|
|
Sponsored Content
Operating Systems
Solaris
Hardening Solaris 10
Post 302203727 by flood on Monday 9th of June 2008 04:45:51 PM
06-09-2008
|
|
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
Hi!
I am trying to get info/best practices/how-to harden unix,
especially solaris!
Appreciate any leads please..................... (3 Replies)
Discussion started by: sdharmap
3 Replies
2. Solaris
What do we need to do to harden a freshly installed solaris OS? like disable telnet, no ftp for root etc...What all services you need to stop? How to check what ports are open? etc etc....please provide all tips that come to your mind...thanks:) (5 Replies)
Discussion started by: rcmrulzz
5 Replies
3. UNIX for Dummies Questions & Answers
As per Hardening guide for the server.
ICMP Broadcast Response: The kernel parameter icmp_echo_ignore_broadcasts must match to 1
However when i check the value of icmp_echo_ignore_broadcasts it thrown an error as unkonwn key.
# sysctl icmp_echo_ignore_broadcasts
error:... (2 Replies)
Discussion started by: pinga123
2 Replies
4. Solaris
Hi guys,
Is there any script or program which i can use to verify that my hardening setting is all correct ? Recently i am given a task to make sure my Sun servers are all harden properly though sunjass was already introduced. I need to generate a report to convince my manager that the settings... (0 Replies)
Discussion started by: ahlude
0 Replies
5. SuSE
Currently we are hardening our Solaris server using the Sun provided Jass Security tool kit.
How Can I implement the same security level on SUSE11 SP1?
Are there any tools similar/equivalent to Jass for SUSE11 SP1?
Tanks and Regards (1 Reply)
Discussion started by: vcfko
1 Replies
6. UNIX for Advanced & Expert Users
We've got a FTP server that's open to the public network and its running on Suse SUSE Linux Enterprise Server 11 (x86_64) SP2
Now, since it's an FTP server I can't disable that service, but how else do I harden this server from attacks from outside?
I am thinking of disabling the firewall and... (3 Replies)
Discussion started by: hedkandi
3 Replies
7. Solaris
Hi,
Where I could find information about "Jass hardening" for Solaris10?
Because, I change the /opt/SUNWjass/Files/etc/syslog.conf file. But yet I don't know if I must restart the jass (and how?) or I must to copy /opt/SUNWjass/Files/etc/syslog.conf to /etc/syslog.conf?
Thanks for your... (2 Replies)
Discussion started by: hiddenshadow
2 Replies
8. Cybersecurity
Does anyone have any experience hardening the c-icap.conf file? Here is the default config file, it has a lot of options; sorry about how long it is. I have removed some entries that were not needed as well, but it is still so long :D. Any help is much appreciated as I have never dealt with ICAP.
... (0 Replies)
Discussion started by: savigabi
0 Replies
9. Linux
Hi
We have a requirement to vary the minimum password criteria by the group to which a user belongs.
For example a standard user should have a password with a minimum length of 12 and containing a mix of characters whereas an administrator should have a password with a minimum length of 14... (1 Reply)
Discussion started by: gregsih
1 Replies
10. HP-UX
Hi,
The standard accounts that are created during the HP-UX installation, eg, bin,adm,daemon,uucp,lp,hpdb and nobody have their own shell.
Will there be any impact if we change these user's shell to /bin/false?
Like processes get interrupted, files cannot be generated, etc.
