YASSP
MANUAL PAGE
SECclean YASSP(1)
NAME
YASSP, SECclean, cleanup_passwd - Yet Another Secure Solaris
Package - a tool for improving Solaris security.
SYNOPSIS
YASSP is a bundle of packages to secure Solaris.
The default behavior turns off most of the services, which
is suitable for an external (exposed) server like a
firewall, a web server or an FTP server. These services can
be easily turned back on via a configuration file.
The OS security tuning is performed at various levels:
turning off (networked) services, changing file owner/mode,
enabling logging, tuning the network stack, changing the
system parameters and also providing a coherent default
environment so that administrators know what they can expect
and where.
This security package also includes a set of common and
useful tools, pre-compiled and packaged. They are optional,
and are available and ready to be installed. All the
packages supplied can be uninstalled if required.
For a complete description of how to install and configure
YASSP, please see http://www.yassp.org
PHILOSOPHY
o It must play by SUN's rules and not fight SUN: we follow
SUN's standards and rules as closely as we can.
o It can be installed and de-installed cleanly and should
restore the same context as before.
o It should run on a minimal installation, like the core
choice of the Solaris installation.
o It should be tolerant about what it expects to find
installed, and accept the difference.
o Secure and closed by default...
o ... But can be opened up after the installation or
modified to be localized.
o It uses a three-layer implementation: from the security
issue we are trying to solve, we generate a list of
modifications that need to happen; this list is implemented
by the package installation (replaced files, edited files,
created files...).
DESCRIPTION
YASSP Last change: Nov 11 2000 1
YASSP           is the name of the project, and the name of the
                tarball containing an install script. When run,
                it offers to install a set of recommended
                packages (SECclean, GNU diff, RCS and zip,
                TCP_wrappers, tripwire, a set of daily scripts
                for backup and log rotation, and SSH) and then
                proceeds with the installation.
SECclean        is the core package, implementing the changes
                made to secure your Solaris workstation. See
                http://www.yassp.org/internal.html for a
                detailed explanation of the changes made.
cleanup_passwd  is a script installed and used by SECclean to
                clean up your /etc/passwd file by locking used
                system accounts and accounts using UID 0. See
                the CONFIGURATION FILES AND VARIABLES section
                for more options.
daily           is a daily crontab script installed by
                PARCdaily (an optional package included in
                YASSP). It replaces SUN's default newsyslog.
                It rotates various log files and backs up
                various system files, using RCS. See
                PARCdaily(1) for more info.
INSTALLATION OPTIONS
The default installation directory for YASSP's packages is
determined at installation time, based on the following:
o If /opt/local exists and we can 'cd' to it, then it will
be used.
o If not, then if /usr/local exists and we can 'cd' to it,
it will be used and a symbolic link will be created from
/opt/local to /usr/local.
o Otherwise, the directory /opt/local will be created and
used.
When installing YASSP, and before running its install.sh
script, you may want to set the following variables:
${PKGLIST}      is the list of the packages to be installed.
                By default, install.sh will set it to
                "SECclean GNUrcs GNUgzip PARCdaily WVtcpd
                PRFtripw", ask for your confirmation,
                specifically ask if you want to install the SSH
                package (named SSHsdi) as it is under license,
                and proceed with the installation. Defining
                this variable before the installation makes
                install.sh non-interactive, as it will use the
                list provided. For example, setting PKGLIST to
                "SECclean GNUrcs GNUgzip PARCdaily WVtcpd
                PRFtripw SSHsdi" will install all the packages,
                including SSH, without asking you for any
                confirmation.
${SECBCK}       This variable is used by the SECclean
                installation to specify the backup directory
                where all files touched by SECclean are copied.
                By default SECclean will use /yassp.bk as its
                backup directory.
${CLEANUPDIR}   This variable is used by the SECclean
                installation for the directory where the OS
                clean-up tools will be copied and executed.
                These include fix-modes (maintained by Casper
                Dik <casper@holland.Sun.COM>, ftp.wins.uva.nl
                /pub/solaris/fix-modes.tar.gz, which will make
                system file permissions more sane (secure)) and
                a shell script per supported OS version to
                clean up the package database from the
                incoherences left over after Solaris
                installation.
                The default choice for this directory is
                /var/sadm/clean-up.
Note that creating the file /var/tmp/seccleandebug will turn
on a very verbose installation of SECclean, as it will do a
'set -x' at the beginning of its [pre|post]install scripts.
CONFIGURATION FILES AND VARIABLES
YASSP uses /etc/yassp.conf as its configuration file. It is
created during the SECclean installation, and is used
afterwards at various steps of the system's life (boot time,
user login) or by the various scripts installed by SECclean
or PARCdaily. yassp.conf is a shell (sh) script, which is
either sourced by a script or grep-ed to look for a specific
value.
/etc/yassp.conf has two parts:
The first is dynamically generated during the SECclean
installation phase. It is a succession of shell variables
controlling the startup files, set to 'NO' by default. The
name of each of these variables corresponds to a startup
file (located under /etc/init.d/) that SECclean has modified
in order to control it. See the section FILES TOUCHED BY
SECCLEAN for more details about it.
The second part of /etc/yassp.conf explains all the
variables used after SECclean installation, and shows their
defaults and an example of use. See yassp.conf(4) for more
details.
FILES TOUCHED BY SECclean
All these files are backed up under /yassp.bk at the
installation of SECclean. This backup directory is not the
package save directory, used when removing the package to
restore the original files. It is provided as a convenience
for the system administrator to see what changes SECclean
has made to your system.
Deleted files: SECclean installation will back up and
delete the following files:
/etc/auto_home
/etc/auto_master
/etc/dfs/dfstab
/var/spool/cron/crontabs/adm
/var/spool/cron/crontabs/lp
/var/spool/cron/crontabs/uucp
Replaced files: SECclean installation will back up and
replace (or create) the following files:
/etc/profile
/etc/default/login
/etc/default/su
/etc/default/inetinit
/var/spool/cron/crontabs/root
/etc/motd
/etc/default/passwd
/etc/default/sys-suspend
/etc/skel/local.cshrc
/etc/skel/local.profile
/usr/dt/config/Xaccess
/etc/dt/config/Xaccess
/etc/ftpusers
/etc/syslog.conf
/etc/.login
/etc/cron.d/at.allow
/etc/cron.d/cron.allow
/etc/default/ftpd
/etc/default/telnetd
/etc/hosts.equiv
/.rhosts
/etc/notrouter
/etc/issue
/etc/ftp-banner
Edited files: Using the sed class, SECclean installation
modifies the following files:
/etc/inet/inetd.conf
/etc/inet/services
/etc/system
/etc/rmmount.conf
/etc/inittab
/etc/pam.conf
Created files: SECclean installation will install the
following files:
/etc/init.d/umask.sh
/etc/init.d/nettune
/usr/bin/openwin
/usr/sbin/noshell
/opt/local/sbin/clean_passwd
/opt/local/sbin/passwd.nawk
/etc/yassp.conf
/opt/local/sbin/cleanlib.sh
Init files: SECclean, during the installation phase,
modifies each startup script (see list below) so that it
exits if a shell variable is not set to 'YES'. The name of
the variable is based on the startup script file name,
stripped of any non-alphabetic character and capitalized.
This modification is done only if the startup script existed
when SECclean was installed.
The list of startup files SECclean modifies is:
rpc inetsvc inetinit networks xntpd
nfs.client autofs nscd nfs.server volmgt
sendmail dtlogin cacheos cachefs.root asppp
uucp cachefs.daemon spc autoinstall lp
PRESERVE cacheos.finish sysid.sys sysid.net
snmpdx dmi power init.dmi init.snmpdx utmpd
devfsadm devlinks apache dhcp dhcpagent
ldap.client llc2 ncakmod ncalogd slpd
webstart init.wbem
The internal.html page on the yassp main site explains the
function of these files.
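The naming rule described under "Init files", as an added example that is not part of YASSP: a POSIX sh audit that derives each variable name from the startup script name and reports which scripts a yassp.conf has switched back on. The function names, the plain VAR=value line syntax and the sample configuration are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of YASSP): report which SECclean-controlled
# startup scripts a yassp.conf has switched back on.

# Variable name for a startup script, per the rule in this man page:
# strip every non-alphabetic character, then capitalize.
yassp_var() {
    printf '%s' "$1" | tr -cd '[:alpha:]' | tr '[:lower:]' '[:upper:]'
}

# Value assigned to variable $2 in file $1, read with sed instead of
# sourcing the file. Assumes plain VAR=value lines, optionally quoted;
# the last assignment wins, as it would if the file were sourced.
yassp_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" |
        tail -n 1
}

# Print each startup script (arguments after $1) whose variable is YES.
yassp_enabled() {
    conf=$1; shift
    for script in "$@"; do
        var=$(yassp_var "$script")
        if [ "$(yassp_value "$conf" "$var")" = "YES" ]; then
            printf '%s\n' "$script"
        fi
    done
}

# Constructed sample configuration, for illustration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# first part of yassp.conf: one variable per startup script
RPC=NO
INETSVC="YES"     # re-enabled for inetd
NFSSERVER=NO
#SENDMAIL=YES
LLC=NO
NFSSERVER=YES
EOF

yassp_enabled "$sample" rpc inetsvc nfs.server sendmail llc2
rm -f "$sample"
```

On a hardened host, comparing this output against the intended service list shows which closed-by-default services have been reopened since installation.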
AFTER YASSP INSTALLATION
The state of your OS after installing the SECclean package
is mostly closed. A minimum of processes are running and a
minimum of network ports are open. Please read
http://www.yassp.org/after.html to understand what you have
to do after YASSP's installation.
If needed, YASSP and SECclean can be de-installed as
explained in the next section.
DE-INSTALLATION
To de-install YASSP, type as root, in this order:
    pkgrm OPENssh PRFtripw WVtcpd PARCdaily GNUgzip GNUrcs
The list of packages "OPENssh PRFtripw WVtcpd PARCdaily
GNUgzip GNUrcs" depends on the choices you made at the
installation phase. In this example, all packages were
installed.
Then, de-install SECclean:
    pkgrm SECclean
The /var/sadm/clean-up directory (or ${CLEANUPDIR} if you
defined it at installation) is left behind. It contains the
Fix-modes directory, and the old package contents file
/var/sadm/clean-up/contents.`uname -n`.
Fix-modes can be undone; see
/var/sadm/clean-up/Fix-modes/README.fix-modes for more info
about un-applying it.
NOTE:
o When de-installed, SECclean will restore files as
they were at installation time.
o If a file replaced by SECclean was modified by the
sys-admin since SECclean was installed, it will be
backed up under /var/tmp/SECclean.Backup_${pid} before
the original copy is restored.
BUGS
Please send bug reports, suggestions, feedback or just
comments to <chouanard@parc.xerox.com>. Be sure, when
reporting a bug, to indicate your OS (output of 'uname -a')
and the version of YASSP you are using (output of
'pkginfo -l SECclean').
FILES
/etc/yassp.conf
SEE ALSO
yassp.conf(4), clean_passwd(1), parcdaily(1) (if PARCdaily
was installed).
AUTHORS
Jean Chouanard <chouanard@parc.xerox.com>, the YASSP team
and the SANS Institute (http://www.sans.org)
Information about new releases, mailing lists, and other
related issues can be found from the YASSP WWW home page at
http://www.yassp.org/
Jean Chouanard, Xerox PARC