Introduction
Files and directories created
New startup files
Startup files replaced, very OS dependent
Files modified
Files replaced after being saved (if they already exist)
Init files handled by yassp.conf
Exceptions
Binaries installed by SECclean
SECclean configures your system to use secure default settings.
You can find the list of files it installs in the prototype file, part of the package source directory. Files belonging to the sed class in the prototype file are sed scripts used to modify an existing file when the package is installed or removed.
The postinstall script replaces and modifies init files. Files that SECclean replaces are first installed as /path/of/the/original/SECCLEAN_(unknown). The postinstall script goes through the list of files to replace, making a backup of the original, moving the new one over and updating the package database. All the SECclean scripts dealing with packages (postinstall, postremove, preremove) make intensive use of the cleanlib.sh shell library.
Exceptions are /etc/init.d/inetsvc, /etc/init.d/inetinit and, for Solaris 8, the file /etc/init.d/network. These files are very OS dependent. The postinstall script backs them up and replaces them with a file corresponding to the right OS version. The replacement file is based on the original file shipped with the Solaris release, but edited manually.
/etc/system is also treated as an exception under Solaris 8: the priority_paging directive no longer exists under Solaris 8.
For all the other init files which need to be controlled by /etc/yassp.conf, the postinstall script generates a sed script and applies it to them after backing them up.
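
The backup-then-sed mechanism described above, as an added example that is not SECclean's own postinstall or cleanlib.sh code: it saves the original as SECCLEAN_<name> beside it (the full naming scheme is an assumption based on the prefix shown above), generates a sed script that inserts a guard after the #! line, and applies it. The guard sources /etc/yassp.conf and exits unless the named variable is YES; the variable name is supplied by the caller (RUNSENDMAIL in the usage comment is hypothetical), and the function names and the marker comment are mine.

```shell
#!/bin/sh
# Added example, not SECclean's postinstall or cleanlib.sh code. Shows the
# mechanism the text describes for yassp.conf-controlled init files: save the
# original, generate a sed script, sed the file. The SECCLEAN_<name> backup
# name, the guard text and the function names are assumptions.
# Usage: yassp_guard_init /etc/init.d/sendmail RUNSENDMAIL   (RUNSENDMAIL is
# a hypothetical variable name; /etc/yassp.conf is the default config file)

# Save FILE as SECCLEAN_<basename> next to it, keeping mode and owner.
yassp_backup() {
    dir=$(dirname "$1"); base=$(basename "$1")
    cp -p "$1" "$dir/SECCLEAN_$base"
}

# yassp_guard_init FILE VAR [CONF]
# Insert, after the #! line of FILE, a guard that sources CONF (default
# /etc/yassp.conf) and exits unless ${VAR} is YES. The new file is built from
# the backup; a marker comment keeps a second run from adding a second guard.
# If CONF is missing, VAR stays empty and the daemon is not started.
yassp_guard_init() {
    file=$1; var=$2; conf=${3:-/etc/yassp.conf}
    if grep "yassp guard" "$file" > /dev/null 2>&1; then
        return 0   # already guarded
    fi
    yassp_backup "$file"
    sedscript="${TMPDIR:-/tmp}/yassp_sed.$$"
    # A sed 'a' (append) command: every continued text line ends in "\".
    printf '1a\\\n# yassp guard: controlled by %s in %s\\\n[ -f %s ] && . %s\\\n[ "${%s}" = "YES" ] || exit 0\n' \
        "$var" "$conf" "$conf" "$conf" "$var" > "$sedscript"
    dir=$(dirname "$file"); base=$(basename "$file")
    sed -f "$sedscript" "$dir/SECCLEAN_$base" > "$file"
    rm -f "$sedscript"
}
```

The guard exits 0 rather than failing, so the run level continues normally when a daemon is disabled. The example assumes a POSIX sh; the Bourne /sbin/sh of the Solaris releases discussed here has no $(...) and would need backticks.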

Files and directories created

| File Name | Explanation |
|---|---|
| /var/SECclean_tmp | Used as a temporary directory by various SECclean scripts. Access to it is restricted to root only. |
| /etc/shells | Initializes the list of valid shells (see getusershell(3C)) if it doesn't exist. |
| /usr/bin/openwin | Shell wrapper that avoids starting openwin when rpcbind is not running, which would hang the console. |
| /etc/cron.d/at.allow | Initializes the list of users allowed to use 'at' (only root). |
| /etc/cron.d/cron.allow | Initializes the list of users allowed to use 'cron' (only root). |
| /etc/default/ftpd | Sets the default UMASK to 077 and uses an empty banner to hide the default one, which shows the OS version. |
| /etc/default/telnetd | Uses an empty banner to hide the default one, which shows the OS version. |
| /etc/hosts.equiv | Empty. Ensures that the permissions are set correctly and that the file is empty. |
| /.rhosts | Empty. Ensures that the permissions are set correctly and that the file is empty. |
| /var/adm/loginlog | Empty. If /var/adm/loginlog exists, Solaris logs failed login attempts in it. |
| /etc/notrouter | Empty. We don't want to act as a router by default, even if we have several interfaces. |
| /etc/issue | Default issue file (pre-login banner). Please modify to fit your site policy. |
| /etc/ftp-banner | Default ftp-banner file. Please modify to fit your site policy. |
| /opt/local/sbin/cleanlib.sh | Shell library used by SECclean scripts to ease package operations. |
| /etc/yassp.conf | Default yassp configuration file. |

New startup files

| File Name | Explanation |
|---|---|
| /etc/init.d/umask.sh | SECclean creates symbolic links pointing to it under /etc/rc[0123S].d/S00umask.sh. This script is sourced at boot time, at the startup of each run level, and resets the current UMASK to ${SEC_UMASK} if defined in /etc/yassp.conf, or to 077 by default. |
| /etc/init.d/nettune | SECclean creates a symbolic link pointing to it under /etc/rcS.d/S31nettune. Tunes the default IP parameters for Solaris (see the very good page on TCP tuning under Solaris by Jens-S. Vöckler). |

Startup files replaced, very OS dependent

| File Name | Explanation |
|---|---|
| /etc/init.d/inetinit (2.6 version, 2.7 version) | First sources /etc/yassp.conf. If ${SUNSTARTUP} is set to "YES", no change from the original version. Otherwise, it is reduced to its simplest form: set TCP ISS generation, set the default route if /etc/defaultrouter exists and set the domainname. |
| /etc/init.d/inetsvc (2.6 version, 2.7 version) | First sources /etc/yassp.conf. If ${SUNSTARTUP} is set to "YES", no change from the original version. Otherwise, it is reduced to its simplest form: re-set the netmask and broadcast address for all IP interfaces and, if this machine is configured to be an Internet Domain Name System (DNS) server, run the name daemon. The multicast setup is done *ONLY* if ${MULTICAST} is set to YES in /etc/yassp.conf. inetd is started *ONLY* if ${RUNINETD} is set to YES in /etc/yassp.conf; if inetd is started, the flag '-t' is added to force logging. |

Files modified

| File Name | Action | Explanation |
|---|---|---|
| /etc/inet/services | modified by a sed script | Modifies the original file to add some useful and common services not registered by default (ssh, http, https, SecurID, securidprop, sdlog, sdserv, sdreport, sdxauthd, sdadmind, tacacs, tacacs, radius, radacct). |
| /etc/system | modified by a sed script | Various kernel variable settings, including an attempt to prevent and log stack-smashing attacks (on the sparc architecture), which may break some of your applications or compilers. Some Lisp and Objective-C compilers, and Java with a JIT, use trampolining as part of their compiler/interpreter mechanism; this relies on executing code sitting on the stack. gcc's trampolines might fail, and it also breaks gcc's support for nested functions passed as parameters, since it is implemented with stack trampolines. In current gcc releases this has been fixed: the trampoline code now calls mprotect() after putting a trampoline on the stack. Also, gdb depends on an executable stack for some of the things it does. |
| /etc/rmmount.conf | modified by a sed script | Disallows mounting suid. |
| /etc/inetd.conf | modified by a sed script | Easy: just comment out everything! :-) |
| /etc/pam.conf | modified by a sed script | Disallows the use of rhosts authentication. |
| /etc/passwd | modified by a shell script, /opt/local/sbin/clean_passwd, calling an awk script, /opt/local/sbin/passwd.nawk | Disables some system default logins, based on the value of ${USERDENIED}. If ${USERDENIED} is not defined in /etc/yassp.conf, it uses 'daemon\|bin\|sys\|adm\|lp\|smtp\|uucp\|nuucp\|listen\|nobody\|noaccess\|nobody4' as the default list. The script is run by the postinstall and may be rerun at any time afterwards. |
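
As an added example of the ${USERDENIED} handling (this is not the package's clean_passwd or passwd.nawk, and the page does not say how those lock an account), the following sh/awk filter disables the listed accounts by giving them /usr/sbin/noshell, the logging shell listed under the binaries installed by SECclean, as login shell. The default list is the one quoted in the table; root is never touched, lines that are not seven-field passwd(4) entries pass through unchanged, and the in-place variant keeps a SECCLEAN_ backup (an assumed naming, modelled on the description of the postinstall script). The function names are mine.

```shell
#!/bin/sh
# Added example, not SECclean's clean_passwd/passwd.nawk: lock the system
# accounts named by a USERDENIED-style alternation list by setting their
# login shell to /usr/sbin/noshell. That the real scripts lock accounts this
# way is an assumption; the page only says the logins are disabled.
# Usage: clean_passwd /etc/passwd            (default list below)
#        clean_passwd /etc/passwd 'uucp|nuucp' (explicit list)

DEFAULT_USERDENIED='daemon|bin|sys|adm|lp|smtp|uucp|nuucp|listen|nobody|noaccess|nobody4'
NOSHELL=/usr/sbin/noshell

# Filter: passwd(4) lines on stdin, cleaned lines on stdout.
# $1 is the alternation list (defaults to DEFAULT_USERDENIED).
clean_passwd_filter() {
    deny=${1:-$DEFAULT_USERDENIED}
    awk -F: -v deny="$deny" -v shell="$NOSHELL" '
        BEGIN { OFS = ":"; pat = "^(" deny ")$" }
        # Not a 7-field entry (blank or damaged line) or root: leave alone.
        NF < 7 || $1 == "root" { print; next }
        # Anchored match, so "nobody" does not catch "nobody4" by accident.
        $1 ~ pat { $7 = shell }
        { print }'
}

# clean_passwd FILE [LIST]: rewrite FILE in place after saving a
# SECCLEAN_<basename> backup beside it (assumed backup naming).
clean_passwd() {
    file=$1; deny=$2
    dir=$(dirname "$file"); base=$(basename "$file")
    cp -p "$file" "$dir/SECCLEAN_$base"
    clean_passwd_filter "$deny" < "$dir/SECCLEAN_$base" > "$file"
}
```

The filter is idempotent, which matters because the table says the script may be rerun at any time: an account already on /usr/sbin/noshell is simply rewritten with the same shell.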

Files replaced after being saved (if they already exist)

| File Name | Explanation |
|---|---|
| /etc/ftpusers | Initializes the list of users not allowed to log in through ftp. (Solaris 8 already has a list; it is extended.) |
| /etc/profile | Sets up MANPATH and PATH to include /opt/local. |
| /etc/default/su | Sets up MANPATH and PATH to include /opt/local. |
| /etc/default/sys-suspend | Allows no one except the superuser to run sys-suspend. |
| /etc/default/login | Changes the defaults for PATH and SUPATH and sets the UMASK. |
| /etc/default/passwd | Requires passwords of 8 characters. |
| /etc/default/inetinit | Configures RFC 1948 TCP sequence number generation. |
| /usr/dt/config/Xaccess | Restricts XDMCP connections to localhost only. |
| /etc/dt/config/Xaccess | Restricts XDMCP connections to localhost only. |
| /etc/skel/local.profile | Minimum. |
| /etc/skel/local.cshrc | Minimum. |
| /etc/motd | Default motd file. Please modify to fit your site policy. |
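
A check for the settings behind this table, added here and not part of SECclean: yassp_setting returns the effective value of a KEY=VALUE line (comment lines are skipped, a leading "set " as used in /etc/system is accepted, and the last uncommented line wins), yassp_check compares it with an expected value, and yassp_audit runs the checks under an optional alternate root so that a JumpStart image or a test tree can be examined without touching the live files. The keys PASSLENGTH, TCP_STRONG_ISS and UMASK are the standard Solaris names in /etc/default/passwd, /etc/default/inetinit and /etc/default/login; the expected values 8 and 2 follow from the table (RFC 1948 generation is TCP_STRONG_ISS=2) and 077 from the default of ${SEC_UMASK}; noexec_user_stack and noexec_user_stack_log are the standard /etc/system tunables behind the stack-smashing entry of the previous table. The function names are mine.

```shell
#!/bin/sh
# Added example (not SECclean code): read and verify KEY=VALUE settings in
# Solaris /etc/default/* files and "set KEY=VALUE" lines in /etc/system.
# Function names are mine; the keys are the standard Solaris ones and the
# expected values come from the descriptions in the tables above.

# yassp_setting FILE KEY: print the effective value of KEY in FILE.
# Lines starting with # (/etc/default) or * (/etc/system) are comments, an
# optional "set " prefix is stripped, and the last matching line wins.
yassp_setting() {
    awk -v key="$2" '
        /^[[:space:]]*[#*]/ { next }
        {
            sub(/^[[:space:]]+/, "")
            sub(/^set[[:space:]]+/, "")
            if (index($0, key "=") == 1) {
                val = substr($0, length(key) + 2)
                sub(/[[:space:]]+$/, "", val)
            }
        }
        END { if (val != "") print val }' "$1"
}

# yassp_check FILE KEY EXPECTED: exit 0 when the effective value equals
# EXPECTED; a missing or unreadable file counts as a failed check.
yassp_check() {
    [ -r "$1" ] || return 1
    [ "$(yassp_setting "$1" "$2")" = "$3" ]
}

# yassp_audit [ROOT]: run the checks for the files in the tables above,
# relative to ROOT (default: the live system). Prints one line per check
# and returns the number of failed checks.
yassp_audit() {
    root=${1:-}
    fails=0
    for spec in \
        /etc/default/login:UMASK:077 \
        /etc/default/passwd:PASSLENGTH:8 \
        /etc/default/inetinit:TCP_STRONG_ISS:2 \
        /etc/system:noexec_user_stack:1 \
        /etc/system:noexec_user_stack_log:1
    do
        file=$root${spec%%:*}; rest=${spec#*:}
        key=${rest%%:*}; want=${rest#*:}
        if yassp_check "$file" "$key" "$want"; then
            echo "ok   $file $key=$want"
        else
            have=$(yassp_setting "$file" "$key" 2>/dev/null)
            echo "FAIL $file $key (want $want, have '$have')"
            fails=$((fails + 1))
        fi
    done
    return $fails
}
```

Because the last line wins, a setting that was appended after an unchanged default (as a sed script that adds rather than edits would do) is still reported correctly, while a commented-out "#UMASK=022" is ignored.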

Init files handled by yassp.conf

| File Name | Explanation |
|---|---|
| /etc/init.d/cacheos | Cache File System, see: cachefslog(1M) cachefspack(1M) cachefsstat(1M) cachefswssize(1M) cfsadmin(1M) fsck_cachefs(1M) mount_cachefs(1M) packingrules(4) |
| /etc/init.d/cachefs.root | Cache File System, see: cachefslog(1M) cachefspack(1M) cachefsstat(1M) cachefswssize(1M) cfsadmin(1M) fsck_cachefs(1M) mount_cachefs(1M) packingrules(4) |
| /etc/init.d/asppp | Asynchronous PPP, see: aspppd(1M) |
| /etc/init.d/uucp | UUCP, see: uucp(1C) |
| /etc/init.d/cachefs.daemon | Cache File System, see: cachefslog(1M) cachefspack(1M) cachefsstat(1M) cachefswssize(1M) cfsadmin(1M) fsck_cachefs(1M) mount_cachefs(1M) packingrules(4) |
| /etc/init.d/xntpd | Network Time Protocol daemon, see xntpd(1M) |
| /etc/init.d/spc | print? Not sure, still looking for some doc. |
| /etc/init.d/rpc | Remote procedure call; starts rpcbind and keyserv. See the following page for more info. |
| /etc/init.d/autoinstall | Script executed during stub JumpStart or /AUTOINSTALL JumpStart. |
| /etc/init.d/nfs.client | NFS and cachefs client. Starts the daemons needed and mounts the remote partitions. |
| /etc/init.d/autofs | automount daemons, see: automount(1M) automountd(1M) |
| /etc/init.d/nscd | name service cache daemon, see: nscd(1M) |
| /etc/init.d/lp | LP print service, see lpsched(1M) |
| /etc/init.d/nfs.server | NFS server and boot server; starts nfsd, mountd, in.rarpd and rpc.bootparamd. |
| /etc/init.d/volmgt | volume management, see vold(1M) |
| /etc/init.d/PRESERVE | Moves files being edited into /usr/preserve. |
| /etc/init.d/sendmail | send mail over the internet, see sendmail(1M) |
| /etc/init.d/cacheos.finish | Cache File System, see: cachefslog(1M) cachefspack(1M) cachefsstat(1M) cachefswssize(1M) cfsadmin(1M) fsck_cachefs(1M) mount_cachefs(1M) packingrules(4) |
| /etc/init.d/sysid.sys | Script to invoke sysidsys, sysidroot and sysidpm, which complete configuration of various system attributes. |
| /etc/init.d/sysid.net | Script to invoke sysidnet, which completes configuration of basic network parameters. |
| /etc/init.d/snmpdx or init.snmpdx | Solstice Enterprise Master Agent, see snmpdx(1M) |
| /etc/init.d/dmi or init.dmi | Sun Solstice Enterprise DMI Service Provider, see: dmispd(1M) and snmpXdmid(1M) |
| /etc/init.d/dtlogin | This script automatically starts the dtlogin window after the Solaris(TM) system boots to its multi-user level. |
| /etc/init.d/power | Power Management system, see: pmconfig(1M) |
| /etc/init.d/devfsadm | Configures the /dev directory (compatibility devices), see: ucblinks(1B) and also devfsadmd(1M) |
| /etc/init.d/utmpd | utmp and utmpx monitoring daemon, see: utmpd(1M) |
| /etc/init.d/devlinks | Configures the /dev directory, see: devlinks(1M) disks(1M) ports(1M) tapes(1M) and ucblinks(1M) |
| /etc/init.d/apache | Apache hypertext transfer protocol server, see apache(1M) |
| /etc/init.d/dhcp | Dynamic Host Configuration Protocol server, see in.dhcpd(1M) |
| /etc/init.d/dhcpagent | Dynamic Host Configuration Protocol (DHCP) client daemon, see dhcpagent(1M) |
| /etc/init.d/ldap.client | Starts the LDAP daemon that caches client information for NIS lookups, see ldap_cachemgr(1M) |
| /etc/init.d/llc2 | Class II logical link control driver, see llc2(7D) |
| /etc/init.d/ncakmod | Network Cache and Accelerator ("NCA") kernel module, see ncakmod(1) |
| /etc/init.d/slpd | Service Location Protocol daemon, see: slpd(1M) |
| /etc/init.d/webstart | Multiple CD Install Reboot Script |
| /etc/init.d/init.wbem | Common Information Model (CIM) Boot Manager, see init.wbem(1M) |

Exceptions

| File Name | Explanation |
|---|---|
| /etc/init.d/rpc | Special case in the postinstall. |
| /etc/init.d/syslog | On Solaris 8 only, special case in the postinstall to start syslogd with the -t option so that it does not listen on the network. |

Binaries installed by SECclean

| File Name | Explanation |
|---|---|
| /opt/local/bin/md5 | md5 message digest tool from OpenSSL. |
| /usr/sbin/noshell | noshell program from The Titan Project, which logs access to locked accounts through syslog. |