Security on the machine www.gate.ac.uk
**************************************

1. Patches
----------

Patches are checked at least fortnightly and maintained. Download the file patchdiag.xref into the directory /usr/local/patchdiag from http://sunsolve.sun.co.uk. Run (as root) the program /usr/local/patchdiag/patchdiag-1.0.4/patchdiag - this lists the missing patches. Download these patches from sunsolve to /tmp, add them (patchadd) and reboot.

2. Logging traffic
------------------

Amended /etc/syslog.conf with the following lines (selector and action separated by a tab, as syslog.conf requires):

auth.debug	/var/log/authlog
daemon.debug	/var/log/inetd.log

The first logs all messages from the authorization system in /var/log/authlog; the second, by restarting inetd with the -t (trace) flag (edited the /etc/init.d/inetsys script to do this automatically), logs all calls to inetd in /var/log/inetd.log. Hence we have an audit trail for logins and ftp.

For extra security, created the file /var/adm/loginlog - this automatically records failed login attempts after 5 retries (including the name of the user and the machine the attempt came from; only readable by root):

# touch /var/adm/loginlog
# chmod 600 /var/adm/loginlog
# chgrp sys /var/adm/loginlog

AOLserver has two main logs: /var/log/www/access.log, which records all access to the web server, including the address of the machine and the web browser performing the lookup, and /usr/local/AOLserver/log/server.log, which records server diagnostic messages. Both are only readable by root and webadmin.

3. Disabled rlogin/rsh access
-----------------------------

Checked there is no /etc/hosts.equiv or /.rhosts. Commented out the following daemons in /etc/inetd.conf:

rpc.rusersd, in.fingerd, in.rshd, in.rlogind, in.rexecd, in.comsat, in.talkd

4. Checked network root logins are disabled
-------------------------------------------

Checked the CONSOLE line is enabled in /etc/default/login, thus:

# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
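An added example, not part of the original note: a small sh script that summarises the records /var/adm/loginlog accumulates under the section 2 setup, so the audit trail can actually be read rather than just collected. The record layout used here (user:tty:timestamp, one line per failed login after the retry limit), the sample lines and the function names are assumptions made for this example, not taken from the machine.

```shell
#!/bin/sh
# Added example (not part of the original note): summarise the failed-login
# records that /var/adm/loginlog accumulates (section 2). Assumed record
# format, one per failed login after the retry limit: "user:tty:timestamp".
# The sample data below is constructed, not taken from the machine.

SAMPLE_LOGINLOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOGINLOG"' EXIT
cat > "$SAMPLE_LOGINLOG" <<'EOF'
root:/dev/pts/1:Tue Mar  6 10:15:02 2001
root:/dev/pts/1:Tue Mar  6 10:15:40 2001
guest:/dev/pts/3:Tue Mar  6 11:02:11 2001
root:/dev/pts/2:Wed Mar  7 02:40:09 2001
webadmin:/dev/console:Wed Mar  7 09:12:55 2001
EOF

# Print "count user" for each account with failed logins, busiest first.
# The timestamp field contains colons too, so only fields 1 and 2 are used.
failed_logins_by_user() {
    awk -F: 'NF >= 3 { n[$1]++ } END { for (u in n) print n[u], u }' "$1" | sort -rn
}

# List accounts whose failed-login count reaches the given threshold;
# one user name per line, sorted so the result is stable.
accounts_over_threshold() {
    awk -F: -v t="$2" 'NF >= 3 { n[$1]++ } END { for (u in n) if (n[u] >= t) print u }' "$1" | sort
}

# Failures on anything other than /dev/console came in over the network
# (telnet/rlogin sessions get a /dev/pts/* tty); count those separately.
network_failed_logins() {
    awk -F: 'NF >= 3 && $2 != "/dev/console" { c++ } END { print c + 0 }' "$1"
}

# Run against the real file with: failed_logins_by_user /var/adm/loginlog
echo "Failed logins per user:"
failed_logins_by_user "$SAMPLE_LOGINLOG"
echo "Accounts with 2 or more failures:"
accounts_over_threshold "$SAMPLE_LOGINLOG" 2
echo "Failures on network ttys: $(network_failed_logins "$SAMPLE_LOGINLOG")"
```

Because loginlog is only written after the retry limit, every line in it already represents a burst of five failed attempts; a single account appearing repeatedly from /dev/pts ttys is the pattern worth following up in /var/log/authlog and /var/log/inetd.log, which carry the originating host.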
# CONSOLE=/dev/console

(The CONSOLE= line itself must be uncommented for the restriction to take effect; a leading # on that line would let root log in over the network.)

Gate scanned by Nessus on 6/3/01 for holes. Resulting holes are closed:
**********************************************************************

5. Disabled sadmind
-------------------

Shut down the sadmind RPC service in /etc/inetd.conf by commenting out the line:

# 100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

This is in accordance with Sun guidelines, although patch 108662-01 was applied and the system should have been secure.

6. Disabled calendar manager
----------------------------

Nessus is a bit wishy-washy when pressed for details on this, but we don't use it so it was commented out of /etc/inetd.conf thus:

# 100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd

7. Shut down the SNMP service
-----------------------------

This accounted for most of the security holes. Only Nessus seems concerned with the security of SNMP - there are no bulletins or otherwise from Sun or CERT. Nevertheless, as I don't think this service is used it's worth closing off the network entry points serviced by these daemons. The web page http://www.ist.uwaterloo.ca/security/howto/2000-10-04.html was most useful for this.

a) Stop the SNMP and DMI services

# cd /etc/init.d
# ./init.dmi stop
# ./init.snmpdx stop

b) Comment them out of the startup scripts

# cd /etc/rc3.d
# mv S76snmpdx No.S76snmpdx
# mv S77dmi No.S77dmi

CPS 16/2/00
Last changed 7/3/01
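An added example, not part of the original note: a sh script that re-checks the hardening from sections 3 to 7 (inetd.conf daemons commented out, CONSOLE= active in /etc/default/login, snmpdx/dmi start scripts renamed in rc3.d), so the state can be verified again after a patch or reboot. It runs against constructed copies of the three files in a temporary directory; the sample contents, the function names and the deliberately-left-enabled services are assumptions made for the example. Point the functions at the real paths to audit the machine.

```shell
#!/bin/sh
# Added example (not part of the original note): re-check the inetd.conf,
# /etc/default/login and rc3.d changes from sections 3 to 7. Everything here
# runs against constructed sample files in a temporary directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/rc3.d"

# Constructed inetd.conf excerpt: most services commented out as in the note,
# with in.fingerd and rpc.cmsd deliberately left enabled so the check finds them.
cat > "$WORK/inetd.conf" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
#login  stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
#comsat dgram   udp     wait    root    /usr/sbin/in.comsat     in.comsat
#talk   dgram   udp     wait    root    /usr/sbin/in.talkd      in.talkd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
#rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
#100232/10   tli   rpc/udp wait root /usr/sbin/sadmind sadmind
100068/2-5   dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
EOF

# Constructed /etc/default/login excerpt with the CONSOLE line active.
cat > "$WORK/login" <<'EOF'
# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
CONSOLE=/dev/console
EOF

# Constructed rc3.d: snmpdx renamed as in the note, dmi still active.
touch "$WORK/rc3.d/No.S76snmpdx" "$WORK/rc3.d/S77dmi" "$WORK/rc3.d/S15nfs.server"

# Daemons the note says must not be reachable through inetd.
WATCHED='in.rshd in.rlogind in.rexecd in.comsat in.talkd in.fingerd rpc.rusersd sadmind rpc.cmsd'

# Print each watched daemon that still appears on an active (uncommented)
# inetd.conf line; the last field of a line is the server program name.
active_watched_daemons() {
    grep -v '^[[:space:]]*#' "$1" | awk '{ print $NF }' | while read -r prog; do
        for d in $WATCHED; do
            if [ "$prog" = "$d" ]; then echo "$d"; fi
        done
    done
}

# Succeed only when an uncommented CONSOLE= line is present.
console_only_root() {
    grep -q '^CONSOLE=' "$1"
}

# List S-prefixed snmpdx/dmi start scripts still present in an rc directory.
live_snmp_rc_scripts() {
    for f in "$1"/S*; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            S[0-9]*snmpdx|S[0-9]*dmi) echo "${f##*/}" ;;
        esac
    done
}

# Print every finding; return 1 if anything still needs attention.
audit_report() {
    rc=0
    for d in $(active_watched_daemons "$1"); do
        echo "STILL ENABLED in $1: $d"; rc=1
    done
    console_only_root "$2" || { echo "CONSOLE= line missing or commented in $2"; rc=1; }
    for s in $(live_snmp_rc_scripts "$3"); do
        echo "START SCRIPT STILL ACTIVE: $3/$s"; rc=1
    done
    return $rc
}

# On the real machine: audit_report /etc/inetd.conf /etc/default/login /etc/rc3.d
if audit_report "$WORK/inetd.conf" "$WORK/login" "$WORK/rc3.d"; then
    echo "All checks passed"
else
    echo "Audit found problems"
fi
```

Commenting a line out of inetd.conf only takes effect once inetd re-reads the file (HUP it or restart it), so a clean result from this check should be paired with a port scan of the kind Nessus already runs against the box.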