Lost access to server after running CIS hardening script

From: sunhux G (sunhux@gmail.com)
Date: Fri Apr 04 2008 - 05:13:51 EST


Hi,

After running the hardening script below, I found
that no other users could log in to the system
anymore.

I'm currently the only user accessing the system
with a single ssh.

With my only ssh session still logged in, I tried a few
things :

created /.rhosts to permit other Solaris servers' root
to rlogin (and ran "svcadm enable svc:/network/login:rlogin"):
I was prompted for the root password, but it appeared not
to be accepted (even though I had reset the root
password from that sole ssh session, which I am still in).

Tried the console using root (did not enter 3 consecutive
wrong password for root).

Tried resetting one of my colleagues' account passwords and
logging in with ssh, but that did not work either.

What is the equivalent of "admintool" in Solaris 10? I
want to check whether accounts have been locked.

I don't think I should be booting this server from CD-ROM
to recover passwords, as it appears not to be a
password issue.

Thanks
U

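#!/bin/sh
# Disable the network services and legacy rc scripts that Solaris 10
# starts by default, to bring the box to the CIS Level-1 benchmark.
#
# Run with no modifications, this script leaves only sshd running.
# Any questions see Sam N.
#
# Notes for anyone running this:
#   * It targets the Solaris 10 Bourne shell (/bin/sh), which has no
#     $(...) or [[ ]]; backticks and [ ] are used on purpose.
#   * It disables services in bulk and has no rollback.  Keep a console
#     or a second ssh session open, back up /etc/syslog.conf,
#     /etc/default/login and /etc/default/cron beforehand, and confirm
#     that another user can still log in before closing your session.
#   * Lines commented out with "###" are deliberately left untouched.
#
# Trace every command so the run can be reviewed afterwards.
set -x
# Item 1.1, enable sshd :)
svcadm enable svc:/network/ssh:default
# Item 1.2, rpcbind
svcadm disable svc:/network/rpc/bind:default
# Item 1.3, secure RPC
svcadm disable svc:/network/rpc/keyserv:default
# Item 1.4, NIS server
svcadm disable svc:/network/nis/server:default
svcadm disable svc:/network/nis/passwd:default
svcadm disable svc:/network/nis/update:default
svcadm disable svc:/network/nis/xfr:default
# Item 1.5, NIS client
svcadm disable svc:/network/nis/client:default
# Item 1.6, NIS+
svcadm disable svc:/network/rpc/nisplus:default
# Item 1.7, LDAP cache mgr
svcadm disable svc:/network/ldap/client:default
# Item 1.8, Kerberos server
svcadm disable svc:/network/security/kadmin:default
svcadm disable svc:/network/security/krb5kdc:default
svcadm disable svc:/network/security/krb5_prop:default
# Item 1.9, Kerberos client
svcadm disable svc:/network/security/ktkt_warn:default
# Item 1.10, GSS
svcadm disable svc:/network/rpc/gss:default
# Item 1.11, GUI
### mv /etc/rc2.d/S99dtlogin /etc/rc2.d/.NOS99dtlogin 2>> /tmp/Cis1.o
### svcadm disable svc:/network/rpc-100083_1/rpc_tcp:default
# Item 1.12, Solaris Management Console
### mv /etc/rc2.d/S90wbem /etc/rc2.d/.NOS90wbem 2>> /tmp/Cis1.o
### mv /etc/rc2.d/S90webconsole /etc/rc2.d/.NOS90webconsole 2>> /tmp/Cis1.o
# Item 1.13, volume manager
### svcadm disable svc:/network/rpc/smserver:default
### mv /etc/rc3.d/S81volmgt /etc/rc3.d/.NOS81volmgt 2>> /tmp/Cis1.o
# Item 1.14, SAMBA
# NOTE(review): /tmp/Cis1.o is a fixed name in a world-writable directory;
# a log under /var/adm (or plain 2>/dev/null like the other mv lines)
# would be safer.
mv /etc/rc3.d/S90samba /etc/rc3.d/.NOS90samba 2>> /tmp/Cis1.o
# Item 1.15, NFS server
svcadm disable svc:/network/nfs/server:default
svcadm disable svc:/network/nfs/cbd:default
svcadm disable svc:/network/nfs/mapid:default
# Item 1.16, rquota
svcadm disable svc:/network/nfs/rquota:default
# Item 1.17, NFS client
svcadm disable svc:/network/nfs/client:default
# Both NFS servers and clients need these (see Items 1.15 and 1.17 above)
svcadm disable svc:/network/nfs/status:default
svcadm disable svc:/network/nfs/nlockmgr:default
# Item 1.18, auto mounter
svcadm disable svc:/system/filesystem/autofs:default
# Item 1.19, telnet server
svcadm disable svc:/network/telnet:default
# Item 1.20, FTP server
svcadm disable svc:/network/ftp:default
# Item 1.21, rlogin/rsh servers
svcadm disable svc:/network/login:rlogin
svcadm disable svc:/network/shell:default
# Item 1.22, boot services
svcadm disable svc:/network/rpc/bootparams:default
svcadm disable svc:/network/rarp:default
# Item 1.23, DHCP server
svcadm disable svc:/network/dhcp-server:default
# Item 1.24, DNS server
svcadm disable svc:/network/dns/server:default
# Set up a TFTP server entry if inetd does not know about one yet
# (presumably so that Item 1.25 below has a service instance to disable).
# The temporary files are created and removed inside /var/svc/profile, so
# abort if we cannot get there rather than run the rm -f elsewhere.
if [ ! "`inetadm | grep tftp`" ]; then
  cd /var/svc/profile || { echo "cannot cd to /var/svc/profile" >&2; exit 1; }
  echo 'tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd /tftpboot' \
    > inetd-tftpd.tmp
  inetconv -n -i ./inetd-tftpd.tmp -o /var/svc/profile
  sed 's#tftp/udp6#tftp#' tftp-udp6.xml > tftp.xml
  svccfg import tftp.xml
  rm -f inetd-tftpd.tmp tftp-udp6.xml tftp.xml
fi
# Item 1.25, TFTP server
svcadm disable svc:/network/tftp:default
# Item 1.26, print servers
# Use -s for print/cleanup because it has already been started
# before upgrade script is read
svcadm disable -s svc:/application/print/cleanup:default
svcadm disable svc:/application/print/server:default
svcadm disable svc:/application/print/rfc1179:default
# Item 1.27, Web servers
# Apache 2.x (the first line below) is preferred. If you would
# rather run Apache 1.3.x, then disable the Apache 2.x service and
# move the /etc/rc3.d/S50apache script back into place.
#
svcadm disable svc:/network/http:apache2
mv /etc/rc3.d/S50apache /etc/rc3.d/.NOS50apache 2>/dev/null
mv /etc/rc2.d/S42ncakmod /etc/rc2.d/.NOS42ncakmod 2>/dev/null
mv /etc/rc2.d/S94ncalogd /etc/rc2.d/.NOS94ncalogd 2>/dev/null
# Item 1.28, SNMP server (initsma is net-snmp)
mv /etc/rc3.d/S82initsma /etc/rc3.d/.NOS82initsma 2>/dev/null
# Item 1.29, Solaris Volume Manager (software RAID) services
### svcadm disable svc:/system/metainit:default
### svcadm disable svc:/platform/sun4u/mpxio-upgrade:default
### svcadm disable svc:/system/mdmonitor:default
# Item 1.30, Solaris Volume Manager GUI services
### svcadm disable svc:/network/rpc/mdcomm:default
### svcadm disable svc:/network/rpc/meta:default
### svcadm disable svc:/network/rpc/metamed:default
### svcadm disable svc:/network/rpc/metamh:default
# Item 1.31, inetd
# Keep inetd itself only if at least one inetd service is still enabled.
if [ "`inetadm | grep '^enable'`" ]; then
  svcadm enable svc:/network/inetd:default
else
  svcadm disable svc:/network/inetd:default
fi
# Item 1.32, sendmail
svcadm disable svc:/network/smtp:sendmail
# Item 1.33, all the other services nothing here should need
svcadm disable svc:/network/chargen:dgram
svcadm disable svc:/network/chargen:stream
svcadm disable svc:/network/daytime:dgram
svcadm disable svc:/network/daytime:stream
svcadm disable svc:/network/discard:dgram
svcadm disable svc:/network/discard:stream
svcadm disable svc:/network/echo:dgram
svcadm disable svc:/network/echo:stream
svcadm disable svc:/network/time:dgram
svcadm disable svc:/network/time:stream
svcadm disable svc:/network/rpc/rex:default
svcadm disable svc:/network/rexec:default
svcadm disable svc:/network/uucp:default
svcadm disable svc:/network/comsat:default
svcadm disable svc:/network/rpc/spray:default
svcadm disable svc:/network/rpc/wall:default
svcadm disable svc:/network/tname:default
svcadm disable svc:/network/talk:default
svcadm disable svc:/network/finger:default
svcadm disable svc:/network/rpc/rstat:default
svcadm disable svc:/network/rpc/rusers:default
svcadm disable svc:/network/rpc/ocfserv:default
svcadm disable svc:/network/login:eklogin
svcadm disable svc:/network/login:klogin
svcadm disable svc:/network/shell:kshell
# Use -s for system/power because it has already been started
# before upgrade script is read
svcadm disable -s svc:/system/power:default
svcadm disable svc:/network/slp:default
svcadm disable svc:/application/management/webmin:default
svcadm disable svc:/system/consadm:default
svcadm disable svc:/application/gdm2-login:default
svcadm disable svc:/application/print/ipp-listener:default
# Use -s for system/name-service-cache because it has already
# been started before upgrade script is read
svcadm disable -s svc:/system/name-service-cache:default
svcadm disable svc:/network/apocd/udp:default
### svcadm disable svc:/application/x11/xfs:default
### svcadm disable svc:/application/font/stfsloader:default
### svcadm disable svc:/network/rpc-100068_2-5/rpc_udp:default
### svcadm disable svc:/network/rpc-100235_1/rpc_ticotsord:default
# Item 1.33, move the remaining (legacy) rc2.d/rc3.d stuff out of the way.
# Renaming to a dot-prefixed name keeps the script on disk but stops init
# from running it; errors (script not present) are ignored on purpose.
mv /etc/rc2.d/S40llc2 /etc/rc2.d/.NOS40llc2 2>/dev/null
mv /etc/rc2.d/S47pppd /etc/rc2.d/.NOS47pppd 2>/dev/null
mv /etc/rc2.d/S70uucp /etc/rc2.d/.NOS70uucp 2>/dev/null
mv /etc/rc2.d/S72autoinstall /etc/rc2.d/.NOS72autoinstall 2>/dev/null
mv /etc/rc2.d/S73cachefs.daemon /etc/rc2.d/.NOS73cachefs.daemon 2>/dev/null
mv /etc/rc2.d/S89bdconfig /etc/rc2.d/.NOS89bdconfig 2>/dev/null
mv /etc/rc2.d/S89PRESERVE /etc/rc2.d/.NOS89PRESERVE 2>/dev/null
mv /etc/rc3.d/S16boot.server /etc/rc3.d/.NOS16boot.server 2>/dev/null
mv /etc/rc3.d/S52imq /etc/rc3.d/.NOS52imq 2>/dev/null
mv /etc/rc3.d/S84appserv /etc/rc3.d/.NOS84appserv 2>/dev/null
mv /etc/rc3.d/S75seaport /etc/rc3.d/.NOS75seaport 2>/dev/null
mv /etc/rc3.d/S76snmpdx /etc/rc3.d/.NOS76snmpdx 2>/dev/null
mv /etc/rc3.d/S77dmi /etc/rc3.d/.NOS77dmi 2>/dev/null
mv /etc/rc3.d/S80mipagent /etc/rc3.d/.NOS80mipagent 2>/dev/null
#
#
# some additional hardening follows :
#
# Send auth and daemon messages to their own log files unless syslog.conf
# already has an uncommented entry for each.  printf is used instead of
# "echo -e": the Solaris /bin/sh echo does not recognize -e and would write
# a literal "-e" into syslog.conf.  syslog.conf requires TABs (not spaces)
# between the selector and the action, hence the \t in the format string.
syslog_changed=0
if [ ! "`grep -v '^#' /etc/syslog.conf | grep /var/log/authlog`" ]; then
  printf 'auth.info\t\t\t/var/log/authlog\n' >> /etc/syslog.conf
  syslog_changed=1
fi
#
#
if [ ! "`grep -v '^#' /etc/syslog.conf | grep /var/log/connlog`" ]; then
  printf 'daemon.debug\t\t\t/var/log/connlog\n' >> /etc/syslog.conf
  syslog_changed=1
fi
#
#
# connlog must exist and be root-only before syslogd starts writing to it.
touch /var/log/connlog
chown root:root /var/log/connlog
chmod 600 /var/log/connlog
logadm -w connlog -C 13 -a 'pkill -HUP syslogd' /var/log/connlog
# syslogd only rereads its configuration on SIGHUP; without this the new
# entries would not take effect until the next restart or log rotation.
if [ "$syslog_changed" = 1 ]; then
  pkill -HUP syslogd
fi
#
#
# /var/adm/loginlog is only written to when it exists with these
# ownership and permissions.  SYSLOG_FAILED_LOGINS=0 is meant to make
# every failed login attempt get logged (see login(1) for the exact
# semantics).  The awk pattern also matches a commented-out
# "#SYSLOG_FAILED_LOGINS=..." line and replaces the whole first field, so
# it uncomments that line as a side effect.  mv replaces the file (and its
# owner/mode) with login.new's; pkgchk -f restores the attributes recorded
# in the package database.  The rewrite is skipped if awk fails so a
# truncated login file is never installed.
touch /var/adm/loginlog
chown root:sys /var/adm/loginlog
chmod 600 /var/adm/loginlog
cd /etc/default || { echo "cannot cd to /etc/default" >&2; exit 1; }
awk '/SYSLOG_FAILED_LOGINS=/ { $1 = "SYSLOG_FAILED_LOGINS=0" }; \
{ print }' login > login.new && mv login.new login
pkgchk -f -n -p /etc/default/login
logadm -w loginlog -C 13 /var/adm/loginlog
#
#
# Turn on cron job logging (same rewrite-and-restore-attributes pattern).
cd /etc/default || { echo "cannot cd to /etc/default" >&2; exit 1; }
awk '/CRONLOG=/ { $1 = "CRONLOG=YES" }; \
{ print }' cron > cron.new && mv cron.new cron
pkgchk -f -n -p /etc/default/cron
#
# the end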