YASSP
To-Do list: Beta#15
Changes for the next minor version
- testing / correction / improvements, so that V1.0 can be released.
- Tarball install script:
- Solaris 8: if gzip is installed, don't install it again
- Include (updated) doc in tarball
- RPCBIND: By default, logging is to syslog MAIL.INFO, which is a little strange, so
change it to AUTH.INFO in the Makefile before compiling.
- Syslog: Adam would like a copy of logs to be kept locally *by default*. At the moment it
has to be uncommented in /etc/syslog.conf; the default is to log to "loghost" if
available. The list didn't voice opinions one way or the other on this. Personally I
[sean] am worried that logs would grow because most people are too lazy to set up pruning
scripts, but I don't really mind.
- yassp.conf
- remove NFS, use only NFSCLIENT or NFSSERVER
- inetd.conf: use comments like "#SECclean#", rather than "#SEC#"
- fix-modes:
- By default fix-modes is very quiet. The output *is* in this file, so turn on the '-v'
option.
- Also, shouldn't it be re-run after patches have been installed?
- PARCdaily
- Modify "daily" to prune loginlog?
- Rename "daily" to sys_maint or something?
- Make log permissions configurable in yassp.conf
- Add logsurfer or logcheck (monitoring tools) to yassp?
- Empty unneeded comments in root crontab.
- SSH
- If ssh is already installed, warn the user and confirm that the Yassp SSH should be
installed.
- Remove SUID from 'ssh' and 'slogin'?
- update to OpenSSH 2.9
- add a /dev/random
- add /usr/local/bin as path to scp in sshd.
- create new package structure, with links in /opt/local
- Provide binaries for Solaris 2.6 to 8
- Clean up sshd_config:
    RandomSeed
    AllowSHosts
    DenySHosts
    AllowHosts [in /etc/hosts.allow]
    DenyHosts
    Only allow root login with no password (i.e. trust?)
- /etc/hosts.allow bug:
    ALL: ALL : spawn (/bin/logger -p auth.warn -t "tcpd" "%s: connection attempt from %c") & /etc/banners : rfc931 : DENY
  In Solaris 8, it will be a problem because of the colon after %s. SSHD reads the
  colon as an option separator, instead of a string.
  This one may be a better sample:
    ALL: ALL : spawn (/bin/logger -p auth.warn -t "tcpd" "%s\: connection attempt from %c") & /etc/banners : rfc931 : DENY
  Nic Pang
- Patches: should we include Reg's Patch script in the tarball. I [sean] think it would be
a good idea.
- nettune:
- include new version from Jens (voeckler@rvs.uni-hannover.de). Called
with "start", it will actually tweak variables; called without parameters, it will
show the current values.
- Also: "I put in a new variable to be set in yassp.conf called YASSP_VERBOSE in
order to list current contents before tweaking them. Please consider a more appropriate
name for the YASSP_VERBOSE variable."
- All packages: make sure they can be installed without input, and also from Jumpstart (to
  /a).
  a) E.g. in install.sh:
       if [ "${ROOT}" = "" ] ; then ROOT="/"; export ROOT; fi
       /usr/sbin/pkgadd -n -a ./admin -d ${PKGFI} -R ${ROOT} $i
     Also, every reference to the root file system needs to have ${ROOT} prepended to it.
     Hack: can also be installed by an /etc/rc?.d script without the need to
     install to /a.
  b) SECclean uses stdout, which produces the following when an automated install is
     performed:
       "pkgadd: ERROR: freopen(/dev/tty, "a", stdout) failed, errno=6"
     Another suggestion (from Neil Brookins) is:
       at now <<EOF
       cd /etc/rc3.d; ./InstallMyPackage.sh
       EOF
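The /etc/hosts.allow item above (the colon after %s) is easier to understand with tcpd's field splitting in front of you. The script below is an added example, not YASSP code: it splits the two rules from that item the way tcp_wrappers does, on unescaped colons only, and flags the leftover fragment that an unescaped colon produces. The rule strings are constructed copies with the banners field left out; hosts_access_fields, hosts_access_field_count and check_hosts_access_rule are names chosen for this example, and the real tcpd parser additionally handles backslash line continuations and comments, which are ignored here.

```shell
#!/bin/sh
# Added example, not part of YASSP: mimic how tcp_wrappers (tcpd) splits an
# /etc/hosts.allow rule into fields, to show why the colon after %s in the
# spawn command breaks the rule and why escaping it as "\:" fixes it.
# Simplification: real tcpd also joins backslash-continued lines and strips
# comments; only the colon handling matters here.

# Constructed copies of the two rules from the to-do item (banners option
# left out for brevity).
BUGGY_RULE='ALL: ALL : spawn (/bin/logger -p auth.warn -t "tcpd" "%s: connection attempt from %c") & : rfc931 : DENY'
FIXED_RULE='ALL: ALL : spawn (/bin/logger -p auth.warn -t "tcpd" "%s\: connection attempt from %c") & : rfc931 : DENY'

# Print the fields tcpd would see, one per line, surrounding blanks removed.
# An escaped colon is hidden behind a placeholder before the split and
# restored afterwards, so only unescaped colons separate fields.
hosts_access_fields() {
    printf '%s\n' "$1" \
        | sed 's/\\:/@ESCAPED_COLON@/g' \
        | tr ':' '\n' \
        | sed -e 's/@ESCAPED_COLON@/:/g' \
              -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Number of fields in the rule (daemon list, client list, then options).
hosts_access_field_count() {
    hosts_access_fields "$1" | wc -l | tr -d ' '
}

# Succeed only if every option field starts with a hosts_options keyword
# or is a bare ALLOW/DENY. A fragment such as 'connection attempt from %c")'
# is the tell-tale of a shell command split at an unescaped colon.
check_hosts_access_rule() {
    hosts_access_fields "$1" | awk '
        NR <= 2 { next }                       # daemon_list, client_list
        {
            key = tolower($0)
            if (key ~ /^(spawn|twist|banners|rfc931|severity|umask|user|setenv|nice|keepalive|linger)/) next
            if (key == "allow" || key == "deny") next
            printf "unexpected field: %s\n", $0
            bad = 1
        }
        END { exit bad }'
}

# Usage: show both rules side by side.
for rule in "$BUGGY_RULE" "$FIXED_RULE"; do
    echo "rule has $(hosts_access_field_count "$rule") fields"
    check_hosts_access_rule "$rule" && echo "  ok" || echo "  BROKEN"
done
```

Run as is and the buggy rule reports six fields with an "unexpected field" starting at "connection attempt", while the escaped rule reports five fields and passes; the same check can be pointed at any rule in a hosts.allow file before it is deployed.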
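For item a) under "All packages" (installing from Jumpstart to /a), here is the ${ROOT} pattern carried through as a complete POSIX sh script. It is an added example, not YASSP's own install.sh: default_root, rooted_path, write_admin_file and pkgadd_command are names chosen here, ./yassp.pkg is a placeholder datastream name, and pkgadd is only echoed because it exists only on Solaris. The admin file uses the standard admin(4) keywords so that pkgadd -n never has to ask a question. It does not address item b), the stdout problem, for which the page's own suggestion is the "at now" wrapper.

```shell
#!/bin/sh
# Added example, not YASSP's own install.sh: the Jumpstart-friendly install
# pattern from item a), plus an admin file that answers every pkgadd
# question in advance so no input is needed. ROOT defaults to "/", every
# path into the target file system goes through rooted_path, and pkgadd
# gets -n (non-interactive), -a (admin file) and -R ${ROOT} so the same
# script works on a live system and on a Jumpstart client whose disk is
# mounted under /a. pkgadd is only echoed here, not executed.

# Default ROOT to "/" when the caller (a Jumpstart finish script would
# export ROOT=/a) has not set it, and print the effective value.
default_root() {
    if [ "${ROOT}" = "" ]; then
        ROOT="/"
    fi
    export ROOT
    printf '%s\n' "$ROOT"
}

# Prepend ${ROOT} to an absolute path on the target system, without
# doubling the slash when ROOT is "/".
rooted_path() {
    case "$ROOT" in
        ""|/) printf '%s\n' "$1" ;;
        *)    printf '%s\n' "${ROOT%/}$1" ;;
    esac
}

# Write a pkgadd admin file that suppresses all interactive checks.
# These are standard admin(4) keywords; "nocheck" means "do not ask".
write_admin_file() {
    cat > "$1" <<'EOF'
mail=
instance=overwrite
partial=nocheck
runlevel=nocheck
idepend=nocheck
rdepend=nocheck
space=nocheck
setuid=nocheck
conflict=nocheck
action=nocheck
basedir=default
EOF
}

# Build the pkgadd command line for one package instance ($1).
# PKGFI is the package datastream or directory, as in the to-do item;
# ./yassp.pkg is a placeholder default chosen for this example.
pkgadd_command() {
    printf '/usr/sbin/pkgadd -n -a ./admin -d %s -R %s %s\n' \
        "${PKGFI:-./yassp.pkg}" "$ROOT" "$1"
}

# Usage: ROOT=/a PKGFI=./yassp.pkg sh install.sh SECclean
default_root >/dev/null
if [ $# -gt 0 ]; then
    write_admin_file ./admin
    for pkg in "$@"; do
        echo "would run: $(pkgadd_command "$pkg")"
        echo "target syslog.conf: $(rooted_path /etc/syslog.conf)"
    done
fi
```

Every file the package scripts touch should be addressed as "$(rooted_path /etc/whatever)" rather than /etc/whatever, which is the only way the same script stays correct when ROOT is /a.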
Changes planned at a later stage / next major version
- a checking script which will, from the initial setup and the configuration defined using
the configuration script, check that the current installation hasn't been modified,
i.e. allow SECclean to be "reapplied" after naughty patches like sendmail!
- extend the configuration script to include SUID/SGID management: the sysadm should have
the choice to turn off or on some of them.
- after.html:
- providing a more detailed list of packages which can be removed
- Tripwire:
- Recompile it to use /opt/local/sbin (it is currently in /secure because that's where I
like it :-)
- Port new 2.3.0 from Linux to Solaris: Israel H. Lawson
[Israel.Lawson@GMACInsurance.com] has offered to have a go at this.
Karl Vogel [vogelke@dnaco.net] has already had a
go and says: I got it to compile on Solaris-7, gcc-2.95.2 but it was a miserable
exercise. Someone decided to rewrite it in C++ for some godawful reason. I'm planning to
use aide or something simpler from now on. The patch, my logfile, and an sstream header
file needed by g++ can be found at http://www.dnaco.net/~vogelke/tripwire-local/
Changes not yet decided upon:
- Possibly include optional packages such as OpenSSL or lsof (difficult due to
architecture dependencies)
- Add scripts for patch installation
- Add scripts for tightening of SUID files
- Use xinetd to augment (not replace) inetd. Better logging, access control, access
control per interface.
**rcs id here**; Jean Chouanard (updated by Sean Boran, 8 August 2002)
8.8.02: Tweaks to point 14 after feedback from Neil Brookins.