YASSP

SECclean internals


Introduction
Files and directories created
New startup files
Startup files replaced, very OS dependent
Files modified
Files replaced after being saved (if they already exist)
Init files handled by yassp.conf
Exceptions
Binaries installed by SECclean


Introduction

SECclean configures your system to use secure default settings.

You can find the list of files it will install in the prototype file, part of the package source directory. Files in the sed class of the prototype file are sed scripts used to modify the existing file at installation or removal of the package.

The postinstall script replaces and modifies init files. Files that SECclean replaces are first installed as /path/of/the/original/SECCLEAN_(unknown). The postinstall script goes through the list of files to replace, making a backup of the original, moving the new one over it and updating the package DB. All the SECclean scripts dealing with packages (postinstall, postremove, preremove) make intensive use of the cleanlib.sh shell library.

Exceptions are /etc/init.d/inetsvc, /etc/init.d/inetinit and, for Solaris 8, the file /etc/init.d/network. These files are very OS dependent. The postinstall script will back them up and replace them with a file corresponding to the right OS version. The replacement file is based on the original file shipped with the Solaris release, but edited manually.

/etc/system is also treated as an exception under Solaris 8: the priority_paging directive no longer exists under Solaris 8.

For all the other init files which need to be controlled by /etc/yassp.conf, the postinstall script generates a sed script and applies it to them after backing them up.
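The backup-then-replace and backup-then-sed steps described above, written out as an added example in POSIX sh. This is not YASSP's own cleanlib.sh or postinstall code: the ".SECCLEAN_ORIG" backup suffix and the function names are assumptions made for the illustration, and the demo runs on a constructed inetd.conf in a scratch directory rather than on the live file.

```shell
#!/bin/sh
# Added example, not YASSP's own cleanlib.sh or postinstall: the
# backup-then-replace and backup-then-sed steps as standalone POSIX sh
# functions. The backup suffix ".SECCLEAN_ORIG" is an assumption.

# sec_backup FILE: copy FILE to FILE.SECCLEAN_ORIG (keeping owner and mode)
# unless a backup already exists, so a rerun never clobbers the original.
sec_backup() {
    [ -f "$1" ] || return 1
    if [ ! -f "$1.SECCLEAN_ORIG" ]; then
        cp -p "$1" "$1.SECCLEAN_ORIG" || return 1
    fi
    return 0
}

# sec_replace_file NEW TARGET: back up TARGET and move NEW over it.
# Copying into the existing file keeps TARGET's owner and mode, so a
# staging copy with loose permissions never becomes the live file.
sec_replace_file() {
    [ -f "$1" ] || return 1
    if [ -f "$2" ]; then
        sec_backup "$2" || return 1
        cp "$1" "$2" && rm -f "$1"
    else
        mv "$1" "$2"
    fi
}

# sec_sed_file SEDSCRIPT TARGET: back up TARGET, run the sed script over it
# into a scratch file, then copy the result back over TARGET (same mode).
sec_sed_file() {
    sec_backup "$2" || return 1
    sed -f "$1" "$2" > "$2.SECCLEAN_new" || { rm -f "$2.SECCLEAN_new"; return 1; }
    cp "$2.SECCLEAN_new" "$2" && rm -f "$2.SECCLEAN_new"
}

# count_active FILE: lines inetd would still parse (not comments)
count_active() {
    n=$(grep -c '^[^#]' "$1")
    echo "${n:-0}"
}

# Demo on a constructed inetd.conf in a scratch directory: the one-line sed
# script prefixes every line that is not already a comment with '#', which
# is the "just comment out everything" treatment of /etc/inetd.conf.
demo_dir=$(mktemp -d)
cat > "$demo_dir/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
EOF
printf '%s\n' 's/^[^#]/#&/' > "$demo_dir/inetd.sed"
sec_sed_file "$demo_dir/inetd.sed" "$demo_dir/inetd.conf"
echo "active inetd entries after sed: $(count_active "$demo_dir/inetd.conf")"
```

Because sec_backup refuses to overwrite an existing backup, running the sed step twice (as a package reinstall would) still leaves the pristine original in place, which is what postremove needs to restore it.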


Files and directories created

File Name Explanation
/var/SECclean_tmp Used as a temporary directory by various SECclean scripts. Access to it is restricted to root only.
/etc/shells Initializes the list of valid shells (from getusershell(3c)) if it doesn't exist.
/usr/bin/openwin Shell wrapper to avoid starting openwin without rpcbind running and hanging the console.
/etc/cron.d/at.allow Initializes the list of users who are allowed to use 'at' (only root).
/etc/cron.d/cron.allow Initializes the list of users who are allowed to use 'cron' (only root).
/etc/default/ftpd Sets the default UMASK to 077 and uses an empty banner to hide the default one showing the OS version.
/etc/default/telnetd Uses an empty banner to hide the default one showing the OS version.
/etc/hosts.equiv Empty. Makes sure that the permissions are set correctly and that the file is empty.
/.rhosts Empty. Makes sure that the permissions are set correctly and that the file is empty.
/var/adm/loginlog Empty. If /var/adm/loginlog exists, Solaris will log bad login attempts in it.
/etc/notrouter Empty. We don't want to act as a router by default, even if we have several interfaces.
/etc/issue Default issue file (pre-login banner). Please modify to fit your site policy.
/etc/ftp-banner Default ftp-banner file. Please modify to fit your site policy.
/opt/local/sbin/cleanlib.sh Shell library used by SECclean scripts to ease package operations.
/etc/yassp.conf Default yassp configuration file.

New startup files

File Name Explanation
/etc/init.d/umask.sh SECclean will create symbolic links pointing to it under /etc/rc[0123S].d/S00umask.sh. This script is sourced at boot time, at the start of each run level, and resets the current UMASK to ${SEC_UMASK} if it is defined in /etc/yassp.conf, or to 077 by default.
/etc/init.d/nettune SECclean will create a symbolic link pointing to it under /etc/rcS.d/S31nettune. Tunes the default IP parameters for Solaris (see the very good page on TCP tuning under Solaris by Jens-S. Vöckler).

Startup files replaced, very OS dependent

File Name Explanation
/etc/init.d/inetinit:
2.6 version, 2.7 version
Will first source /etc/yassp.conf. If ${SUNSTARTUP} is set to "YES", there is no change from the original version. Otherwise, it is reduced to its simplest form: set TCP ISS generation, set the default route if /etc/defaultrouter exists and set the domainname.
/etc/init.d/inetsvc:
2.6 version, 2.7 version
- Will first source /etc/yassp.conf. If ${SUNSTARTUP} is set to "YES", there is no change from the original version. Otherwise, it is reduced to its simplest form: re-set the netmask and broadcast address for all IP interfaces and, if this machine is configured to be an Internet Domain Name System (DNS) server, run the name daemon.
- The multicast setup is done *ONLY* if ${MULTICAST} is set to YES in /etc/yassp.conf.
- inetd is started *ONLY* if ${RUNINETD} is set to YES in /etc/yassp.conf. If inetd is started, the '-t' flag is added to force logging of incoming connections.
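The /etc/yassp.conf decision logic shared by umask.sh (new startup files, above) and the reduced inetsvc, as an added example in POSIX sh. It is not YASSP's own umask.sh or inetsvc: SUNSTARTUP, MULTICAST, RUNINETD and SEC_UMASK are the variable names the page uses, the config path is passed as an argument so the logic can be exercised on a constructed file, plan_inetsvc prints the actions rather than running ifconfig or inetd, and the "-s" in the inetd line is the usual Solaris inetd invocation flag, not something the page mentions. The world-writable check on the config file is an addition of this example.

```shell
#!/bin/sh
# Added example, not YASSP's own umask.sh or inetsvc: the yassp.conf
# decision logic with the config path passed as an argument. Variable
# names are the page's; plan_inetsvc only prints what would be done.

# load_conf FILE: source FILE if present. An absent file means "all
# defaults"; a world-writable one is refused, since sourcing it would let
# any local user inject commands into the boot sequence.
load_conf() {
    [ -f "$1" ] || return 0
    if [ -n "$(find "$1" -perm -002 2>/dev/null)" ]; then
        echo "refusing to source world-writable $1" >&2
        return 1
    fi
    . "$1"
}

# is_yes VAR: true only when the named variable is exactly YES
is_yes() {
    eval "val=\${$1}"
    [ "$val" = "YES" ]
}

# plan_inetsvc: one line per action the reduced inetsvc would take
plan_inetsvc() {
    if is_yes SUNSTARTUP; then
        echo "sun-default"      # untouched vendor behaviour
        return 0
    fi
    echo "ifconfig-netmask"     # always: re-set netmask/broadcast
    if is_yes MULTICAST; then
        echo "multicast"
    fi
    if is_yes RUNINETD; then
        echo "inetd -s -t"      # -t forces connection logging
    fi
    return 0
}

# boot_umask: what umask.sh applies: SEC_UMASK if it is a valid octal mask,
# otherwise the 077 default (a garbage value must not weaken the mask)
boot_umask() {
    case "$SEC_UMASK" in
        [0-7][0-7][0-7]|[0-7][0-7]) echo "$SEC_UMASK" ;;
        *) echo 077 ;;
    esac
}

# Demo with a constructed configuration file (mktemp creates it mode 0600).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed yassp.conf
SUNSTARTUP=NO
MULTICAST=NO
RUNINETD=YES
SEC_UMASK=027
EOF
load_conf "$demo_conf"
umask "$(boot_umask)"
plan_inetsvc
```

The point of the strict "exactly YES" test is that a misspelt or commented-out setting falls back to the restrictive default (no multicast, no inetd, umask 077) rather than to the permissive one.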

Files modified

File Name Action Explanation
/etc/inet/services modified by a sed script Modifies the original file to add some useful and common services not registered by default (ssh, http, https, SecurID, securidprop, sdlog, sdserv, sdreport, sdxauthd, sdadmind, tacacs, tacacs, radius, radacct).
/etc/system modified by a sed script Sets various system variables, including attempting to prevent and log stack-smashing attacks (on the sparc architecture), which may break some of your applications/compilers! (Some lisp and Objective C compilers, and Java w/ JIT, use trampolining as part of their compiler/interpreter mechanism; this relies on executing code sitting on the stack. gcc's trampolines might fail; it will also break gcc's support for nested functions passed as parameters, since it is implemented with stack trampolines. In current gcc releases this has been fixed: the trampoline code now calls "mprotect()" after putting a trampoline on the stack. Also, gdb depends on an executable stack for some of the things it does.)
/etc/rmmount.conf modified by a sed script Disallows mounting suid.
/etc/inetd.conf modified by a sed script Easy: just comment out everything! :-)
/etc/pam.conf modified by a sed script Disallows the use of rhosts authentication.
/etc/passwd modified by a shell script, /opt/local/sbin/clean_passwd, calling an awk script, /opt/local/sbin/passwd.nawk Disables some system default logins, based on the value of ${USERDENIED}. If ${USERDENIED} is not defined in /etc/yassp.conf, it uses 'daemon|bin|sys|adm|lp|smtp|uucp|nuucp|listen|nobody|noaccess|nobody4' as the default list. The script is run at postinstall and may be rerun at any time afterwards.
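The ${USERDENIED}-driven disabling of default system logins, as an added example in sh and awk. It is not YASSP's clean_passwd or passwd.nawk: the page does not say how those accounts are disabled, so this version rewrites the login shell of each matching entry to /usr/sbin/noshell (an assumption; the page names noshell as the logger for locked accounts), reads the file given as an argument rather than /etc/passwd, and writes the result to stdout. The uid 0 guard is an addition of this example.

```shell
#!/bin/sh
# Added example, not YASSP's clean_passwd or passwd.nawk. Switching the
# shell to /usr/sbin/noshell is an assumption about how logins are
# disabled; the denied list uses the page's '|'-separated format.

USERDENIED=${USERDENIED:-'daemon|bin|sys|adm|lp|smtp|uucp|nuucp|listen|nobody|noaccess|nobody4'}

# deny_logins PASSWD_FILE [DENIED_LIST]: DENIED_LIST is a '|'-separated list
# of login names, exactly as ${USERDENIED} is written in yassp.conf.
deny_logins() {
    awk -F: -v denied="${2:-$USERDENIED}" -v shell=/usr/sbin/noshell '
        BEGIN { OFS = ":"; re = "^(" denied ")$" }
        # Only well-formed 7-field entries are candidates; uid 0 is never
        # touched, whatever the list says, so a typo cannot lock out root.
        NF == 7 && $3 != 0 && $1 ~ re && $7 != shell { $7 = shell }
        { print }
    ' "$1"
}

# count_noshell PASSWD_FILE: entries whose shell is now noshell
count_noshell() {
    awk -F: '$7 == "/usr/sbin/noshell" { n++ } END { print n + 0 }' "$1"
}

# Demo on a constructed passwd file in a scratch directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
nobody:x:60001:60001:Nobody:/:
jean:x:1001:10:Jean:/export/home/jean:/bin/ksh
EOF
deny_logins "$demo_dir/passwd" > "$demo_dir/passwd.new"
echo "entries switched to noshell: $(count_noshell "$demo_dir/passwd.new")"
```

Anchoring the pattern with ^( )$ matters: without it, a list entry such as "lp" would also match a real user named "philip". Entries already pointing at noshell are left alone, which is what makes the script safe to rerun after installation.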

Files replaced after being saved (if they already exist)

File Name Explanation
/etc/ftpusers Initializes the list of users who are not allowed to log in through ftp.
(Solaris 8 already has a list; it is extended.)
/etc/profile Sets up MANPATH and PATH to include /opt/local.
/etc/default/su Sets up MANPATH and PATH to include /opt/local.
/etc/default/sys-suspend Allows no one except the superuser to run sys-suspend.
/etc/default/login Changes the default for PATH and SUPATH and sets up the UMASK.
/etc/default/passwd Requires passwords of at least 8 characters.
/etc/default/inetinit Configures RFC 1948 TCP sequence number generation.
/usr/dt/config/Xaccess Restricts XDMCP connections to localhost only.
/etc/dt/config/Xaccess Restricts XDMCP connections to localhost only.
/etc/skel/local.profile Minimal.
/etc/skel/local.cshrc Minimal.
/etc/motd Default motd file. Please modify to fit your site policy.

Init files handled by yassp.conf

File Name Explanation
/etc/init.d/cacheos Cache File System, see : cachefslog(1m) cachefspack(1m) cachefsstat(1m) cachefswssize(1m) cfsadmin(1m) fsck_cachefs(1m) mount_cachefs(1m) packingrules(4)
/etc/init.d/cachefs.root Cache File System, see: cachefslog(1m) cachefspack(1m) cachefsstat(1m) cachefswssize(1m) cfsadmin(1m) fsck_cachefs(1m) mount_cachefs(1m) packingrules(4)
/etc/init.d/asppp Asynchronous PPP , see: aspppd(1m)
/etc/init.d/uucp UUCP, see: uucp(1c)
/etc/init.d/cachefs.daemon Cache File System, see : cachefslog(1m) cachefspack(1m) cachefsstat(1m) cachefswssize(1m) cfsadmin(1m) fsck_cachefs(1m) mount_cachefs(1m) packingrules(4)
/etc/init.d/xntpd Network Time Protocol daemon, see xntpd(1M)
/etc/init.d/spc print? Not sure, still looking for some doc.
/etc/init.d/rpc Remote procedure call; will start rpcbind and keyserv. See the Exceptions section below for more info.
/etc/init.d/autoinstall Script executed during stub JumpStart or /AUTOINSTALL JumpStart.
/etc/init.d/nfs.client NFS and cachefs Client. Will start the daemons needed and mount the remote partitions.
/etc/init.d/autofs automount daemons, see: automount(1M) automountd(1M)
/etc/init.d/nscd name service cache daemon, see: nscd(1M)
/etc/init.d/lp LP print service, see lpsched(1M)
/etc/init.d/nfs.server NFS Server and boot server, will start nfsd, mountd, in.rarpd and rpc.bootparamd
/etc/init.d/volmgt volume management, see vold(1M)
/etc/init.d/PRESERVE Move editing files into /usr/preserve
/etc/init.d/sendmail send mail over the internet, see sendmail(1M)
/etc/init.d/cacheos.finish Cache File System, see : cachefslog(1m) cachefspack(1m) cachefsstat(1m) cachefswssize(1m) cfsadmin(1m) fsck_cachefs(1m) mount_cachefs(1m) packingrules(4)
/etc/init.d/sysid.sys Script to invoke sysidsys, sysidroot and sysidpm, which complete configuration of various system attributes.
/etc/init.d/sysid.net Script to invoke sysidnet, which completes configuration of basic network parameters.
/etc/init.d/snmpdx
or init.snmpdx
Solstice Enterprise Master Agent, see snmpdx(1M)
/etc/init.d/dmi
or init.dmi
Sun Solstice Enterprise DMI Service Provider, see: dmispd(1M) and snmpXdmid(1M)
/etc/init.d/dtlogin This script will automatically start the dtlogin window after the Solaris(TM) system boots to its multi-user level.
/etc/init.d/power Power Management system, see: pmconfig(1M)
/etc/init.d/devfsadm Configuring the /dev directory (compatibility devices), see: ucblinks(1B) and also devfsadmd(1M)
/etc/init.d/utmpd utmp and utmpx monitoring daemon, see: utmpd(1M)
/etc/init.d/devlinks Configuring the /dev directory, see: devlinks(1M) disks(1M) ports(1M) tapes(1M) and ucblinks(1M)
/etc/init.d/apache Apache hypertext transfer protocol, see apache(1M)
/etc/init.d/dhcp Dynamic Host Configuration Protocol server, see in.dhcpd(1M)
/etc/init.d/dhcpagent Dynamic Host Configuration Protocol (DHCP) client daemon, see dhcpagent(1M)
/etc/init.d/ldap.client Start LDAP daemon to cache client information for NIS lookups, see ldap_cachemgr(1M)
/etc/init.d/llc2 Class II logical link control driver, see llc2(7D)
/etc/init.d/ncakmod Network Cache and Accelerator ("NCA") kernel module, see ncakmod(1)
/etc/init.d/slpd Service Location Protocol Daemon, see: slpd(1M)
/etc/init.d/webstart Multiple CD Install Reboot Script
/etc/init.d/init.wbem Common Information Model (CIM) Boot Manager, see init.wbem(1M)

Exceptions

File Name Explanation
/etc/init.d/rpc Special case in the postinstall to:
  • Be controlled by /etc/yassp.conf
  • Start Wietse Venema's rpcbind if requested.
  • keyserv is started with the "-d" option to disable the use of default keys for nobody.
/etc/init.d/syslog On Solaris 8 only, special case in the postinstall to start syslogd with the -t option so that it does not listen on the network.

Binaries installed by SECclean, on both architectures (i386 and sparc)

File Name Explanation
/opt/local/bin/md5 md5 signer from OpenSSL.
/usr/sbin/noshell noshell program from The Titan Project, to log access to locked accounts through syslog.



$Id: internal.html,v 1.18 2000/07/21 16:36:41 chouanar Exp jean $; Jean Chouanard, Xerox PARC
(with formatting/spelling/english & minor content corrections by Sean Boran, 16.5.00)