Regards (3 Replies)
Discussion started by: anaigini45
3 Replies
LEARN ABOUT DEBIAN
blhc
BLHC(1) User Contributed Perl Documentation BLHC(1) NAME
blhc - build log hardening check, checks build logs for missing hardening flags SYNOPSIS
blhc [options] <dpkg-buildpackage build log file>.. DESCRIPTION
blhc is a small tool which checks build logs for missing hardening flags. It's licensed under the GPL 3 or later. It's designed to check build logs generated by Debian's dpkg-buildpackage (or tools using dpkg-buildpackage like pbuilder or the official buildd build logs) to help maintainers detect missing hardening flags in their packages. Only gcc is detected as compiler at the moment. If other compilers support hardening flags as well, please report them. If there's no output, no flags are missing and the build log is fine. OPTIONS
--all Force check for all +all (+pie, +bindnow) hardening flags. By default it's auto detected. --arch architecture Set the specific architecture (e.g. amd64, armel, etc.), automatically disables hardening flags not available on this architecture. Is detected automatically if dpkg-buildpackage is used. --bindnow Force check for all +bindnow hardening flags. By default it's auto detected. --buildd Special mode for buildds when automatically parsing log files. The following changes are in effect: o Print tags instead of normal warnings, see "BUILDD TAGS" for a list of possible tags. o Don't check hardening flags in old log files (if dpkg-dev << 1.16.1 is detected). o Don't require Term::ANSIColor. o Return exit code 0, unless there was a error (-I, -W messages don't count as error). --color Use colored (ANSI) output for warning messages. --ignore-arch arch Ignore build logs from architectures matching arch. arch is a string. Used to prevent false positives. This option can be specified multiple times. --ignore-arch-flag arch:flag Like --ignore-flag, but only ignore flag on arch. --ignore-arch-line arch:line Like --ignore-line, but only ignore line on arch. --ignore-flag flag Don't print an error when the specific flag is missing in a compiler line. flag is a string. Used to prevent false positives. This option can be specified multiple times. --ignore-line regex Ignore lines matching the given Perl regex. regex is automatically anchored at the beginning and end of the line to prevent false negatives. NOTE: Not the input lines are checked, but the lines which are displayed in warnings (which have line continuation resolved). Used to prevent false positives. This option can be specified multiple times. --pie Force check for all +pie hardening flags. By default it's auto detected. -h -? --help Print available options. --version Print version number and license. Auto detection for --pie and --bindnow only works if at least one command uses the required hardening flag (e.g. -fPIE). Then it's required for all other commands as well. EXAMPLES
Normal usage, parse a single log file. blhc path/to/log/file If there's no output, no flags are missing and the build log is fine. Parse multiple log files. The exit code is ORed over all files. blhc path/to/directory/with/log/files/* Don't treat missing "-g" as error: blhc --ignore-flag -g path/to/log/file Don't treat missing "-pie" on kfreebsd-amd64 as error: blhc --ignore-arch-flag kfreebsd-amd64:-pie path/to/log/file Ignore lines consisting exactly of "./script gcc file" which would cause a false positive. blhc --ignore-line './script gcc file' path/to/log/file Ignore lines matching "./script gcc file" somewhere in the line. blhc --ignore-line '.*./script gcc file.*' path/to/log/file Use blhc with pbuilder. pbuilder path/to/package.dsc | tee path/log/file blhc path/to/file || echo flags missing BUILDD TAGS
The following tags are used in --buildd mode. In braces the additional data which is displayed. I-hardening-wrapper-used The package uses hardening-wrapper which intercepts calls to gcc and adds hardening flags. The build log doesn't contain any hardening flags and thus can't be checked by blhc. W-compiler-flags-hidden (summary of hidden lines) Build log contains lines which hide the real compiler flags. For example: CC test-a.c CC test-b.c CC test-c.c LD test Most of the time either "export V=1" or "export verbose=1" in debian/rules fixes builds with hidden compiler flags. Sometimes ".SILENT" in a Makefile must be removed. And as last resort the Makefile must be patched to remove the "@"s hiding the real compiler commands. W-dpkg-buildflags-missing (summary of missing flags) CPPFLAGS, CFLAGS, CXXFLAGS, LDFLAGS missing. I-invalid-cmake-used (version) By default CMake ignores CPPFLAGS thus missing those hardening flags. Debian patched CMake in versions 2.8.7-1 and 2.8.7-2 to respect CPPFLAGS, but this patch was rejected by upstream and later reverted in Debian. Thus those two versions show correct usage of CPPFLAGS even if the package doesn't correctly handle them (for example by passing them to CFLAGS). To prevent false negatives just blacklist those two versions. I-no-compiler-commands No compiler commands were detected. Either the log contains none or they were not correctly detected by blhc (please report the bug in this case). EXIT STATUS
The exit status is a "bit mask", each listed status is ORed when the error condition occurs to get the result. 0 Success. 1 No compiler commands were found. 2 Invalid arguments/options given to blhc. 4 Non verbose build. 8 Missing hardening flags. 16 Hardening wrapper detected, no tests performed. 32 Invalid CMake version used. See I-invalid-cmake-used under "BUILDD TAGS" for a detailed explanation. AUTHOR
Simon Ruderich, <simon@ruderich.org> Thanks to to Bernhard R. Link <brlink@debian.org> and Jaria Alto <jari.aalto@cante.net> for their valuable input and suggestions. COPYRIGHT AND LICENSE
Copyright (C) 2012 by Simon Ruderich This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. SEE ALSO
hardening-check(1), dpkg-buildflags(1) perl v5.14.2 2012-06-27 BLHC(1)