From: Joe Greco
Message-Id: <199906171855.NAA73439@aurora.sol.net>
Subject: Re: some nice advice....
To: security@freebsd.org
Date: Thu, 17 Jun 1999 13:55:53 -0500 (CDT)
Cc: imp@harmony.village.org, rchilders@hamquist.com

> The system won't even let root change /kernel.  When the secure level
> is elevated, even root can't remove the schg bit.  Set it on all files
> required to boot, and go to elevated secure level quickly and things
> will be impossible to override...
>
> Warner

A starting point... this is customized heavily towards my standard
installs and my own needs, however it should make it a real bloody pain
for somebody to mess with your system.  This is acceptable around here
since most "upgrades" are done via replacement; I rarely do in-place
upgrades anymore and even if I did, all you do is remove the schg bit in
single-user mode.

#! /bin/sh

# SUID or SGID stuff.  Most of it - we don't want
chmod 111 /usr/local/bin/ospf_monitor
chmod 111 /usr/local/bin/gdc
chmod 111 /usr/local/bin/ssh1
chmod 111 /usr/local/libexec/amanda/calcsize
chmod 111 /usr/local/libexec/amanda/killpgrp
chmod 111 /usr/local/libexec/amanda/rundump
chmod 111 /usr/local/libexec/amanda/runtar
chmod 111 /usr/local/libexec/amanda/dumper
chmod 111 /usr/local/libexec/amanda/planner
chmod 111 /usr/local/sbin/amcheck
# /usr/bin/cu
chmod 111 /usr/bin/uucp
chmod 111 /usr/bin/uuname
chmod 111 /usr/bin/uustat
chmod 111 /usr/bin/uux
chmod 111 /usr/bin/man
chmod 111 /usr/bin/suidperl
chmod 111 /usr/bin/sperl4.036
chmod 111 /usr/bin/at
chmod 111 /usr/bin/atq
chmod 111 /usr/bin/atrm
chmod 111 /usr/bin/batch
# /usr/bin/chpass
# /usr/bin/chfn
# /usr/bin/chsh
chmod 111 /usr/bin/ypchpass
chmod 111 /usr/bin/ypchfn
chmod 111 /usr/bin/ypchsh
chmod 111 /usr/bin/fstat
chmod 111 /usr/bin/ipcs
chmod 111 /usr/bin/keyinfo
chmod 111 /usr/bin/keyinit
# /usr/bin/lock
# /usr/bin/login
chmod 111 /usr/bin/netstat
chmod 111 /usr/bin/nfsstat
# /usr/bin/passwd
chmod 111 /usr/bin/yppasswd
chmod 111 /usr/bin/quota
chmod 111 /usr/bin/rlogin
chmod 111 /usr/bin/rsh
# /usr/bin/su
# /usr/bin/top
# /usr/bin/w
# /usr/bin/uptime
chmod 111 /usr/bin/wall
chmod 111 /usr/bin/write
chmod 111 /usr/bin/systat
chmod 111 /usr/bin/vmstat
chmod 111 /usr/bin/crontab
chmod 111 /usr/bin/lpq
chmod 111 /usr/bin/lpr
chmod 111 /usr/bin/lprm
chmod 111 /usr/bin/newaliases
chmod 111 /usr/bin/mailq
chmod 111 /usr/bin/hoststat
chmod 111 /usr/libexec/uucp/uucico
chmod 111 /usr/libexec/uucp/uuxqt
chmod 111 /usr/libexec/mail.local
chmod 111 /usr/sbin/lpc
chmod 111 /usr/sbin/mrinfo
chmod 111 /usr/sbin/mtrace
chmod 111 /usr/sbin/pppd
chmod 111 /usr/sbin/pstat
chmod 111 /usr/sbin/swapinfo
chmod 111 /usr/sbin/sendmail
chmod 111 /usr/sbin/purgestat
chmod 111 /usr/sbin/sliplogin
chmod 111 /usr/sbin/timedc
# /usr/sbin/traceroute
chmod 111 /usr/sbin/trpt
chmod 111 /usr/sbin/iostat
chmod 111 /usr/sbin/ncrcontrol
chmod 111 /usr/sbin/ppp
# /bin/df
# /bin/ps
chmod 111 /bin/rcp
chmod 111 /sbin/ccdconfig
# /sbin/dmesg
chmod 111 /sbin/dump
chmod 111 /sbin/rdump
chmod 111 /sbin/ping
chmod 111 /sbin/restore
chmod 111 /sbin/rrestore
chmod 111 /sbin/route
chmod 111 /sbin/shutdown

# Protect files.
chflags schg /
chflags -RP schg /.profile /.cshrc
chflags -RP schg /bin
chflags -RP schg /boot
chflags -RP schg /etc
chflags noschg /etc/motd /etc/ntp.drift
chflags noschg /etc
chflags schg /kernel*
chflags -RP schg /lkm
chflags -RP schg /modules
chflags -RP schg /root/.[a-z]*
chflags schg /root
chflags -RP schg /sbin
chflags -RP schg /stand
chflags -RP schg /sys/.
chflags -RP schg /usr
chflags noschg /usr/local/etc/ssh_host_key

Depending on specifics, you might choose to remove the suid bits from the
remaining executables.  When you are done, you will have a rather hardened
system that simply demands to run at securelevel 2 or 3.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                              jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                         414/342-4847
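
A follow-up check for the script in the message above, added here as an example and not part of the original post: it lists files that still carry a setuid or setgid bit and are not among the entries the posted script leaves commented out. The function name audit_setid, the KEEP_SETID variable and the ROOT argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original message.
# Entries the posted script leaves commented out, i.e. keeps set-id.
KEEP_SETID='/usr/bin/cu
/usr/bin/chpass
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/lock
/usr/bin/login
/usr/bin/passwd
/usr/bin/su
/usr/bin/top
/usr/bin/w
/usr/bin/uptime
/usr/sbin/traceroute
/bin/df
/bin/ps
/sbin/dmesg'

# audit_setid ROOT
# Print, sorted, every regular file under ROOT that still has the setuid
# or setgid bit set and is not on the keep list. Paths are reported
# relative to ROOT, so the function can be pointed at a mounted image or
# a test tree as well as at / on a live system (ROOT is an assumption of
# this example).
audit_setid() {
    root=${1%/}                       # "/" becomes "", "/mnt/" becomes "/mnt"
    find "${root:-/}" -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r path; do
        rel=${path#"$root"}           # strip the ROOT prefix
        # Exact, whole-line match against the keep list.
        printf '%s\n' "$KEEP_SETID" | grep -Fqx -- "$rel" ||
            printf '%s\n' "$rel"
    done | sort
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_setid "$1"
fi
```

Empty output means every remaining set-id file is one the script chose to keep; anything printed was either missed by the chmod list or installed afterwards.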