Wednesday, October 22, 2008

Solaris Hardening Scripts

Solaris Hardening Scripts

# Solaris hardening steps.  Bourne-shell syntax throughout (backticks, [ ],
# no $(...)): assumes Solaris 10 /bin/sh and a root shell.
# NOTE(review): the sequence appears to follow the CIS Solaris benchmark;
# verify each step against the current benchmark before reuse.
#
# Services disabled outright: CDE ToolTalk/calendar, the sendmail listener,
# BSD lpd (rfc1179), the secure-RPC keyserver, NIS server and client, NIS+,
# the LDAP client, the Kerberos ticket-warning daemon, RPC GSS and the
# automounter.  svcadm disable (no -t) persists across reboots; an FMRI
# unknown on this host is reported by svcadm and the loop moves on.
for fmri in \
  svc:/network/rpc/cde-ttdbserver:tcp \
  svc:/network/rpc/cde-calendar-manager \
  svc:/network/smtp:sendmail \
  svc:/application/print/rfc1179:default \
  svc:/network/rpc/keyserv:default \
  svc:/network/nis/server:default \
  svc:/network/nis/passwd:default \
  svc:/network/nis/update:default \
  svc:/network/nis/xfr:default \
  svc:/network/nis/client:default \
  svc:/network/rpc/nisplus:default \
  svc:/network/ldap/client:default \
  svc:/network/security/ktkt_warn:default \
  svc:/network/rpc/gss:default \
  svc:/system/filesystem/autofs:default
do
  svcadm disable "$fmri"
done


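# Non-executable user stacks, with logging of attempts.  /etc/system is read
# at boot, so this takes effect after the next reboot.  The stanza is only
# appended when no noexec_user_stack line is present yet.
# The original "cat <>/etc/system" was not a here-document (the <<END_CFG
# redirection was missing), so the three lines ran as shell commands and
# nothing was appended.
# NOTE(review): the grep is unanchored, so a commented-out
# "* set noexec_user_stack" line also counts as present — check /etc/system
# by hand if in doubt.  (Bourne sh has no "!", hence the || form.)
grep noexec_user_stack /etc/system >/dev/null 2>&1 || cat <<END_CFG >>/etc/system
* Attempt to prevent and log stack-smashing attacks
set noexec_user_stack = 1
set noexec_user_stack_log = 1
END_CFG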

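# Strong TCP initial sequence numbers (TCP_STRONG_ISS=2, RFC 1948 style) in
# /etc/default/inetinit.  The regex is unanchored on purpose: a commented-out
# "#TCP_STRONG_ISS=1" line is rewritten (and thereby uncommented) too.
# The file is rewritten through a temp copy that is only swapped in when awk
# succeeded, so a failed awk cannot leave an empty inetinit behind.
# pkgchk -f resets owner/group/mode to the packaged values, since the new
# file was created with this shell's umask.
cd /etc/default || exit 1   # never edit a same-named file elsewhere
if awk '/TCP_STRONG_ISS=/ { $1 = "TCP_STRONG_ISS=2" }; { print }' inetinit >inetinit.new; then
  mv inetinit.new inetinit
else
  echo "could not rewrite /etc/default/inetinit; left unchanged" >&2
  rm -f inetinit.new
fi
pkgchk -f -n -p /etc/default/inetinit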


# This host is not a router: disable IPv4/IPv6 forwarding and the routing
# daemons, then apply the settings to the running system (-u) instead of
# waiting for a reboot.
routeadm -d ipv4-forwarding -d ipv6-forwarding -d ipv4-routing -d ipv6-routing
routeadm -u

# inetd: -M sets the inetd-wide default, so every inetd service logs its
# TCP connections (tcp_trace).  in.ftpd is started with -a (honour
# /etc/ftpd/ftpaccess, which the defumask stanza below relies on) and -l
# (session logging).  NOTE(review): -d is debug logging per in.ftpd(1M) —
# confirm that verbosity is wanted.
inetadm -M tcp_trace=true
inetadm -m svc:/network/ftp exec="/usr/sbin/in.ftpd -a -l -d"

# Separate authentication log, mode 600 group sys (the owner is whoever runs
# this, assumed root).  system-log is refreshed so syslogd re-reads its
# configuration.
# NOTE(review): nothing in this script adds an auth.* line to
# /etc/syslog.conf pointing at authlog, so the refresh only matters if that
# line already exists — confirm.
touch /var/adm/authlog
chgrp sys /var/adm/authlog
chmod 600 /var/adm/authlog
svcadm refresh system/system-log

# /var/adm/loginlog: login(1) records repeated failed logins here once the
# file exists (see login(1) for the threshold).  Root-only, and rotated by
# logadm under the entry name "loginlog", keeping 13 old copies.
touch /var/adm/loginlog
chmod 600 /var/adm/loginlog
chown root:sys /var/adm/loginlog
logadm -w loginlog -C 13 /var/adm/loginlog


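# Log every failed login attempt (SYSLOG_FAILED_LOGINS=0 in
# /etc/default/login).  Unanchored regex: a commented-out line is rewritten
# and thereby uncommented.  The temp copy is only swapped in when awk
# succeeded; pkgchk -f restores the packaged owner/mode afterwards.
cd /etc/default || exit 1
if awk '/SYSLOG_FAILED_LOGINS=/ { $1 = "SYSLOG_FAILED_LOGINS=0" }; { print }' login >login.new; then
  mv login.new login
else
  echo "could not rewrite /etc/default/login; left unchanged" >&2
  rm -f login.new
fi
pkgchk -f -n -p /etc/default/login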


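# Turn on cron job logging (CRONLOG=YES in /etc/default/cron).  Unanchored
# regex: a commented-out line is rewritten and thereby uncommented.  The temp
# copy is only swapped in when awk succeeded; pkgchk -f restores the packaged
# owner/mode afterwards.
cd /etc/default || exit 1
if awk '/CRONLOG=/ { $1 = "CRONLOG=YES" }; { print }' cron >cron.new; then
  mv cron.new cron
else
  echo "could not rewrite /etc/default/cron; left unchanged" >&2
  rm -f cron.new
fi
pkgchk -f -n -p /etc/default/cron

# The cron log is root-only.  chown/chmod report an error if the file does
# not exist yet (presumably cron creates it once logging starts).
chown root:root /var/cron/log
chmod go-rwx /var/cron/log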


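# Default umask 022 for processes started by init (CMASK in
# /etc/default/init).  The temp copy is only swapped in when awk succeeded;
# pkgchk -f restores the packaged owner/mode afterwards.
# NOTE(review): unlike the other /etc/default edits this pattern is anchored
# (^CMASK=), so a commented-out "#CMASK=" line is left untouched — confirm
# that is intended, or drop the ^ to match the other stanzas.
cd /etc/default || exit 1
if awk '/^CMASK=/ { $1 = "CMASK=022" } { print }' init >init.new; then
  mv init.new init
else
  echo "could not rewrite /etc/default/init; left unchanged" >&2
  rm -f init.new
fi
pkgchk -f -n -p /etc/default/init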


# Audit only (no -f, nothing is corrected): report packaged files whose
# attributes differ from the package database, system-wide and then for
# passwd and shadow specifically.  -n skips the content check of
# editable/volatile files per pkgchk(1M), which is what these are.
pkgchk -n
for audit_file in /etc/passwd /etc/shadow; do
  pkgchk -n -p "$audit_file"
done


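# Do not serve secure-RPC keys for the "nobody" user (ENABLE_NOBODY_KEYS=NO
# in /etc/default/keyserv); keyserv itself is disabled above, this is
# belt-and-braces.  Unanchored regex: a commented-out line is rewritten and
# thereby uncommented.  The temp copy is only swapped in when awk succeeded;
# pkgchk -f restores the packaged owner/mode afterwards.
cd /etc/default || exit 1
if awk '/ENABLE_NOBODY_KEYS=/ { $1 = "ENABLE_NOBODY_KEYS=NO" } { print }' keyserv >keyserv.new; then
  mv keyserv.new keyserv
else
  echo "could not rewrite /etc/default/keyserv; left unchanged" >&2
  rm -f keyserv.new
fi
pkgchk -f -n -p /etc/default/keyserv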

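# Restrict direct root login to the console (CONSOLE=/dev/console in
# /etc/default/login).  Any line containing CONSOLE= — commented or not — is
# replaced outright ("next" skips the default print for it).  The temp copy
# is only swapped in when awk succeeded; pkgchk -f restores the packaged
# owner/mode afterwards.
cd /etc/default || exit 1
if awk '/CONSOLE=/ { print "CONSOLE=/dev/console"; next }; { print }' login >login.new; then
  mv login.new login
else
  echo "could not rewrite /etc/default/login; left unchanged" >&2
  rm -f login.new
fi
pkgchk -f -n -p /etc/default/login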



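# Give root a private home directory, /root, mode 700 (the Solaris default
# is historically /).  mkdir is skipped when the directory already exists so
# the script can be re-run without an error.
[ -d /root ] || mkdir /root
passmgmt -m -h /root root
chmod 700 /root

# Audit: print every account whose UID is 0 (logins -o field 2); only
# "root" is expected here.
logins -o | awk -F: '($2 == 0) { print $1 }'

# root's primary group must be GID 0.
passmgmt -m -g 0 root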


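#######################################
# Home-directory permission audit (report only, nothing is changed).
# Bourne-shell syntax on purpose (backticks, no "local"): assumes Solaris
# /bin/sh.  Helper variables are therefore global and prefixed so they do
# not clash with the loop variables below.
# Fixes over the inline form: paths are quoted; a home directory that does
# not exist (or cannot be listed) no longer produces a "test: argument
# expected" error from an empty mode string; the .netrc messages say "file"
# (the path is tested with -f).
#######################################

#######################################
# Print the ls(1) mode string of a path, e.g. "drwxr-x---".
# Arguments: $1 - path
# Outputs:   mode string on stdout; nothing if the path cannot be listed
#######################################
perm_string() {
  ls -ld "$1" 2>/dev/null | cut -f1 -d" "
}

#######################################
# Report one permission bit if it is set.
# Arguments: $1 - mode string from perm_string
#            $2 - column of the bit, 1-based as printed by ls -l
#                 (5 = group read ... 10 = other execute)
#            $3 - label, e.g. "Group Write"
#            $4 - kind of object, "directory" or "file"
#            $5 - path, for the message
# Outputs:   "$3 permission set on $4 $5" when the column is not "-";
#            an empty mode string reports nothing
#######################################
report_perm() {
  if [ -z "$1" ]; then
    return 0
  fi
  rp_bit=`echo "$1" | cut -c"$2"`
  if [ "$rp_bit" != "-" ]; then
    echo "$3 permission set on $4 $5"
  fi
}

#######################################
# Check a home directory for group-write and any other-access bit.
# Arguments: $1 - directory path
# Outputs:   one line per bit found; a missing directory is noted on stderr
# Returns:   1 if the directory does not exist, else 0
#######################################
check_home_dir() {
  hd_dir=$1
  if [ ! -d "$hd_dir" ]; then
    echo "Home directory $hd_dir does not exist" >&2
    return 1
  fi
  hd_mode=`perm_string "$hd_dir"`
  report_perm "$hd_mode" 6 "Group Write" directory "$hd_dir"
  report_perm "$hd_mode" 8 "Other Read" directory "$hd_dir"
  report_perm "$hd_mode" 9 "Other Write" directory "$hd_dir"
  report_perm "$hd_mode" 10 "Other Execute" directory "$hd_dir"
  return 0
}

#######################################
# Check the regular (non-symlink) dotfiles of a home directory for
# group/other write.  Only .<alphanumeric>* names are matched, so .netrc is
# covered here as well as in check_netrc.
# Arguments: $1 - home directory path
# Outputs:   one line per bit found
#######################################
check_dotfiles() {
  for dot_file in "$1"/.[A-Za-z0-9]*; do
    if [ -f "$dot_file" ] && [ ! -h "$dot_file" ]; then
      dot_mode=`perm_string "$dot_file"`
      report_perm "$dot_mode" 6 "Group Write" file "$dot_file"
      report_perm "$dot_mode" 9 "Other Write" file "$dot_file"
    fi
  done
}

#######################################
# Check $1/.netrc (stored FTP credentials) for every group/other bit.
# Arguments: $1 - home directory path
# Outputs:   one line per bit found
#######################################
check_netrc() {
  nr_file="$1/.netrc"
  if [ -f "$nr_file" ] && [ ! -h "$nr_file" ]; then
    nr_mode=`perm_string "$nr_file"`
    report_perm "$nr_mode" 5 "Group Read" file "$nr_file"
    report_perm "$nr_mode" 6 "Group Write" file "$nr_file"
    report_perm "$nr_mode" 7 "Group Execute" file "$nr_file"
    report_perm "$nr_mode" 8 "Other Read" file "$nr_file"
    report_perm "$nr_mode" 9 "Other Write" file "$nr_file"
    report_perm "$nr_mode" 10 "Other Execute" file "$nr_file"
  fi
}

# Accounts with a password set: logins -ox field 8 is the password status
# ("PS" = passworded per logins(1M)), field 6 the home directory.
# Word-splitting the backtick output assumes home-directory paths contain no
# whitespace.  root is skipped in this first pass (its /root is set up above).
for dir in `logins -ox | awk -F: '($8 == "PS" && $1 != "root") { print $6 }'`; do
  check_home_dir "$dir"
done

# Dotfiles of every passworded account, root included.
for dir in `logins -ox | awk -F: '($8 == "PS") { print $6 }'`; do
  check_dotfiles "$dir"
done

# .netrc of every passworded account, root included.
for dir in `logins -ox | awk -F: '($8 == "PS") { print $6 }'`; do
  check_netrc "$dir"
done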


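# Default umask 077 for FTP uploads (/etc/ftpd/ftpaccess, read by in.ftpd
# when started with -a as above).  An existing defumask line is rewritten in
# place (only its second field, so any class arguments stay), otherwise one
# is appended.  The rewritten copy is only swapped in when awk succeeded;
# pkgchk -f restores the packaged owner/mode afterwards.
cd /etc/ftpd || exit 1
if grep '^defumask' ftpaccess >/dev/null 2>&1; then
  if awk '/^defumask/ { $2 = "077" } { print }' ftpaccess >ftpaccess.new; then
    mv ftpaccess.new ftpaccess
  else
    echo "could not rewrite /etc/ftpd/ftpaccess; left unchanged" >&2
    rm -f ftpaccess.new
  fi
else
  echo defumask 077 >>ftpaccess
fi
pkgchk -f -n -p /etc/ftpd/ftpaccess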


# One warning banner for every login path: motd, issue (shown before the
# login prompt), the FTP greeting and the OpenBoot oem-banner.  Held in a
# variable so the four copies cannot drift apart.
# NOTE(review): "uses" is as in the source; confirm whether "users" was meant.
banner="Authorized uses only. All activity may be monitored and reported."

echo "$banner" >/etc/motd
echo "$banner" >/etc/issue
pkgchk -f -n -p /etc/motd         # motd is packaged: restore its owner/mode
chown root:root /etc/issue        # issue is not, so set them by hand
chmod 644 /etc/issue

echo "$banner" >/etc/ftpd/banner.msg
chown root:root /etc/ftpd/banner.msg
chmod 444 /etc/ftpd/banner.msg

# The "?" in oem-banner?=true is escaped so the shell does not treat it as a
# glob character.
eeprom oem-banner="$banner"
eeprom oem-banner\?=true


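# /etc/notrouter stops the boot scripts from enabling IP forwarding on a
# multi-homed host; only its existence matters, so it is created read-only.
touch /etc/notrouter
chown root:sys /etc/notrouter
chmod 444 /etc/notrouter

# Give every interface its own MAC address instead of the system-wide one.
# The "?" is escaped as on the oem-banner line above: unescaped it is a glob
# that would expand if a matching file existed in the current directory
# (still /etc/ftpd from the cd above).
eeprom local-mac-address\?=true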



# Short names resolve to the inetd-managed telnet and ftp services.
# NOTE(review): this disables ftp, which the inetadm and ftpaccess stanzas
# above configure; keep only one of the two depending on whether FTP is
# required on this host.
for svc in telnet ftp; do
  svcadm disable "$svc"
done
