet/inetd.conf.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: enable-inetd-syslog.fin
    ==============================================================================
    Configuring the Internet services daemon to log all incoming connections.
    Copying //etc/init.d/inetsvc to //etc/init.d/inetsvc.JASS.20011010114919
    Adding the '-t' option to /usr/sbin/inetd in //etc/init.d/inetsvc.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: enable-priv-nfs-ports.fin
    ==============================================================================
    Configure NFS server daemon to accept connections/requests from privileged ports only.
    Copying //etc/system to //etc/system.JASS.20011010114919
    Adding 'set nfssrv:nfs_portmon=1' to //etc/system.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: enable-rfc1948.fin
    ==============================================================================


    Enabling RFC 1948 sequence number generation.
    Copying //etc/default/inetinit to //etc/default/inetinit.JASS.20011010114919
    Setting 'TCP_STRONG_ISS' to '2' in //etc/default/inetinit.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: enable-stack-protection.fin
    ==============================================================================
    Enabling kernel-level stack protections and logging.
    Copying //etc/system to //etc/system.JASS.20011010114920
    Adding 'set noexec_user_stack=1' to //etc/system.
    Adding 'set noexec_user_stack_log=1' to //etc/system.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: install-at-allow.fin
    ==============================================================================
    Updating 'at' facility access controls (at.allow)

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: install-ftpusers.fin
    ==============================================================================
    Restricting access to the 'FTP' service.
    Copying //etc/ftpusers to //etc/ftpusers.JASS.20011010114920
    Adding root to //etc/ftpusers.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: install-loginlog.fin
    ==============================================================================
    Creating log file to track failed login attempts.
    Creating the //var/adm/loginlog file.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: install-newaliases.fin
    ==============================================================================
    sunfire_15k_domain-secure.driver.test: NOTE : The 'newaliases' link for 'sendmail' is already installed.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: install-sadmind-options.fin
    ==============================================================================
    Configuring the system administration daemon.
    Copying //etc/inet/inetd.conf to //etc/inet/inetd.conf.JASS.20011010114920
    Adding the '-S 2' to /usr/sbin/sadmind in //etc/inet/inetd.conf.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: install-security-mode.fin
    ==============================================================================
    The EEPROM security-mode parameter is set as: none.
    To improve the security of the system, the following command should be executed manually from the operating system.
    For more information on this command and its possible values, refer to the eeprom(1M) manual entry.

        eeprom "security-mode=command"

    The current number of EEPROM 'badlogins' is 0.
    Setting the number of badlogins to 0.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: install-shells.fin
    ==============================================================================
    Defining valid shells for this system.
    Copying //etc/shells to //etc/shells.JASS.20011010114922
    Adding /usr/bin/sh to //etc/shells.
    Adding /usr/bin/csh to //etc/shells.


    Adding /usr/bin/ksh to //etc/shells.
    Adding /usr/bin/jsh to //etc/shells.
    Adding /bin/sh to //etc/shells.
    Adding /bin/csh to //etc/shells.
    Adding /bin/ksh to //etc/shells.
    Adding /bin/jsh to //etc/shells.
    Adding /sbin/sh to //etc/shells.
    Adding /sbin/jsh to //etc/shells.
    Adding /bin/bash to //etc/shells.
    Adding /bin/pfcsh to //etc/shells.
    Adding /bin/pfksh to //etc/shells.
    Adding /bin/pfsh to //etc/shells.
    Adding /bin/tcsh to //etc/shells.
    Adding /bin/zsh to //etc/shells.
    Adding /usr/bin/bash to //etc/shells.
    Adding /usr/bin/pfcsh to //etc/shells.
    Adding /usr/bin/pfksh to //etc/shells.
    Adding /usr/bin/pfsh to //etc/shells.
    Adding /usr/bin/tcsh to //etc/shells.
    Adding /usr/bin/zsh to //etc/shells.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: install-sulog.fin
    ==============================================================================
    Creating log file to track attempts to use 'su'.
    sunfire_15k_domain-secure.driver.test: NOTE : //var/adm/sulog already exists.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: remove-unneeded-accounts.fin
    ==============================================================================
    Removing non-essential accounts.
    Copying //etc/passwd to //etc/passwd.JASS.20011010114922
    Copying //etc/shadow to //etc/shadow.JASS.20011010114922
    Removing the account, listen, from the system.
    Removing the account, nobody4, from the system.

    ==============================================================================
    sunfire_15k_domain-secure.driver.test: Starting finish script: set-banner-ftpd.fin
    ==============================================================================
    Setting the banner for the FTP daemon.
    Copying //etc/default/ftpd to //etc/defau
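Most of what the run above does lands in ordinary text files, so the result can be audited offline from copies of those files, before the reboot that /etc/system changes need and again later to catch drift. The Python below is an added example, not part of the Sun document or of the toolkit: it checks constructed sample contents of /etc/system, /etc/default/inetinit, /etc/default/login, /etc/nscd.conf, /etc/ftpusers and /etc/passwd for the values the driver reports adding (the three `set` lines, TCP_STRONG_ISS=2, the CONSOLE parameter, `enable-cache ... no` for passwd/group/hosts, root in ftpusers, and /sbin/noshell on the disabled system accounts). Assumptions: CONSOLE=/dev/console is the value disable-remote-root-login writes, since the log names only the parameter; the banners, pam.conf edits and rc-script renames are not checked; and the EEPROM security-mode, which the log says must be set by hand with eeprom(1M), cannot be verified from files at all. The hardened and stock file contents are constructed, not captured from a host.

```python
"""Offline audit of the file-level settings a Solaris Security Toolkit driver
run is expected to leave behind. Added example; not from the Sun document or
from the toolkit. Sample file contents below are constructed, not captured."""
import re

# Values as the driver output reports them. Assumption: CONSOLE=/dev/console is
# what disable-remote-root-login writes (the log names only the parameter).
SYSTEM_SETTINGS = ("noexec_user_stack=1", "noexec_user_stack_log=1",
                   "nfssrv:nfs_portmon=1")
NOSHELL_ACCOUNTS = ("daemon", "bin", "adm", "lp", "uucp", "nuucp",
                    "nobody", "noaccess")
NOSHELL = "/sbin/noshell"


def _active_lines(text):
    """Non-blank, non-comment lines with surrounding whitespace removed."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def _has_line(text, pattern):
    """True if some active line matches the anchored regex pattern."""
    rx = re.compile(pattern)
    return any(rx.match(line) for line in _active_lines(text))


def audit(files):
    """files maps an absolute path to that file's text. Returns a sorted list
    of findings; an empty list means every checked setting is in place."""
    findings = []

    system = files.get("/etc/system", "")
    for setting in SYSTEM_SETTINGS:
        if not _has_line(system, r"set\s+" + re.escape(setting) + r"\s*$"):
            findings.append(f"/etc/system: missing 'set {setting}'")

    if not _has_line(files.get("/etc/default/inetinit", ""), r"TCP_STRONG_ISS=2\s*$"):
        findings.append("/etc/default/inetinit: TCP_STRONG_ISS is not 2 (RFC 1948 ISS off)")

    if not _has_line(files.get("/etc/default/login", ""), r"CONSOLE=/dev/console\s*$"):
        findings.append("/etc/default/login: CONSOLE unset, root may log in remotely")

    nscd = files.get("/etc/nscd.conf", "")
    for cache in ("passwd", "group", "hosts"):
        if not _has_line(nscd, r"enable-cache\s+" + cache + r"\s+no\s*$"):
            findings.append(f"/etc/nscd.conf: {cache} cache still enabled")

    if "root" not in _active_lines(files.get("/etc/ftpusers", "")):
        findings.append("/etc/ftpusers: root is not listed, FTP login as root allowed")

    # passwd(4): seven colon-separated fields, shell is the last; an empty
    # shell field means the default shell, not a disabled account.
    shells = {}
    for line in _active_lines(files.get("/etc/passwd", "")):
        fields = line.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    for account in NOSHELL_ACCOUNTS:
        if account in shells and shells[account] != NOSHELL:
            findings.append(f"/etc/passwd: {account} has login shell {shells[account]!r}")

    return sorted(findings)


# Constructed samples: what the files look like after the run, and a stock box.
HARDENED = {
    "/etc/system": "* JASS additions\nset noexec_user_stack=1\n"
                   "set noexec_user_stack_log=1\nset nfssrv:nfs_portmon=1\n",
    "/etc/default/inetinit": "TCP_STRONG_ISS=2\n",
    "/etc/default/login": "CONSOLE=/dev/console\nPASSREQ=YES\n",
    "/etc/nscd.conf": "enable-cache passwd no\nenable-cache group no\n"
                      "enable-cache hosts no\n",
    "/etc/ftpusers": "root\ndaemon\nbin\n",
    "/etc/passwd": "root:x:0:1:Super-User:/:/sbin/sh\n"
                   "daemon:x:1:1::/:/sbin/noshell\nbin:x:2:2::/usr/bin:/sbin/noshell\n"
                   "lp:x:71:8::/usr/spool/lp:/sbin/noshell\n"
                   "nobody:x:60001:60001:Nobody:/:/sbin/noshell\n",
}
STOCK = {
    "/etc/system": "* stock\nset rlim_fd_max=4096\n",
    "/etc/default/inetinit": "TCP_STRONG_ISS=1\n",
    "/etc/default/login": "#CONSOLE=/dev/console\n",
    "/etc/nscd.conf": "enable-cache passwd yes\nenable-cache group yes\n"
                      "enable-cache hosts yes\n",
    "/etc/ftpusers": "",
    "/etc/passwd": "root:x:0:1:Super-User:/:/sbin/sh\ndaemon:x:1:1::/:\n"
                   "bin:x:2:2::/usr/bin:\nlp:x:71:8::/usr/spool/lp:\n"
                   "nobody:x:60001:60001:Nobody:/:\n",
}

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("stock", STOCK)):
        print(f"{name}: {len(audit(sample))} finding(s)")
        for finding in audit(sample):
            print("  " + finding)
```

The checks are anchored to the start of each active line and ignore comments, so a `#CONSOLE=/dev/console` left over from a stock install counts as unset rather than as a pass. Feeding `audit` a dict built from the real files (read with the same paths as keys) is the intended use; the constructed samples only show the two extremes.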

