Borrowing a bit of experience -- hardening FreeBSD -- Post: 302900608

Sponsored Content

Operating Systems BSD Borrowing a bit of experience -- hardening FreeBSD -- Post 302900608 by MadeInGermany on Wednesday 7th of May 2014 06:39:09 PM

05-07-2014

Registered User

Just seeing this post.
Besides remote scanners like nmap you perhaps can run the following script.

Code:

#!/bin/sh
# This script detects world-wide writable files that can make the OS unsafe.
# It lists them as shell commands that would do fixes. (Pipe it to sh for execution!)

# No wildcard globbing
set -f

# Safe PATH
export PATH
PATH=/bin:/usr/bin:/usr/sbin:/sbin

# Get "mtab"
# Seems like a hack but is better portable than df
#
for mtab in /etc/mnttab /etc/mtab /proc/mounts
do
  [ -f $mtab ] && break
done
if [ ! -f $mtab ]
then
  echo "UNKNOWN: no $mtab"
  exit 3
fi

# Knowing that / is the first mounted OS disk,
# get all disks of the same type from mtab
#
awk '$2=="/" {type=$3} $3==type {print $2}' $mtab |
# and process each disk
while read mdir
do
 # only consider directories that belong to a Unix OS
 case $mdir/ in
 //|/tmp/*|/var/*|/usr/*|/opt/*|/etc/*|/dev/*|/stand/*|/boot/*)
  # List world-writable files and directories together with a command that restricts it.
  # Assume that a directory ending with /tmp is a temporary directory: do not descend and set the t bit.
  find "$mdir" -xdev \( -type f -o -type d \! -perm -1000 \) -perm -2 \( -type d -name tmp -prune -exec echo chmod +t {} \; -o -exec echo chmod o-w {} \; \) -o -type d -name tmp -prune
 ;;
 esac
done

I don't have a BSD system, so am interested if it runs at all...

MadeInGermany

View Public Profile for MadeInGermany

Find all posts by MadeInGermany

6 More Discussions You Might Find Interesting

1. Programming

copying or concatinating string from 1st bit, leaving 0th bit

Hello, If i have 2 strings str1 and str2, i would like to copy/concatenate str2 to str1, from 1st bit leaving the 0th bit. How do i do it?

2. UNIX for Dummies Questions & Answers

I'm looking for a 64-bit Desktop that will run Windows, Linspire, FreeBSD and Solaris

Ok, I've been shopping around and I've seen some nice one's, but they are either too expensive or they are not 64-bit; I want to be prepared for the future at the right price (under $3,000 with a decent configuration)! :D Where can I find a good 64-bit desktop or workstation that will run the...

3. Red Hat

boot the 32 bit kernel on a 64 bit PPC Linux machine?

Hi all, I'm looking to cover a corner case for an upcoming test cycle. Is there a way to boot a RedHat Advanced Server 4 (update 3) installed on a Power PC machine to use a 32 bit kernel? This would be similar to what is done here -> https://www.unix.com/aix/26204-aix-platform.html I've done...

4. UNIX for Advanced & Expert Users

migrating unix mp-ras 32 bit to linux suse 64 bit

Hi. I need to migrate the whole unix environment from a Unix mp-ras 32 bit to a Linux Suse 64 bit. 1) can i use cpio to copy the data? 2) can i just copy the users from unix to linux or do i have to create them by hand 3) are there any other concerns i should worry about? thanx

5. Shell Programming and Scripting

How to handle 64 bit arithmetic operation at 32 bit compiled perl interpreter?H

Hi, Here is the issue. From the program snippet I have Base: 0x1800000000, Size: 0x3FFE7FFFFFFFF which are of 40 and 56 bits. SO I used use bignum to do the math but summing them up I always failed having correct result. perl interpreter info, perl, v5.8.8 built for...

6. Windows & DOS: Issues & Discussions

Which version of Windows Vista to install with a product key? 32-bit or 64-bit?

Hello everyone. I bought a dell laptop (XPS M1330) online which came without a hard drive. There is a Windows Vista Ultimate OEMAct sticker with product key at the bottom case. I checked dell website (here) for this model and it says this model supports both 32 and 64-bit version of Windows...

LEARN ABOUT LINUX

qmail-control

qmail-control(5)						File Formats Manual						  qmail-control(5)

NAME

       qmail-control - qmail configuration files

INTRODUCTION

       You can change the behavior of the qmail system by modifying qmail's control files in /var/lib/qmail/control.

       qmail  can  survive  with  just	one  control  file, me, containing the fully-qualified name of the current host.  This file is used as the
       default for other hostname-related control files.

       Comments are allowed in badmailfrom, locals, percenthack, qmqpservers, rcpthosts, smtproutes, and virtualdomains.  Trailing spaces and tabs
       are allowed in any control file.

       The following table lists all control files other than me.  See the corresponding man pages for further details.

	      control		  default	     used by

	      badmailfrom	  (none)	     qmail-smtpd
	      bouncefrom	  MAILER-DAEMON      qmail-send
	      bouncehost	  me		     qmail-send
	      concurrencylocal	  10		     qmail-send
	      concurrencyremote   20		     qmail-send
	      defaultdomain	  me		     qmail-inject
	      defaulthost	  me		     qmail-inject
	      databytes 	  0		     qmail-smtpd
	      doublebouncehost	  me		     qmail-send
	      doublebounceto	  postmaster	     qmail-send
	      envnoathost	  me		     qmail-send
	      helohost		  me		     qmail-remote
	      idhost		  me		     qmail-inject
	      localiphost	  me		     qmail-smtpd
	      locals		  me		     qmail-send
	      morercpthosts	  (none)	     qmail-smtpd
	      percenthack	  (none)	     qmail-send
	      plusdomain	  me		     qmail-inject
	      qmqpservers	  (none)	     qmail-qmqpc
	      queuelifetime	  604800	     qmail-send
	      rcpthosts 	  (none)	     qmail-smtpd
	      smtpgreeting	  me		     qmail-smtpd
	      smtproutes	  (none)	     qmail-remote
	      timeoutconnect	  60		     qmail-remote
	      timeoutremote	  1200		     qmail-remote
	      timeoutsmtpd	  1200		     qmail-smtpd
	      virtualdomains	  (none)	     qmail-send

SEE ALSO

       qmail-inject(8), qmail-qmqpc(8), qmail-remote(8), qmail-send(8), qmail-showctl(8), qmail-smtpd(8)

																  qmail-control(5)