Well, so far in this series we've hit upon basic Linux and Unix installation security, even more security measures, user, group and account-based security and ensuring existing software's security. Today, we're going to continue by going over some additional security software that you may (or may not) want to add to your list of always-installed security-enhancing programs. This post, like the basic Linux and Unix installation security post, is going to end up being a two-(long)-parter. If only I planned my writing before I sat down and wrote these little novels... ;)
OS Installation Guidelines, Part 4: Additional Software Installation
Note: Our assumption here is that you've built your additional custom software to live in /usr/local/encap/PRODUCT-VERSION and packaged your it using a program called encap, originally developed at UIUC by a former manager of mine, who's name I will not mention because I haven't seen him in a long time and I don't publish anything personal about anyone else but me on this blog (unless they want me to ;) If you're reading this, you know who you are and my hat's still off to you, sir. Thanks for politely kicking me in the arse until I got my act together ;) I'm actually super-old-school on this, install all my custom software in /usr/local/encap, prefer version 1.2 (encap.pl) and haven't ever had the need to complicate my life with any of the newer versions. They should all be available for download from the above link, including instructions on proper usage.
Apologies for getting misty up there ;) Aside from our assumption, which will explain some of the instructions, any (or all) of this can be handled by Solaris pkg's or RedHat RPM's (rolling your own is my preference if I go down that road, but, these days, the products that come out are usually good enough if you're okay with "default build options"). The relative pro's and con's of using encap or epkg vs. regular packages are listed at the encap FAQ.
Note, also, that any packages for which there are no additional instructions do not require any additional setup, necessarily.
1. Clean up the /usr/local area as well as possible:
Remove all compilers (preferably, build the software on a different machine, or just clean up when you're done) if the machine is on our network’s perimeter. Be sure to check if they were installed, using pkginfo on Solaris or rpm -qa on RedHat, so you can remove them that way.
Remove any unnecessary programs, or rebuild them in encapped form before deleting them. If you do build new packages in encapped form, follow the same process as building any encapped software and place it in the /usr/local/encap directory.
2. Install encap to place software –
mkdir –p /usr/local/encap
3. assuming that you've built everything on another server, unpack your compiled software bundle into /usr/local/encap. A good collection of packages might look something like this, and then some (Note that a lot of these programs are included with Solaris 10, Open Solaris and RedHat, but have been included for folks still using older OS versions):
tcp-wrappers – tcpd.
John The Ripper.
Log management scripts.
Perl – Statically stripped in production environments.
egd – Entropy Gathering Daemon.
Open-SSH (Compiled to use EGD).
wu-ftpd or similar ftp server (if necessary).
The Coroner’s ToolKit (TCT).
chkrootkit-latest-version (Or latest revision)
4. Create a file called /usr/local/encap/encap.exclude, which should include the lines:
/usr/local/encap/encap-1.2/bin/encap.pl /usr/local/encap /usr/local
NOTE: You really don't need to run this command until you have successfully installed all of the packages per the instructions following for each. If you do, you will need to re-run it once you’ve completed your installations to ensure that all the links get made (or removed) as necessary.
6. Install cops:
Copy your entire cops distribution to this directory.
Edit /usr/local/encap/cops-VERSION/cops and ensure that the secure directory is set to /usr/local/encap/cops-VERSION, the MMAIL variable is set to YES, the ONLY_DIFF variable is set to NO, the RUN_SUID variable is set to YES and the secure user is set to yourAdminGroup@yourhost.com.
Edit the cops executable script. Look for this section and add the noted line if it does not exist already:
if $TEST ! -s $RESULT".FILT" ; then
$RM -f $RESULT
$RM -f $RESULT".FILT" <--- Add this line so your directory doesn't fill up with useless files.
Fix reported problems
Run cops again.
Repeat until you’re left with a report you can live with.
Run /usr/local/encap/cops/cfm (a script you can grab from this previous post on how to create a cops filter file).
Add “/usr/local/encap/cops-VERSION/cops –f /usr/local/encap/cops-VERSION/cops_filter” to root's cron.
7. Install the gzip-gunzip encap package.
8. Install S/key (configure only if not a heavy-user machine or if the machine acts as a login gateway) – (Check out the s/key entry in Wikipedia for lots of links to downloads and explanations of this one-time-password system. OPIE, SecuRemote, and others are all equally worthwhile but s/key is about the cheapest you can get (Free!!! :)
Run “keyinit username” for all user accounts except root and system accounts.
Change all user account login shells to /usr/local/bin/keysh.
to be continued...
Monday, June 23, 2008