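#!/bin/sh
#
# Simple script for locking down Sun servers post-install...
# Disables unnecessary daemons in /etc/rc.[2,3]/*
#
# Created by Jonathan Katz, jonathan.katz@gmail.com
#
# Edited and updated to be run as a startup script to
# disable the RC scripts replaced from patching.
#
# As you're probably well aware, after patching a
# Sun system that hasn't been minimized, startup
# scripts are replaced for daemons that have been
# patched. Even if you removed the startup script
# before, the patches will replace the startup script.
# When you reboot after patching, the daemons you
# thought would not start launch once again, slowing
# your system with unnecessary services and opening
# possible security holes.
#
# Therefore I came up with this script which simply
# renames a series of startup scripts during each boot
# process to ensure the daemons you don't want running
# won't start.
#
# I've installed the script as /etc/rc2.d/S29lockdown
# It needs to be installed with a proper name so it
# will execute before the first script it intends to
# disable is called by init. The first daemon I've
# disabled is pppd, which starts at S47. So at a bare
# minimum this script would need to be saved as
# /etc/rc2.d/S46lockdown
#
# Below is a listing of what the startup scripts this
# script looks for start.
#
# If you need a specific daemon to start be sure to
# edit the name of its startup script OUT from
# the RC2_LIST or RC3_LIST variable.
#
# Only the names listed below are handled: a patch that
# introduces a start script under a different name is not
# caught, so review the lists after patching.
#
# RC2 Disabled...
#
# S47asppp            Asynchronous PPPD, unnecessary
# S47pppd             Regular PPPD, unnecessary
# S70uucp             UUCP, unnecessary, people still use UUCP?
# S71rpc              RPC isn't needed for most day-to-day operations
# S72slpd             We don't use Service Location/LDAP
# S73cachefs.daemon   We don't use cachefs
# S73nfs.client       We generally don't use NFS except during jumpstart
# S74autofs           No automounter
# S76nscd             No nscd; we're using flat host files
# S80lp               No lpd, printer daemon
# S80spc              No SYSV printd
# S85power            No power management, not needed on servers
# S88sendmail         No sendmail
# S90wbem             No Solaris Management Console
# S92volmgt           No volmgt; no automount of CDs or floppies
# S93cacheos.finish   We aren't in install mode
# S94ncalogd          We aren't using NCA
# S95ncad             We aren't using NCA
# S96ab2mgr           No answerbook server
# S99dtlogin          No dtlogin
#
# RC3 Disabled...
#
# S15nfs.server       Disables NFS Server
# S34dhcp             We don't use DHCP, client or server
# S50apache           We aren't running Apache
# S80mipagent         Disables SNMP Agent
# S77dmi              Disables SNMP Agent
# S76snmpdx           Disables SNMP Agent
# S81volmgt           On some OSes, automount of CDs moves to /etc/rc3.d

# How the disabling works: the rc runner only executes entries named
# S* (start) and K* (kill), so a file renamed to NO.<name> is skipped at
# boot while its contents stay on disk, so it can be re-enabled later
# by moving it back.
#
# Entries are whitespace-separated; the for loop below relies on word
# splitting, so keep them free of spaces and glob characters.
RC2_LIST="S47asppp S47pppd S70uucp S71rpc S72slpd S73cachefs.daemon S73nfs.client S74autofs S76nscd S80lp S80spc S85power S88sendmail S90wbem S92volmgt S93cacheos.finish S94ncalogd S95ncad S96ab2mgr S99dtlogin"
RC3_LIST="S15nfs.server S34dhcp S50apache S80mipagent S77dmi S76snmpdx S81volmgt"

#######################################
# Rename every listed start script in one rc directory so init skips it.
# Arguments:
#   $1 - rc directory, e.g. /etc/rc2.d
#   $2 - whitespace-separated list of S* script names to disable
# Outputs:
#   one "Securing ..." line per script renamed (stdout); errors to stderr
# Returns:
#   0 if the directory exists and every rename succeeded, 1 otherwise
#######################################
disable_rc_scripts() {
  rc_dir=$1
  rc_list=$2
  rc_status=0

  # Refuse a missing directory loudly. The previous version did an
  # unchecked 'cd', after which the loop would have looked for the
  # scripts in whatever directory the shell happened to be in.
  if [ ! -d "$rc_dir" ]; then
    echo "lockdown: $rc_dir does not exist, skipping" >&2
    return 1
  fi

  # Absolute paths throughout: no cd, so a failed chdir can never lead
  # to renames in the wrong directory.
  for X in $rc_list; do
    if [ -f "$rc_dir/$X" ]; then
      echo "Securing $X ..."
      # mv overwrites a stale NO.$X left by an earlier boot; that is
      # intended, the freshly patched copy is the one worth keeping.
      /bin/mv "$rc_dir/$X" "$rc_dir/NO.$X" || rc_status=1
    fi
  done
  return $rc_status
}

# Process both run-level directories; a failure in one does not stop
# the other, but is reflected in the exit status.
lockdown_status=0
disable_rc_scripts /etc/rc2.d "$RC2_LIST" || lockdown_status=1
disable_rc_scripts /etc/rc3.d "$RC3_LIST" || lockdown_status=1
exit $lockdown_status

##############################################################################
### This script is submitted to BigAdmin by a user of the BigAdmin community.
### Sun Microsystems, Inc. is not responsible for the
### contents or the code enclosed.
###
###
### Copyright Sun Microsystems, Inc. ALL RIGHTS RESERVED
### Use of this software is authorized pursuant to the
### terms of the license found at
### http://www.sun.com/bigadmin/common/berkeley_license.jsp
##############################################################################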