


Listing 2: phase2

#!/sbin/sh
#*******************************************************************************
#
#    Name:            phase2
#    SCCS Id:        @(#)phase2    1.4    05/15/00
#
#    Description:    This file is a script for system set up, phase 2.  Phase 2
#                    is immediately after the latest Recommended and Security
#                    patch clusters have been installed, and the system has
#                    been rebooted so they take effect.
#                    
#
#            Copyright (C) 2000 by Richard Teer.  All rights reserved.
#
#*******************************************************************************


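# Configuration.  /sbin/sh is the statically linked Bourne shell, so this
# script sticks to Bourne syntax: backticks, [ ], no functions-with-local,
# and the Bourne echo, which interprets \c and \n escapes.
OS_REL=`uname -r`                     # not used below
HOSTNAME=`uname -n`
IS_ROUTER=false                       # "true" on a host that must forward IP
DEFAULT_ROUTER="207.194.2.8"
DEFAULT_MAILSERVER="zen"
LOGINLOG="/var/adm/loginlog"
INETD_CONF="/etc/inet/inetd.conf"
SYS_USER_SHELL="/opt/local/bin/noshell"
# Account list is captured BEFORE the access/backup users are added below, so
# those two keep a login shell and are not placed in the sshd DenyUsers list.
SYS_USERS=`awk -F: '{print $1}' /etc/passwd`
ACCESS_USER="access"
ACCESS_GROUP="staff"
ACCESS_UID=500
BACKUP_USER="backup"
BACKUP_GROUP="sys"
BACKUP_UID=501

echo "Starting system hardening for $HOSTNAME, Phase 2"

# Interactive parameters; an empty answer takes the default.
echo "Enter mail server [$DEFAULT_MAILSERVER]: \c"
read LINE
MAILSERVER=${LINE:-$DEFAULT_MAILSERVER}

echo "Enter default router [$DEFAULT_ROUTER]: \c"
read LINE
ROUTER=${LINE:-$DEFAULT_ROUTER}

# Administrative accounts.  These are the only non-root users that keep a
# real shell after the usermod loop further down.
echo "Adding access user...  \c"
useradd -c "Access user" -g "$ACCESS_GROUP" -u "$ACCESS_UID" -s /bin/ksh "$ACCESS_USER"
echo "Done."

echo "Adding backup user...  \c"
useradd -c "Tape backup user" -g "$BACKUP_GROUP" -u "$BACKUP_UID" -s /bin/ksh "$BACKUP_USER"
echo "Done."

# Strong (RFC 1948 style) initial sequence numbers.  The substitution is
# anchored on the TCP_STRONG_ISS line itself; the delimiter is quoted so the
# shell does not expand anything inside the ed script.
echo "Setting TCP_STRONG_ISS...  \c"
ed /etc/default/inetinit << 'EOF' > /dev/null
/^TCP_STRONG_ISS=/s/=.*/=2/
w
q
EOF
echo "Done."

# /etc/notrouter stops the startup scripts from enabling IP forwarding.
if [ "$IS_ROUTER" = "false" ]; then
    echo "Disabling IP forwarding...  \c"
    touch /etc/notrouter
    echo "Done."
fi

echo "Setting up default router...  \c"
echo "$ROUTER" > /etc/defaultrouter
echo "Done."

#echo "Clearing crontabs...  \c"
#CWD=`pwd`
#cd /var/spool/cron/crontabs
#for i in *;do
#    if [ "$i" != "root" ]; then
#        rm $i
#    fi
#done
#cd $CWD
#echo "Done."

# Existence of /var/adm/loginlog turns on logging of repeated failed logins.
echo "Enabling loginlog... \c"
touch "$LOGINLOG"
chmod 600 "$LOGINLOG"
chgrp sys "$LOGINLOG"
echo "Done."

echo "Fixing /etc permissions...  \c"
chmod -R g-w /etc
echo "Done."

# Uncomment the auth line shipped in syslog.conf and raise it to auth.info.
echo "Enabling auth.info in /etc/syslog.conf...  \c"
ed /etc/syslog.conf << 'EOF' > /dev/null
g/^#auth.notice/s/#auth.notice/auth.info/
w
q
EOF
echo "Done."

# /opt/local tree.  phase2_files/INDEX is read from the current directory and
# holds one "SRC DEST OWNER GROUP PERMS" record per line; blank and "#" lines
# are ignored and short records are reported and skipped rather than copied
# with empty arguments.
echo "Building /opt/local directory tree:"
echo "    Making directories"
mkdir -m 755 /opt/local
mkdir -m 755 /opt/local/bin
mkdir -m 755 /opt/local/etc
mkdir -m 755 /opt/local/lib
mkdir -m 755 /opt/local/man
mkdir -m 755 /opt/local/sbin
FLAG=false
echo "    Copying files: \c"
while read SRC DEST OWNER GROUP PERMS; do
    case "$SRC" in
        ""|"#"*) continue ;;
    esac
    if [ -z "$PERMS" ]; then
        echo "\nphase2: incomplete INDEX record for '$SRC', skipped" >&2
        continue
    fi
    if [ "$FLAG" = "false" ]; then
        echo "$SRC\c"
        FLAG=true
    else
        echo ", $SRC\c"
    fi
    cp "phase2_files/$SRC" "$DEST"
    chown "$OWNER:$GROUP" "$DEST"
    chmod "$PERMS" "$DEST"
done < phase2_files/INDEX
echo "."
ln /opt/local/bin/gunzip /opt/local/bin/gzip
echo "Done."

# Every account in the pre-useradd snapshot except root gets the no-login
# shell.  Warn, but still proceed, if the shell was not installed by INDEX.
echo "Setting system users' shell to $SYS_USER_SHELL...  \c"
if [ ! -x "$SYS_USER_SHELL" ]; then
    echo "\nphase2: warning: $SYS_USER_SHELL is not an executable file" >&2
fi
for i in $SYS_USERS; do
    if [ "$i" != "root" ]; then
        usermod -s "$SYS_USER_SHELL" "$i"
    fi
done
echo "Done."

# Comment out every active inetd service.  The pristine copy is kept beside
# the file in root-owned /etc/inet rather than under a predictable name in
# world-writable /tmp.
echo "Configuring tcpwrapper...  \c"
cp -p "$INETD_CONF" "$INETD_CONF.orig"
sed '/^[^#]/s/^/#/' "$INETD_CONF.orig" > "$INETD_CONF"
chgrp sys "$INETD_CONF"
# NOTE(review): mode 111 is what the original listing used; 444 would be the
# conventional read-only mode for a configuration file.
chmod 111 "$INETD_CONF"
echo "Done."

# ssh is the only service left enabled in inetd, wrapped by tcpd.  The
# DenyUsers line used to be written with "\b", which the Bourne echo turns
# into a literal backspace byte in sshd.conf; a plain space is intended.
echo "Configuring ssh...  \c"
echo "ssh        22/tcp" >> /etc/services
echo "ssh stream tcp nowait root /opt/local/sbin/tcpd /opt/local/sbin/sshd \
-i -f /etc/sshd.conf" >> "$INETD_CONF"
echo "DenyUsers" $SYS_USERS >> /etc/sshd.conf
ssh-keygen -b 1024 -f /etc/ssh_host_key -N '' > /dev/null
echo "Done."

# Null-client sendmail.cf: all outgoing mail is relayed to $MAILSERVER.
# Abort if the m4 directory is missing, otherwise the files below would be
# written into the current directory.
echo "Building null client sendmail.cf... \c"
CWD=`pwd`
cd /usr/lib/mail/cf || exit 1
echo "#" > nullclient.mc
echo "# This file directs all outgoing email" >> nullclient.mc
echo "# to the mail server \"$MAILSERVER\"." >> nullclient.mc
echo "#\n" >> nullclient.mc
echo "OSTYPE(solaris2.ml)dnl" >> nullclient.mc
echo "FEATURE(\`nullclient', \`$MAILSERVER')dnl" >> nullclient.mc
chown root:mail nullclient.mc
chmod 444 nullclient.mc
/usr/ccs/bin/m4 ../m4/cf.m4 nullclient.mc > nullclient.cf
chown root:mail nullclient.cf
chmod 444 nullclient.cf
cp -p nullclient.cf /etc/mail/sendmail.cf
cd "$CWD"
echo "Done."

sync
echo "\n"
echo "Phase 2 of the system hardening for $HOSTNAME is complete."
echo ""
echo "Use the passwd command to set the access user's password."
echo ""
echo "By default, all services in /etc/inet/inetd.conf, with"
echo "the exception of ssh, have been disabled. You will have"
echo "to manually enable the services you want, not forgetting"
echo "to put them under the control of /opt/local/sbin/tcpd."
echo ""
echo "You should examine /etc/rc2.d and /etc/rc3.d, and make"
echo "sure that only those services you need are enabled."
echo "You should also check that /etc/defaultrouter contains"
echo "the right IP address for your router."
echo ""
echo "Make sure that /etc/nsswitch.conf contains dns on the hosts"
echo "line."
echo ""
echo "Finally, you should now install your server applications,"
echo "e.g., Apache, BIND, Sendmail, etc."
echo ""
echo "Now is probably a good time to reboot this machine,"
echo "to ensure that nothing has gone awry."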