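#!/usr/bin/env bash
#
# securesystem
#
# changes flag and other settings for security
#
# Zoidial, Inc.
# Eric Thern, 2001, eric@zoidial.com
#
# v0.1 08/10/2001 - initial release
# v0.2 10/01/2001 - updated chflags and unsetting SUID's system, (less) false positives
# v0.3 10/28/2001 - updated how it is started, can't 'mistakenly' run script
# v0.4 07/31/2002 - updated a /tmp link and rm problem
#                   --- updated some new SUID's that come with FreeBSD 4.5+
#
# Usage: run as root on FreeBSD with kern.securelevel <= 0 (the kernel refuses
# "chflags noschg" once securelevel is raised, and every chmod on an schg file
# would then fail).  Answer "2" at the prompt to apply the changes.  There is no
# automatic undo: "securesystem.sh off" only clears the immutable flags again.
#
# Review notes for this revision:
#   - /usr/bin/opieinfo and /usr/bin/opiepasswd had schg cleared but were never
#     re-flagged at the end; the immutable set is now ONE list that is cleared
#     and restored symmetrically.
#   - /etc/crontab is rewritten through a mktemp(1) file and copied back only
#     after sed succeeded, so a failing sed can no longer truncate the crontab.
#   - Refuses to run as non-root or at securelevel > 0 instead of half-applying.
#   - read -r, quoted expansions, and EOF on the prompt exits instead of
#     re-printing the banner forever.

# Not "set -e": nearly every step is a best-effort chmod/chflags on a file that
# may not exist on a given install, and the original deliberately carried on.
set -u

# Binaries that ship with the schg (system immutable) flag.  schg blocks chmod
# even for root, so the flag is cleared before the mode changes and set again
# afterwards on exactly the same files.
readonly immutable_bins=(
  /usr/bin/cu /usr/bin/uucp /usr/bin/uuname /usr/bin/uustat /usr/bin/uux
  /usr/bin/man
  /usr/bin/chpass /usr/bin/chfn /usr/bin/chsh
  /usr/bin/opieinfo /usr/bin/opiepasswd
  /usr/bin/ypchpass /usr/bin/ypchfn /usr/bin/ypchsh
  /usr/bin/login /usr/bin/passwd /usr/bin/yppasswd
  /usr/bin/rlogin /usr/bin/rsh /usr/bin/su /usr/bin/tip /usr/bin/crontab
  /usr/sbin/sliplogin
  /bin/rcp
  /sbin/init
)

# Information-leaking and network tools that "other" users must not be able to
# run.  /usr/bin/w is intentionally absent: it is moved to /usr/local/sbin and
# restricted there (see restore_privileged).
readonly no_world_access=(
  /bin/df /bin/rcp
  /usr/bin/who /usr/bin/last /usr/bin/finger
  /usr/bin/netstat /usr/bin/sockstat /usr/bin/users /usr/bin/write /usr/bin/wall
  /usr/bin/chpass /usr/bin/chsh /usr/bin/chgrp /usr/bin/chfn /usr/bin/chflags
  /usr/bin/fstat /usr/bin/ipcs
  /usr/bin/lp /usr/bin/lpq /usr/bin/lpr /usr/bin/lprm
  /usr/bin/systat /usr/bin/uustat /usr/bin/top /usr/bin/vmstat
  /sbin/ccdconfig /sbin/dump /sbin/rdump /sbin/ping /sbin/ping6
  /usr/sbin/lpc /usr/sbin/lpd /usr/sbin/mrinfo /usr/sbin/mtrace
  /usr/sbin/ppp /usr/sbin/pppd /usr/sbin/pstat /usr/sbin/sliplogin
  /usr/sbin/swapinfo /usr/sbin/trpt /usr/sbin/timedc
  /usr/sbin/traceroute /usr/sbin/traceroute6
  /usr/sbin/ypbind /usr/sbin/ypinit /usr/sbin/yppoll /usr/sbin/yppush
  /usr/sbin/ypserv /usr/sbin/ypset
)

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Abort before touching anything if the run cannot succeed: root is needed for
# every step, and chflags noschg is refused by the kernel at securelevel >= 1,
# which would leave the system half-modified.
#######################################
preflight() {
  [[ "$(id -u)" -eq 0 ]] || die "securesystem: must be run as root"
  local level
  level=$(sysctl -n kern.securelevel 2>/dev/null || echo 0)
  [[ "$level" -le 0 ]] ||
    die "securesystem: kern.securelevel is $level; schg flags cannot be cleared (run at securelevel 0)"
}

#######################################
# Clear the immutable flag on immutable_bins so the chmods below can apply.
#######################################
clear_immutable() {
  printf '%s\n' "changing flags from schg to noschg on certain files"
  chflags noschg "${immutable_bins[@]}"
  printf '%s\n' "done setting flags"
}

#######################################
# Strip setuid from the system binary directories (setuid AND setgid from the
# add-on directories).  The few that must stay privileged are re-added in
# restore_privileged.
#######################################
strip_suid() {
  printf '%s\n' "take off SUID bits on these executables (only allow the few SUIDs that *need* to be here)"
  chmod u-s /usr/bin/* /usr/sbin/* /sbin/* /bin/*
  chmod -s /usr/libexec/uucp/* /usr/X11R6/bin/* /usr/local/bin/*
  printf '%s\n' "SUID's taken off"
}

#######################################
# Remove all "other" permission bits from no_world_access and /usr/local/sbin.
#######################################
restrict_world_access() {
  printf '%s\n' "change modes so that others cannot execute the following"
  chmod o-rwx "${no_world_access[@]}" /usr/local/sbin/*
  printf '%s\n' "modes changed for files"
}

#######################################
# Lock down configuration files, drop atrun from the crontab, hide utmp and
# make /usr/tmp a symlink to /tmp.
#######################################
lock_config_files() {
  printf '%s\n' "change modes on configuration files"
  chmod 700 /etc/syslog.conf /etc/newsyslog.conf /etc/rc.sysctl \
    /etc/rc.conf /etc/sysctl.conf /etc/crontab

  # remove all 'at' junk from crontab.  Write to a mktemp(1) file (mode 0600,
  # unpredictable name) and copy back with cat so /etc/crontab keeps its inode,
  # owner and mode; the copy happens only if sed succeeded, so a failure can no
  # longer leave an empty crontab behind.
  local scratch
  scratch=$(mktemp /etc/crontab.XXXXXX) || die "securesystem: mktemp failed"
  if sed -e '/atrun/d' /etc/crontab > "$scratch"; then
    cat "$scratch" > /etc/crontab
  else
    printf '%s\n' "securesystem: sed on /etc/crontab failed, crontab left unchanged" >&2
  fi
  rm -f -- "$scratch"

  # don't let users get information about who is logged in from here
  chmod o-rwx /var/run/utmp

  # make the /usr/tmp a link (more secure).  NOTE(review): this deletes whatever
  # is currently under /usr/tmp.  The link is created only once the removal
  # succeeded so a leftover directory cannot turn into /usr/tmp/tmp.
  rm -rf -- /usr/tmp && ln -s /tmp /usr/tmp
  printf '%s\n' "done setting modes on config files"
}

#######################################
# Re-add the setuid bit to the binaries that need it and restrict the
# who/last/finger/w family to group wheel.
#######################################
restore_privileged() {
  printf '%s\n' "Make sure some permissions are added for some files:"
  # w leaves world-searchable /usr/bin for root-only /usr/local/sbin; skip the
  # move on a re-run where it has already happened.
  if [[ -e /usr/bin/w ]]; then
    mv /usr/bin/w /usr/local/sbin/w
  fi
  # Group first, mode last: chown(2) may clear setuid bits for some callers on
  # BSD, so chmod must be the final operation on su.
  chgrp wheel /usr/bin/su
  chmod 4550 /usr/bin/su
  # Owner is left as-is; this only re-adds the setuid bit strip_suid removed.
  chmod 4555 /usr/bin/passwd /usr/bin/man /usr/bin/login /usr/bin/crontab
  chgrp wheel /usr/bin/who /usr/bin/last /usr/bin/finger /usr/local/sbin/w
  chmod o-rwx /usr/bin/who /usr/bin/last /usr/bin/finger /usr/local/sbin/w
  chmod 555 /usr/bin/uptime
  printf '%s\n' "permissions set for select files"
}

#######################################
# Tighten directory modes and hand /etc/namedb to the bind user.
#######################################
set_directory_modes() {
  printf '%s\n' "setting modes on directories"
  chmod 711 /usr/local /usr/sbin /usr/local/etc /usr/libexec /etc /home
  chmod 700 /sbin /usr/local/sbin
  chmod 750 /var/log /var/at /var/yp /var/rwho
  chmod 700 /root /root/*
  chmod 700 /usr/src /usr/ports
  # this one is for when you run "named -u bind -g bind"
  chown -R bind:bind /etc/namedb
  chmod 750 /etc/namedb
  printf '%s\n' "done setting modes on directories"
}

#######################################
# Put the immutable flag back on the same set clear_immutable removed it from.
#######################################
restore_immutable() {
  printf '%s\n' "setting back schg flags on files:"
  chflags schg "${immutable_bins[@]}"
  printf '%s\n' "done setting schg flags"
}

#######################################
# Apply every hardening step in the original order.
#######################################
secure_the_system() {
  printf '%s\n' "---"
  printf '%s\n' "this takes off a set of SUID bits and sets a ton of chmod's and flags"
  printf '%s\n' "securesystem.sh off, does NOT undo all of this, it merely takes off chflags"
  printf '%s\n' "---"
  clear_immutable
  strip_suid
  restrict_world_access
  lock_config_files
  restore_privileged
  set_directory_modes
  restore_immutable
  printf '%s\n' "SUID's removed and some better permissions set!"
}

#######################################
# Interactive entry point: confirm, then apply.  Any other answer re-prompts.
#######################################
main() {
  local choice
  preflight
  while :; do
    printf '%s\n' "BE CAREFUL WITH THIS!"
    printf '%s\n' "THIS UTILITY CAN RUIN YOUR WHOLE SYSTEM"
    printf '%s\n' "PLEASE REVIEW WHAT IT DOES BEFORE YOU CONTINUE"
    printf '\n'
    printf '%s\n' "1) Quit!"
    printf '%s\n' "2) Secure The System!"
    printf '\n'
    # EOF on stdin (non-interactive run) is a refusal, not a retry.
    read -r choice || die "Quitting: no answer on stdin."
    case "$choice" in
      1)
        printf '%s\n' "Quitting."
        exit 0
        ;;
      2)
        secure_the_system
        exit 0
        ;;
      *)
        printf '%s\n' "Please answer 1 or 2." >&2
        ;;
    esac
  done
}

main "$@"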