### ### Copyright 2000-2008 University of Illinois Board of Trustees ### All rights reserved. ### ### TODO - What we still have on our plate ### ### Campus Information Technologies and Educational Services ### University of Illinois at Urbana-Champaign ### cisecurity.org Fixes * Create/Maintain cron and at allow/deny files. * Integrate Bastille Linux into psgconf. * use_banners directives to set in + /etc/issue{.net} and /etc/motd + /etc/default/telnetd on Solaris. + Xresources + ftpwelcome, banner.msg or vsftpd.conf * umask setting + /etc/init.d/functions on RHEL. + /etc/default/login on Solaris. + ftpaccess * Disable inetd/xinetd if there is nothing in the hash directives (i.e. to be put into the config files). * Remove unused daemon accounts, i.e. bin, man, etc. * Kernel and network tuning. + syn cookie protection. * Add nosuid/nodev to mount entries in /etc/fstab. * Force root password in single user (Warn if root account disabled) + RHEL + Modifying the /etc/ttys file (console line=> insecure) on FreeBSD and MacOSX. * Force NFS Privilege Port only. + /etc/system for Solaris (nfssrv:nfs_portmon = 1). + /etc/sysctl.conf for FreeBSD. * Disable core dump directive + /etc/hostconfig on Mac OS X. + /etc/sysctl.conf on FreeBSD. + limits.conf on RHEL. + coreadm on Solaris. * Lockout accounts after multiple login failures. * Install and use Tripwire, bart, samhein or osiris * Use cron to run ntpdate instead of running ntpd. * Kernel Auditing on RHEL, Solaris, OSX. * Use MaxAuthTries and MaxAuthTriesLog for sshd_config on Solaris 10. But I do not see it in the documentation. * /etc/default/login enable SYSLOG_FAILED_LOGINS * /etc/default/cron enable CRONLOG * /etc/default/init enable CMASK * /etc/rmmount.conf set the nosuid flag on all mounts. * Disable power management on Solaris, RHEL. + /etc/default/power and /etc/default/sys-suspend for Solaris. Bug Fixes * Have Action::RestartDaemon run svcadm refresh FMRI on Solaris 10, and use stopsrc on AIX. * Remove the save_file function from PSGConf.pm, and implement it in PSGConf::Action. * Rename FOO_path to FOO_cmd for directives that reference commands directly and are not path variables. For other files that are call FOO_path change them to FOO_file. * Create a set once hash value to the PSGConf::Data->new() method so we can detect overwriting values that we previously set. Could be used in www_vh_root_svc hash. * Have Action::CopyFile reset file modes of the backed up file. * Having a host's IP address change is not caught by psgconf because it is looking first in /etc/hosts. * Add/Remove rpcuser login and group on Linux systems when NFS is enabled. New Modules * Control::Zones + Use zoneconfig to modify the netmask of the non global zone. + IPC configurations (not in /etc/system anymore) Use prctl on Solaris 10. + Modify the inittab hash to remove unneeded entries? + Allow people on the admins hash to run 'zlogin -C ' in the global zone, for zones they are manager of. + Modify the anon_ftp_chroot_files hash to change the /devices/YYY entries to /dev/XXX. * Control::ALOM (Maybe in Control::Solaris) + Use the scadm command to maintain accounts and configurations on the Solaris LOM/ALOM. * Control::Compiler * Control::Jails * Control::Oracle * Control::Console to support console tty settings. + /etc/security/console.perms + /etc/login.conf + /etc/securetty * Control::Xorg/XFree86 * Control::Samba * Control::Resources (The stack size, file size limit, etc)... + /etc/security/limits on AIX + /etc/systems on Solaris 8 & 9 + prctl on Solaris 10 + /etc/login.conf on FreeBSD + /etc/security/limits.conf on Linux * Control::CVS * Control::FireWall + ipchains for RHEL. + ipfilter for Solaris. + ipfw for FreeBSD and Mac OS X. + pf for FreeBSD, OpenBSD. * Control::Partitions + /etc/fstab For FreeBSD, etc + /etc/vfstab For Solaris + /etc/filesystems For AIX. * Control::htaccess * Control::Users::Local * Control::Users::LDAP * Control::Users::YP/NIS+ * Control::DHCP * Control::SVM * Control::syslog-ng * Control::DNS::Master * Control::DNS::Slave * Control::Kerberos * Control::Term * Action::GenerateFile::XMLFile * Action::TermInfo * DataStore::ConfigFile::CVS module to fetch config files from cvs. * DataStore::XML Minor enhancements * Rewrite Control::Apache to be more flexable and extendable. * Rewrite Control::TSM to be more flexable and support TDP configs. * Add support to change the default password encryption + /etc/login.conf on FreeBSD + /etc/libuser.conf on Linux * Add support to disable the suexec use in Apache, expecially when the www_user_name is not the default (httpd/apache). * Maintain sendmail virtusertable (sendmail_virtusers hash directive). * Have Action::PackageManager::Encap be able to determine what package is linked in currently. * Support running the commands with a ROOT_DIR offset (ala -R for pkgadd). * Set the timezone in Control::NTP module. * Replace tsm_df_command directive with the Sys::Filesystem module. * Maintain /etc/securetty on Linux * Maintain /etc/sysconfig/rhn/sources on Linux (for PackageManager::RedHat::RHN). * Add SUNWcnetr package for Solaris 10 DHCP configurations. * Update /etc/default/dhcpagent (add 6,15,28 to PARAM_REQUEST_LIST on Sol9). * Have make install setup a better default psg.conf file with directives enabled based on what it found on the system in the first place. * Have Control::RedHat remove gpg-pubkeys that are not in the gpg_keys directive. * Maintain the /etc/ssh/known_hosts file. * Have Control::Users use the useradd/del, groupadd/del, etc. commands to manage accounts, groups and clean up old home directories. * Configure TCP keepalive settings on all platforms. * Maintain /etc/csh.login (move stuff from /etc/csh.cshrc where appropriate). * Add support in PSGConf::Data::Table for virtual column names. * Have pkg_default_versions fully support the multiple pkg_separator fields so to be able to match a subset of those versions. For Encaps, there are versions and profile updates (+N), for RPMS there are versions and revisions, for Solaris there is versions and patch numbers, where ,REV=XXX is the patch, etc. is the patch level, for Solaris REV=XXX is the patch, etc. * Add package signing support to the PackageManager routines for Solaris. * Backup all files to separate directory structure, maybe under /var/log/maintenance or in CVS. Major redesign * Remove all platform matching constructs for directive tests. No OS specific code should be in the code. * Be able to run subset of Control modules via the command line. * Rewrite all pod documentation to be clearer for novice admins and use POD modules. * Reduce the number of Action Classes to just the basic file manipulation ones, Copy, Move, Remove, Symlink, Generate, etc. Most of the code should be moved into the associated Control class. * Warning on directives that do not change state (i.e. unused). * Have inheritance in Control Modules + tcp_wrappers configurations. + FOO_enable directives. + FOO_packages lists. + add_sendmail_alias + add_rc_scripts * Rewrite all Action::GenerateFile::*.pm to use Action::GenerateFile::Template.pm and the template defined in /usr/local/share/psgconf/files/templates/. Which template file that is used will be defined in the Control module that registers the Action. * Be able to have policies be written in Config::Objective format and read from a specified policy file. * Replace psgconf_modules with a modules hash with the key being the Control module, the value being on or off (i.e. psgconf disables the service, or ignore where psgconf does not manage the service). * Be able to add policies w/o adding them to the psgconf_modules file. * Have PackageManager be specified via Config::Objective directive and not in psgconf_modules. * Have psgconf able to generate its psgconf_modules file for list of Control modules. * Have command line directives (via -o) override config files directives. Last Updated: Mon Dec 31 12:09:56 CST 2007