#!/usr/local/bin/bash

# securesystem.sh
#
# changes file flags (chflags), modes and SUID bits for security hardening
#
# Zoidial, Inc.
# Eric Thern, 2001, eric@zoidial.com

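# Abort on references to unset variables.  The script is otherwise
# deliberately best-effort (a missing optional path must not stop the
# rest of the hardening), so `set -e` is intentionally NOT used.
set -u

mode=${1-}

# Every command below rewrites ownership, modes and file flags on system
# paths; run by a non-root user it half-applies and leaves a mess, so
# refuse early.
if [ "$(id -u)" -ne 0 ]; then
  echo "securesystem.sh: must be run as root" >&2
  exit 1
fi

case $mode in
[aA]|-h|--help)
  echo "usage: securesystem.sh on|off"
  exit 0
  ;;
[oO][nN])
  echo "---"
  echo "this takes off a set of SUID bits and sets a ton of chmod's and flags"
  echo "securesystem.sh off, does NOT undo all of this, it merely takes off chflags"
  echo "---"

  # NOTE(security): the kernel refuses to clear the *system* immutable flag
  # (schg) once kern.securelevel >= 1, and the base system sets schg on some
  # of these binaries at install time.  The chflags calls below would then
  # fail silently one by one, so warn up front instead.
  securelevel=$(sysctl -n kern.securelevel 2>/dev/null)
  case $securelevel in
    ''|0|-1) ;;
    *) echo "warning: kern.securelevel is $securelevel; schg cannot be cleared, some chflags calls will fail" >&2 ;;
  esac

  #
  echo "changing flags noschg,nouchg,nouunlnk on directories"
  #
  # /sbin itself gets uchg at the end of this mode, so it must be cleared
  # here too or `chmod 700 /sbin` below fails (EPERM) on every re-run.
  chflags noschg,nouchg,nouunlnk /usr/libexec /usr/libexec/* /bin /usr/bin /sbin /usr/sbin /bin/* /usr/bin/* /sbin/* /usr/sbin/*
  #chflags -R noschg,nouchg,nouunlnk /usr/lib
  #
  echo "done setting flags"
  #

  #
  echo "take off SUID bits on these executables (only allow the few SUIDs that *need* to be here)"
  #
  # Strip setuid everywhere first, then put back only the allow-list.
  chmod u-s /usr/bin/*
  chmod 4550 /usr/bin/su
  chmod 4555 /usr/bin/{passwd,man,login,crontab}
  chgrp wheel /usr/bin/{who,last,finger,w}
  chmod 550 /usr/bin/{who,last,finger,w}
  chmod u-s /usr/sbin/*
  chmod u-s /sbin/*
  chmod u-s /bin/*
  # Optional trees: skip quietly when not installed rather than erroring
  # on an unexpanded glob.
  [ -d /usr/libexec/uucp ] && chmod -s /usr/libexec/uucp/*
  [ -d /usr/X11R6/bin ] && chmod -s /usr/X11R6/bin/*
  [ -d /usr/local/bin ] && chmod -s /usr/local/bin/*
  #
  echo "SUID's taken off"
  #

  #
  echo "change modes so that others cannot execute the following"
  #
  chmod o-rwx /bin/{df,rcp}
  chmod o-rwx /usr/bin/{who,last,finger,w,netstat,sockstat,users,write,wall,chpass,chsh,chgrp,chfn,chflags,fstat,ipcs,lp,lpq,lpr,lprm,systat,uustat,top,vmstat}
  chmod o-rwx /sbin/{ccdconfig,dump,rdump,ping,ping6}
  chmod o-rwx /usr/sbin/{iostat,lpc,lpd,mrinfo,mtrace,ppp,pppd,pstat,sliplogin,swapinfo,trpt,timedc,traceroute,traceroute6,ypbind,ypinit,yppoll,yppush,ypserv,ypset}
  [ -d /usr/local/sbin ] && chmod o-rwx /usr/local/sbin/*
  chmod o+rx /usr/bin/uptime
  #
  echo "modes changed for files"
  #

  #
  echo "change modes on configuration files"
  #
  # The chmods below use relative names; if the cd fails they would hit
  # whatever the caller's cwd happens to be.
  cd /etc || exit 1
  chmod 700 syslog.conf newsyslog.conf rc.sysctl rc.conf sysctl.conf crontab
  # this one is for when you run "named -u bind -g bind"
  # (a directory needs the x bit to be traversed, hence 750 and not 660)
  chown -R bind:bind namedb
  chmod 750 namedb
  # Drop the atrun entry from the system crontab.  Write through a mktemp
  # file and only replace crontab if sed succeeded, so a failed sed does
  # not leave an empty /etc/crontab.  `cat >` rather than `mv` keeps the
  # inode, mode and flags of the original file.
  crontab_tmp=$(mktemp /etc/crontab.XXXXXX) || exit 1
  if sed -e "/atrun/d" crontab > "$crontab_tmp"; then
    cat "$crontab_tmp" > crontab
  else
    echo "securesystem.sh: sed on /etc/crontab failed, crontab left unchanged" >&2
  fi
  rm -f "$crontab_tmp"
  #
  echo "done setting modes on config files"
  #

  #
  echo "copying some files to locations for users:"
  #
  # /sbin and /usr/sbin become 700 below, so users get setuid copies here.
  # NOTE(security): these are copies -- a later installworld or patch to
  # /sbin/ping or /usr/sbin/traceroute does not update them, so re-run
  # this script after every upgrade or the old setuid-root binaries stay.
  cp /sbin/ping /bin/ping
  cp /usr/sbin/traceroute /bin/traceroute
  chmod 4555 /bin/ping /bin/traceroute
  chmod o+rx /usr/bin/uptime
  #
  echo "ping and traceroute now are in /bin"
  #

  #
  echo "setting modes on directories"
  #
  chmod 711 /usr/local /usr/sbin /usr/local/etc /usr/libexec /etc /home
  chmod 700 /sbin /usr/local/sbin
  chmod 750 /var/log /var/at /var/yp /var/rwho
  chmod 700 /root
  chmod 700 /root/*
  #
  echo "done setting modes on directories"
  #

  #
  echo "setting uchg,uunlnk flags....."
  #
  # NOTE(security): these are *user* flags.  Unlike schg they can be
  # cleared by the file owner (root) at any securelevel, so they protect
  # against accidents, not against an attacker who already has root.
  # The noschg above also removed whatever schg the base install set.
  chflags uchg,uunlnk /usr/libexec /bin /sbin /usr/bin /usr/sbin
  chflags uchg,uunlnk /usr/libexec/* /bin/* /sbin/* /usr/sbin/* /usr/bin/*
  #
  echo "done setting uchg,uunlnk flags"
  #

  # in a nutshell:
  # - unsets chflags so that it can do its work
  # - creates .history and .bash_history (if not present)
  # - changes the owner to be root, and the group to be the user's group
  # - changes modes to 770: root (owner) and the user's group can read/write;
  #   nobody else can touch the file
  # (this makes it so other users can't mess with history files, as long as
  #  they are in a different group)
  # - sets the uunlnk (user undeletable) and uappnd (user append only) flags;
  #   because the owner is root, the user cannot clear them
  # assumes every login has a group of the same name (FreeBSD adduser
  # default) -- chgrp fails for users without one
  #
  echo "Unsetting .*history flags"
  #
  for home in /usr/home/*/; do
    [ -d "$home" ] || continue
    for hist in "$home".*history; do
      [ -e "$hist" ] && chflags nouunlnk,nouappnd,nosappnd,nosunlnk "$hist"
    done
  done
  #
  echo "Setting .*history flags uunlnk,uappnd"
  #
  for home in /usr/home/*/; do
    [ -d "$home" ] || continue
    user=${home%/}
    user=${user##*/}
    touch "$home.history" "$home.bash_history"
    chown root "$home".*history
    chgrp "$user" "$home".*history
    chmod 770 "$home".*history
    chflags uunlnk,uappnd "$home".*history
  done
  #
  echo "done setting .*history flags"
  #

  echo "System is now rediculously more secure!"
  exit 0
  ;;
[oO][fF][fF])
  #
  echo "unsetting flags noschg,nouchg,nouunlnk on files"
  echo "unsetting nouappnd,nouunlnk on .*history files"
  #
  # Only the flags are reverted; modes, ownership and the stripped SUID
  # bits from "on" stay as they are (see the banner printed by "on").
  chflags noschg,nouchg,nouunlnk /usr/libexec /bin /sbin /usr/bin /usr/sbin
  chflags noschg,nouchg,nouunlnk /usr/libexec/* /bin/* /sbin/* /usr/sbin/* /usr/bin/*
  for hist in /usr/home/*/.*history; do
    [ -e "$hist" ] && chflags nouappnd,nouunlnk "$hist"
  done
  #
  echo "flags unset!"
  #
  exit 0
  ;;
*)
  # Previously an unknown argument fell through `esac` and exited 0 doing
  # nothing, which is easy to mistake for success.
  echo "usage: securesystem.sh on|off" >&2
  exit 2
  ;;
esac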

