#!/bin/ksh
#
# armor ver. 1.1
# Created by Lance Spitzner lance@spitzner.net
# 10 August 1998
# Last Modified: 29 November, 1999
#
# The purpose of this script is to armor a new
# installation of Solaris 2.7, 2.6 or 2.5.1, SPARC 
# or x86 on intel. For more info, please see the
# README
#
# Please forward all recommendations, flames, or 
# corrections to lance@spitzner.net
#

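### Set a trusted PATH so that every command below resolves to a
### system binary rather than to something planted in the invoking
### user's PATH.
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
export PATH


### Ensure that you are uid 0 and on solaris (SPARC or x86) before continuing.
### `id` prints "uid=0(root) gid=..." for root; only the first word is
### compared.  Both tests quote their operands so an empty or unexpected
### value cannot break the test syntax (and thereby skip the check).
set -- `id`
if [ "$1" != "uid=0(root)" ]; then
        echo "Opps, don't forget you have to be root to run this script!" 1>&2
        exit 5
fi

ostype=`uname`
if [ "$ostype" != "SunOS" ]; then
	echo "Opps, this only runs on the Solaris operating system.  Sorry." 1>&2
	exit 10
fi

### The header says this script was written for Solaris 2.5.1, 2.6 and
### 2.7 (SunOS 5.5.1, 5.6, 5.7).  The file names, su paths and ndd
### parameters used below were chosen for those releases, so warn --
### but do not stop -- on anything else.
osrel=`uname -r`
case "$osrel" in
	5.5.1|5.6|5.7) ;;
	*)
		echo "WARNING: SunOS $osrel is not a release this script was written for (5.5.1, 5.6, 5.7)." 1>&2
		echo "         Review each step below before trusting the result.\n" 1>&2
		;;
esac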



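echo "\n--- Now installing the wheel group ---"

#################################################################
#			WHEEL GROUP				
# 
# This creates the wheel group.  The wheel
# group limits who can su by creating the 
# group wheel and changing group ownership to wheel.
#
# For Solaris 2.6 and 2.7, change permissions on
# /usr/bin/su   /sbin/su.static
#
# For Solaris 2.5.1, change permissions on
# /usr/bin/su   /sbin/su
# 
# Be sure you add any accounts that need to su to 
# the file /etc/group  
#
# chmod 4550 is only safe once the binaries really belong to group
# wheel.  If groupadd fails (gid 101 already taken, or the group
# already present from an earlier run) the chown fails as well and
# su would end up set-uid root, mode 4550, still group root -- usable
# only by gid-0 members.  So the permission change is performed only
# after the group is confirmed to exist in /etc/group.
#

cp /etc/group /etc/group.orig

# Reuse an existing wheel group instead of failing on a re-run.
if grep '^wheel:' /etc/group > /dev/null; then
	echo "Group wheel already exists, reusing it"
else
	groupadd -g 101 wheel
fi

if grep '^wheel:' /etc/group > /dev/null; then
	# /sbin/su.static replaced /sbin/su as of Solaris 2.6.
	id=`uname -r`
	case "$id" in
		5.6|5.7) subins="/sbin/su.static /usr/bin/su" ;;
		*)       subins="/sbin/su /usr/bin/su" ;;
	esac
	# $subins is deliberately unquoted: it holds two paths.
	chown root:wheel $subins
	chmod 4550 $subins

	echo "\nCompleted installing the wheel group"
	echo "Be sure to add Admin users to the group in /etc/group\n\n"
else
	echo "ERROR: group wheel could not be created; su permissions left unchanged." 1>&2
	echo "Create the group by hand (e.g. groupadd wheel) and re-run this step.\n\n" 1>&2
fi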

#								
#################################################################





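echo "\n--- Now armoring the file /etc/inet/inetd.conf ---"

#################################################################
#		SERVICES /ETC/INETD.CONF			
#
# This limits the services run by /sbin/inetd
# by commenting out most services in /etc/inet/inetd.conf
# This will also add the entries for TCP Wrappers
#
# The replacement inetd.conf is read from the current directory
# (the script is meant to be run from the directory it was unpacked
# into).  The live file is moved aside only once the replacement is
# known to be present; otherwise a missing source would leave the
# host with no inetd.conf at all after the mv.
#
# NOTE(review): the kit's inetd.conf is not visible here -- confirm
# its telnet/ftp entries point at /usr/local/bin/tcpd, where the
# TCP Wrappers step installs the wrapper.
#

if [ -f inetd.conf ]; then
	mv /etc/inet/inetd.conf /etc/inet/inetd.conf.orig
	cp inetd.conf /etc/inet/inetd.conf
	# cp gives the new file the mode of the copy in the tarball (as
	# masked by umask); pin owner and mode so the result does not
	# depend on how the archive was unpacked.
	chown root /etc/inet/inetd.conf
	chmod 644 /etc/inet/inetd.conf

	echo "\nCompleted armoring the file /etc/inet/inetd.conf"
	echo "/usr/sbin/inetd will now only accept TCP Wrapped"
	echo "telnet and ftp connections\n\n"
else
	echo "ERROR: inetd.conf not found in `pwd`; /etc/inet/inetd.conf left unchanged." 1>&2
	echo "Run this script from the directory it was unpacked into.\n\n" 1>&2
fi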

#								
#################################################################





echo "\n--- Creating the file /etc/ftpusers ---"

#################################################################
#			FTP USERS	
#
# Deny ftp logins by default: in.ftpd refuses any account listed
# in /etc/ftpusers, so every local login name is written there and
# the administrator removes the few that genuinely need ftp.
# An existing file is preserved as /etc/ftpusers.orig.
#

[ -f /etc/ftpusers ] && mv /etc/ftpusers /etc/ftpusers.orig

# One login name per line, taken from the local passwd file only
# (accounts served by NIS/NIS+, if any, are not listed -- add them
# by hand).
awk -F: '{ print $1 }' /etc/passwd > /etc/ftpusers
chmod 744 /etc/ftpusers

echo "\nCompleted the file /etc/ftpusers"
echo "The following accounts cannot ftp to the system"
echo "`cat /etc/ftpusers`\n\n"

#						
#################################################################





echo "\n--- Now creating Banners for Telnet and ftp Daemons ---"

#################################################################
#			TELNET / FTP BANNER
#
# in.telnetd and in.ftpd read BANNER= from /etc/default/telnetd and
# /etc/default/ftpd.  An empty telnet banner and a fixed ftp banner
# keep the OS name and version out of the greeting.  The ftpd file
# also sets the umask applied to uploaded files.  Existing files
# are kept as *.orig.
#
# NOTE(review): the umask key is written in lower case, as in the
# original; confirm the spelling against in.ftpd(1M) for the
# release in use.
#

for dflt in telnetd ftpd; do
	if [ -f /etc/default/$dflt ]; then
		mv /etc/default/$dflt /etc/default/$dflt.orig
	fi
done

cat > /etc/default/telnetd << 'EOF'
BANNER=""
EOF

cat > /etc/default/ftpd << 'EOF'
umask=077
BANNER="WARNING:Authorized use only"
EOF

echo "\nUpdated BANNERS for ftpd and telnetd\n"

#						
#################################################################




echo "\n--- Now creating your login banner ---"

#################################################################
#			LOGIN BANNER				
#
# Writes the pre-login warning to /etc/issue, saving any existing
# file as /etc/issue.orig.  The text deliberately carries no host,
# OS or version details.  NOTE(review): banner wording is normally
# something legal/HR wants to approve -- edit before deployment.
#

[ -f /etc/issue ] && mv /etc/issue /etc/issue.orig

{
	echo ""
	echo "#"
	echo "#"
	echo "#  WARNING:  You must have specific authorization to access"
	echo "#            this machine.  Unauthorized users will be logged,"
	echo "#            monitored, and then shot on site!"
	echo "#"
	echo "# "
} > /etc/issue

echo "\nLogin banner now complete"
echo "Whenever someone telnets to your system, they will"
echo "see the following banner"
echo "`cat /etc/issue`\n\n"

#								
#################################################################





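echo "\n--- Implementing TCP Wrappers ---"

#################################################################
#			TCP WRAPPERS			
#
# This implements the TCP Wrappers binaries in
# /usr/local/bin.  TCP Wrappers has been compiled
# in paranoid mode, logging to facility local3. This 
# version can also use banners.
#
# The pre-built tcpd.sparc / tcpd.i386 binaries ship with this kit
# and are copied from the current directory.  A wrapper binary sits
# in front of every network login, so verify it against a published
# checksum or rebuild it from source before relying on it.
#
# The architecture is taken from `uname -p` (the same value the
# closing message reports) instead of the exit status of /bin/sparc,
# so an unexpected value is reported rather than silently installing
# the x86 binary.  Both kit files are checked for before anything is
# moved or copied.
#

[ -d /usr/local/bin ] || mkdir -p /usr/local/bin

arch=`uname -p`
case "$arch" in
	sparc) tcpdsrc=tcpd.sparc ;;
	i386)  tcpdsrc=tcpd.i386 ;;
	*)     tcpdsrc= ;;
esac

if [ -n "$tcpdsrc" ] && [ -f "$tcpdsrc" ]; then
	cp "$tcpdsrc" /usr/local/bin/tcpd
	chown root /usr/local/bin/tcpd
	chmod 755 /usr/local/bin/tcpd
	echo "Binaries for a $arch system were installed"
else
	echo "ERROR: no tcpd binary for architecture '$arch' found in `pwd`; tcpd NOT installed." 1>&2
fi

# Access control: deny everything, then allow a single placeholder.
# 192.168.5.1 is an EXAMPLE -- replace it with the hosts that really
# need access (see readme.tcpd).  With the options extension compiled
# in, options follow a third ':'; "ALL: ALL DENY" would make "DENY"
# part of the client list (harmless only because ALL already matches),
# so the deny rule is written with the separator.
echo "ALL: 192.168.5.1 :ALLOW" > /etc/hosts.allow
echo "ALL: ALL: DENY" > /etc/hosts.deny

# Root-only; tcpd is started by inetd as root.  Revisit if a wrapped
# service is ever run under another uid.
chmod 750 /etc/hosts.deny /etc/hosts.allow

# syslog.conf from the kit presumably routes facility local3 (tcpd)
# and the inetd trace output to the log files created later.
if [ -f syslog.conf ]; then
	mv /etc/syslog.conf /etc/syslog.conf.orig
	cp syslog.conf /etc/syslog.conf
	chown root /etc/syslog.conf
	chmod 644 /etc/syslog.conf
else
	echo "ERROR: syslog.conf not found in `pwd`; /etc/syslog.conf left unchanged." 1>&2
fi

echo "\nCompleted implementing TCP Wrappers"
echo "You will need to modify /etc/hosts.allow to"
echo "configure what systems can access this server"
echo "See readme.tcpd for more info\n\n"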

#								
#################################################################




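echo "\n--- Turning off specific services in the rc scripts ---"

#################################################################
#			INIT SCRIPTS
#
# Solaris launches a variety of unneeded services
# during the init process.  We can stop these services
# by changing the capital S to a small s in the /etc/rc
# directories (or you can delete them): the rc scripts only
# run files whose names begin with a capital S or K, so the
# renamed file is simply ignored but stays easy to re-enable.
# Below are the services this disables: NFS client and server,
# the automounter, lp, sendmail and the snmpdx SNMP agent.
#
# Each script is checked for before it is renamed, so one that is
# absent on this release (or already disabled by an earlier run)
# is reported instead of producing a bare mv error.
#

for rcscript in \
	rc2.d/S73nfs.client \
	rc2.d/S74autofs \
	rc2.d/S80lp \
	rc2.d/S88sendmail \
	rc3.d/S15nfs.server \
	rc3.d/S76snmpdx
do
	rcdir=`dirname /etc/$rcscript`
	rcname=`basename $rcscript`
	# Only the leading S is lowered; the rest of the name is kept.
	rcoff=`echo $rcname | sed 's/^S/s/'`
	if [ -f /etc/$rcscript ]; then
		mv /etc/$rcscript $rcdir/$rcoff
	elif [ -f $rcdir/$rcoff ]; then
		echo "$rcdir/$rcname already disabled"
	else
		echo "$rcdir/$rcname not present on this system, skipping"
	fi
done

echo "\nCompleted turning off uneeded services"
echo "You may wish to turn off more\n\n"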

#						
#################################################################




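echo "\n--- Now locking down .rhost, .netrc, and hosts.equiv ---"

#################################################################
#			TRUST RELATIONSHIPS			
#
# This creates empty .rhosts, .netrc, and hosts.equiv protecting
# against trust relationships.
#
# touch does not truncate, so a pre-existing non-empty file would
# keep its trust entries while looking "locked down".  Any file
# with content is moved aside as .orig first (the convention used
# elsewhere in this script) and reported, then an empty mode-0
# root-owned file is created in its place.  Root can still
# overwrite these; this is a baseline, not a lock.
#

for tf in /.rhosts /.netrc /etc/hosts.equiv; do
	if [ -s $tf ]; then
		echo "WARNING: $tf was not empty; contents saved as $tf.orig -- review them" 1>&2
		mv $tf $tf.orig
	fi
	touch $tf
	chmod 0 $tf
done

echo "\nCompleted locking down the following files:"
echo "/.rhosts"
echo "/.netrc"
echo "/etc/hosts.equiv\n"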

#								
#################################################################




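echo "\n--- Enabling sulog, tcpdlog, inetdlog, and loginlog ---"

#################################################################
#								
#			LOGGING
#
# We add some additional, critical logging to the system.
#
# The four log files are created up front, presumably because the
# programs writing them (syslogd for tcpdlog/inetdlog via the kit's
# syslog.conf, su for sulog, login for loginlog) only append to
# files that already exist.  They are kept root-only (mode 750)
# since sulog and loginlog record account names.
#

for logf in /var/adm/tcpdlog /var/adm/sulog /var/adm/loginlog /var/adm/inetdlog; do
	touch $logf
	chmod 750 $logf
done

# Blatantly stolen from Brad :)
# From the inetd man page:
#
#   -t    Instructs inetd to trace the incoming  connections
#                  for all of its TCP services.  It does this by log-
#                  ging the client's IP address and TCP port  number,
#                  along with the name of the service, using the sys-
#                  log(3) facility.
#
# Add -t to the inetd start line in /etc/init.d/inetsvc unless it is
# already there.  ed edits in place and exists on every release; the
# result is re-checked so a failed edit is reported, not assumed.

if grep -i "usr\/sbin\/inetd \-s \-t" /etc/init.d/inetsvc > /dev/null; then
	echo "inetd is already started with -t in /etc/init.d/inetsvc"
else
	echo "Looks like it has NOT been updated"
	cp /etc/init.d/inetsvc /etc/init.d/inetsvc.orig
	ed -s /etc/init.d/inetsvc << EOF
g/^\/usr\/sbin\/inetd/s/\/usr\/sbin\/inetd\ \-s/\/usr\/sbin\/inetd\ \-s\ \-t/
w
q
EOF
	if grep -i "usr\/sbin\/inetd \-s \-t" /etc/init.d/inetsvc > /dev/null; then
		echo "Added -t to the inetd start line in /etc/init.d/inetsvc"
	else
		echo "WARNING: could not add -t to /etc/init.d/inetsvc; edit it by hand" 1>&2
	fi
fi
		  
echo "\nSuccessfully completed making log files\n\n"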

#													 
#################################################################



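echo "\n--- Setting TCP initial sequence number generation to RFC 1948 ---"

#################################################################
#								
#		TCP SEQUENCE NUMBERS
#
# This greatly improves security against IP spoofing or hijacking
# It randomizes the initial sequence number for all TCP connections
# by installing the kit's /etc/default/inetinit (which presumably
# sets TCP_STRONG_ISS for RFC 1948 generation).
#
# The original acted only when /etc/default/inetinit already existed
# and said nothing otherwise, so a host without that file silently
# kept the default ISS generation.  The skip is now reported, and the
# live file is moved aside only once the replacement is present.
#

if [ ! -f inetinit ]; then
	echo "ERROR: inetinit not found in `pwd`; /etc/default/inetinit left unchanged.\n\n" 1>&2
elif [ -s /etc/default/inetinit ]; then
	mv /etc/default/inetinit /etc/default/inetinit.orig
	cp inetinit /etc/default/inetinit
	chown root /etc/default/inetinit
	chmod 644 /etc/default/inetinit
	echo "\nSuccessfully updated TCP sequence number generation\n\n"
else
	echo "WARNING: /etc/default/inetinit is missing or empty on this system;" 1>&2
	echo "TCP sequence number generation was NOT changed.  Check whether this" 1>&2
	echo "release supports TCP_STRONG_ISS before installing the kit's inetinit.\n\n" 1>&2
fi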

#							
#################################################################




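echo "\n--- Modify/secure /dev/ip module ----"

#################################################################
#
# Lockdown the IP module by restricting how it responds to
# queries.  The ndd settings are appended to /etc/init.d/inetinit
# so they are re-applied at every boot; they take effect after the
# reboot the closing message asks for, not immediately.
#
#   ip_respond_to_echo_broadcast 0      do not answer broadcast echo requests
#   ip_forward_directed_broadcasts 0    do not forward directed broadcasts
#   ip_respond_to_timestamp* 0          do not answer ICMP timestamp requests
#   ip_forward_src_routed 0             do not forward source-routed packets
#   ip_send_redirects 0                 do not send ICMP redirects
#   ip_ignore_redirect 1                ignore incoming ICMP redirects
#
# ip_forwarding is NOT touched here; review it separately on a
# multi-homed host.  The grep on ip_respond_to_echo_broadcast makes
# the append idempotent across re-runs, and the file is checked for
# first: appending to a missing file would create a script init
# never runs while still reporting success.
#

if [ ! -f /etc/init.d/inetinit ]; then
	echo "ERROR: /etc/init.d/inetinit not found; ndd settings NOT installed.\n" 1>&2
elif grep ip_respond_to_echo_broadcast /etc/init.d/inetinit > /dev/null; then
	echo "\n/etc/init.d/inetinit already contains the ndd settings, leaving it alone\n"
else
	cat << 'EOF' >> /etc/init.d/inetinit

### Set kernel parameters for /dev/ip
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_send_redirects 0
ndd -set /dev/ip ip_ignore_redirect 1
EOF
	echo "\nUpdated /dev/ip by adding ndd commands to the"
	echo "bottom of the /etc/init.d/inetinit startup script\n"
fi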

#
#################################################################


# Closing summary.  Two things are left for the administrator: the
# placeholder in /etc/hosts.allow and the (still empty) wheel group.
# Everything above takes full effect only after a reboot.
cat << 'EOF'

Congratulations, your Solaris box is now more secure!
Be sure to modify /etc/hosts.allow, specifying  which
systems can access your server.  Also, be sure to add
members to the group wheel that require access to the
su command

Once modified, reboot your system to enable all changes
Once rebooted, be sure to verify all Access Control Lists,
services, and logging features

EOF

exit 0
