Date: Thu, 17 Jun 1999 13:55:53 -0500 (CDT)
From: Joe Greco <jgreco@ns.sol.net>
To: security@freebsd.org
Cc: imp@harmony.village.org, rchilders@hamquist.com
Subject: Re: some nice advice....
Message-ID: <199906171855.NAA73439@aurora.sol.net>
> The system won't even let root change /kernel. When the secure level
> is elevated, even root can't remove the schg bit. Set it on all files
> required to boot, and go to elevated secure level quickly and things
> will be impossible to override...
>
> Warner

A starting point... this is customized heavily towards my standard
installs and my own needs, however it should make it a real bloody pain
for somebody to mess with your system. This is acceptable around here
since most "upgrades" are done via replacement; I rarely do in-place
upgrades anymore and even if I did, all you do is remove the schg bit in
single-user mode.

#! /bin/sh

# SUID or SGID stuff. Most of it - we don't want
chmod 111 /usr/local/bin/ospf_monitor
chmod 111 /usr/local/bin/gdc
chmod 111 /usr/local/bin/ssh1
chmod 111 /usr/local/libexec/amanda/calcsize
chmod 111 /usr/local/libexec/amanda/killpgrp
chmod 111 /usr/local/libexec/amanda/rundump
chmod 111 /usr/local/libexec/amanda/runtar
chmod 111 /usr/local/libexec/amanda/dumper
chmod 111 /usr/local/libexec/amanda/planner
chmod 111 /usr/local/sbin/amcheck
# /usr/bin/cu
chmod 111 /usr/bin/uucp
chmod 111 /usr/bin/uuname
chmod 111 /usr/bin/uustat
chmod 111 /usr/bin/uux
chmod 111 /usr/bin/man
chmod 111 /usr/bin/suidperl
chmod 111 /usr/bin/sperl4.036
chmod 111 /usr/bin/at
chmod 111 /usr/bin/atq
chmod 111 /usr/bin/atrm
chmod 111 /usr/bin/batch
# /usr/bin/chpass
# /usr/bin/chfn
# /usr/bin/chsh
chmod 111 /usr/bin/ypchpass
chmod 111 /usr/bin/ypchfn
chmod 111 /usr/bin/ypchsh
chmod 111 /usr/bin/fstat
chmod 111 /usr/bin/ipcs
chmod 111 /usr/bin/keyinfo
chmod 111 /usr/bin/keyinit
# /usr/bin/lock
# /usr/bin/login
chmod 111 /usr/bin/netstat
chmod 111 /usr/bin/nfsstat
# /usr/bin/passwd
chmod 111 /usr/bin/yppasswd
chmod 111 /usr/bin/quota
chmod 111 /usr/bin/rlogin
chmod 111 /usr/bin/rsh
# /usr/bin/su
# /usr/bin/top
# /usr/bin/w
# /usr/bin/uptime
chmod 111 /usr/bin/wall
chmod 111 /usr/bin/write
chmod 111 /usr/bin/systat
chmod 111 /usr/bin/vmstat
chmod 111 /usr/bin/crontab
chmod 111 /usr/bin/lpq
chmod 111 /usr/bin/lpr
chmod 111 /usr/bin/lprm
chmod 111 /usr/bin/newaliases
chmod 111 /usr/bin/mailq
chmod 111 /usr/bin/hoststat
chmod 111 /usr/libexec/uucp/uucico
chmod 111 /usr/libexec/uucp/uuxqt
chmod 111 /usr/libexec/mail.local
chmod 111 /usr/sbin/lpc
chmod 111 /usr/sbin/mrinfo
chmod 111 /usr/sbin/mtrace
chmod 111 /usr/sbin/pppd
chmod 111 /usr/sbin/pstat
chmod 111 /usr/sbin/swapinfo
chmod 111 /usr/sbin/sendmail
chmod 111 /usr/sbin/purgestat
chmod 111 /usr/sbin/sliplogin
chmod 111 /usr/sbin/timedc
# /usr/sbin/traceroute
chmod 111 /usr/sbin/trpt
chmod 111 /usr/sbin/iostat
chmod 111 /usr/sbin/ncrcontrol
chmod 111 /usr/sbin/ppp
# /bin/df
# /bin/ps
chmod 111 /bin/rcp
chmod 111 /sbin/ccdconfig
# /sbin/dmesg
chmod 111 /sbin/dump
chmod 111 /sbin/rdump
chmod 111 /sbin/ping
chmod 111 /sbin/restore
chmod 111 /sbin/rrestore
chmod 111 /sbin/route
chmod 111 /sbin/shutdown

# Protect files.
chflags schg /
chflags -RP schg /.profile /.cshrc
chflags -RP schg /bin
chflags -RP schg /boot
chflags -RP schg /etc
chflags noschg /etc/motd /etc/ntp.drift
chflags noschg /etc
chflags schg /kernel*
chflags -RP schg /lkm
chflags -RP schg /modules
chflags -RP schg /root/.[a-z]*
chflags schg /root
chflags -RP schg /sbin
chflags -RP schg /stand
chflags -RP schg /sys/.
chflags -RP schg /usr
chflags noschg /usr/local/etc/ssh_host_key

Depending on specifics, you might choose to remove the suid bits from
the remaining executables. When you are done, you will have a rather
hardened system that simply demands to run at securelevel 2 or 3.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator			      jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI			   414/342-4847

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
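An added example, not part of Joe Greco's message: a follow-up audit that lists any setuid/setgid file still present after a pass like the one above, and checks that the securelevel is high enough for schg to bind root. The function names and the KEEP variable are made up for this example; KEEP is taken from the programs the script leaves commented out.

```sh
#!/bin/sh
# Added example: verify the result of the hardening pass above.
# KEEP = programs the script leaves commented out, i.e. left setuid/setgid
# on purpose. Paths are relative to the root being audited.
KEEP="usr/bin/cu usr/bin/chpass usr/bin/chfn usr/bin/chsh usr/bin/lock
usr/bin/login usr/bin/passwd usr/bin/su usr/bin/top usr/bin/w usr/bin/uptime
usr/sbin/traceroute bin/df bin/ps sbin/dmesg"

# unexpected_setid ROOT
# Print (relative to ROOT) every regular file that still carries a setuid
# or setgid bit and is not in KEEP. No output means the tree matches intent.
unexpected_setid() {
    keep=" $(echo $KEEP) "          # flatten the list onto one line
    ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) -print ) |
    while IFS= read -r path; do
        rel=${path#./}
        case "$keep" in
            *" $rel "*) ;;                      # deliberately kept
            *) printf '%s\n' "$rel" ;;          # missed by the chmod list
        esac
    done
}

# securelevel_ok
# Returns 0 when kern.securelevel is above 0 (root can no longer clear
# schg), 1 when it is not, 2 when the sysctl is unavailable (not FreeBSD).
securelevel_ok() {
    level=$(sysctl -n kern.securelevel 2>/dev/null) || return 2
    [ "$level" -gt 0 ]
}

# Run the audit only when a root directory is given on the command line.
if [ "$#" -gt 0 ]; then
    unexpected_setid "$1"
    securelevel_ok || echo "warning: securelevel not raised; schg can be cleared by root" >&2
fi
```

Run it as `sh audit.sh /` on the hardened host; newly installed ports are the usual source of unexpected entries.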