Sun Security Tool Kit - Finish Script Descriptions

Sun Security Tool Kit (SUNWjass) provides a Oracle Solaris OS Hardening driver (template). Behind this is a number of Finish scripts (.fin) which actually does the OS hardening. This a brief description of each one when the name isn't obvious..


disable-ab2.fin


Answer Book 2

disable-apache.fin

disable-apache2.fin

disable-appserv.fin


Java App Server

disable-asppp.fin


Async PPP

disable-autoinst.fin


Disables SYS-UNCONFIG

disable-automount.fin

NFS Automouter

disable-dhcpd.fin

Disables DHCP server

disable-directory.fin

Sun One Directory Server LDAP

disable-dmi.fin


Desktop Management Interface lrc:/etc/rc3_d/S77dmi

disable-dtlogin.fin


Disabled CDE from starting

disable-face-log.fin


Removed write permission on log for SUNWfac - rarely used

disable-ipv6.fin


Disables IPV6

disable-IIim.fin

Internet-Intranet Input Method - Asian input

disable-kdc.fin


Kerberos Key Server

disable-keyserv-uid-nobody.fin

disables User ID Nobody for secure RPC

disable-ldap-client.fin

Prevents LDAP Client from starting

disable-lp.fin


Stop Print Services

disable-mipagent.fin


Mobile IP

disable-named.fin


BIND DNS Server

disable-nfs-client.fin

disable-nfs-server.fin

disable-nscd-caching.fin


disable caching of passwords/groups & hosts

disable-ppp.fin


Sync PPP

disable-preserve.fin


Stops moving saved files - been edited

disable-power-mgmt.fin


disable-remote-root-login.fin

disable-rhosts.fin


Disable use of .rhosts changes PAM config

disable-routing.fin


Disables RDISC/RIP/Forwarding - routeadm

disable-rpc.fin


RPC - Also breaks NFS

disable-samba.fin


Disable from starting

disable-sendmail.fin


Disable sendmail accepting mail

disable-slp.fin


Disables Service Location Protocol RFC 2608

disable-sma.fin


System Management Agent - NET-SNMP

disable-smcwebserver.fin


Solaris Management Console

disable-snmp.fin


SNMP

disable-spc.fin


Sun Soft print Client svc:/application/print/cleanup:default

disable-ssh-root-login.fin


Disables ROOT login via SSH

disable-syslogd-listen.fin


Disable SYSLOGD from accepting logs

disable-system-accounts.fin


remove smtp listen nobody4


disable-uucp.fin


Disable Unix to Unix Copy

disable-vold.fin


VOLD = CDROM automount


disable-xfs.fin


X Font Server

disable-xserver-listen.fin


Disable X11 port 6000

enable-account-lockout.fin


Enabling account lockout to lock user accounts with repeated
failed entries

enable-coreadm.fin


Save cores

enable-ftpaccess.fin


Enable -a flag - FTPACCESS

enable-ftp-syslog.fin


Enable -l flag - SYSLOG

enable-inetd-syslog.fin


SYSLOG all connections to inetd services

enable-ipfilter.fin


Enable Firewall - rules /etc/ipf/ipf.conf

enable-password-history.fin


Remember previous passwords

enable-priv-nfs-ports.fin


Allow NFS access from port <1024


enable-process-accounting.fin


Enable process accounting SUNWaccr

enable-rfc1948.fin


TCP Sequence Number - TCP_STRONG_ISS=2

enable-stack-protection.fin


Kernel Level Stack Protection

enable-tcpwrappers.fin


create hosts.allow and hosts.deny SSHD may be too restrictive.

