Tuesday, July 12, 2011

Sun Security Tool Kit - Finish Script Descriptions

Sun Security Tool Kit (SUNWjass) provides an Oracle Solaris OS hardening driver (template). Behind this are a number of Finish scripts (.fin) which actually do the OS hardening. This is a brief description of each one where the name isn't obvious.


disable-ab2.fin


Answer Book 2


disable-apache.fin


disable-apache2.fin


disable-appserv.fin


Java App Server


disable-asppp.fin


Async PPP


disable-autoinst.fin


Disables SYS-UNCONFIG


disable-automount.fin


NFS Automounter


disable-dhcpd.fin


Disables DHCP server


disable-directory.fin


Sun One Directory Server LDAP


disable-dmi.fin


Desktop Management Interface lrc:/etc/rc3_d/S77dmi


disable-dtlogin.fin


Disables CDE from starting


disable-face-log.fin


Removes write permission on log for SUNWfac - rarely used


disable-ipv6.fin


Disables IPv6


disable-IIim.fin


Internet-Intranet Input Method - Asian input


disable-kdc.fin


Kerberos Key Server


disable-keyserv-uid-nobody.fin


disables User ID Nobody for secure RPC


disable-ldap-client.fin


Prevents LDAP Client from starting


disable-lp.fin


Stop Print Services


disable-mipagent.fin


Mobile IP


disable-named.fin


BIND DNS Server


disable-nfs-client.fin


disable-nfs-server.fin


disable-nscd-caching.fin


disable caching of passwords/groups & hosts


disable-ppp.fin


Sync PPP


disable-preserve.fin


Stops moving saved files - been edited


disable-power-mgmt.fin


disable-remote-root-login.fin


disable-rhosts.fin


Disables use of .rhosts; changes PAM config


disable-routing.fin


Disables RDISC/RIP/Forwarding - routeadm


disable-rpc.fin


RPC - Also breaks NFS


disable-samba.fin


Disable from starting


disable-sendmail.fin


Disable sendmail accepting mail


disable-slp.fin


Disables Service Location Protocol RFC 2608


disable-sma.fin


System Management Agent - NET-SNMP


disable-smcwebserver.fin


Solaris Management Console


disable-snmp.fin


SNMP


disable-spc.fin


SunSoft Print Client svc:/application/print/cleanup:default


disable-ssh-root-login.fin


Disables ROOT login via SSH


disable-syslogd-listen.fin


Disable SYSLOGD from accepting logs


disable-system-accounts.fin


remove smtp listen nobody4


disable-uucp.fin


Disable Unix to Unix Copy


disable-vold.fin


VOLD = CDROM automount


disable-xfs.fin


X Font Server


disable-xserver-listen.fin


Disable X11 port 6000


enable-account-lockout.fin


Enables account lockout to lock user accounts with repeated failed entries


enable-coreadm.fin


Save cores


enable-ftpaccess.fin


Enable -a flag - FTPACCESS


enable-ftp-syslog.fin


Enable -l flag - SYSLOG


enable-inetd-syslog.fin


SYSLOG all connections to inetd services


enable-ipfilter.fin


Enable Firewall - rules /etc/ipf/ipf.conf


enable-password-history.fin


Remember previous passwords


enable-priv-nfs-ports.fin


Allow NFS access from port <1024


enable-process-accounting.fin


Enable process accounting SUNWaccr


enable-rfc1948.fin


TCP Sequence Number - TCP_STRONG_ISS=2


enable-stack-protection.fin


Kernel Level Stack Protection


enable-tcpwrappers.fin


Creates hosts.allow and hosts.deny; SSHD may be too restrictive.


install-at-allow.fin


at.allow - restrict access to at command


install-ftpusers.fin


Add all users for ftpusers to denied access


install-loginlog.fin


Enable logging of failed login attempts - loginlog


install-md5.fin


Installs MD5 on Solaris 8 and 9; on Solaris 10 use the digest command


install-nddconfig.fin


Enable secure network settings


install-newaliases.fin


Creates correct aliases for Sendmail - minimal install


install-sadmind-options.fin


Sol 8 & 9 - Security level for sadmind service


install-security-mode.fin


Enable OBP Command security - need passwd


install-shells.fin


Add SHELLS


install-sulog.fin


Track SU use and attempted use


print-rhosts.fin


Finds .rhosts & hosts.equiv


remove-unneeded-accounts.fin


Removes unneeded accounts


set-banner-dtlogin.fin


adds banner to DTLOGIN


set-banner-ftpd.fin


set-banner-sendmail.fin


set-banner-sshd.fin


set-banner-telnetd.fin


set-flexible-crypt.fin


Enable stronger encryption of local passwords - md5


set-ftpd-umask.fin


set-login-retries.fin


Allow 3 attempts to login


set-power-restrictions.fin


Restrict access to power commands


set-rmmount-nosuid.fin


Disable mounting of SET-UID files of CDROMS


set-root-group.fin


Change root group to 0


set-strict-password-checks.fin


Complex passwords for local users


set-sys-suspend-restrictions.fin


Restrict suspend function


set-system-umask.fin


Create umask 022


set-tmpfs-limit.fin


Set to 512Mb


set-user-password-reqs.fin


Min Length, Expire etc.


set-user-umask.fin


Profile /etc/skel ..


update-at-deny.fin


update-cron-allow.fin


update-cron-deny.fin


update-cron-log-size.fin


CRON LOG set to 512K


update-inetd-conf.fin


JASS_SVCS_DISABLE Drivers/finish.init


enable-bart.fin


Sol10 only - Setup BART - basic audit reporting tool
