svcadm disable svc:/network/rpc/cde-ttdbserver:tcp
svcadm disable svc:/network/rpc/cde-calendar-manager
svcadm disable svc:/network/smtp:sendmail
svcadm disable svc:/application/print/rfc1179:default
svcadm disable svc:/network/rpc/keyserv:default
svcadm disable svc:/network/nis/server:default
svcadm disable svc:/network/nis/passwd:default
svcadm disable svc:/network/nis/update:default
svcadm disable svc:/network/nis/xfr:default
svcadm disable svc:/network/nis/client:default
svcadm disable svc:/network/rpc/nisplus:default
svcadm disable svc:/network/ldap/client:default
svcadm disable svc:/network/security/ktkt_warn:default
svcadm disable svc:/network/rpc/gss:default
svcadm disable svc:/system/filesystem/autofs:default
if [ ! "`grep noexec_user_stack /etc/system`" ]; then
cat <
* Attempt to prevent and log stack-smashing attacks
set noexec_user_stack = 1
set noexec_user_stack_log = 1
END_CFG
fi
cd /etc/default
awk '/TCP_STRONG_ISS=/ { $1 = "TCP_STRONG_ISS=2" }; \
{ print }' inetinit > inetinit.new
mv inetinit.new inetinit
pkgchk -f -n -p /etc/default/inetinit
routeadm -d ipv4-forwarding -d ipv6-forwarding
routeadm -d ipv4-routing -d ipv6-routing
routeadm -u
inetadm -M tcp_trace=true
inetadm -m svc:/network/ftp \
exec="/usr/sbin/in.ftpd -a -l -d"
touch /var/adm/authlog
chmod 600 /var/adm/authlog
chgrp sys /var/adm/authlog
svcadm refresh system/system-log
touch /var/adm/loginlog
chown root:sys /var/adm/loginlog
chmod 600 /var/adm/loginlog
logadm -w loginlog -C 13 /var/adm/loginlog
cd /etc/default
awk '/SYSLOG_FAILED_LOGINS=/ \
{ $1 = "SYSLOG_FAILED_LOGINS=0" }; \
{ print }' login >login.new
mv login.new login
pkgchk -f -n -p /etc/default/login
cd /etc/default
awk '/CRONLOG=/ { $1 = "CRONLOG=YES" }; \
{ print }' cron > cron.new
mv cron.new cron
pkgchk -f -n -p /etc/default/cron
chown root:root /var/cron/log
chmod go-rwx /var/cron/log
cd /etc/default
awk '/^CMASK=/ { $1 = "CMASK=022" }
{ print }' init >init.new
mv init.new init
pkgchk -f -n -p /etc/default/init
pkgchk -n
pkgchk -n -p /etc/passwd
pkgchk -n -p /etc/shadow
cd /etc/default
awk '/ENABLE_NOBODY_KEYS=/ \
{ $1 = "ENABLE_NOBODY_KEYS=NO" }
{ print }' keyserv >keyserv.new
mv keyserv.new keyserv
pkgchk -f -n -p /etc/default/keyserv
cd /etc/default
awk '/CONSOLE=/ { print "CONSOLE=/dev/console"; next }; \
{ print }' login >login.new
mv login.new login
pkgchk -f -n -p /etc/default/login
mkdir /root
passmgmt -m -h /root root
chmod 700 /root
logins -o | awk -F: '($2 == 0) { print $1 }'
passmgmt -m -g 0 root
for dir in `logins -ox | \
awk -F: '($8 == "PS" && $1 != "root") { print $6 }'`
do
dirperm=`ls -ld $dir | cut -f1 -d" "`
if [ `echo $dirperm | cut -c6 ` != "-" ]
then
echo "Group Write permission set on directory $dir"
fi
if [ `echo $dirperm | cut -c8 ` != "-" ]
then
echo "Other Read permission set on directory $dir"
fi
if [ `echo $dirperm | cut -c9 ` != "-" ]
then
echo "Other Write permission set on directory $dir"
fi
if [ `echo $dirperm | cut -c10 ` != "-" ]
then
echo "Other Execute permission set on directory $dir"
fi
done
for dir in `logins -ox | \
awk -F: '($8 == "PS") { print $6 }'`
do
for file in $dir/.[A-Za-z0-9]*; do
if [ ! -h "$file" -a -f "$file" ]; then
fileperm=`ls -ld $file | cut -f1 -d" "`
if [ `echo $fileperm | cut -c6 ` != "-" ]
then
echo "Group Write permission set on file $file"
fi
if [ `echo $fileperm | cut -c9 ` != "-" ]
then
echo "Other Write permission set on file $file"
fi
fi
done
done
for dir in `logins -ox | \
awk -F: '($8 == "PS") { print $6 }'`
do
for file in $dir/.netrc; do
if [ ! -h "$file" -a -f "$file" ]; then
fileperm=`ls -ld $file | cut -f1 -d" "`
if [ `echo $fileperm | cut -c5 ` != "-" ]
then
echo "Group Read permission set on directory $file"
fi
if [ `echo $fileperm | cut -c6 ` != "-" ]
then
echo "Group Write permission set on directory $file"
fi
if [ `echo $fileperm | cut -c7 ` != "-" ]
then
echo "Group Execute permission set on directory $file"
fi
if [ `echo $fileperm | cut -c8 ` != "-" ]
then
echo "Other Read permission set on directory $file"
fi
if [ `echo $fileperm | cut -c9 ` != "-" ]
then
echo "Other Write permission set on directory $file"
fi
if [ `echo $fileperm | cut -c10 ` != "-" ]
then
echo "Other Execute permission set on directory $file"
fi
fi
done
done
cd /etc/ftpd
if [ "`grep '^defumask' ftpaccess`" ]; then
awk '/^defumask/ { $2 = "077" }
{ print }' ftpaccess >ftpaccess.new
mv ftpaccess.new ftpaccess
else
echo defumask 077 >>ftpaccess
fi
pkgchk -f -n -p /etc/ftpd/ftpaccess
echo "Authorized uses only. All activity may be \
monitored and reported." >/etc/motd
echo "Authorized uses only. All activity may be \
monitored and reported." >/etc/issue
pkgchk -f -n -p /etc/motd
chown root:root /etc/issue
chmod 644 /etc/issue
echo Authorized uses only. All activity may \
be monitored and reported. >/etc/ftpd/banner.msg
chown root:root /etc/ftpd/banner.msg
chmod 444 /etc/ftpd/banner.msg
eeprom oem-banner="Authorized uses only. All activity \
may be monitored and reported."
eeprom oem-banner\?=true
touch /etc/notrouter
chown root:sys /etc/notrouter
chmod 444 /etc/notrouter
eeprom local-mac-address?=true
svcadm disable telnet
svcadm disable ftp
No comments:
Post a Comment