install-at-allow.fin


at.allow - restrict access to at command

install-ftpusers.fin


Add all users for ftpusers to denied access

install-loginlog.fin


Enable logging of failed login attempts - loginlog

install-md5.fin


Install MD5 on Solaris 8 and 9, Sol 10 use digest cmd

install-nddconfig.fin


Enable secure network settings

install-newaliases.fin


Creates correct aliases for Sendmail - minimal install

install-sadmind-options.fin


Sol 8 & 9 - Security level for sadmind service

install-security-mode.fin


Enable OBP Command security - need passwd

install-shells.fin


Add SHELLS

install-sulog.fin


Track SU use and attempted use

print-rhosts.fin


Finds .rhosts & hosts.equiv

remove-unneeded-accounts.fin


Removes unneeded accounts

set-banner-dtlogin.fin


adds banner to DTLOGIN

set-banner-ftpd.fin


set-banner-sendmail.fin

set-banner-sshd.fin

set-banner-telnetd.fin

set-flexible-crypt.fin


Enable stronger encryption of local passwords - md5

set-ftpd-umask.fin


set-login-retries.fin


Allow 3 attempts to login

set-power-restrictions.fin


Restrict access to power commands

set-rmmount-nosuid.fin


Disable mounting of SET-UID files of CDROMS

set-root-group.fin


Change root group to 0

set-strict-password-checks.fin


Complex passwords for local users

set-sys-suspend-restrictions.fin


Restrict suspend function

set-system-umask.fin


Create umask 022


set-tmpfs-limit.fin


Set to 512Mb

set-user-password-reqs.fin


Min Length, Expire etc..

set-user-umask.fin


Profile /etc/skel ..

update-at-deny.fin


update-cron-allow.fin

update-cron-deny.fin

update-cron-log-size.fin


CRON LOG set to 512K

update-inetd-conf.fin


JASS_SVCS_DISABLE Drivers/finish.init

enable-bart.fin


Sol10 only - Setup BART - basic audit reporting tool

Comments

Post a Comment

Popular posts from this blog

Solaris 11 Locale en_GB.UTF-8 / en_GB.ISO8859-1 / en_GB.ISO8859-15

When you install Solaris 11/11 from standard text installer cdrom, the en_GB-UTF-8 locales are not installed, even if you select British locales on install. EDIT 4th FEB 2018 - Still valid for Solaris 11.4 Beta.  To make sure packages are have the correct localisation, IPS uses facet as a localisation personality. $ pkg facet FACETS VALUE facet.locale.pt_BR True facet.locale.es_ES True facet.locale.en_US True facet.locale.zh_TW True facet.locale.zh_CN True facet.locale.de_DE True facet.locale.fr_FR True facet.locale.it_IT True facet.locale.ko_* True facet.locale.ja_* True facet.locale.es True facet.locale.de True facet.locale.zh True facet.locale.ko True facet.locale.it True facet.locale.pt True facet.locale.fr True facet.locale.en True facet.locale.ja True facet.locale.* False As you can see no en_GB is described and " facet.locale.* False " is a deny everything else rule. So let change this. I'm assuming you have a Solaris 11 repository already configured
Read more

Scheduled network capture on Windows using Wireshark (tshark.exe)

A customer had an iSCSI issue and was required to capture network packets at a specific time on a Windows 2008 server. I came up with simple method using Wireshark's tshark.exe and Windows scheduler "AT". at cmd /c c:\capture.bat type c:\capture.bat rem Capture WireShark example rem Andy Paton rem WTL rem use AT to run batch rem example at 01:50 cmd /c c:\capture.bat rem debug at issues rem example at 09:50 /interactive cmd /k c:\capture.bat rem -a duration:1200 in seconds rem -B Buffer Size - default is 1Mb rem -i Interface number - use "tshark.exe -D" to list interface numbers rem -n don't resolve IP addresses rem -q Quiet output rem -w output file rem capture filter "host " c:\"Program Files"\Wireshark\tshark -a duration:1200 -B 2 -i 4 -n -q -w c:\network.out host 192.168.1.1
Read more

[Linux] X-server ScreenShots from the CLI "ImageMagick"

Build some documentation for a customer and required some screenshots, KDE has Ksnaphot . But I wanted many screen shots and need a simple cli command to capture various screens. ImageMagik provides the " import " command which does just the job from the command line. To capture the whole desktop as a JPEG use the following. $ import -window root screen.jpg To save in a diffrent grapics format change the extention of the output file. (gif,pnm,pmm,tiff etc..) To capture single window ie firefox You need to find the window name, two methods of getting the "window name" 1. use xwininfo, which will then ask you to click target window and display information. 2. xlsclients -l display list of windows Note you can use a window title or the DECIMAL window ID, xwininfo and xlsclients output in HEX. $ import -window < WINDOW ID DECIMAL > screen1.jpg $ import -window "< WINDOWS TITLE >" screen2.jpg
Read more