YASSP
Beta15
First, as the web was updated and Beta#14 was pushed out as the default on it,
Special thanks to (In no special order :-):
Jack Smith <smith35@llnl.gov>
Reg Quinton <reggers@ist.uwaterloo.ca>
Doug.Hughes@Eng.Auburn.EDU (Doug Hughes)
"Sean Boran" <sean@boran.com>
For helping me debug my English on the web site!
(I'm sure I forgot some people... Let me know and I'll update the ref)
PARCdaily:
now that it can output the diff when comparing files, I have
added, in a variable, a list of files for which we shouldn't send
the diff. /etc/shadow is always added to this variable
(we don't want to mail the passwd field!!!)
Thanks Nic Pang
Added tocsin to the yassp tarball, but it is not yet part of the yassp install,
as its install cannot be non-interactive.
Added the html page in the yassp directory.
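The PARCdaily no-diff list described under Beta15 above, sketched as an added example (not YASSP's own code). The variable name NODIFF_FILES and both function names are hypothetical.

```shell
# Added example, not PARCdaily code. NODIFF_FILES is a hypothetical name
# for the variable holding the files whose diff must never be mailed.
NODIFF_FILES="${NODIFF_FILES:-}"

# Return 0 when the diff for file $1 must be withheld from the report.
diff_suppressed() {
    # /etc/shadow is always appended, whatever the admin configured.
    for f in $NODIFF_FILES /etc/shadow; do
        [ "$f" = "$1" ] && return 0
    done
    return 1
}

# report_change NAME OLD_COPY NEW_COPY
# Print the report section for one monitored file; print nothing if unchanged.
report_change() {
    name=$1
    old=$2
    new=$3
    if cmp -s "$old" "$new"; then
        return 0
    fi
    echo "CHANGED: $name"
    if diff_suppressed "$name"; then
        # Only the fact of the change is reported, never the content.
        echo "  (diff withheld: file is on the no-diff list)"
    else
        # diff exits 1 when the files differ, so ignore its status.
        diff "$old" "$new" | sed 's/^/  /' || true
    fi
}
```

The report still tells the administrator that /etc/shadow changed, so the integrity signal is kept while the password fields stay out of mail.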
Beta14
PARCdaily:
Sometimes, on Solaris 8 at least, starting syslogd will fail because the
port is still in use. In this case, we sleep 5 and retry once.
All: preinstall
From "Sean Boran" <sean@boran.com> suggestion:
if we create /opt/local, then we also create a sym-link
/usr/local -> /opt/local
SECclean:
From "Sean Boran" <sean@boran.com> comment:
Grammar correction in the postinstall.
the md5 binary moved from sbin to bin
move the current syslog.conf to syslog.conf.server
and add a new syslog.conf
OPENssh:
From "Sean Boran" <sean@boran.com> comment:
Added a dependency on SUNWzlib.
Do not touch syslog.conf anymore.
Beta13
PRFtripw:
added the siggen binary
thanks to : rbf@lyra.rlg.org (Rich)
SECclean:
Added socks (1080/tcp) to the list of services
thanks Sean
In the preinstall, we now test for the existence of any file
handled by a 'sed' class script: if one doesn't exist, the SECclean
install will partially fail.
Thanks to :
"Lawson, Israel H." <Israel.Lawson@GMACInsurance.com>
the RPC startup script is no longer handled by a sed class, but by
the postinstall/preremove/postremove, for the same reason.
It required a lot of testing as the cleanlib was touched.
PARCdaily: removed the dependency on GNU packages as they may exist under
other names.
Thanks to Rich Fuchs rbf@lyra.rlg.org (Research Libraries Group)
SECclean: /etc/shells: Updated to reflect Solaris 8 getusershell(3)
Thanks to Rich Fuchs rbf@lyra.rlg.org (Research Libraries Group)
Typo in the prototype file of PRFtripw
/secure/databases (missing ending 's')
Thanks Nic Pang <nic@groupfire.com>
Typo in sshd_config.Dist
should refer to /etc/hosts.deny not /etc/hosts.denied
Thanks Nic Pang <nic@groupfire.com>
Typo in the install script:
If existing (should be 'exists'), the crontab for the users:
Thanks Nic Pang <nic@groupfire.com>
Incorrect VENDOR string in both OpenSSH packages
From Sean's feedback:
a) man page/Readme
- URL wrong, twice
- "/none etc/cron.d/cron.allow" -> /etc/cron.d/cron.allow
c) 'Whatsnew' file: Beta11 on first line, instead of Beta12?
g) URL wrong in end of install messages printed out.
h) daemon shells have changed to /dev/null rather than 'nosuchshell', why?
The postinstall script of SECclean was corrected so that architecture
dependent binaries install correctly
Many thanks as usual Sean! :-)
Beta12
Support both i386 and sparc architectures
The components we wrote in SECclean and PARCdaily are now under a BSD-like license.
OPENssh 2.3.0p1 is now part of the package
Compiled with OpenSSL (not optimized at all for sparc, to be compatible
with most of the sparc architectures). Full support of SecurID will be added
using the Generic Message Exchange Authentication For SSH, as described in
draft-ietf-secsh-auth-kbdinteract-00.txt. It won't need client side modification.
SECclean:
- add an md5 binary
- On Solaris 8, syslogd is started by default without listening to the network
PARCdaily: (Thanks to Josh Hoblitt <Josh.Hoblitt@bbox.net> for his suggestions)
- don't kill syslogd if we didn't rotate any logs.
- pkgchk -n is optional and turned off by default
- edit yassp.conf to show the variables available
- use rcsdiff instead of diff
- filemode of the log and the oldlogs is configurable
...
PRFtripw:
- adapt the config file for OpenSSH
Typo in yassp.conf(4): bi -> by
Thanks Huba Leidenfrost <huba@uidaho.edu>
Typo in yassp(1): contants -> contents
Beta11
Back-out the BSD style license: YASSP *will* be under BSD license, I am just
waiting for the paperwork to be signed.
Add a note in /etc/sshd_config and /etc/hosts.allow to cite sshdfwd-X11
and refer to sshd(8)
On Solaris 8, no priority_paging should be used in /etc/system
Corrected in nettune a typo on ip6_ignore_redirects (Missing 's')
Change the prototype to use sym-link and not hardlink on the startup
files we install (nettune and umask.sh)
Beta10
Add manual page for clean_passwd(1), yassp.conf(4)
change the order of some msg in the postinstall, so that the warning is last
corrected a problem reported by Paolo Pugliese <pugliese@si.deis.unical.it>
Installation of files registered in the *replaced files* class was
losing the package file-type. syslog.conf for example was registered
as 'f' (file) not 'e' (editable)
Update nettune to the latest version just received from Jens, which
includes ipv6 and better comments
Update SSH to V1.2.30, with SDI Patch. No more Open-BSD patch needed.
minor changes to PARCdaily
Beta9
Change the SSH config files to match Sean's one (Much better commented)
Change all the licenses to a BSD style license.
yassp's install.sh script was always installing *all* the packages
(reported by Sweth Chandramouli <sweth@sweth.net>)
Lots of typos (reported by Sweth Chandramouli <sweth@sweth.net>)
root crontab:
deleted comment about rtc (sean.boran@swisscom.com)
postinstall:
typo in a msg (passw.Old -> passwd.Old) (sean.boran@swisscom.com)
it will do a makewhatis (if it exists)
Beta8
2000/06/26 04:22:50;
Still To Be Done:
* Manual pages: clean_passwd(1), yassp.conf(4)
* web internal.html page + update these changes.
* the postinstall checkconfig script
preinstall:
- turn on debugging if /var/tmp/seccleandebug exists
- all the file classes (Replaced, deleted, init files yasppified)
are defined in the pre-install now, and passed to the postinstall
- define $CLEANUPDIR if not set. It's the directory used to copy
the clean-up tools (fix-modes + OS dependents package DB correction)
and execute them. It is now part of SECclean.
- Back up all the files the installation will touch under $SECBCK or
by default /yassp.bk
postinstall:
- copy in $CLEANUPDIR the OS clean-up (fix-modes + OS dependents
package DB correction) and execute them now that it is part of
SECclean
- treat /etc/shells as an exception: create and register it if it
does not exist, but do nothing if it was already present.
- corrected /etc/default/passwd (Reported by Susan Ng <ng@ucs.ubc.ca>)
- the files classes are defined now in the preinstall
prototype:
- reorganize to clarify it
- add the manual pages (yassp(1), and yassp.conf(4))
- add the clean-up tools to be installed under opt/local/bin/clean-up
and copy after
- corrected /etc/default/passwd
- Most of the *created* files were moved as being *replaced* so that
they will be saved if they exist instead of being overwritten
cleanlib.sh:
- noshel => noshell in a comment
(Reported by Richard Cove <Richard.Cove@alphawest.com.au>)
clean-up:
Integrate it to SECclean and change it to:
- accept to be downloaded and executed from any directory
- gather all the scripts and tools needed for the various OS / Arch
In the generation of the yassp.conf:
- add USERDELETED and ROOTALLOWED in the yassp.conf default file.
- Change typo on ROOTNAME definition example (USERDENIED was used
instead, Reported by Sweth Chandramouli <sweth@sweth.net>)
- Change USERSDENIED to be a list and not a regexp for nawk.
clean_passwd:
- rewritten to use /usr/sbin/passmgmt and /usr/bin/passwd to access the
passwd/shadow files
- Accept two new classes of users:
${DELUSERS} to be removed from the password file.
${ROOTALLOWED} allowed uid 0 user != root
- log its actions now to /var/sadm/system/logs/yassp_cleanup_passwd.log
inetd.conf.sed:
try to make /etc/inetd.conf more readable after SECclean install
/etc/motd:
to be less verbose
(Suggested by David Brumley <dbrumley@rtfm.stanford.edu>)
/etc/default/login:
removed /opt/local/etc from the PATH
/etc/default/su:
removed /opt/local/etc from the PATH
/etc/profile
removed /opt/local/etc from the PATH
/etc/skel/local.profile
corrected the path (Susan Ng <ng@ucs.ubc.ca>) to include /opt/local/bin
Beta6
i386 is no longer (or not yet :-) supported :-(
Here are the (major) changes from Beta#5:
SECclean:
- it supports Solaris 8
- it works when /opt/local is a sym-link pointing wherever you
want
- /etc/yassp.conf and /etc/rc.conf merged in /etc/yassp.conf
- /usr/sbin/noshell (Arch dependent) was added, and is used by
default for locked accounts (noshell is a binary. When called, it
will syslog the attempt and exit.)
- clean_passwd was clearly broken, it works now :-)
- Root account description is changed to 'root at MACHINENAME' by
default (configurable)
- turn off /usr/lib/saf/sac in /etc/inittab (sed)
- Add the /etc/syslog.conf (Sean's one)
- the sys crontab file is no longer purged (it may have system
accounting (sar and friends))
-> but sys is by default not allowed to use cron (only root is in
/etc/cron.d/cron.allow)
YASSP:
- it supports Solaris 8
- it includes tripwire (install under /secure/tripwire)
- it includes tcpd w/ the language extension, and rpcbind with
hosts control (option through /etc/yassp.conf)
- it includes a de-install script
- users can choose which packages to install.
- SSHsdi is back: in the install script, we ask the user if he has
checked the license and if he wants to install it.
Beta#5
The major changes introduced by this beta#5 touch the SECclean
package:
- PARCpkgu has been merged with SECclean
- Startup files: Instead of removing the files or the links to
them, they are edited at the install phase (sed) so that their
start is controlled by /etc/rc.conf.
See rc.conf (no more: merged later into yassp.conf!) and yassp.conf for more details.
- More verbose.
- Start to include some Solaris 8 files.
For the non-SECclean changes:
May 17 2000 Add the FAQ page.
May 15 2000 Start updating the internal page documenting SECclean.
May 10 2000 WVtcpd: correct a prototype entry.
May 08 2000 PARCdaily: Added /etc/rc.conf and /etc/yassp.conf to the monitored files list.
Apr 27 2000 The cleanup scripts (Solaris 2.6 and 2.7) have been updated to use the latest fixmode version available (Version Id: fix-modes,v 2.6 2000/01/13 14:13:35 casper Exp )
Mar 22 2000 PARCdaily: Corrected typos => RCS was not working
$Id: new.html,v 1.17 2000/11/19 01:29:38 jean Exp jean $; Jean Chouanard, Xerox PARC