YASSP

To-Do list : Beta#15

Changes for the next minor version

1. testing / correction / improvements, so that V1.0 can be released.
   
2. Tarball install script:
   • Solaris 8: if gzip is installed, don't install it again
   • Include (updated) doc in tarball
     
3. RPCBIND: By default, logging is to syslog MAIL.INFO, which is a little strange, so change it to AUTH.INFO in the Makefile before compiling.
   
4. Syslog: Adam would like a copy of logs to kept locally *by default*. At the moment it has to be uncommented in /etc/syslog.conf, the default is to log to "loghost" if available. The list didn't voice opinions one way or the other on this. Personally I [sean] am worried that logs would grow because most people are tow lazy to set up pruning scripts, but I don't really mind..
   
5. yassp.conf
   • remove NFS, use only NFSCLIENT or NFSSERVER
     
6. inetd.conf: use comments like "#SECclean#", rather than "#SEC                 #"
   
7. fix-modes:
   • By default fix-modes is very quiet. the output *is* in this file. So turn on the '-v' option.
   • Also, shouldn't it be re-run after patches have been installed?
     
8. PARCdaily
   • Modify "daily" to prune loginlog?
   • Rename "daily" to sys_maint or something?
   • Make log permissions configurable in yassp.conf
   • Add logsurfer or logcheck (monitoring tools) to yassp?
     
9. Empty unneeded comments in root crontab.
   
10. SSH
    • If ssh is already installed, warn the user and confirm that the Yassp SSH should be installed.
    • Remove SUID from 'ssh' and 'slogin'?
    • update to OpenSSH 2.9
    • add a /dev/random
    • add /usr/local/bin as path to scp in sshd.
    • create new package structure, with links in /opt/local
    • Provide binaries for Solaris 2.6 to 8
    • Clean up sshd_config:
      RandomSeed
      AllowSHosts
      DenySHosts
      AllowHosts [in /etc/hosts.allow]
      DenyHosts
      Only allow root login with no password (i.e. trust?)
      
11. /etc/hosts.allow bug:
    
    ALL: ALL : spawn ( /bin/logger -p auth.warn -t "tcpd" %s: connection attempt
    from %c") & /etc/banners : rfc931 : DENY
    In Solaris 8, it will problem because of the colon after %s. SSHD reads the
    colon as an option separation, instead of a string.
    
    This one may be a better sample:
    ALL: ALL : spawn ( /bin/logger -p auth.warn -t "tcpd" %s\: connection
    attempt from %c") & /etc/banners : rfc931 : DENY
    
    Nic Pang
    
12. Patches: should we include Reg's Patch script in the tarball. I [sean] think it would be a good idea.
    
13. nettune:
    - include new version from Jens (voeckler@rvs.uni-hannover.de). Called with "start", it will actually tweak variables, called w/o parameters, it will show contents.
    - Also: "I put in a new variable to be set in yassp.conf called YASSP_VERBOSE in order to list current contents before tweaking them. Please consider a more appropriate name for the YASSP_VERBOSE variable."
    
14. All packages: make sure they can be installed without input, and also from Jumpstart (to /a).
    a) E.g. in install.sh
    if [ "${ROOT}" = "" ] ; then > ROOT="/" ; export ROOT; fi
/usr/sbin/pkgadd -n -a ./admin -d ${PKGFI} -R ${ROOT} $i
    also every reference to the root file system needs to have ${ROOT} prepended to it.
    Hack: can also be installed by an /etc/rc?.d script without the need to install to /a.
    b) SECclean uses stdout, which produces the following when an automated install is produced:
    "pkgadd: ERROR: freopen(/dev/tty, "a", stdout) failed, errno=6"
    another suggestion (from Neil Brookins) is:
    at now <<EOF
cd /etc/rc3.d; ./InstallMyPackage.sh
EOF

Changes planned at a later stage / next major version

• a checking script which will, from the initial setup and the configuration defined using the configuration script, check that the current installation hasn't have been modified. i.e. Allow SECclean to be "reapplied" after naughty patches like sendmail!
• extend the configuration script to include SUID/SGID management: the sysadm should have the choice to turn off or on some of them.
• after.html:
  • providing a more detailed list of packages which can be removed
• Tripwire:
  • Recompile it to use /opt/local/sbin (it is current in /secure because that's where I like it:-)
  • Port new 2.3.0 from Linux to Solaris: Lawson, Israel H. [Israel.Lawson@GMACInsurance.com] has offered to have a go at this.
    Karl Vogel [vogelke@dnaco.net] has already had a go and says:

    I got it to compile on Solaris-7, gcc-2.95.2 but it was a miserable exercise. Someone decided to rewrite it in C++ for some godawful reason. I'm planning to use aide or something simpler from now on. The patch, my logfile, and an sstream header file needed by g++ can be found at http://www.dnaco.net/~vogelke/tripwire-local/

Changes not yet decided upon:

• Possibly include optional packages such as OpenSSL or lsof (difficult due to architecture dependencies)
• Add scripts for patch installation
• Add scripts for tightening of SUID files
• Use xinetd to augment (not replace) inetd. Better logging, access control, access control per interface.

Home

8.8.02: Tweaks to point 14 after feedback from Neil Brookins.