[Tiger-user] Feedback: loading TIGER 2.2.4p1 on HP-UX 11.11 (long)
From: Bob Hall
Subject: [Tiger-user] Feedback: loading TIGER 2.2.4p1 on HP-UX 11.11 (long)
Date: Fri, 13 Sep 2002 13:43:24 -0700 (PDT)
First I wanted to thank the author of the TIGER package for making
it available. The output has been valuable to me and I'm sure that
I can make good use of this product.
I just finished modifying and packaging up TIGER 2.2.4p1 so that
it will run properly on our HP-UX 11.11 systems, and I thought it
might be beneficial(?) to relate my experiences. My philosophy in
doing so is to package the product in such a way that it produces
a minimum of messages when run on a 'clean' system. I.e. I set up
a system that has our baseline configuration, and I wanted it to
produce a minimum of notes, warnings, and errors. As a result,
I'm sure that some may disagree with some of the shortcut methods
I used. But the goal was to produce output for a novice SysAdmin
that would not cause concern about the base install. Eventually I
want to modify the baseline install so that many of these measures
are not needed.
After downloading the package and setting it up on my test box, I
did the following:
* Change owner of directory and files to root:sys.
* Modify the Makefile and set TIGERHOME to our install directory.
* Ran make.
* Created the dynamic folders under /var/spool/tiger.
mkdir /var/spool/tiger
mkdir /var/spool/tiger/bin
mkdir /var/spool/tiger/logs
mkdir /var/spool/tiger/work
chown -hR root:sys /var/spool/tiger
* Edited the ./tiger/tigerrc file:
Tiger_Run_CRACK=N
Tiger_ROOT_PATH_OK_Owners='root|bin'
Tiger_Embedded_OK_Owners='root|bin|uucp|daemon|adm'
* Made a copy of the getdisks script from the Linux system:
cp -p /opt/tiger/systems/Linux/2/getdisks /opt/tiger/systems/HPUX
* In ./tiger/scripts/check_accounts following '$shcase)' in the
check_disabled() call, add a case statement to ignore the
standard accounts: daemon, bin, sys, adm, lp, hpdb.
| $shcase)
| case \"$user\" in
| daemon|bin|sys|adm|lp|nobody|hpdb) ;;
| *) message WARN acc001w \"\" \"Login ID $user is disabled, but still has a valid shell ($shell).\"
| ;;
| esac
| ;;
* Add a case statement to ignore 'bin' in the pathmsg() routine
of ./tiger/initdefs following root).
| root) {
| [ "$__owner" != "$__rowner" ] && {
| case "$__rowner" in
| bin) ;;
| *)
| __omsg="not owned by $__owner (owned by $__rowner)."
| __olvl='WARN'
| [ $__dir -eq 1 -o $__exec -eq 0 ] && __olvl='INFO'
| ;;
| esac
| }
| }
| ;;
* Modify the paths in the ./tiger/systems/HPUX/inetd file as
follows:
| exec stream tcp nowait root /usr/lbin/rexecd rexecd
| finger stream tcp nowait bin /usr/lbin/fingerd fingerd
| ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l
| login stream tcp nowait root /usr/lbin/rlogind rlogind
| printer stream tcp nowait root /usr/sbin/rlpdaemon rlpdaemon
| rpc dgram udp wait root /usr/sbin/rpc.mountd 100005 1 rpc.mountd
| rpc dgram udp wait root /usr/sbin/rpc.rquotad 100011 1 rpc.rquotad
| rpc dgram udp wait root /usr/lib/netsvc/rstat/rpc.rstatd 100001 1-3 rpc.rstatd
| rpc dgram udp wait root /usr/lib/netsvc/rusers/rpc.rusersd 100002 1-2 rpc.rusersd
| rpc dgram udp wait root /usr/lib/netsvc/rwall/rpc.rwalld 100008 1 rpc.rwalld
| rpc dgram udp wait root /usr/lib/netsvc/spray/rpc.sprayd 100012 1 rpc.sprayd
| rpc stream tcp nowait root /usr/sbin/rpc.rexd 100017 1 rpc.rexd
| shell stream tcp nowait root /usr/lbin/remshd remshd
| telnet stream tcp nowait root /usr/lbin/telnetd telnetd
| tftp dgram udp wait root /usr/lbin/tftpd tftpd
* Add the following entries:
| rpc dgram udp wait root /usr/dt/bin/rpc.cmsd 100068 2-5 rpc.cmsd
| rpc xti tcp swait root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver
* In checkinetd() of ./tiger/scripts/check_inetd following the
"while read service ..." add an 'if' statement to ignore the
rpc service.
| while read service exppath currpath parm1 parms
| do
| if [ "$service" = "rpc" ]; then
| continue
| fi
| if [ "$currpath" != "$exppath" ]; then
* In ./tiger/systems/HPUX/services, change 'auth' to 'ident'.
Thus:
| ident 113/tcp
* In ./tiger/check.tbl, comment out the 'check_sendmail' line.
* Create the signatures file.
echo " " > ./tiger/systems/HPUX/signatures
chmod 600 ./tiger/systems/HPUX/signatures
* Modify the ./tiger/systems/HPUX/genmounts file to replace the
ufs entry of the localfs() command with the following:
| [ "$1" = "vxfs" ] && LOCAL=0
| [ "$1" = "hfs" ] && LOCAL=0
* Modify the ./tiger/systems/HPUX/fal.db file to check for
correct permissions. The file is completely missing the
columns for suid and sgid.
/ -> root root
/etc -> bin bin
/usr -> bin bin
/usr/bin -> bin bin
/usr/lib -> bin bin
/dev -> bin
/etc/bootptab -> bin
/etc/group -> bin
/etc/hosts -> bin
/etc/netgroup -> bin . 0 0 1 . 0 1 0 0 1 0 0
/etc/resolv.conf -> bin
/etc/rpc -> bin
/etc/services -> bin
/etc/syslog.conf -> bin
/bin/write -> bin
/usr/bin/cu -> root . 1 0 . 0 1 . 0 1 . 0 . .
/usr/bin/uucp -> uucp . 1 0 . 0 1 . 0 1 . 0 . .
/usr/bin/uux -> uucp . 1 0 . 0 1 . 0 1 . 0 . .
/usr/bin/uuname -> uucp . 1 0 . 0 1 . 0 1 . 0 . .
/usr/bin/uustat -> uucp . 1 0 . 0 1 . 0 1 . 0 . .
/bin/login -> root . 1 0 1 . 1 1 0 1 1 0 1
/bin/su -> root . 1 0 1 . 1 . 0 . . 0 .
* Add suid files to ./tiger/systems/HPUX/suid_list:
| /sbin/lvchange
| /sbin/lvcreate
| /sbin/lvdisplay
| /sbin/lvextend
| /sbin/lvlnboot
| /sbin/lvreduce
| /sbin/lvremove
| /sbin/lvrmboot
| /sbin/lvmerge
| /sbin/lvsplit
| /sbin/lvsync
| /sbin/nomwcsyncd
| /sbin/vgsync
| /sbin/passwd
| /sbin/pvchange
| /sbin/pvck
| /sbin/pvcreate
| /sbin/pvdisplay
| /sbin/pvmove
| /sbin/pvremove
| /sbin/sdstolvm
| /sbin/shutdown
| /sbin/vgcfgbackup
| /sbin/vgcfgrestore
| /sbin/vgchange
| /sbin/vgchgid
| /sbin/vgcreate
| /sbin/vgdisplay
| /sbin/vgexport
| /sbin/vgextend
| /sbin/vgimport
| /sbin/vgreduce
| /sbin/vgremove
| /sbin/vgscan
| /usr/bin/X11/X
| /usr/bin/X11/hpterm
| /usr/bin/X11/xterm
| /usr/bin/at
| /usr/bin/bdf
| /usr/bin/cancel
| /usr/bin/chfn
| /usr/bin/chkey
| /usr/bin/chsh
| /usr/bin/crontab
| /usr/bin/ct
| /usr/bin/cu
| /usr/bin/df
| /usr/bin/disable
| /usr/bin/enable
| /usr/bin/kermit
| /usr/bin/login
| /usr/bin/lp
| /usr/bin/lpalt
| /usr/bin/lpstat
| /usr/bin/mail
| /usr/bin/mediainit
| /usr/bin/newgrp
| /usr/bin/nfsstat
| /usr/bin/nispasswd
| /usr/bin/passwd
| /usr/bin/passwd.HP-UX
| /usr/bin/pppd
| /usr/bin/rcp
| /usr/bin/rdist
| /usr/bin/remsh
| /usr/bin/rexec
| /usr/bin/rlogin
| /usr/bin/rmail
| /usr/bin/slp
| /usr/bin/su
| /usr/bin/uucp
| /usr/bin/uuls
| /usr/bin/uuname
| /usr/bin/uusnap
| /usr/bin/uustat
| /usr/bin/uux
| /usr/bin/yppasswd
| /usr/contrib/bin/X11/xconsole
| /usr/contrib/bin/X11/xterm
| /usr/contrib/bin/traceroute
| /usr/dt/bin/dtaction
| /usr/dt/bin/dtappgather
| /usr/dt/bin/dtprintinfo
| /usr/dt/bin/dtsession
| /usr/dt/bin/dtterm
| /usr/lbin/chgpt
| /usr/lbin/exrecover
| /usr/lbin/grmd
| /usr/lbin/protect_pty
| /usr/lbin/rwrite
| /usr/lbin/uucp/uucico
| /usr/lbin/uucp/uuclean
| /usr/lbin/uucp/uusched
| /usr/lbin/uucp/uusub
| /usr/lbin/uucp/uuxqt
| /usr/sam/lbin/rsam
| /usr/sbin/accept
| /usr/sbin/acct/accton
| /usr/sbin/arp
| /usr/sbin/keyenvoy
| /usr/sbin/lpadmin
| /usr/sbin/lpfence
| /usr/sbin/lpmove
| /usr/sbin/lpsched
| /usr/sbin/lpshut
| /usr/sbin/lvchange
| /usr/sbin/lvcreate
| /usr/sbin/lvdisplay
| /usr/sbin/lvextend
| /usr/sbin/lvlnboot
| /usr/sbin/lvreduce
| /usr/sbin/lvremove
| /usr/sbin/lvrmboot
| /usr/sbin/lvmerge
| /usr/sbin/lvsplit
| /usr/sbin/lvsync
| /usr/sbin/nomwcsyncd
| /usr/sbin/vgsync
| /usr/sbin/ping
| /usr/sbin/pvchange
| /usr/sbin/pvck
| /usr/sbin/pvcreate
| /usr/sbin/pvdisplay
| /usr/sbin/pvmove
| /usr/sbin/pvremove
| /usr/sbin/rcancel
| /usr/sbin/reject
| /usr/sbin/rlp
| /usr/sbin/rlpdaemon
| /usr/sbin/rlpstat
| /usr/sbin/sd
| /usr/sbin/sendmail
| /usr/sbin/swacl
| /usr/sbin/swask
| /usr/sbin/swconfig
| /usr/sbin/swcopy
| /usr/sbin/swinstall
| /usr/sbin/swjob
| /usr/sbin/swlist
| /usr/sbin/swmodify
| /usr/sbin/swpackage
| /usr/sbin/swreg
| /usr/sbin/swremove
| /usr/sbin/swverify
| /usr/sbin/vgcfgbackup
| /usr/sbin/vgcfgrestore
| /usr/sbin/vgchange
| /usr/sbin/vgchgid
| /usr/sbin/vgcreate
| /usr/sbin/vgdisplay
| /usr/sbin/vgexport
| /usr/sbin/vgextend
| /usr/sbin/vgimport
| /usr/sbin/vgreduce
| /usr/sbin/vgremove
| /usr/sbin/vgscan
| /usr/sbin/vhe/vhe_u_mnt
| /usr/tsm/sys/tsm.root
| /usr/tsm/sys/tsm.utmp
| /var/spool/pdcinfo.lck
chmod 600 ./tiger/systems/HPUX/suid_list
* Include standard files known to have relative paths in the
./tiger/scripts/sub/check_suid, thus:
| case "$file" in
| ### Include all standard files with known relative paths
| /sbin/lvchange) ;;
| /sbin/lvcreate) ;;
| /sbin/lvdisplay) ;;
| /sbin/lvextend) ;;
| /sbin/lvlnboot) ;;
| /sbin/lvmerge) ;;
| /sbin/lvsplit) ;;
| /sbin/lvsync) ;;
| /sbin/lvreduce) ;;
| /sbin/lvremove) ;;
| /sbin/lvrmboot) ;;
| /sbin/passwd) ;;
| /sbin/pvchange) ;;
| /sbin/pvck) ;;
| /sbin/pvcreate) ;;
| /sbin/pvdisplay) ;;
| /sbin/pvmove) ;;
| /sbin/pvremove) ;;
| /sbin/sdstolvm) ;;
| /sbin/shutdown) ;;
| /sbin/vgcfgbackup) ;;
| /sbin/vgcfgrestore) ;;
| /sbin/vgchange) ;;
| /sbin/vgchgid) ;;
| /sbin/vgchange) ;;
| /sbin/vgdisplay) ;;
| /sbin/vgexport) ;;
| /sbin/vgextend) ;;
| /sbin/vgimport) ;;
| /sbin/vgreduce) ;;
| /sbin/vgremove) ;;
| /sbin/vgscan) ;;
| /sbin/vgsync) ;;
| /sbin/nomwcsyncd) ;;
| /usr/bin/X11/X) ;;
| /usr/lbin/chgpt) ;;
| /usr/sbin/sd) ;;
| /usr/bin/at) ;;
| /usr/bin/chkey) ;;
| /usr/bin/ct) ;;
| /usr/lbin/grmd) ;;
| /usr/sam/lbin/rsam) ;;
| /usr/sbin/swacl) ;;
| /usr/sbin/swask) ;;
| /usr/sbin/swconfig) ;;
| /usr/sbin/swcopy) ;;
| /usr/sbin/swinstall) ;;
| /usr/sbin/swjob) ;;
| /usr/sbin/swlist) ;;
| /usr/sbin/swmodify) ;;
| /usr/sbin/swpackage) ;;
| /usr/sbin/swreg) ;;
| /usr/sbin/swremove) ;;
| /usr/sbin/swverify) ;;
| /usr/sbin/swverify) ;;
| /usr/dt/bin/dtsession) ;;
| /usr/dt/bin/dtterm) ;;
| */xload)
* Create the sgid_list file:
echo " " > ./tiger/systems/HPUX/sgid_list
chmod 600 ./tiger/systems/HPUX/sgid_list
* Then insert the following into ./tiger/systems/HPUX/config:
| SGID_LIST sgid_list
following the SUID_LIST line.
* Modify ./tiger/scripts/sub/check_wdir to skip certain 'open'
directories.
| $SORT $WORKDIR/wdir.tmp.$$ |\
| while read DIR
| do
| case $DIR in
| /dev/screen/) ;;
| /etc/opt/resmon/log/) ;;
| /usr/newconfig/var/stm/*) ;;
| /var/dt/appconfig/appmanager/*) ;;
| /var/X11/Xserver/logs/) ;;
| /var/news/) ;;
| /var/opt/dce/rpc/local/*) ;;
| /var/preserve/) ;;
| /var/rbootd/) ;;
| /var/stm/*) ;;
| */man/cat*) ;;
| /var/spool/calendar/*) ;;
| /var/spool/cron/tmp/*) ;;
| /var/spool/sockets/*) ;;
| /var/tmp/*) ;;
| /var/userlogs/*) ;;
| *) echo $DIR ;;
| esac
| done
* In the ./tiger/scripts/check_perms script, change the section
that checks the disk device group permissions as follows:
| # [ "$gr$gw" != '00' ] && {
| [ "$gr$gw" != '00' ] &&
| [ "$gr$gw" != '10' -a "$group" != 'sys' ] && {
* Comment out the following section of
./tiger/scripts/sub/check_suid:
| # case "$file" in
| # *xterm) {
| # message WARN misc013w "" "$file: see CERT Advisory CA-93:17 about a security hole in xterm."
| # }
| # ;;
| # esac
* Alter two AWK commands in ./tiger/scripts/check_rhosts as
follows:
|# $AWK '/address@hidden ]*$/ {print}' < "$file" |
| $AWK '/address@hidden ]*$/ {print}' < "$file" |
|# $AWK 'BEGIN {count = 0} !/address@hidden ]*$/ {count += 1}
| $AWK 'BEGIN {count = 0} !/address@hidden ]*$/ {count += 1}
Thanks.
----
Bob
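As an added example (not Tiger's code and not part of the post above): a POSIX sh/awk check that compares a reference inetd file against the live one, keying rpc entries by their RPC program number so they are verified instead of being skipped the way the `continue` in the modified check_inetd() does. The entries and paths are constructed sample data; `REF_INETD`, `LIVE_INETD`, `inetd_keys` and `compare_inetd` are names chosen here.

```shell
#!/bin/sh
# Added example, not Tiger's check_inetd: compare a reference inetd.conf
# against the live one. Ordinary entries are keyed by service name; rpc
# entries carry "<program number> <versions>" after the daemon path, so
# they are keyed by "rpc/<program number>" rather than skipped.

# Constructed reference entries (HP-UX inetd.conf layout).
REF_INETD='ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l
telnet stream tcp nowait root /usr/lbin/telnetd telnetd
login stream tcp nowait root /usr/lbin/rlogind rlogind
rpc dgram udp wait root /usr/sbin/rpc.mountd 100005 1 rpc.mountd
rpc dgram udp wait root /usr/dt/bin/rpc.cmsd 100068 2-5 rpc.cmsd'

# Constructed live entries: rlogind removed, tftpd added, and the
# telnetd and rpc.cmsd daemons now start from unexpected paths.
LIVE_INETD='ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l
telnet stream tcp nowait root /tmp/telnetd telnetd
tftp dgram udp wait root /usr/lbin/tftpd tftpd
rpc dgram udp wait root /usr/sbin/rpc.mountd 100005 1 rpc.mountd
rpc dgram udp wait root /usr/local/bin/rpc.cmsd 100068 2-5 rpc.cmsd'

# Print "key path" for every active entry; comments and blanks are dropped.
inetd_keys() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "rpc"    { print "rpc/" $7, $6; next }
                       { print $1, $6 }'
}

# Report path mismatches, unknown services and disabled reference
# services, one finding per line, in a locale-independent sort order.
compare_inetd() {
    ref=$(inetd_keys "$1")
    live=$(inetd_keys "$2")
    {
        printf '%s\n' "$live" | while read -r key path; do
            exp=$(printf '%s\n' "$ref" | awk -v k="$key" '$1 == k { print $2 }')
            if [ -z "$exp" ]; then
                echo "WARN $key: not in reference (path $path)"
            elif [ "$exp" != "$path" ]; then
                echo "WARN $key: path $path, expected $exp"
            fi
        done
        printf '%s\n' "$ref" | while read -r key path; do
            printf '%s\n' "$live" | awk -v k="$key" '$1 == k { f = 1 } END { exit !f }' \
                || echo "INFO $key: in reference but not enabled"
        done
    } | LC_ALL=C sort
}

compare_inetd "$REF_INETD" "$LIVE_INETD"
```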