Hardening Procedure for Solaris Systems


Procedure Statement

The hardening policies are defined as follows:

  • Database server hardening procedure

  • Web server hardening procedure

  • Application server hardening procedure

  • Utility server hardening procedure

In every case, four security components are involved:

  • JASS

  • BSM

  • RSA

  • Tripwire

Where Solaris Containers are implemented, the same security mechanisms are applied to the virtualized instances of the operating system.

Table of Contents

Procedure Statement
Table of Contents
JASS Implementation
    Driver
BSM Implementation
    Audit Configuration
RSA Implementation
Tripwire Implementation
Solaris Containers (Virtualization)
Bibliography
Revision References
Appendix A: Examples
    Scripts
    Password
    Audit

JASS Implementation

The Solaris Security Toolkit, formerly known as the JumpStart Architecture and Security Scripts (JASS) toolkit, provides a flexible and extensible mechanism to harden and audit Solaris Operating Systems (OSs). The Solaris Security Toolkit simplifies and automates the process of securing Solaris Operating Systems and is based on proven security best practices and practical customer site experience gathered over many years. This toolkit can be used to secure SPARC-based and x86/x64-based systems.

Driver

JASS provides a set of driver templates from which a security profile is built. The one in use is secure.driver.

No scripts are customized (there is no user.init), but some of the scripts listed in the hardening.driver file are disabled or enabled to fit the requirements of the environment.

Below is the JASS_SCRIPTS list in use, with notes on which scripts are intentionally disabled or enabled.

JASS_SCRIPTS="
    disable-ab2.fin
    disable-apache.fin
    disable-apache2.fin
    disable-appserv.fin
    disable-asppp.fin
    disable-autoinst.fin
    disable-automount.fin
    disable-dhcpd.fin
    disable-directory.fin
    disable-dmi.fin
    disable-dtlogin.fin
    disable-face-log.fin
    disable-ipv6.fin
    disable-IIim.fin
    disable-kdc.fin
    disable-keyboard-abort.fin ### This script was intentionally enabled.
    disable-keyserv-uid-nobody.fin
    disable-ldap-client.fin
    disable-lp.fin
    disable-mipagent.fin
    disable-named.fin
    disable-nfs-client.fin
    disable-nfs-server.fin
    disable-nscd-caching.fin
    # disable-picld.fin
    disable-ppp.fin
    disable-preserve.fin
    disable-power-mgmt.fin
    disable-remote-root-login.fin
    disable-rhosts.fin
    disable-routing.fin
    disable-rpc.fin
    disable-samba.fin
    disable-sendmail.fin
    disable-slp.fin
    disable-sma.fin
    disable-smcwebserver.fin
    disable-snmp.fin
    disable-spc.fin
    disable-ssh-root-login.fin
    disable-syslogd-listen.fin
    disable-system-accounts.fin
    disable-uucp.fin
    disable-vold.fin
    disable-wbem.fin
    disable-xfs.fin
    disable-xserver-listen.fin
    enable-account-lockout.fin
    enable-coreadm.fin
    # enable-ftpaccess.fin ### This script was intentionally disabled.
    enable-ftp-syslog.fin
    enable-inetd-syslog.fin
    # enable-ipfilter.fin ### This script was intentionally disabled.
    enable-password-history.fin
    enable-priv-nfs-ports.fin
    # enable-process-accounting.fin ### This script was intentionally disabled.
    enable-rfc1948.fin
    enable-stack-protection.fin
    enable-tcpwrappers.fin
    install-at-allow.fin
    install-ftpusers.fin
    install-loginlog.fin
    install-md5.fin
    install-nddconfig.fin
    install-newaliases.fin
    install-sadmind-options.fin
    install-security-mode.fin
    install-shells.fin
    install-sulog.fin
    print-rhosts.fin ### This script was intentionally enabled.
    remove-unneeded-accounts.fin
    set-banner-dtlogin.fin
    set-banner-ftpd.fin
    set-banner-sendmail.fin
    set-banner-sshd.fin
    set-banner-telnetd.fin
    set-flexible-crypt.fin
    set-ftpd-umask.fin
    set-login-retries.fin
    set-power-restrictions.fin
    set-rmmount-nosuid.fin
    set-root-group.fin
    set-strict-password-checks.fin
    set-sys-suspend-restrictions.fin
    set-system-umask.fin
    set-tmpfs-limit.fin
    set-user-password-reqs.fin
    set-user-umask.fin
    update-at-deny.fin
    update-cron-allow.fin
    update-cron-deny.fin
    update-cron-log-size.fin
    update-inetd-conf.fin
    enable-bsm.fin ### This script was intentionally enabled.
    install-fix-modes.fin
    install-strong-permissions.fin ### This script was intentionally enabled.
    # enable-bart.fin ### This script was intentionally disabled.
    # print-sgid-files
    # print-suid-files
    # print-unowned-objects
    # print-world-writable-objects
"

Scripts that are commented out are not executed.

 

Brief description of the notable scripts:

enable-account-lockout.fin: Enables account lockout.

enable-coreadm.fin: Enables the core-file (coreadm) environment.

enable-ftpaccess.fin: FTP access is left disabled; it is also blocked in IP Filter.

enable-ftp-syslog.fin: Logs FTP activity to syslog.

enable-inetd-syslog.fin: Configures the Internet Services Daemon (inetd) to log all incoming connections.

enable-ipfilter.fin: Enables the IP Filter environment (with no active rules by default).

enable-password-history.fin: Enables password history.

enable-priv-nfs-ports.fin: Configures NFS to accept connections from privileged ports only (below port 1024).

enable-process-accounting.fin: Process accounting is not enabled, as it is not useful in our environment.

enable-rfc1948.fin: Creates or modifies /etc/default/inetinit to enable support for RFC 1948, which defines unique-per-connection initial sequence number generation. For more information, refer to http://RF.Cx/rfc1948.html.

enable-stack-protection.fin: Enables stack protection and its logging.

enable-tcpwrappers.fin: Creates hosts.allow and hosts.deny files to wrap all TCP connections.
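The following shell script is an added example and is not part of the original procedure or of the Solaris Security Toolkit. It extracts the JASS_SCRIPTS block from a driver file and reports which finish scripts will run and which are commented out, so that the intentional enable/disable choices recorded above can be reviewed before the driver is applied. It assumes, as the procedure states, that a leading "#" disables the script on that line, and that the driver carries a single JASS_SCRIPTS="..." block; the driver fragment it operates on is a constructed sample containing a few of the entries from the template above.

```shell
#!/bin/sh
# Added example, not from the original procedure or the Solaris Security
# Toolkit.  Lists active and commented-out finish scripts in a JASS driver.
# Assumptions: a leading "#" disables a script; one JASS_SCRIPTS="..." block.

SAMPLE_DRIVER=${TMPDIR:-/tmp}/sample-hardening.driver.$$
trap 'rm -f "$SAMPLE_DRIVER"' EXIT

# Constructed driver fragment in the hardening.driver layout, with a few of
# the entries and notes from the template in the procedure.
cat > "$SAMPLE_DRIVER" <<'EOF'
DIR="`/bin/dirname $0`"
export DIR

JASS_SCRIPTS="
    disable-apache.fin
    disable-keyboard-abort.fin ### This script was intentionally enabled.
    # disable-picld.fin
    enable-bsm.fin ### This script was intentionally enabled.
    # enable-ipfilter.fin ### This script was intentionally disabled.
    enable-tcpwrappers.fin
"

. ${DIR}/driver.run
EOF

# Lines between JASS_SCRIPTS=" and the closing quote, leading blanks removed.
jass_scripts_body() {
    sed -n '/^[[:space:]]*JASS_SCRIPTS="/,/^[[:space:]]*"/p' "$1" \
        | sed '1d;$d' | sed 's/^[[:space:]]*//'
}

# Scripts that will run: first word of each line not starting with "#".
active_scripts() {
    jass_scripts_body "$1" | grep -v '^#' | awk '{print $1}' | grep '\.fin$'
}

# Scripts that are commented out: first word after the leading "#".
disabled_scripts() {
    jass_scripts_body "$1" | grep '^#' | sed 's/^#[[:space:]]*//' \
        | awk '{print $1}' | grep '\.fin$'
}

# Exit status 0 when the named script is active in the driver, 1 otherwise.
script_is_active() {
    active_scripts "$1" | grep -qx "$2"
}

# Compare the driver with the intentional choices noted in the procedure:
# prints one line per script and returns 1 if any expectation is not met.
review_driver() {
    _rc=0
    for _s in disable-keyboard-abort.fin enable-bsm.fin; do
        script_is_active "$1" "$_s" && echo "active:     $_s" \
            || { echo "MISSING:    $_s"; _rc=1; }
    done
    for _s in enable-ipfilter.fin; do
        script_is_active "$1" "$_s" && { echo "UNEXPECTED: $_s"; _rc=1; } \
            || echo "disabled:   $_s"
    done
    return $_rc
}

review_driver "$SAMPLE_DRIVER"
```

Point the functions at /opt/SUNWjass/Drivers/hardening.driver (or a copy of it) instead of the sample to review a real driver; the trailing "### ..." notes are ignored because only the first word of each line is taken as the script name.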

 

BSM Implementation

Audit Configuration

The Basic Security Module (BSM) provides two security features. The first feature is an auditing mechanism, which includes tools to assist with the analysis of the auditing data. The second feature is a device-allocation mechanism, which provides the required object-reuse characteristics for removable devices or assignable devices.

The auditing mechanism helps you detect potential security breaches by revealing suspicious or abnormal patterns of system usage. The auditing mechanism also provides a means to trace suspect actions back to a particular user, thus serving as a deterrent. If users know that their activities are likely to be audited, they might be less likely to attempt malicious activities.

The audit subsystem is configured to log audit activity locally and to a remote syslog server.

Audit control file:

dir:/var/audit
flags:lo,ex
minfree:20
naflags:lo,ex
plugin: name=audit_syslog.so;p_flags=lo,ex

Audit startup file:

/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -setpolicy +zonename
/usr/sbin/auditconfig -setpolicy +argv
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf

Entry in /etc/syslog.conf:

audit.notice;auth.debug @dc5sfsecsyslog01
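The following shell script is an added example, not part of the original procedure. It checks that an audit control file and a syslog.conf carry the BSM settings given above: login/logout and exec auditing (lo,ex) for both attributable and non-attributable events, a minfree threshold of at least 20, the audit_syslog.so plugin forwarding the same classes, and audit.notice records sent to the remote syslog host. The file paths are parameters, so on a live system the functions can be pointed at /etc/security/audit_control and /etc/syslog.conf; the files created here are constructed samples, one compliant and one weakened.

```shell
#!/bin/sh
# Added example, not from the original procedure.  Verifies BSM audit
# configuration against the policy in the procedure.  The files written below
# are constructed samples; pass real paths to the check functions on a system.

SAMPLE_AUDIT_CONTROL=${TMPDIR:-/tmp}/audit_control.good.$$
WEAK_AUDIT_CONTROL=${TMPDIR:-/tmp}/audit_control.weak.$$
SAMPLE_SYSLOG_CONF=${TMPDIR:-/tmp}/syslog.conf.$$
trap 'rm -f "$SAMPLE_AUDIT_CONTROL" "$WEAK_AUDIT_CONTROL" "$SAMPLE_SYSLOG_CONF"' EXIT

# Compliant sample: the audit_control contents from the procedure.
cat > "$SAMPLE_AUDIT_CONTROL" <<'EOF'
dir:/var/audit
flags:lo,ex
minfree:20
naflags:lo,ex
plugin: name=audit_syslog.so;p_flags=lo,ex
EOF

# Weakened sample: no exec auditing, low minfree, no syslog plugin.
cat > "$WEAK_AUDIT_CONTROL" <<'EOF'
dir:/var/audit
flags:lo
minfree:5
naflags:lo
EOF

# Constructed syslog.conf line; selector and action are tab-separated, as
# syslogd requires.
printf 'audit.notice;auth.debug\t@dc5sfsecsyslog01\n' > "$SAMPLE_SYSLOG_CONF"

# Value of a "keyword:value" line in audit_control (first match, trimmed).
audit_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# Classes named by the audit_syslog plugin's p_flags; empty if no plugin line.
syslog_plugin_classes() {
    sed -n 's/^plugin:.*audit_syslog\.so.*p_flags=//p' "$1" \
        | sed 's/[[:space:];].*$//' | head -n 1
}

# True when every class in $2 (comma list) appears in the comma list $1.
classes_contain() {
    for _c in $(echo "$2" | tr ',' ' '); do
        echo ",$1," | grep -q ",$_c," || return 1
    done
    return 0
}

# Full check of the policy: prints the first failing item and returns 1,
# or prints "audit_control OK" and returns 0.
check_audit_control() {
    classes_contain "$(audit_value "$1" flags)" lo,ex \
        || { echo "flags: lo,ex required"; return 1; }
    classes_contain "$(audit_value "$1" naflags)" lo,ex \
        || { echo "naflags: lo,ex required"; return 1; }
    _min=$(audit_value "$1" minfree)
    [ -n "$_min" ] && [ "$_min" -ge 20 ] \
        || { echo "minfree: 20 or more required"; return 1; }
    classes_contain "$(syslog_plugin_classes "$1")" lo,ex \
        || { echo "plugin: audit_syslog.so with p_flags=lo,ex required"; return 1; }
    echo "audit_control OK"
}

# True when audit.notice records are forwarded to the given remote host.
check_syslog_forwarding() {
    grep -q "^audit\.notice[^@]*@$2" "$1"
}

check_audit_control "$SAMPLE_AUDIT_CONTROL"
check_audit_control "$WEAK_AUDIT_CONTROL" || true
check_syslog_forwarding "$SAMPLE_SYSLOG_CONF" dc5sfsecsyslog01 && echo "syslog forwarding OK"
```

Note that the check only reads the files; whether the running kernel has picked the settings up is a separate question answered by auditconfig -getpolicy and the audit startup file above.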

RSA Implementation

Authentication is only provided in the Solaris box is by using RSA. Steps to be followed for implementing RSA is as following:

  • Get latest sdconf.rec file

  • Download the latest RSA Agent software

  • Copy sdconf.rec file under /var/ace

  • Unzip RSA Agent software

  • Run the script install.sh (from the tar file) > Accept > Enter

 

 

Tripwire Implementation

Tripwire is a browser-based configuration audit and control tool that monitors files on servers. It baselines the files using a set of rules that specify which directories and files are to be monitored. The data collected by running the rules becomes the benchmark against which future checks are measured.

Steps to install TWeagent (Tripwire Enterprise Agent (INTEL) 7.1.0) on a Solaris system are as follows:

  • Copy the files from tomcat:/backup (SPARC or x86) to the appropriate servers

  • Log into the server and uncompress the file

  • Install the package

  • Start the agent

 

 

 

Solaris Containers

A zone is a single instance of the Solaris Operating System, in which processes are isolated from the rest of the system.

There are two types of zones: global zone and non-global zone. Every Solaris system contains a global zone. The global zone is the only zone from which a non-global zone can be configured, installed, managed, or uninstalled. Only the global zone is bootable from the system hardware.

A non-global zone can be thought of as a box. To enforce basic process isolation, a process can see only those processes that exist in the same zone. Basic communication between zones is accomplished by giving each zone at least one logical network interface. An application running in one zone cannot observe the network traffic of another zone. This isolation is maintained even though the respective streams of packets travel through the same physical interface.

Each zone is given a portion of the file system hierarchy. Because each zone is confined to its subtree of the file system hierarchy, a workload running in a particular zone cannot access the on-disk data of another workload running in a different zone.

There are two types of non-global zone root file system models: sparse root and whole root. The whole root zone model provides the maximum configurability: all of the required and any selected optional Solaris packages are installed into the private file systems of the zone. In the sparse root zone model, only a subset of the root packages is installed.

We run most applications in non-global zones, except the databases. Zones are hardened to ensure a high level of security. The zone models in use are:

  1. Whole root zones (non-global) with a shared network interface

  2. Whole root zones (non-global) with an exclusive network interface

  3. Sparse root zones (non-global) with a shared network interface

  4. Sparse root zones (non-global) with an exclusive network interface

For each of these models the hardening methods are applied to the zones as follows:

  • JASS: global zone 0, zone1, zone2

  • RSA: global zone 0, zone1, zone2

  • BSM: global zone 0

  • Example of a zone configuration file from a sparse root zone with a shared network interface.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
<!--
DO NOT EDIT THIS FILE. Use zonecfg(1M) instead.
-->
<zone name="dc5sfapp01a" zonepath="/zones/dc5sfapp01a" autoboot="true">
<inherited-pkg-dir directory="/lib"/>
<inherited-pkg-dir directory="/platform"/>
<inherited-pkg-dir directory="/sbin"/>
<inherited-pkg-dir directory="/usr"/>
<inherited-pkg-dir directory="/usr/sfw"/>
<inherited-pkg-dir directory="/export/home/apache-ant-1.6.1"/>
<inherited-pkg-dir directory="/export/home/jdk1.6.0_13"/>
<network address="10.5.30.14" physical="nge0"/>
</zone>

  • Example of a zone configuration file from a whole root zone with a shared network interface.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
<!--
DO NOT EDIT THIS FILE. Use zonecfg(1M) instead.
-->
<zone name="dc5sfsmnsageapp01" zonepath="/zones/dc5sfsmnsageapp01" autoboot="true">
<network address="10.5.35.14" physical="nge0"/>
</zone>

  • Example of a zone configuration file from a whole root zone with a dedicated (exclusive) network interface.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
<!--
DO NOT EDIT THIS FILE. Use zonecfg(1M) instead.
-->
<zone name="dc5sfsmnsageweb01" zonepath="/zones/dc5sfsmnsageweb01" autoboot="true" ip-type="exclusive">
<network address="" physical="nge2"/>
</zone>
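The following shell script is an added example, not part of the original procedure. It classifies zone configuration files of the kind shown above by root model (sparse root when inherited-pkg-dir elements are present, whole root otherwise) and IP type (exclusive when the zone element carries ip-type="exclusive", shared otherwise), and reports which hardening components the procedure applies to each zone. It uses grep and sed on the zonecfg(1M)-generated XML, which keeps each element on one line; the two zone files it creates are constructed samples with a documentation IP address, not real zones.

```shell
#!/bin/sh
# Added example, not from the original procedure.  Classifies zonecfg XML
# files by root model and IP type.  The zone files below are constructed.

SAMPLE_ZONE_DIR=${TMPDIR:-/tmp}/zones.$$
mkdir -p "$SAMPLE_ZONE_DIR"
trap 'rm -rf "$SAMPLE_ZONE_DIR"' EXIT

# Sparse root, shared IP: inherited-pkg-dir elements, no ip-type attribute.
cat > "$SAMPLE_ZONE_DIR/zone1.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
<zone name="zone1" zonepath="/zones/zone1" autoboot="true">
<inherited-pkg-dir directory="/lib"/>
<inherited-pkg-dir directory="/usr"/>
<network address="192.0.2.10" physical="nge0"/>
</zone>
EOF

# Whole root, exclusive IP: no inherited-pkg-dir, ip-type="exclusive".
cat > "$SAMPLE_ZONE_DIR/zone2.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
<zone name="zone2" zonepath="/zones/zone2" autoboot="true" ip-type="exclusive">
<network address="" physical="nge2"/>
</zone>
EOF

# name="..." attribute of the <zone> element.
zone_name() {
    sed -n 's/.*<zone [^>]*name="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# "sparse" when the zone inherits package directories from the global zone,
# "whole" when every package is installed privately in the zone.
zone_root_model() {
    if grep -q '<inherited-pkg-dir ' "$1"; then echo sparse; else echo whole; fi
}

# "exclusive" when the zone has its own IP instance, "shared" otherwise.
zone_ip_type() {
    if grep -q '<zone [^>]*ip-type="exclusive"' "$1"; then echo exclusive; else echo shared; fi
}

# Components the procedure applies: JASS and RSA in every zone, BSM in the
# global zone only.
hardening_for() {
    case "$1" in
        global)     echo "JASS RSA BSM" ;;
        non-global) echo "JASS RSA" ;;
        *)          return 1 ;;
    esac
}

# One line per zone file in a directory: name, root model, IP type, and the
# components to apply to it (all files here describe non-global zones).
zone_summary() {
    for _f in "$1"/*.xml; do
        printf '%s root=%s ip=%s hardening=%s\n' \
            "$(zone_name "$_f")" "$(zone_root_model "$_f")" \
            "$(zone_ip_type "$_f")" "$(hardening_for non-global)"
    done
}

zone_summary "$SAMPLE_ZONE_DIR"
```

On a live system the zone configuration files live under /etc/zones, so zone_summary /etc/zones (run as root in the global zone) produces the same table for the configured zones; index and other non-zone XML files there would need to be filtered out first.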

Bibliography

International Standard ISO/IEC 17799

Information Technology – Security Techniques – Code Of Practice For Information Security Management

 

 

Appendix A: Examples

 

 

Scripts

/opt/SUNWjass/Finish # ls -lrt
total 834
-r--r--r-- 1 root root 697 Jul 26 2005 disable-ab2.fin
-r--r--r-- 1 root root 892 Jul 26 2005 disable-IIim.fin
-r--r--r-- 1 root root 1103 Jul 26 2005 disable-directory.fin
-r--r--r-- 1 root root 1560 Jul 26 2005 disable-dhcpd.fin
-r--r--r-- 1 root root 888 Jul 26 2005 disable-automount.fin
-r--r--r-- 1 root root 1023 Jul 26 2005 disable-asppp.fin
-r--r--r-- 1 root root 566 Jul 26 2005 disable-appserv.fin
-r--r--r-- 1 root root 532 Jul 26 2005 disable-apache2.fin
-r--r--r-- 1 root root 1159 Jul 26 2005 disable-apache.fin
-r--r--r-- 1 root root 644 Jul 26 2005 disable-named.fin
-r--r--r-- 1 root root 1013 Jul 26 2005 disable-mipagent.fin
-r--r--r-- 1 root root 999 Jul 26 2005 disable-ldap-client.fin
-r--r--r-- 1 root root 2460 Jul 26 2005 disable-keyserv-uid-nobody.fin
-r--r--r-- 1 root root 1850 Jul 26 2005 disable-kdc.fin
-r--r--r-- 1 root root 797 Jul 26 2005 disable-ipv6.fin
-r--r--r-- 1 root root 935 Jul 26 2005 disable-face-log.fin
-r--r--r-- 1 root root 1869 Jul 26 2005 disable-routing.fin
-r--r--r-- 1 root root 1454 Jul 26 2005 disable-rhosts.fin
-r--r--r-- 1 root root 1361 Jul 26 2005 disable-preserve.fin
-r--r--r-- 1 root root 1070 Jul 26 2005 disable-ppp.fin
-r--r--r-- 1 root root 2229 Jul 26 2005 disable-power-mgmt.fin
-r--r--r-- 1 root root 847 Jul 26 2005 disable-picld.fin
-r--r--r-- 1 root root 1865 Jul 26 2005 disable-nscd-caching.fin
-r--r--r-- 1 root root 984 Jul 26 2005 disable-nfs-server.fin
-r--r--r-- 1 root root 825 Jul 26 2005 disable-spc.fin
-r--r--r-- 1 root root 949 Jul 26 2005 disable-slp.fin
-r--r--r-- 1 root root 1854 Jul 26 2005 enable-password-history.fin
-r--r--r-- 1 root root 2823 Jul 26 2005 enable-inetd-syslog.fin
-r--r--r-- 1 root root 1352 Jul 26 2005 enable-ftpaccess.fin
-r--r--r-- 1 root root 1124 Jul 26 2005 enable-ftp-syslog.fin
-r--r--r-- 1 root root 2166 Jul 26 2005 enable-bart.fin
-r--r--r-- 1 root root 2639 Jul 26 2005 enable-account-lockout.fin
-r--r--r-- 1 root root 1165 Jul 26 2005 enable-32bit-kernel.fin
-r--r--r-- 1 root root 434 Jul 26 2005 disable-xfs.fin
-r--r--r-- 1 root root 2253 Jul 26 2005 install-ftpusers.fin
-r--r--r-- 1 root root 4418 Jul 26 2005 install-fix-modes.fin
-r--r--r-- 1 root root 1570 Jul 26 2005 install-at-allow.fin
-r--r--r-- 1 root root 1290 Jul 26 2005 install-Sun_ONE-WS.fin
-r--r--r-- 1 root root 2104 Jul 26 2005 enable-tcpwrappers.fin
-r--r--r-- 1 root root 1572 Jul 26 2005 enable-priv-nfs-ports.fin
-r--r--r-- 1 root root 1374 Jul 26 2005 install-shells.fin
-r--r--r-- 1 root root 1965 Jul 26 2005 install-sadmind-options.fin
-r--r--r-- 1 root root 1959 Jul 26 2005 install-recommended-patches.fin
-r--r--r-- 1 root root 1911 Jul 26 2005 install-openssh.fin
-r--r--r-- 1 root root 1040 Jul 26 2005 install-newaliases.fin
-r--r--r-- 1 root root 3073 Jul 26 2005 install-md5.fin
-r--r--r-- 1 root root 1330 Jul 26 2005 print-unowned-objects.fin
-r--r--r-- 1 root root 1188 Jul 26 2005 print-suid-files.fin
-r--r--r-- 1 root root 1188 Jul 26 2005 print-sgid-files.fin
-r--r--r-- 1 root root 3942 Jul 26 2005 minimize-Sun_ONE-WS.fin
-r--r--r-- 1 root root 570 Jul 26 2005 install-templates.fin
-r--r--r-- 1 root root 2329 Jul 26 2005 set-banner-dtlogin.fin
-r--r--r-- 1 root root 1122 Jul 26 2005 remove-unneeded-accounts.fin
-r--r--r-- 1 root root 1564 Jul 26 2005 print-world-writable-objects.fin
-r--r--r-- 1 root root 1877 Jul 26 2005 set-term-type.fin
-r--r--r-- 1 root root 1699 Jul 26 2005 set-system-umask.fin
-r--r--r-- 1 root root 4421 Jul 26 2005 set-strict-password-checks.fin
-r--r--r-- 1 root root 1086 Jul 26 2005 set-root-group.fin
-r--r--r-- 1 root root 2266 Jul 26 2005 set-rmmount-nosuid.fin
-r--r--r-- 1 root root 1380 Jul 26 2005 set-login-retries.fin
-r--r--r-- 1 root root 2087 Jul 26 2005 update-cron-deny.fin
-r--r--r-- 1 root root 1740 Jul 26 2005 update-cron-allow.fin
-r--r--r-- 1 root root 1225 Jul 26 2005 suncluster3x-set-nsswitch-conf.fin
-r--r--r-- 1 root root 2084 Jul 26 2005 set-tmpfs-limit.fin
-r--r--r-- 1 root root 2048 Aug 22 2008 disable-dtlogin.fin
-r--r--r-- 1 root root 1286 Aug 22 2008 disable-dmi.fin
-r--r--r-- 1 root root 1155 Aug 22 2008 disable-autoinst.fin
-r--r--r-- 1 root root 678 Aug 22 2008 disable-serial-login.fin
-r--r--r-- 1 root root 6428 Aug 22 2008 disable-sendmail.fin
-r--r--r-- 1 root root 1102 Aug 22 2008 disable-samba.fin
-r--r--r-- 1 root root 1636 Aug 22 2008 disable-rpc.fin
-r--r--r-- 1 root root 1174 Aug 22 2008 disable-remote-root-login.fin
-r--r--r-- 1 root root 451 Aug 22 2008 disable-nis-client.fin
-r--r--r-- 1 root root 1369 Aug 22 2008 disable-nfs-client.fin
-r--r--r-- 1 root root 1018 Aug 22 2008 disable-mesg.fin
-r--r--r-- 1 root root 2149 Aug 22 2008 disable-lp.fin
-r--r--r-- 1 root root 1400 Aug 22 2008 disable-keyboard-abort.fin
-r--r--r-- 1 root root 1948 Aug 22 2008 enable-ssh-root-login.fin
-r--r--r-- 1 root root 1774 Aug 22 2008 enable-sar.fin
-r--r--r-- 1 root root 1555 Aug 22 2008 enable-rfc1948.fin
-r--r--r-- 1 root root 3804 Aug 22 2008 enable-process-accounting.fin
-r--r--r-- 1 root root 2031 Aug 22 2008 enable-password-changes.fin
-r--r--r-- 1 root root 690 Aug 22 2008 enable-ldmd.fin
-r--r--r-- 1 root root 3805 Aug 22 2008 enable-ipfilter.fin
-r--r--r-- 1 root root 1122 Aug 22 2008 enable-ftp-debuglog.fin
-r--r--r-- 1 root root 1217 Aug 22 2008 enable-cronlog.fin
-r--r--r-- 1 root root 3368 Aug 22 2008 enable-coreadm.fin
-r--r--r-- 1 root root 6862 Aug 22 2008 enable-bsm.fin
-r--r--r-- 1 root root 2118 Aug 22 2008 disable-xserver-listen.fin
-r--r--r-- 1 root root 4306 Aug 22 2008 disable-xdmcp.fin
-r--r--r-- 1 root root 997 Aug 22 2008 disable-wbem.fin
-r--r--r-- 1 root root 1461 Aug 22 2008 disable-vold.fin
-r--r--r-- 1 root root 1608 Aug 22 2008 disable-uucp.fin
-r--r--r-- 1 root root 3851 Aug 22 2008 disable-system-accounts.fin
-r--r--r-- 1 root root 2986 Aug 22 2008 disable-syslogd-listen.fin
-r--r--r-- 1 root root 1938 Aug 22 2008 disable-ssh-root-login.fin
-r--r--r-- 1 root root 1324 Aug 22 2008 disable-snmp.fin
-r--r--r-- 1 root root 535 Aug 22 2008 disable-smcwebserver.fin
-r--r--r-- 1 root root 1237 Aug 22 2008 disable-sma.fin
-r--r--r-- 1 root root 1292 Aug 22 2008 install-loginlog.fin
-r--r--r-- 1 root root 2084 Aug 22 2008 install-local-syslog.fin
-r--r--r-- 1 root root 2563 Aug 22 2008 install-ldm.fin
-r--r--r-- 1 root root 2904 Aug 22 2008 install-jass.fin
-r--r--r-- 1 root root 1527 Aug 22 2008 install-connlog.fin
-r--r--r-- 1 root root 1573 Aug 22 2008 install-authlog.fin
-r--r--r-- 1 root root 3095 Aug 22 2008 enable-xscreensaver.fin
-r--r--r-- 1 root root 3773 Aug 22 2008 enable-stack-protection.fin
-r--r--r-- 1 root root 1080 Aug 22 2008 print-rhosts.fin
-r--r--r-- 1 root root 765 Aug 22 2008 print-package-files.fin
-r--r--r-- 1 root root 2281 Aug 22 2008 print-jumpstart-environment.fin
-r--r--r-- 1 root root 3758 Aug 22 2008 print-jass-environment.fin
-r--r--r-- 1 root root 1151 Aug 22 2008 install-sulog.fin
-r--r--r-- 1 root root 1384 Aug 22 2008 install-strong-permissions.fin
-r--r--r-- 1 root root 1897 Aug 22 2008 install-security-mode.fin
-r--r--r-- 1 root root 1347 Aug 22 2008 install-nddconfig.fin
-r--r--r-- 1 root root 2089 Aug 22 2008 set-power-restrictions.fin
-r--r--r-- 1 root root 1642 Aug 22 2008 set-oem-banner.fin
-r--r--r-- 1 root root 768 Aug 22 2008 set-lp-open.fin
-r--r--r-- 1 root root 2774 Aug 22 2008 set-lp-localonly.fin
-r--r--r-- 1 root root 1202 Aug 22 2008 set-log-file-permissions.fin
-r--r--r-- 1 root root 3144 Aug 22 2008 set-grub-password.fin
-r--r--r-- 1 root root 4738 Aug 22 2008 set-greeter-warning.fin
-r--r--r-- 1 root root 2803 Aug 22 2008 set-ftpd-umask.fin
-r--r--r-- 1 root root 4147 Aug 22 2008 set-flexible-crypt.fin
-r--r--r-- 1 root root 3437 Aug 22 2008 set-failed-logins.fin
-r--r--r-- 1 root root 1664 Aug 22 2008 set-dtlogin-open.fin
-r--r--r-- 1 root root 2642 Aug 22 2008 set-dtlogin-localonly.fin
-r--r--r-- 1 root root 961 Aug 22 2008 set-calendar-open.fin
-r--r--r-- 1 root root 1810 Aug 22 2008 set-calendar-localonly.fin
-r--r--r-- 1 root root 1307 Aug 22 2008 set-banner-telnetd.fin
-r--r--r-- 1 root root 1829 Aug 22 2008 set-banner-sshd.fin
-r--r--r-- 1 root root 2027 Aug 22 2008 set-banner-sendmail.fin
-r--r--r-- 1 root root 4350 Aug 22 2008 set-banner-ftpd.fin
-r--r--r-- 1 root root 6560 Aug 22 2008 s15k-static-arp.fin
-r--r--r-- 1 root root 3460 Aug 22 2008 s15k-sms-secure-failover.fin
-r--r--r-- 1 root root 1329 Aug 22 2008 s15k-sms-override.fin
-r--r--r-- 1 root root 2010 Aug 22 2008 s15k-exclude-domains.fin
-r--r--r-- 1 root root 10195 Aug 22 2008 update-inetd-conf.fin
-r--r--r-- 1 root root 4944 Aug 22 2008 update-cron-log-size.fin
-r--r--r-- 1 root root 1909 Aug 22 2008 update-at-deny.fin
-r--r--r-- 1 root root 663 Aug 22 2008 set-wbem-open.fin
-r--r--r-- 1 root root 1323 Aug 22 2008 set-wbem-localonly.fin
-r--r--r-- 1 root root 3352 Aug 22 2008 set-user-umask.fin
-r--r--r-- 1 root root 3049 Aug 22 2008 set-user-password-reqs.fin
-r--r--r-- 1 root root 974 Aug 22 2008 set-ttdb-open.fin
-r--r--r-- 1 root root 1635 Aug 22 2008 set-ttdb-localonly.fin
-r--r--r-- 1 root root 1558 Aug 22 2008 set-sys-suspend-restrictions.fin
-r--r--r-- 1 root root 2584 Aug 22 2008 set-ssh-config.fin
-r--r--r-- 1 root root 672 Aug 22 2008 set-smcwebserver-open.fin
-r--r--r-- 1 root root 910 Aug 22 2008 set-smcwebserver-localonly.fin
-r--r--r-- 1 root root 909 Aug 22 2008 set-rpc-open.fin
-r--r--r-- 1 root root 2060 Aug 22 2008 set-rpc-localonly.fin
-r--r--r-- 1 root root 1673 Aug 22 2008 set-root-password.fin
-r--r--r-- 1 root root 4734 Aug 22 2008 set-root-home-dir.fin

Password

/opt/SUNWjass/Finish # pwd
/opt/SUNWjass/Finish # cat set-user-password-reqs.fin
#!/bin/sh
#
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)set-user-password-reqs.fin 3.10 06/10/30 SMI"
#
# This script installs some basic password requirements for users. Note
# that this affects local password policy only.

logMessage "Installing user password requirements."
echo ""

PASSWD=${JASS_ROOT_DIR}etc/default/passwd

if [ ! -f ${PASSWD} ]; then
   create_a_file -m 0444 -o root:sys ${PASSWD}
   echo ""
fi

changeToBeMade="0"

# Determine the values to be used. If values are
# already in place, then use them. Otherwise, use the
# defaults that are included below.

minWeeks=`nawk -F= '$1==keyword { print $2 }' keyword="MINWEEKS" ${PASSWD}`

if [ ! -z "${JASS_AGING_MINWEEKS}" ]; then
   if [ "${JASS_AGING_MINWEEKS}" != "${minWeeks}" ]; then
      changeToBeMade="1"
      if [ -z "${minWeeks}" ]; then
         minWeeks="NONE"
      fi
      logMessage "Changing MINWEEKS setting from ${minWeeks} to ${JASS_AGING_MINWEEKS}."
   fi

   minWeeks="${JASS_AGING_MINWEEKS}"
fi

maxWeeks=`nawk -F= '$1==keyword { print $2 }' keyword="MAXWEEKS" ${PASSWD}`

if [ ! -z "${JASS_AGING_MAXWEEKS}" ]; then
   if [ "${JASS_AGING_MAXWEEKS}" != "${maxWeeks}" ]; then
      changeToBeMade="1"
      if [ -z "${maxWeeks}" ]; then
         maxWeeks="NONE"
      fi
      logMessage "Changing MAXWEEKS setting from ${maxWeeks} to ${JASS_AGING_MAXWEEKS}."
   fi

   maxWeeks="${JASS_AGING_MAXWEEKS}"
fi

warnWeeks=`nawk -F= '$1==keyword { print $2 }' keyword="WARNWEEKS" ${PASSWD}`

if [ ! -z "${JASS_AGING_WARNWEEKS}" ]; then
   if [ "${JASS_AGING_WARNWEEKS}" != "${warnWeeks}" ]; then
      changeToBeMade="1"
      if [ -z "${warnWeeks}" ]; then
         warnWeeks="NONE"
      fi
      logMessage "Changing WARNWEEKS setting from ${warnWeeks} to ${JASS_AGING_WARNWEEKS}."
   fi

   warnWeeks="${JASS_AGING_WARNWEEKS}"
fi

passLength=`nawk -F= '$1==keyword { print $2 }' keyword="PASSLENGTH" ${PASSWD}`

if [ ! -z "${JASS_PASS_LENGTH}" ]; then
   if [ "${JASS_PASS_LENGTH}" != "${passLength}" ]; then
      changeToBeMade="1"
      if [ -z "${passLength}" ]; then
         passLength="NONE"
      fi
      logMessage "Changing PASSLENGTH setting from ${passLength} to ${JASS_PASS_LENGTH}."
   fi

   passLength="${JASS_PASS_LENGTH}"
fi

if [ "${changeToBeMade}" = "1" ]; then

   echo ""
   backup_file ${PASSWD}

   # Remove the old entries and insert the new ones.

   cat ${PASSWD}.${JASS_SUFFIX} |\
      egrep -v '^MINWEEKS=|^MAXWEEKS=|^WARNWEEKS=|^PASSLENGTH=' > ${PASSWD}

   if [ ! -z "${JASS_AGING_MINWEEKS}" ]; then
      echo "MINWEEKS=${minWeeks}" >> ${PASSWD}
   fi

   if [ ! -z "${JASS_AGING_MAXWEEKS}" ]; then
      echo "MAXWEEKS=${maxWeeks}" >> ${PASSWD}
   fi

   if [ ! -z "${JASS_AGING_WARNWEEKS}" ]; then
      echo "WARNWEEKS=${warnWeeks}" >> ${PASSWD}
   fi

   if [ ! -z "${JASS_PASS_LENGTH}" ]; then
      echo "PASSLENGTH=${passLength}" >> ${PASSWD}
   fi

   change_owner root:sys ${PASSWD}
   change_default_perms ${PASSWD}

fi
[ ?0 dc5sfshrapp01 root 1 !542 0 22:47:39 ]
/opt/SUNWjass/Finish #
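The following shell script is an added example, not part of the original procedure or of the Solaris Security Toolkit. It performs the complementary check to the finish script above: it reads the same MINWEEKS, MAXWEEKS, WARNWEEKS and PASSLENGTH keys from an /etc/default/passwd-style file with the same key=value lookup the finish script uses, and reports any key that is missing or weaker than required, so that drift after hardening can be detected. The procedure does not state the JASS_AGING_* and JASS_PASS_LENGTH values in use, so the required values are assumptions taken from the REQ_* environment variables with placeholder defaults, and the file it reads is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original procedure or the Solaris Security
# Toolkit.  Verifies an /etc/default/passwd-style file against required
# aging and length values.  REQ_* defaults are assumptions, not values from
# the procedure; the sample file below is constructed.

SAMPLE_PASSWD=${TMPDIR:-/tmp}/passwd.defaults.$$
trap 'rm -f "$SAMPLE_PASSWD"' EXIT

# Constructed sample: aging set, WARNWEEKS deliberately missing.
cat > "$SAMPLE_PASSWD" <<'EOF'
#ident "@(#)passwd.dfl sample"
MAXWEEKS=8
MINWEEKS=1
PASSLENGTH=8
EOF

# Same lookup the finish script performs with nawk: the value of KEY=value.
# If a key appears more than once the last occurrence wins, matching what
# the system reads.
passwd_setting() {
    awk -F= -v keyword="$2" '$1==keyword { print $2 }' "$1" | tail -n 1
}

# Prints one line per failing key ("KEY: value" or "KEY: unset") and returns
# 1; returns 0 silently when every requirement is met.
check_passwd_policy() {
    _file=$1; _rc=0
    _min=$(passwd_setting "$_file" MINWEEKS)
    _max=$(passwd_setting "$_file" MAXWEEKS)
    _warn=$(passwd_setting "$_file" WARNWEEKS)
    _len=$(passwd_setting "$_file" PASSLENGTH)
    # Minimum age must be at least REQ_MINWEEKS so users cannot cycle back
    # to an old password immediately.
    [ -n "$_min" ] && [ "$_min" -ge "${REQ_MINWEEKS:-1}" ] \
        || { echo "MINWEEKS: ${_min:-unset}"; _rc=1; }
    # Maximum age must be no more than REQ_MAXWEEKS.
    [ -n "$_max" ] && [ "$_max" -le "${REQ_MAXWEEKS:-8}" ] \
        || { echo "MAXWEEKS: ${_max:-unset}"; _rc=1; }
    # Users must be warned at least REQ_WARNWEEKS before expiry.
    [ -n "$_warn" ] && [ "$_warn" -ge "${REQ_WARNWEEKS:-1}" ] \
        || { echo "WARNWEEKS: ${_warn:-unset}"; _rc=1; }
    # Minimum password length must be at least REQ_PASSLENGTH.
    [ -n "$_len" ] && [ "$_len" -ge "${REQ_PASSLENGTH:-8}" ] \
        || { echo "PASSLENGTH: ${_len:-unset}"; _rc=1; }
    return $_rc
}

check_passwd_policy "$SAMPLE_PASSWD" || echo "policy check failed"
```

Run it as check_passwd_policy /etc/default/passwd with the REQ_* variables set to the values the driver was configured with; a non-zero exit with the offending keys printed indicates the file has been changed since the finish script ran.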

 


Published by

Shafiq Alibhai

http://shafiq.in
